Terms of Service
The ground rules for using SecretSweep.
01 Service Description
SecretSweep is operated by Iron Digital Labs LLC ("we," "us," or "our"). SecretSweep provides automated scanning of source code repositories for leaked secrets, API keys, and credentials. By using this service, you agree to these terms.
SecretSweep is offered from the United States to users in the United States. It is not specifically directed to, marketed toward, or intended for residents of the European Economic Area, the United Kingdom, or Switzerland. If you access SecretSweep from outside the United States, you do so on your own initiative and are responsible for compliance with applicable local laws. Nothing in these Terms limits any mandatory consumer protection rights that apply to you under the laws of your jurisdiction and that cannot be waived by agreement.
02 License Grant
By connecting your repositories to SecretSweep, you grant a limited, revocable license to access and analyze your source code solely for the purpose of detecting leaked secrets and credentials. SecretSweep claims no intellectual property rights over your code.
03 Data Handling
SecretSweep processes repository content solely for the purpose of detecting leaked secrets and credentials, and retains only the minimum data necessary to provide the Service as described below.
SecretSweep does not permanently store your source code. Repositories and CI/CD build logs are cloned or downloaded temporarily during scanning and deleted immediately after. Scan results are stored, including redacted previews of detected secrets (first and last 4 characters only) and cryptographic hashes for deduplication. When a credential is verified as active, an encrypted copy (AES-256-GCM) is retained solely for automated monthly re-verification and is permanently deleted when the credential is revoked or the account is closed. Full secrets are never stored in plaintext or exposed through the user interface, API, or data exports.
04 Disclaimer of Warranties
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
SecretSweep does not guarantee that the service will detect all secrets, vulnerabilities, or security issues in your code. You are solely responsible for the security of your code and infrastructure, including the remediation of any findings.
Nothing in these Terms excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be excluded or limited under applicable law, including mandatory consumer protection laws of your jurisdiction.
05 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, TOTAL LIABILITY FOR ALL CLAIMS ARISING FROM THE SERVICE SHALL NOT EXCEED THE GREATER OF $100 USD OR THE TOTAL FEES PAID BY YOU IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. SECRETSWEEP SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES.
The foregoing cap does not apply to: (a) liability that cannot be limited or excluded under Section 4 or under applicable non-waivable law; (b) either party's indemnification obligations under Section 8; (c) gross negligence or willful misconduct; or (d) either party's misappropriation or infringement of the other party's intellectual property rights.
Subject to the carve-outs above, this limitation applies to the maximum extent permitted by applicable law.
06 User Responsibilities
You are responsible for: (a) ensuring you have the right to grant access to the repositories you connect; (b) acting on scan findings in a timely manner; (c) maintaining the security of your account credentials.
07 Acceptable Use
You may not use SecretSweep to scan repositories you do not own or have explicit authorization to scan. You may not use the service to conduct unauthorized security testing against third parties.
You may not use the Service if you are located in, or a resident of, a country or region subject to comprehensive United States sanctions (currently including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine), or any other country or region designated from time to time as subject to comprehensive U.S. sanctions by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC). You also may not use the Service if you are listed on the U.S. Treasury Department's Specially Designated Nationals (SDN) list, the Consolidated Sanctions List, or any other applicable U.S., U.K., or EU sanctions list.
In addition, you may not:
- Exploit, share, or weaponize any secrets, credentials, or vulnerabilities discovered through the Service.
- Use scan results to gain unauthorized access to any system, service, or account.
- Reverse-engineer the scanning engine or attempt to extract detection rules beyond what is documented.
08 Indemnification
You agree to indemnify, defend, and hold harmless Iron Digital Labs LLC and its officers, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use of the Service; (b) scanning repositories you do not own or lack authorization to scan; (c) your violation of these Terms; or (d) any content found in your repositories. This obligation survives termination of your account.
