"Customer" means the individual or entity that submits a domain to Ghost, initiates a scan, accepts this Addendum, accesses a Ghost Report, and, where applicable, completes payment for a paid scan. If Customer uses Ghost on behalf of an organization, Customer represents and warrants that Customer has full legal authority to bind that organization to this Addendum and the Terms of Service.
"Submitted Asset" means the submitted domain name and the publicly reachable web resources, DNS records, redirects, subdomains, CDN endpoints, hosting endpoints, JavaScript files, HTTP resources, certificate transparency records, and related technical infrastructure that are returned by, served from, linked by, redirected from, or otherwise publicly associated with the submitted domain during normal public operation, including subdomains identified through DNS queries, certificate-transparency lookups, or common-prefix enumeration conducted as part of the scan. Submitted Asset does not include third-party systems except to the extent such systems are publicly reachable from or publicly associated with the submitted domain and are only observed, requested, queried, or minimally tested as necessary to complete the scan. Customer is solely responsible for ensuring that its agreements with hosting providers, CDN providers, managed service providers, SaaS providers, and other third-party service providers permit the requested scan activity.
"Ghost Report" or "Report" means any scored security analysis, finding, recommendation, summary, dashboard, PDF, JSON output, downloadable file, web-based report, emailed report, screenshot, export, or other output generated by Ghost following scan completion.
"Scan" means the automated technical assessment of the Submitted Asset performed by Ghost on behalf of Customer.
"Quick Scan" means the no-charge scan tier described in Section 3.
"Paid Scan" or "Full Audit" means the paid scan tier described in Section 3.
"Security Finding" means an automated observation, risk indicator, configuration issue, informational item, potential exposure, potential vulnerability, or other output generated by Ghost.
"Applicable Terms" means this Addendum, the Terms of Service, the Privacy Policy, and any additional terms, notices, acknowledgments, or disclosures presented to Customer in connection with Ghost.
Ghost is an automated website security scanning product that analyzes publicly accessible infrastructure associated with a Submitted Asset. Ghost performs automated checks against publicly reachable endpoints and generates a scored Report identifying potential security findings, configurations, exposures, and informational observations.
Ghost, as a self-service automated product, is not a substitute for a professional security assessment, penetration test, managed security service, incident response engagement, forensic investigation, breach-response service, legal assessment, compliance audit, insurance assessment, regulatory assessment, or cybersecurity advisory engagement. Ghost Reports are informational only. They do not constitute legal, compliance, financial, insurance, regulatory, or professional cybersecurity advice.
Ghost does not guarantee that it will detect all vulnerabilities, misconfigurations, exposures, threats, weaknesses, security issues, breach indicators, compliance gaps, or risks affecting the Submitted Asset. Ghost Reports reflect point-in-time observations based on publicly available responses at or near the time of scan. Findings may change immediately after the scan due to configuration changes, DNS propagation, CDN behavior, third-party service changes, deployment activity, patching, access-control changes, attacker activity, provider outages, caching, routing, geolocation behavior, or other internal or external conditions.
Ghost does not provide continuous monitoring unless separately purchased under separate terms. As of the Effective Date, paid scans are sold as one-time purchases unless otherwise stated at checkout. Customer must be at least eighteen (18) years old and legally capable of entering into a binding agreement.
Quick Scan performs limited, non-authenticated, non-exploitative public-surface checks against the Submitted Asset. These checks are designed to avoid exploit attempts, authentication bypass, sensitive path probing, port sweeping, payload injection, brute forcing, credential testing, directory brute forcing, recursive crawling, denial-of-service testing, destructive testing, or modification of systems. Quick Scan may still involve DNS queries, TCP handshakes, TLS handshakes, and HTTP requests to publicly reachable endpoints.
Quick Scan may include the following modules: SSL/TLS certificate analysis; HTTP security header inspection; DNS record analysis; and email security record analysis, including SPF, DKIM, and DMARC.
