
Kikimora Platform & AI Agent Terms and Conditions

Last updated:

These Terms and Conditions (the “Terms”) govern the provision of the Kikimora vulnerability risk management platform & AI agent (the “Platform”) by Kikimora io AD, UIC: 207472703, a corporation incorporated under the laws of the Republic of Bulgaria, having its registered address at Bulgaria, Sofia 1612, Hipodruma Building 107A, Ap.1 (the “Company”).

1. Definitions

  • “Asset” means any digital, physical, or virtual resource, system, application, infrastructure component, or network that a User owns, controls, or is authorized to assess, scan, or test using the Platform.
  • “Integrations” means the connections, interfaces, or data exchanges between the Platform and Third Party platforms, tools, or services (such as Qualys, BurpSuite, Jira, Rapid7, Nessus, Wazuh, Google Gemini) that enable enhanced functionality, data sharing, or interoperability.
  • “Third Party” means any individuals, entities, service providers, or organizations other than the User or the Company, including but not limited to vendors, contractors, platform providers, and any external parties involved in integrations or related services.
  • “User” means any legal entity that registers for or accesses the Platform for business purposes, including its authorized employees, contractors, or representatives who are permitted to use the Platform on its behalf. The Platform is intended solely for business-to-business (B2B) use, and by registering, Users represent and warrant that they are acting within the scope of their professional or organizational capacity.

2. Platform

2.1 Platform Description

The Platform is a vulnerability risk management solution that centralizes and correlates data from automated security testing tools and manual assessments.

  a) It provides a unified dashboard for tracking identified risks, managing remediation workflows, scheduling scans, and generating actionable insights.
  b) All collected data is stored securely in one place to enhance visibility into your security posture.
  c) By automating repetitive tasks and offering intelligent recommendations, the Platform helps organizations accelerate remediation and streamline the entire vulnerability lifecycle, from discovery to resolution.

2.2 Access and Tokens

The Platform does not require a subscription or upfront payment to access. Upon registration, Users are granted a limited number of free Tokens, as defined below, which can be used to perform scans and access certain features.

2.3 Agreement

By creating an account and using the Platform, Users agree to these Terms and Conditions.

3. AI Agent

3.1 Agent Functionality

The Platform includes an AI-powered agent (the “Agent”) that assists with interpreting scan results, generating summaries, and suggesting remediation steps. This feature is designed to enhance the User experience but does not replace professional security expertise or manual review.

3.2 Data Processing

The Agent is powered by a large language model via integration with Google Gemini and processes data in real-time, including content retrieved from the User’s live vulnerability database within the Platform. By using the Agent, Users acknowledge and agree that data may be transmitted to Gemini’s servers for processing in accordance with Gemini’s Terms of Use and Privacy Policy (https://policies.google.com/).

3.3 User Responsibility

Users are responsible for ensuring that any data accessible to the Agent, including personal data, confidential information, or proprietary findings, is lawfully processed, and that appropriate safeguards are in place before using the Agent functionality.

3.4 No Guarantees

The Company does not guarantee the accuracy, completeness, or reliability of any Agent-generated output. Agent responses are generated based on statistical patterns and should not be relied upon as definitive security findings, legal advice, or remediation instructions. Users must independently validate and review all Agent-assisted outputs.

3.5 Liability Disclaimer

The Company disclaims all liability arising from any use or reliance on Agent-generated content. Use of the Agent is entirely at the User’s own risk.

4. Tokens & Payment

4.1 Token System

The Platform operates on a token-based system (the “Token”) that allows Users to perform vulnerability scans and related actions. Upon account registration, Users are granted a limited number of free Tokens, which may be used to initiate scans or utilize certain features of the Platform. Once the allocated tokens are exhausted, Users may either:

  a) Wait for the next scheduled token refresh (if applicable), or
  b) Purchase additional tokens through the Platform.

4.2 Token Management

The Company may set, modify, or limit the number of Tokens allocated per User, the frequency of Token refresh, the cost of purchasing additional Tokens, or the types of features that require Tokens. These limits and conditions will be communicated through the Platform interface or relevant documentation.

4.3 Token Terms

Tokens are non-refundable, non-transferable, and have no cash value. Purchased Tokens may be subject to expiration or usage limits, as indicated at the time of purchase.

4.4 Pricing Changes

The Company reserves the right to change its pricing, billing methods, or Token policies at any time, with reasonable notice to Users where required by applicable law.

4.5 Payment Processing

Token purchases are processed via integrated payment providers (e.g., Stripe). By initiating a payment, Users agree to the relevant provider’s terms of service and privacy policy. The Company does not store or process payment card information directly; all such data is handled by the payment provider.

