END-USER LICENSE AGREEMENT ("EULA")
Last updated: Dec 04, 2025
IMPORTANT – PLEASE READ CAREFULLY. BY CREATING AN ACCOUNT, ACCESSING OR USING THE EXODOS LABS PLATFORM (THE "SERVICE"), YOU ("CUSTOMER", "YOU", "YOUR") ACCEPT AND AGREE TO BE BOUND BY THIS EULA. IF YOU DO NOT AGREE, DO NOT USE THE SERVICE.
"Affiliate" – any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
"AI Services" – Exodos' internal AI capabilities and approved third-party AI processors, including LangSmith and Google Gemini, used to enrich SBOM data, perform vulnerability and license analysis, generate recommendations, or enhance data accuracy.
"Audit Logs" – immutable logs maintained by Exodos recording user actions, API calls, SBOM uploads, access events, and system-level activities.
"Data Protection Laws" – all applicable laws and regulations governing the Processing of Personal Data, including the EU GDPR, UK GDPR, CCPA/CPRA, Swiss FADP, and any similar global legislation.
"EU Representative" – the representative appointed under GDPR Article 27: esb Rechtsanwälte Emmert Bücking Speichert Matuszak-Lesny (Adwokat) PartG mbB, Schulze-Delitzsch-Str. 16, 70565 Stuttgart, Germany, Email: stuttgart@kanzlei.de.
"Personal Data" – any information relating to an identified or identifiable natural person, including personal identifiers that may appear in SBOM metadata.
"Platform" – the Exodos Labs cloud-based service located at app.exodos.io, including the SBOM repository, CI/CD ingest pipeline, APIs, ABAC permissions, communication hub, notifications, dashboards, and automated security and compliance analysis.
"SBOM" – a Software Bill of Materials or comparable component inventory uploaded to, generated by, or processed through the Service.
"Sub-processors" – third parties engaged by Exodos to assist in providing the Service.
"Subscription Term" – the period during which You are authorized to use the Service under an Order Form.
"Proprietary Information" – all trade secrets, software, documentation, business, technical and financial information disclosed by Exodos and any data derived therefrom.
Subject to payment of all applicable fees and Your compliance with this EULA, Exodos Labs, Inc. ("Exodos," "we," "us") grants You a limited, non-exclusive, non-transferable, revocable license to access and use the Service solely for Your internal business purposes during the Subscription Term.
The Service is licensed, not sold.
3.1 Confidentiality of Credentials. You must maintain strict confidentiality of all credentials (including usernames, passwords, API keys, SSO identity mappings, and CI/CD tokens). You must promptly notify Exodos of any unauthorized use or security incident.
3.2 Responsibility for Users. You are responsible for all activities under Your account, including those by Your employees, contractors, suppliers, or integrated systems using API credentials.
3.3 Accuracy. You agree to provide accurate, current, and complete registration information.
4.1 Roles. You are the data controller and Exodos is the data processor with respect to Personal Data Processed through the Service.
4.2 Processing Purposes. Exodos Processes Personal Data solely to:
provide, maintain, and improve the Service;
operate the SBOM repository and perform automated analysis;
run AI Services for SBOM enhancement, supplier scoring, and vulnerability & license analysis;
support CI/CD integrations and APIs;
enable ABAC permissions, audit logging, and communication features;
deliver incident notifications, service updates, and operational alerts;
comply with legal and regulatory requirements.
4.3 Hosting, Data Residency & Transfers. All Customer data is stored exclusively in Germany (Hetzner, Frankfurt). Transfers to Sub-processors outside the EU/UK (e.g., analytics and AI processors in the US) are governed by: (i) EU Standard Contractual Clauses (SCCs), (ii) UK International Data Transfer Addendum (IDTA), and (iii) supplementary safeguards.
4.4 Sub-Processors. You authorize Exodos to use the following Sub-processors:
Provider: Hetzner | Purpose: Hosting, compute, storage | Region: Germany (Frankfurt)
Provider: Resend | Purpose: Email delivery | Region: US
Provider: Hotjar | Purpose: UX analytics | Region: EU
Provider: Google Analytics | Purpose: Web analytics | Region: US
Provider: HubSpot | Purpose: CRM, support, analytics | Region: US
Provider: Stripe | Purpose: Payment processing | Region: US
Provider: Coralogix | Purpose: Error monitoring | Region: EU datacenter
Provider: Swan AI | Purpose: Lead scoring & profiling | Region: US
Provider: LangSmith + Google Gemini | Purpose: AI processing of SBOM-related data | Region: US
All Sub-processors are bound by written agreements imposing data-protection obligations at least as protective as those in this EULA.