A Paid Scan, also referred to as a Full Audit, is sold as a one-time purchase at the price displayed at checkout. A Paid Scan constitutes active automated security testing and may perform all Quick Scan modules plus additional modules, which may include:
Not all modules may produce results for every Submitted Asset. A module may be skipped, limited, fail, time out, or return no finding due to target configuration, safety controls, provider limitations, network conditions, third-party outages, bot protection, WAF behavior, rate limiting, CDN behavior, lack of applicable data, legal restrictions, provider restrictions, or other technical or operational conditions.
Customer may only submit a domain to Ghost that Customer owns or for which Customer has received explicit written authorization from the appropriate owner or operator to conduct automated security scanning. Customer represents and warrants that Customer has full legal authority to authorize ALCE to perform the Ghost Scan against the Submitted Asset and any publicly reachable systems, redirects, subdomains, CDN endpoints, hosting infrastructure, or related third-party services that respond as part of the Submitted Asset's normal public operation.
Customer specifically represents and warrants that:
Customer agrees to indemnify, defend, and hold harmless ALCE Consulting LLC and its members, officers, managers, employees, contractors, agents, affiliates, representatives, successors, and assigns from and against any and all claims, liabilities, damages, fines, penalties, losses, judgments, settlements, costs, and expenses, including reasonable attorneys' fees, arising out of or related to: Customer's submission of any domain Customer did not have legal authority to scan; Customer's violation of any applicable law, regulation, contract, policy, or third-party right in connection with Ghost; any third-party claim arising from Customer's initiation of a Scan; Customer's disclosure, publication, misuse, or distribution of a Ghost Report; or Customer's breach of this Addendum, the Terms of Service, the Privacy Policy, or any Applicable Terms.
Unauthorized scanning is illegal. ALCE reserves the right to immediately terminate access to Ghost, preserve associated logs and records, refuse future service, report suspected unauthorized scanning activity to appropriate authorities, notify affected providers, respond to abuse complaints, and cooperate with legal process.
Ghost scans only publicly accessible infrastructure comprising the Submitted Asset. Ghost does not attempt to bypass authentication, access password-protected resources, defeat access controls, inject code, execute exploits, modify data, brute force credentials, conduct credential stuffing, perform denial-of-service testing, access non-public systems, or intentionally access private systems.
Ghost is designed to reject scan requests resolving to private, loopback, link-local, reserved, internal, and non-public IP address ranges. This rejection is applied independently at both submission time and scan initiation, closing the window between submission and execution.
During a Paid Scan, Ghost may perform active technical actions including: TCP connection probes to a limited set of common ports; HTTP GET requests to public endpoints; HTTP GET requests to a limited, predefined set of public file paths commonly associated with accidental exposure; DNS queries for multiple record types; enumeration of common subdomain prefixes via DNS queries; queries to public certificate transparency resources; HTTP requests using synthetic headers to evaluate CORS policy behavior; review of publicly available breach-related metadata sources; redirect chain analysis; review of robots.txt; cookie and header inspection; technology fingerprinting with CVE cross-reference; third-party script risk assessment; API documentation endpoint exposure checks; DNS resolution checks against common typosquat domain variants; HTTP path checks for common administrative interface paths; and analysis of publicly reachable login page characteristics.
Ghost uses limited, predefined public path checks and does not perform recursive crawling, directory brute forcing, fuzzing, payload injection, exploit execution, malware execution, password guessing, authentication testing, account takeover testing, social engineering, phishing, spam, denial-of-service testing, destructive testing, or persistence testing.
Ghost's product design is to avoid using, storing, validating, exploiting, or displaying full sensitive response-body contents, full secrets, full credentials, private keys, tokens, or session identifiers from scans. Where a finding is needed to identify a potential exposure, Ghost displays only redacted, truncated, hashed, masked, or summarized indicators. All network requests are made from ALCE infrastructure. Ghost does not use Customer's local network or IP address to conduct scanning.
Customer acknowledges that even limited automated security testing may trigger security controls, rate limits, logging systems, abuse-detection systems, web application firewalls, intrusion detection systems, intrusion prevention systems, hosting-provider alerts, CDN protections, bot protections, monitoring tools, security operations alerts, third-party notifications, provider abuse complaints, account reviews, temporary blocks, false-positive alerts, or other defensive responses on or associated with the Submitted Asset.