5. Onboarding

5.1 Self-Onboarding

The Platform operates on a self-onboarding basis. Users are solely responsible for creating their own accounts through the registration interface, and no manual approval or intervention is required from the Company.

5.2 Information Accuracy

Users must provide accurate, current, and complete information during registration. The Company reserves the right to suspend or terminate accounts that contain false or misleading information.

5.3 Credential Security

Users are responsible for maintaining the confidentiality and security of their login credentials. The Company shall not be liable for any loss or damage resulting from unauthorized access arising from failure to safeguard credentials.

6. Functionality

6.1 Data Aggregation

The Platform aggregates and consolidates security-related data from various automated security testing tools and manual activities into a single platform to provide Users with enhanced visibility into their overall security posture.

6.2 Security Testing Integration

The Platform integrates with industry-leading security testing solutions to facilitate comprehensive identification of potential vulnerabilities across connected systems and Assets.

6.3 Passive Analysis

The Platform does not perform active exploitation of vulnerabilities. It passively analyzes collected data to identify potential security risks and misconfigurations, without executing harmful actions or exploiting identified weaknesses.

6.4 Data Access Limitations

By design, the Platform operates on metadata and integration results, and does not directly access source systems or handle sensitive business data. However, when Users install and configure an Agent, the Agent may interact with local systems (e.g., collecting technical metrics or executing diagnostic actions). Such functionality is explicitly controlled and initiated by the User and depends on the granted permissions and configuration settings.

7. Limitations

7.1 Asset Accessibility

The Platform can only analyze Assets that are accessible at the time of scanning. If an Asset is protected by authentication mechanisms (e.g., usernames, passwords, access tokens), it will not be scanned unless the User explicitly provides the necessary credentials.

7.2 User Responsibility

Users are solely responsible for choosing whether to grant access to such gated Assets.

7.3 Credential Handling

The Platform does not store or access these credentials unless explicitly provided through secure input for the purpose of the scan.

7.4 Coverage Limitations

Failure to provide access may result in incomplete scan coverage or missed vulnerabilities in restricted areas.

8. Service Levels

8.1 “As Is” Basis

The Platform is provided on an “as is” and “as available” basis. The Company makes no representations or warranties regarding availability, performance, or reliability of the Platform and does not provide any guaranteed service levels, uptime commitments, or formal service-level agreements (“SLA”).

8.2 No Guarantees

The Company does not warrant that the Platform will be uninterrupted, error-free, or secure. Users acknowledge that the Platform may be subject to occasional downtime, bugs, or maintenance periods.

8.3 Support Response

Although no formal service guarantees are provided, the Company endeavors to respond to support requests or inquiries within twenty (20) business days, depending on the nature and severity of the issue.

9. License & Acceptable Use

9.1 License Grant

Subject to these Terms, the Company grants Users a limited, non-exclusive, non-transferable, and revocable license to access and use the Platform solely for lawful, internal business purposes in accordance with its intended functionality.

Users represent and warrant that they have all necessary legal rights, permissions, and authorizations to scan, test, or analyze any target Assets using the Platform. Unauthorized scanning or testing of assets owned by Third Parties is strictly prohibited.

9.3 Compliance

Users agree to use the Platform solely for lawful, authorized business purposes, and in compliance with all applicable cybersecurity laws, regulations, and industry standards, including but not limited to the NIS2 Directive, DORA Regulation, and any other relevant local or international legal requirements.

9.4 Prohibited Activities

Users shall not, directly or indirectly:

  a) Scan, test, or interact with Assets they do not own, control, or have explicit authorization to assess;
  b) Attempt to gain unauthorized access to networks, systems, or data;
  c) Attempt to manipulate the Token system, including but not limited to exploiting usage limits, bypassing purchase mechanisms, or reverse-engineering Token allocation logic;
  d) Interfere with or disrupt the operation of the Platform or connected systems;
  e) Reverse engineer, decompile, or otherwise attempt to extract the source code or underlying structure of the Platform;
  f) Use the Platform for any harmful, illegal, or fraudulent activity, including security research or penetration testing on Third Party systems without consent;
  g) Violate the rights of others, including intellectual property, privacy, or contractual rights.

9.5 Termination Rights

The Company reserves the right to suspend or terminate access to the Platform or any User account at any time, without notice, if it determines in its sole discretion that a User has violated this License & Acceptable Use clause or otherwise misused the Platform.

10. Disclaimers

10.1 Scan Results

Users acknowledge that scan results generated by the Platform may contain false positives or false negatives. The Company does not warrant the accuracy, completeness, or reliability of any findings, insights, or recommendations provided.

10.2 Vulnerability Detection

The Company makes no guarantee that all vulnerabilities, misconfigurations, or security issues will be identified, nor that identified issues will be classified or reported correctly.