4.5 Assistance & Breach Notification. Exodos will: (i) assist You with data-subject rights requests, (ii) assist with privacy impact assessments, (iii) notify You without undue delay of any Personal Data breach, (iv) provide reasonable cooperation with Your regulatory obligations.
4.6 Data Security & Retention.
TLS 1.2 encryption is used for all data in transit.
Customer data is not encrypted at rest (disclosed for transparency).
Audit Logs are retained indefinitely.
Backups are retained for 30 days.
SBOMs and Inventory content remain stored until You delete them or Your Subscription Term ends.
Exodos maintains industry-standard safeguards, including:
attribute-based access control (ABAC),
immutable audit logs,
monitoring and alerting systems,
annual penetration tests,
secure CI/CD integration controls,
controlled Sub-processor access,
segregation of environments.
You acknowledge that no system can be guaranteed 100% secure.
6.1 Each party will protect the other's Proprietary Information with at least the same degree of care used to protect its own confidential information, and use it solely to fulfil obligations under this EULA.
6.2 Confidentiality obligations survive for five (5) years after termination, and indefinitely for trade secrets.
You shall not:
(a) resell, sublicense, or commercially exploit the Service;
(b) reverse engineer, decompile, or derive source code;
(c) process unlawful content or Personal Data without a lawful basis;
(d) interfere with or disrupt the Service;
(e) circumvent access controls or audit logging;
(f) introduce malware or harmful code;
(g) upload SBOMs or content infringing third-party rights.
The Service and software remain the exclusive property of Exodos and its licensors.
Exodos claims no ownership in SBOMs or content You upload. You grant Exodos a worldwide, non-exclusive license to host, reproduce, and Process Your content solely to provide the Service, including through AI Services.
Any feedback You provide may be used by Exodos without restriction or obligation. Paying customers grant Exodos the right to reference their company name, logo, and approved testimonials in marketing materials.
10.1 Fees and payment schedules are listed in Your Order Form.
10.2 Late payments accrue interest at 1.5% per month.
10.3 Fees exclude applicable taxes and duties.
11.1 Availability. Exodos may offer a "Free Tier" to encourage product-led adoption.
11.2 Public SBOMs. All SBOMs uploaded under the Free Tier may be shared publicly by the user and may be indexed, viewed, and downloaded by any user or the general public once published. Do not upload confidential, proprietary, or export-controlled data.
11.3 Usage Limits. Technical limits may apply and exceeding them requires upgrading.
11.4 Changes. Exodos may modify or discontinue the Free Tier with reasonable notice.
11.5 No Warranty. The Free Tier is provided "AS IS" without support or SLAs.
11.6 Data Retention. Content may be deleted after 30 days following downgrade. Public SBOMs may remain publicly accessible indefinitely.
11.7 Upgrade. You may convert to a paid plan at any time.
12.1 Exodos may suspend or terminate access for material breach after thirty (30) days' notice unless cured.
12.2 Either party may terminate at the end of a Subscription Term with at least thirty (30) days' prior notice.
13.1 Upon termination, Your license ends and You must stop using the Service.
13.2 Upon request within thirty (30) days, Exodos will delete or return Your private content unless retention is required by law.
13.3 Public SBOMs posted on the Free Tier and marked as published publicly may remain publicly accessible.
The Service is provided "AS IS" and "AS AVAILABLE," without warranties of any kind.
Neither party is liable for indirect, special, incidental, consequential, or punitive damages. Exodos's total liability is limited to the fees paid by You in the twelve (12) months preceding the claim.
You will indemnify and hold Exodos harmless from claims arising from: (i) Your breach of this EULA, (ii) content You upload, or (iii) unlawful or unauthorized use of the Service.
You must comply with all export-control and sanctions regulations.
If You are domiciled in North America, Delaware law governs. Otherwise, German law applies. Courts in the applicable venue have exclusive jurisdiction.
19.1 Entire Agreement. This EULA and Order Forms constitute the full agreement.
19.2 Amendments. Must be in writing.
19.3 Assignment. Allowed only with consent, except in corporate transactions.
19.4 Severability. Invalid provisions do not affect the rest.
19.5 Force Majeure. Neither party is liable for events beyond reasonable control.
19.6 Relationship. Independent contractors.
19.7 Notices. Written notices required; email acceptable for routine matters.
19.8 Survival. Sections 6, 8, 9, 11.2, 13–19 survive termination.