Customer assumes all risk associated with authorizing Ghost to scan the Submitted Asset. Customer is solely responsible for ensuring that the scan is permitted by Customer's hosting provider, CDN provider, managed service provider, security vendor, domain registrar, DNS provider, platform provider, SaaS provider, employer, customer, internal policies, third-party contracts, bug bounty rules, and all applicable laws.
Scan results may be limited, delayed, incomplete, unavailable, inaccurate, or affected by DNS failures, hosting-provider restrictions, CDN behavior, WAF rules, rate limits, robots policies, network errors, third-party outages, target downtime, redirects, geolocation restrictions, bot protections, CAPTCHAs, anti-abuse systems, caching behavior, temporary configuration states, provider restrictions, or other conditions outside ALCE's control. ALCE is not liable for scan failures, incomplete results, delayed results, false positives, false negatives, missed findings, unavailable modules, blocked requests, limited results, or inaccurate findings arising from such conditions.
Customer shall not use Ghost to:
ALCE reserves the right to refuse to scan, or to manually review, any domain associated with government, military, healthcare, financial services, education, critical infrastructure, emergency services, public safety, high-risk platforms, high-profile targets, suspected abuse, suspected impersonation, suspected fraud, or domains that ALCE determines in its sole discretion present elevated legal, operational, security, reputational, or abuse risk. Suspected unauthorized scan activity may be reported to abuse@alceconsulting.tech.
ALCE uses third-party service providers to operate Ghost. These providers may process Customer data on ALCE's behalf subject to their applicable terms, privacy policies, security practices, and ALCE's vendor relationship with those providers. Customer acknowledges and consents to the transmission, processing, and storage of data by third-party providers as necessary to operate Ghost, process payment, deliver Reports, prevent abuse, maintain security, troubleshoot issues, and comply with legal obligations.
Stripe, Inc. or another payment processor designated by ALCE may be used for payment processing on paid scans. The submitted domain name, scan identifier, payment amount, and related transaction metadata may be transmitted to the payment processor as session metadata or payment metadata. The payment processor's applicable terms and privacy policy govern its handling of payment information. ALCE does not store full payment card information.
SendGrid, Twilio, or another email delivery provider designated by ALCE may be used for email delivery of Ghost Reports, report notifications, scan status updates, waitlist communications, and transactional messages. If Customer provides an email address, Customer consents to delivery of Ghost-related communications to that email address. The submitted domain name, scan score, grade, summary information, Report content, report link, or other Ghost-related information may be transmitted to the email delivery provider for delivery. Customer acknowledges that email delivery involves transmission through third-party email infrastructure and may not be encrypted end-to-end. Customer is solely responsible for ensuring the email address submitted is accurate, secure, monitored, and authorized to receive the Report.
Ghost may query public certificate transparency resources, including crt.sh or similar services, to identify publicly logged subdomains associated with the Submitted Asset. The submitted domain query may be transmitted to such services. Other than the submitted domain query itself, ALCE does not intentionally transmit Customer contact information, payment information, Report content, or scan results to certificate transparency services.
Ghost may compare the submitted domain against breach-related metadata sources that ALCE is authorized to use, including HaveIBeenPwned where permitted by applicable terms. Ghost does not attempt to access private breach records, expose individual breached account details, validate credentials, or determine whether any specific person's credentials have been compromised unless expressly disclosed in the applicable scan flow. Where implemented, Ghost performs matching locally on ALCE infrastructure. The submitted domain name is not transmitted to HaveIBeenPwned for local matching.
Supabase or another infrastructure or database provider designated by ALCE may be used for data storage throughout the scan lifecycle. Scan job records, domain names, email addresses, scan metadata, authorization records, scan results, and Report content may be stored in Supabase-hosted infrastructure or other infrastructure used by ALCE to operate Ghost.