10.3 User Responsibility

Users are solely responsible for evaluating, interpreting, and acting upon any scan data, findings, or recommendations provided by the Platform. Any security measures, code changes, or operational decisions made based on the Platform’s output are undertaken at the User’s own risk.

10.4 Liability Exclusion

The Company shall not be liable for any loss, damage, or liability arising from actions taken, or not taken, based on scan results, including but not limited to system downtime, data breaches, security failures, or operational disruptions.

11. Risks

11.1 Performance Impact

Running vulnerability scans, particularly on production environments, may cause temporary performance degradation, service slowdowns, or outages. Users are responsible for scheduling scans during off-peak times, ensuring proper rate-limiting is in place, and taking any other necessary precautions to mitigate any operational impact, including traffic generation or Asset overloads.

11.2 Asset Reactions

Some scanned Assets may react unpredictably to automated probes or data collection, which could lead to Asset misbehavior or alerts being triggered (e.g., IDS/IPS alerts, rate-limiting, firewall blocks).

11.3 Configuration Issues

Improper setup or lack of access permissions may result in incomplete or inaccurate scan results. Users are responsible for properly configuring integrations, targets, credentials, and scan scopes.

If scans are conducted without proper legal or organizational authorization, Users may unintentionally violate compliance requirements, internal policies, or cybersecurity laws.

11.5 Data Security

While the Company takes reasonable precautions to secure scan data, Users must ensure they are not uploading sensitive or classified data unless appropriate access controls are in place.

12. Intellectual Property

12.1 Company Ownership

All intellectual property rights in and to the Platform, including but not limited to software code, features, trademarks, content, design elements, and documentation, are and shall remain the exclusive property of the Company or its licensors.

12.2 Limited License

These Terms do not grant the User any ownership rights or licenses to the Platform, except for the limited, revocable license expressly stated herein.

12.3 Prohibited Actions

Users shall not:

  a) Copy, reproduce, modify, or create derivative works of the Platform;
  b) Decompile, reverse-engineer, disassemble, or attempt to derive the source code of the Platform;
  c) Remove, obscure, or alter any copyright, trademark, or proprietary notices within the Platform.

13. Limitation of Liability & Indemnity

13.1 Exclusions

Nothing in these Terms shall exclude or limit either party’s liability for death or personal injury caused by that party’s negligence, fraud or fraudulent misrepresentation, or any liability which cannot be legally excluded or limited.

13.2 Limitation of Liability

Neither party will be liable, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any of the following losses or damage (whether or not such losses or damage were direct, foreseen, foreseeable, known or otherwise) howsoever arising in respect of any: special, indirect, incidental or consequential loss or damage; loss of actual or anticipated profits; loss of business or contracts; loss of revenue or of the use of money; loss of anticipated savings; and/or loss of goodwill, arising out of or in connection with these Terms.

13.3 Maximum Liability

The maximum aggregate liability of the Company to the User for all claims arising in connection with this Agreement whether in contract, tort (including negligence) or breach of statutory duty, misrepresentation or otherwise shall be limited to 1,000 EUR.

13.4 Indemnification

Users agree to indemnify, defend, and hold harmless the Company, its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including legal fees) arising out of or related to:

  a) The User’s breach of these Terms;
  b) Unauthorized scanning or testing of Assets;
  c) Violation of applicable laws or Third Party rights; or
  d) Misuse of the Platform or integration with Third Party platforms.

14. Security

14.1 Access Control

The Company implements role-based access control within the Platform to ensure that only authorized Users can access specific data and functionalities according to their assigned roles. This mechanism allows organizations to keep stakeholders appropriately informed while preventing unauthorized access to sensitive or irrelevant information.

14.2 Infrastructure

The Platform is hosted on the Company’s own infrastructure located in Bulgaria. All data is stored and processed locally on servers maintained and secured by the Company. No Third-Party cloud providers are used for hosting, ensuring full control over data handling and residency.

15. Third-Parties

15.1 Integrations

The Platform may integrate with Third Party platforms and services such as Qualys, BurpSuite, Jira, Rapid7, Nessus, Wazuh, and Google Gemini among others. These integrations are provided to enhance the functionality of the Platform and improve the user experience.

15.2 Third Party Terms

All Third Party platforms are operated independently of the Company and are subject to their own terms of use, privacy policies, and service agreements. The Company does not control and is not responsible for the content, functionality, or availability of these services.

15.3 No Guarantees

The Company makes no representations or warranties regarding the continued availability, performance, or compatibility of any Third Party integration. Integrations may be modified, suspended, or discontinued at any time without notice.

15.4 Liability Exclusion

The Company shall not be liable for any issues arising from the use of Third Party services, including but not limited to service interruptions, data loss, security incidents, or errors introduced via the integration. Users acknowledge and accept the risks associated with the use of such Third Party platforms.