Iron Digital Labs LLC will (i) notify you in writing of any claim for which it seeks indemnification without undue delay, and in any event within fifteen (15) business days of becoming aware of such claim, provided that a failure to provide timely notice relieves you of your obligations under this Section only to the extent you are actually prejudiced by the delay; (ii) give you sole control of the defense and settlement of the claim, with counsel reasonably acceptable to Iron Digital Labs LLC, except that you will not settle any matter in a way that imposes any obligation, liability, or admission of fault on Iron Digital Labs LLC without its prior written consent; and (iii) reasonably cooperate in the defense at your sole cost and expense. Iron Digital Labs LLC may participate in the defense with counsel of its own choosing at its own expense.
This Section does not apply to users who qualify as consumers under mandatory consumer protection laws of their jurisdiction, to the extent such laws prohibit or limit consumer indemnification obligations.
09 Termination
Either party may terminate this agreement at any time. Upon termination, SecretSweep will delete your account data, scan history, and findings immediately in a single database transaction. A minimal abuse-prevention record is retained indefinitely solely to enforce free-tier lifetime limits on any future re-registration. That record includes your public GitHub user ID, irreversible hashed repository identifiers used only for distinct-repository counting, aggregate scan counters, and limited deletion metadata. See the Privacy Policy for full details.
10 DMCA and Abuse Reports
SecretSweep respects intellectual property rights. If you believe content accessible through the Service infringes your copyright, or if you wish to report abuse of the Service, please send a written notice to support@secretsweep.com with the following information: (a) identification of the copyrighted work or description of the abuse; (b) identification of the material at issue and its location; (c) your contact information; and (d) a statement, under penalty of perjury, that you have a good-faith belief the use is unauthorized or abusive. SecretSweep will review all reports and respond within a reasonable time.
11 Governing Law and Jurisdiction
These Terms are governed by the laws of the State of Washington, United States, without regard to its conflict-of-laws principles. Any dispute arising from or related to these Terms or the Service shall be brought exclusively in the state or federal courts located in King County, Washington, and you consent to the personal jurisdiction of those courts.
Nothing in this Section limits any mandatory non-waivable right of a consumer to bring proceedings in the courts of their country of residence to the extent required by applicable law.
12 Changes
SecretSweep may update these terms with 30 days' notice. Continued use after changes constitutes acceptance.
13 Subscription Terms and Auto-Renewal
PAID SUBSCRIPTIONS AUTOMATICALLY RENEW EACH MONTH AT THE THEN-CURRENT PRICE UNTIL YOU CANCEL. YOUR PAYMENT METHOD WILL BE CHARGED AT THE START OF EACH BILLING PERIOD.
Current pricing: Pro is $9 per month; Power is $19 per month. All charges are in U.S. dollars.
You may cancel your subscription at any time through the Stripe customer portal accessible from your billing page, or by contacting support@secretsweep.com. Cancellation takes effect at the end of your current paid period; you retain access to paid features until then. No refunds are provided for partial billing periods, except as required by applicable non-waivable law.
14 Price Changes
If Iron Digital Labs LLC raises the price of an existing paid subscription, the new price takes effect no earlier than 30 days after written or email notice to you. You may cancel your subscription before the new price takes effect without penalty. Continued use of the Service after the new price takes effect constitutes acceptance of the new price.
15 Statutory Cancellation Rights
Where your local law provides a mandatory statutory cancellation, withdrawal, or cooling-off right in connection with digital-service purchases, that right applies as required by that law. To exercise any such statutory right, contact support@secretsweep.com within the period provided by your local law.
16 No Compliance Guarantee
SecretSweep is a scanning tool. It does not guarantee detection of all secrets, compliance with any regulatory framework, or protection against all security incidents. References to compliance frameworks (SOC 2, ISO 27001, PCI DSS, NIST, CMMC, or others) describe how the Service may support your compliance efforts and do not constitute certification, attestation, or legal opinion.