Redis or another message broker or task queue provider designated by ALCE may be used for Ghost scan processing, background job execution, retry handling, progress updates, and related operational workflows. Scan task payloads, including scan identifier, submitted domain, scan tier, and related processing metadata, may be transmitted to Redis for task queue management. Redis task records are short-lived and managed through Redis time-to-live settings or other queue lifecycle controls. Redis is not used as ALCE's primary system of record for Customer Data, scan results, or Report content.
ALCE may use hosting providers, cloud providers, DNS providers, logging tools, analytics tools, error-monitoring tools, security tools, email systems, payment systems, and other operational providers to run, secure, monitor, debug, improve, and protect Ghost. ALCE uses commercially reasonable administrative, technical, and organizational safeguards designed to protect Ghost scan records and Reports during the limited period they are retained. No system, transmission, storage mechanism, or security control can be guaranteed completely secure.
Customer acknowledges that Ghost is offered as a low-cost, automated, self-service product and is not designed for storing highly sensitive, regulated, classified, export-controlled, protected health, financial account, payment card, or mission-critical data. ALCE's safeguards are calibrated to the nature, scope, cost, and intended use of Ghost and are not equivalent to safeguards required for enterprise managed security services, regulated data environments, classified systems, or high-sensitivity data processing.
Paid scans are sold as one-time purchases unless otherwise stated at checkout. No recurring charges are initiated for a paid scan unless Customer separately purchases a subscription, continuous monitoring plan, managed service, or other recurring service under separate terms.
Customer agrees to pay the price displayed at checkout for the selected scan or service. Prices may change from time to time, but pricing changes do not affect scans already purchased and initiated. Prices are exclusive of applicable taxes unless stated otherwise. Customer is responsible for all applicable taxes, duties, governmental charges, and similar assessments, excluding taxes based on ALCE's income.
Payment is processed by Stripe or another payment processor designated by ALCE. ALCE does not store full payment card information. Scan execution may be initiated upon confirmation of successful payment. ALCE is not responsible for delays, failures, duplicate attempts, abandoned sessions, authorization holds, processor errors, bank declines, fraud reviews, payment interruptions, payment reversals, or payment disputes caused by Stripe, Customer's financial institution, payment networks, or other third parties.
ALCE may suspend Report delivery, future scans, or access to Ghost where payment is declined, reversed, charged back, suspected fraudulent, subject to dispute, or otherwise not successfully completed. Customer remains responsible for charges incurred for scans initiated using Customer's payment method, except where prohibited by applicable law.
Completed scans are non-refundable. A scan is considered complete when the scan engine has finished processing and a Report has been generated, regardless of whether the Report was successfully delivered by email, provided ALCE makes commercially reasonable efforts to make the Report available through redelivery, alternative delivery, secure link, download, or another reasonable delivery method. Failure of email delivery does not by itself make a completed scan refundable.
If payment is successfully processed and ALCE determines that a scan failed to complete due to a technical error within ALCE's control, Customer may contact support@alceconsulting.tech to request resolution. Refunds or complimentary rescans are issued at ALCE's reasonable discretion.
ALCE does not issue refunds for: completed scans; findings that do not meet Customer's expectations; domains that return limited findings due to their existing security posture; scan results affected by WAFs, CDNs, bot protections, DNS failures, rate limits, third-party outages, network conditions, or other conditions outside ALCE's control; Customer error in domain submission; Customer failure to provide an accurate or accessible email address; Customer failure to download a Report before deletion; Customer failure to complete requested verification; Customer's lack of authorization to scan the submitted domain; payment disputes, chargebacks, suspected fraud, or payment reversals; Customer's violation of this Addendum, the Terms of Service, or any Applicable Terms; or any other reason where ALCE determines the scan was completed or the failure was outside ALCE's reasonable control. This Refund Policy does not limit any non-waivable consumer rights that may apply under applicable law.
Ghost is designed to retain production scan records only for the limited operational period necessary to process, deliver, troubleshoot, retry, secure, verify, or support Report delivery.
Scan job records, including the full Report, are retained in Ghost's active production database for up to seven (7) days following confirmed email delivery or scan completion, after which they are automatically deleted from active production systems, unless a longer retention period is required or reasonably necessary for troubleshooting, security, abuse prevention, fraud prevention, payment disputes, legal compliance, dispute resolution, enforcement, or claim defense.