15.5 User Responsibility

Users are solely responsible for ensuring that their use of Third Party services is in compliance with the respective terms, licenses, and policies of those service providers. The Company is not responsible for any breach of Third Party terms resulting from user activity.

16. Data Collection

16.1 Data Retention

The Company retains access to scan reports, associated user information, and vulnerability data generated through the platform. This information is securely hosted on the Company’s internal system to support platform functionality, product improvement, and customer support.

16.2 Data Review

Users acknowledge that the Company may review scan results and vulnerability data for quality assurance, debugging, analytics, and development of features or improvements.

16.3 Data Deletion

In the event that a user account is deleted, or upon explicit request for data removal, the Company will delete or anonymize all associated personal and organizational identifiers from the scan data.

16.4 Anonymized Data

Anonymized data may be retained indefinitely and used for internal purposes such as trend analysis, machine learning model training, benchmarking, and usage statistics.

16.5 Third Party Sharing

No identifiable customer data will be shared with Third Parties without explicit consent.

17. Personal Data

17.1 Data Input

During use of the Platform, Users may input personal data (e.g., names, roles, or contact details) as part of vulnerability reports, task assignments, or internal workflows.

Users are responsible for ensuring they have the necessary legal rights and consents to share personal data within the Platform. This includes data about employees, contractors, or other individuals from their organization.

17.3 Processing Purpose

The Company processes such data solely for the purpose of enabling Platform functionality, including vulnerability tracking, task management, and User collaboration.

17.4 Data Retention

Personal data will be stored securely and retained only as long as necessary to fulfill its purpose or as required by applicable law. Users may request deletion or anonymization of their personal data at any time by contacting the Company. Such requests will be honored to the extent permitted by applicable law and where technically feasible, taking into account the Company’s legal, security, and operational obligations.

17.5 Privacy Notice

The use of the Platform is also governed by the Privacy Notice, which explains how personal data is collected, processed, and protected in more detail.

18. Additional Services

18.1 Standalone Platform

The Platform is offered as a standalone software solution. The Company does not provide security consulting, advisory, or implementation services as part of the Platform offering.

18.2 Separate Agreements

Users seeking consulting, advisory, or implementation support must enter into a separate agreement and purchase such services from the Company.

18.3 No Professional Relationship

Use of the Platform alone does not create any client-consultant, fiduciary, or professional services relationship between the User and the Company.

19. Termination

19.1 Termination Grounds

The Company may suspend or terminate a User’s access to the Platform at any time, with or without prior notice, if:

  a) the User breaches these Terms or engages in unlawful, unauthorized, or harmful use of the Platform;
  b) such suspension or termination is required by law or a competent authority; or
  c) the Company discontinues the provision of free Tokens or ceases offering the Platform.

19.2 Post-Termination

Upon termination, the User must immediately stop all use of the Platform. The Company may delete or anonymize any User data associated with the account, unless retention is required to comply with applicable legal obligations.

20. Miscellaneous

20.1 Amendments

The Company reserves the right to modify, amend, or update these Terms at any time. Continued use of the Platform after such changes constitutes acceptance of the updated Terms. Users may be notified of significant changes via email or through the Platform interface.

20.2 Severability

If any provision of these Terms is found to be invalid, illegal, or unenforceable by a competent court, the remaining provisions shall remain in full force and effect.

20.3 Survival

Any provisions of these Terms which by their nature are intended to survive termination, including but not limited to those relating to data ownership, limitations of liability, dispute resolution, and post-termination obligations, shall continue to apply in accordance with their terms.

20.4 Confidentiality

During the course of using the Platform, Users may gain access to non-public, confidential, or proprietary information of the Company. Users agree not to disclose, use, or exploit any such confidential information for any purpose other than as necessary to use the Platform in accordance with these Terms.

20.5 Privacy Notice

The use of the Platform is also governed by the Platform’s Privacy Notice which explains how personal data is collected, processed, and protected. In the event of any conflict between these Terms and the Privacy Notice, these Terms shall prevail with respect to the use of the Platform, unless otherwise stated.

20.6 Force Majeure

Neither party shall be liable for any failure or delay in performance due to causes beyond their reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, strikes, or governmental actions.

20.7 Marketing Use

Users agree that the Company may use their company name and logo for marketing or promotional purposes unless the User expressly opts out in writing.

20.8 Governing Law

These Terms shall be governed by and construed in accordance with the laws of Bulgaria. Any disputes arising from or related to these Terms shall be subject to the exclusive jurisdiction of the courts located in Sofia, Bulgaria.

20.9 Contact Information

For support, legal inquiries, or other communications, Users may contact the Company at [email protected]