Scan job records are retained in Ghost's active production database for up to seven (7) days following scan completion, after which they are automatically deleted from active production systems, unless a longer retention period is required or reasonably necessary for the purposes described above.
Abandoned scans, pending scans, or scans where no payment is confirmed may be deleted after twenty-four (24) hours from initiation or at another interval reasonably determined by ALCE based on operational, security, fraud-prevention, or payment-processing needs.
Ghost scan records where email delivery has failed are deleted after forty-eight (48) hours from initiation, unless longer retention is required or reasonably necessary for troubleshooting, alternative delivery, security, abuse prevention, fraud prevention, payment disputes, provider complaints, legal compliance, dispute resolution, enforcement, or claim defense.
Email addresses submitted to a Ghost waitlist are retained for up to three hundred sixty-five (365) days, until Customer requests removal, or until ALCE no longer needs the information for the waitlist purpose, whichever occurs first. To request removal, contact privacy@alceconsulting.tech.
Ghost does not maintain a separate active archive of scan Reports unless expressly disclosed. The scan job record and the Report may be the same production database record. Deletion of the scan job record constitutes deletion of the Report from Ghost's active production database. Customer acknowledges that Ghost Reports are retained for up to seven (7) days following delivery or scan completion and may not be recoverable after deletion. Customer is responsible for downloading, saving, and securely storing the Report promptly after delivery or access.
Deletion of the scan job record removes the active Report from Ghost's production database. Residual copies or related metadata may persist for a limited period in encrypted backups, security logs, provider logs, transactional email records, payment metadata, error logs, debugging logs, abuse-prevention records, analytics records, disaster-recovery systems, or other operational systems maintained by ALCE or its service providers. Such residual records are deleted, overwritten, anonymized, or retained according to the applicable retention cycles for those systems. ALCE does not use residual backup or log data to recreate Reports for ordinary business purposes.
ALCE may disclose scan metadata, authorization records, payment records, Customer-submitted information, Report-related information, and related logs where ALCE believes disclosure is required or appropriate to comply with law, legal process, governmental request, platform abuse reporting, provider request, payment processor request, security investigation, or to protect ALCE, customers, third parties, or the public. Privacy requests may be submitted by contacting privacy@alceconsulting.tech.
Ghost Reports may contain sensitive security information regarding the Submitted Asset, including identified vulnerabilities, potential exposures, exposed paths, technology fingerprints, subdomain records, configuration issues, scores, grades, and related findings. Customer agrees to protect Reports from unauthorized disclosure.
Customer shall not publish, post, distribute, sell, leak, publicly disclose, or share Reports except with employees, contractors, service providers, insurers, auditors, attorneys, advisors, hosting providers, developers, security vendors, or other representatives who have a legitimate need to know and are bound by appropriate confidentiality obligations, professional duties, or comparable restrictions. Customer assumes all risk arising from disclosure, publication, distribution, forwarding, storage, or misuse of a Ghost Report.
ALCE will treat non-public Ghost Reports as Customer confidential information during the period they are retained, except as necessary to operate Ghost, deliver the Report, use service providers, process payment, prevent abuse, investigate misuse, improve security, comply with law, respond to legal process, enforce terms, or defend against claims. No method of transmission, processing, or storage is completely secure.
Subject to Customer's compliance with this Addendum and the Terms of Service, ALCE grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right to use a delivered Ghost Report for Customer's internal security review, remediation planning, vendor coordination, insurance documentation support, audit-support, and compliance-support purposes, provided Customer remains solely responsible for determining whether the Report satisfies any insurer, auditor, regulator, customer, vendor, or other third-party requirement.
Customer may share the Report with employees, contractors, service providers, insurers, auditors, attorneys, advisors, hosting providers, developers, security vendors, or other representatives who have a legitimate need to know, provided Customer remains responsible for such sharing and protects the Report from unauthorized disclosure.
Customer may not represent that a Ghost Report constitutes a certification, attestation, audit opinion, penetration test result, compliance approval, regulatory approval, insurance approval, endorsement, guarantee, or validation by ALCE of Customer's security posture. Customer may not use a Ghost Report in a misleading, deceptive, defamatory, coercive, extortionate, commercially disparaging, unlawful, or harmful manner.
ALCE retains all right, title, and interest in and to Ghost, the scan engine, software, workflows, scoring methodology, templates, report formats, user interface, documentation, business processes, technical methods, and all related intellectual property. Customer retains rights to Customer-submitted information. Customer receives only the limited right to use the Report as described in this Addendum.
Customer is solely responsible for:
ALCE may be unable to recover, regenerate, or redeliver deleted Reports after the applicable retention period expires.
Ghost findings are automated observations and risk indicators only. They are not admissions, legal conclusions, compliance determinations, audit opinions, forensic conclusions, or definitive proof of negligence, compromise, exploitability, regulatory violation, or security failure by Customer or any third party. Ghost does not validate exploitability unless expressly stated. The presence of a finding does not mean the issue is exploitable, reachable by attackers, practically impactful, unpatched, or legally significant. Customer must independently validate all findings before relying on them, making business decisions, notifying third parties, or taking remediation action.
Scores, grades, and severity labels are automated prioritization aids only. They are not guarantees of security posture, breach likelihood, exploitability, business risk, regulatory compliance, insurance eligibility, operational resilience, or absence of security issues. A high score does not mean the Submitted Asset is secure, compliant, breach-proof, properly configured, or free of vulnerabilities. A low score does not mean the Submitted Asset is compromised, exploitable, negligent, noncompliant, or legally deficient.
CVE references are generated from automated technology and version-detection indicators and may be incomplete, outdated, or inaccurate. A CVE reference does not mean the Submitted Asset is exploitable, affected, unpatched, vulnerable, reachable, or practically at risk. Customer must independently validate all CVE-related findings before relying on them.
Third-party script findings are based on automated indicators such as script source, domain reputation signals, permissions, loading behavior, public metadata, and common risk patterns. Such findings are not a determination that any third-party provider is malicious, negligent, compromised, unsafe, unlawful, or legally noncompliant. Customer is responsible for independently validating any third-party script finding before taking action or making claims to others.
Breach metadata findings are based on available data sources and matching logic. Such findings may be incomplete, outdated, inaccurate, or limited by provider availability, licensing restrictions, or data-source limitations. A breach-related finding does not prove that Customer is currently compromised, that any specific person's credentials are exposed, that any account remains vulnerable, or that any legal notification obligation exists.
Technology fingerprinting may be inaccurate or incomplete. Ghost may infer technologies based on headers, scripts, cookies, public metadata, HTML patterns, response behavior, or other indicators. Customer must independently validate technology and version information before relying on it.
Any remediation guidance provided by Ghost is general informational guidance only and may not apply to Customer's specific hosting provider, platform, architecture, application code, business requirements, compliance obligations, risk tolerance, or operational environment. ALCE is not responsible for implementing, validating, monitoring, retesting, or confirming remediation of any finding identified in a Ghost Report.
Any custom remediation, advisory support, implementation assistance, consultation, retesting, validation, fix guidance, or professional service is outside the scope of Ghost unless separately purchased and governed by a separate written statement of work, service agreement, or other written agreement signed or accepted by Customer and ALCE. Ghost is not an emergency incident response, managed detection, continuous monitoring, forensic investigation, breach-response, threat-hunting, malware-analysis, or containment service.
ALCE may modify, suspend, discontinue, replace, or update Ghost features, modules, scan methods, third-party providers, pricing, report formats, security controls, abuse controls, availability, or technical processes at any time. Certain Ghost features may be released as beta, preview, experimental, or early-access features and may be modified, suspended, discontinued, or removed at any time.
Ghost may be unavailable, delayed, interrupted, or degraded due to maintenance, security events, provider outages, infrastructure failures, payment processor failures, email provider failures, abuse prevention, legal review, manual review, high-risk domain review, technical errors, or circumstances outside ALCE's control. ALCE does not guarantee uninterrupted access to Ghost, continuous availability, any particular scan completion time, any particular Report delivery time, any specific result, or continued availability of any particular scan module.
Customer may not access or use Ghost in violation of U.S. export control laws, sanctions laws, anti-terrorism laws, or restrictions administered by applicable governmental authorities. Customer represents and warrants that Customer is not located in, organized under the laws of, ordinarily resident in, or acting on behalf of any jurisdiction, entity, or person subject to sanctions, embargoes, denied-party restrictions, or other legal restrictions that would prohibit use of Ghost. Customer may not use Ghost for military targeting, offensive cyber operations, unlawful surveillance, unlawful intelligence gathering, or any purpose prohibited by applicable law.
Because Ghost scans are performed from ALCE infrastructure, third parties may contact ALCE regarding scan traffic, logs, provider alerts, or suspected unauthorized scanning. Customer authorizes ALCE to use and disclose limited scan metadata, authorization records, payment records, submitted domain information, submitted email information, timestamps, IP addresses, user agents, accepted terms versions, and related logs as reasonably necessary to investigate, respond to, or defend against abuse complaints, provider complaints, legal requests, chargebacks, fraud claims, unauthorized-scan allegations, or third-party disputes.
ALCE may suspend or terminate access to Ghost, withhold Reports, preserve records, cancel scans, issue refunds, refuse future service, or cooperate with providers, authorities, or legal process where ALCE reasonably believes such action is necessary to protect ALCE, customers, third parties, infrastructure, or the public.
Nothing in this Addendum limits ALCE's liability under the Texas Deceptive Trade Practices Act or any other applicable consumer protection law to the extent such liability cannot be waived, disclaimed, capped, or limited under applicable law. Customer acknowledges that Ghost is offered at a low-cost or no-cost price point based on the disclaimers, limitations of liability, risk allocations, and Customer responsibilities stated in this Addendum.
This Addendum is governed by the Terms of Service, including all provisions relating to dispute resolution, arbitration, class-action waiver, governing law, venue, limitation of liability, disclaimers, acceptable use, and termination. If Customer has entered into a separate written agreement with ALCE that expressly governs Ghost, that agreement controls to the extent of any conflict.
Any enterprise agreement, statement of work, managed service agreement, consulting agreement, data processing agreement, security assessment agreement, or custom security engagement must be separately signed or accepted by ALCE to modify this Addendum. No purchase order, vendor form, procurement term, security questionnaire, email, ticket, chat message, oral statement, or other Customer document modifies this Addendum unless expressly agreed in writing by ALCE.
Customer must accept or be presented with the Terms of Service, Privacy Policy, and this Addendum prior to initiating any scan, purchasing a paid scan, accessing a Report, or otherwise using Ghost. Customer's acceptance may be logged or retained with a timestamp, IP address, user agent, submitted domain, submitted email address, scan type, payment session, authorization acknowledgment, terms acceptance, and applicable terms version.
ALCE may present one or more customer-facing acknowledgments during scan initiation, checkout, report delivery, or other Ghost workflows. Customer's use of Ghost after being presented with such acknowledgments constitutes acceptance of the applicable terms. Such acknowledgments may include, without limitation: general authorization acknowledgment; paid scan active testing acknowledgment; report delivery acknowledgment; refund and retention acknowledgment; and high-risk domain acknowledgment. The exact acknowledgments presented may vary based on scan type, payment status, risk level, delivery method, domain category, and operational requirements.
ALCE may update this Addendum from time to time. Updated terms apply to scans initiated after the updated terms are posted, displayed, or accepted. Material changes do not retroactively apply to scans already completed unless required by law or expressly agreed by Customer and ALCE. ALCE may require Customer to accept an updated Addendum before initiating a new scan, purchasing a new paid scan, accessing new features, or continuing to use Ghost services. The version of this Addendum presented, posted, displayed, or accepted at the time of scan initiation, checkout, report access, or report delivery governs the applicable scan.
ALCE may update designated contact addresses from time to time. Customer is responsible for using the current contact address provided by ALCE on its website, Terms of Service, Privacy Policy, checkout flow, or other official communication channel.