The following terms apply in addition to the definitions set forth in the Terms of Service and Ghost Product Addendum. In the event of a conflict between definitions in this Addendum and the Ghost Product Addendum, this Addendum controls solely with respect to Optimus.
"Optimus" means the ALCE enterprise security monitoring and vendor supply chain security assessment platform accessible at optimus.alceconsulting.tech and any associated APIs, dashboards, monitoring workflows, vendor invite workflows, CVE intelligence features, and related enterprise functionality.
"Enterprise Client" means an organization or individual that subscribes to Optimus, establishes an enterprise account, configures an Authorized Domain Scope, and may initiate monitoring workflows, vendor invite flows, and CVE intelligence features within Optimus.
"Vendor" means a third party invited by an Enterprise Client through a Vendor Invite to authorize and submit a Designated Domain for scanning through the Optimus vendor supply chain security pipeline. A Vendor's access is strictly limited to the Designated Domain established by the Enterprise Client and cannot be modified by the Vendor.
"Vendor Invite" means a unique, single-use, 48-character hexadecimal token-based invitation link generated by the Optimus platform that authorizes a specific Vendor to submit a specific Designated Domain for scanning. Each Vendor Invite is associated with one Designated Domain, is valid only while its status is pending, and is permanently consumed upon Vendor acceptance and scan initiation.
"Designated Domain" means the specific domain assigned to a Vendor Invite by the Enterprise Client at the time of invite creation. The Designated Domain is immutable once set and may include publicly reachable subdomains under the same registrable domain. A Designated Domain does not include unrelated third-party domains, third-party SaaS platforms, internal networks, private IP ranges, authenticated systems, or systems outside the expressly designated scope.
"Authorized Domain Scope" or "ACL" means the set of domains authorized for scanning within Optimus, including Enterprise Client-owned domains that have completed DNS ownership verification and Designated Domains locked to Vendor Invites. The Authorized Domain Scope is enforced server-side and cannot be modified or overridden by Enterprise Clients or Vendors through the platform.
"DNS Verification Token" means the unique DNS TXT record value generated by Optimus for each Enterprise Client domain submission, which the Enterprise Client must publish in their domain's DNS configuration to verify ownership and authorize monitoring.
"Monitoring Domain" means an Enterprise Client-owned domain that has completed DNS ownership verification and been added to the Enterprise Client's continuous monitoring program within Optimus.
"Vendor Consent Records" means the separate, dedicated records generated at the moment of Vendor acceptance of a Vendor Invite, stored independently of scan job records, and including without limitation: timestamp of acceptance, IP address of the accepting device, user agent, session identifier, Vendor email address, Designated Domain accepted, Vendor Invite identifier, authorization acknowledgment status, report-sharing acknowledgment status, the version of the Terms of Service accepted, the version of this Addendum accepted, and the version of the Ghost Product Addendum accepted. Each version is recorded in a separate dedicated field within the Vendor Consent Record.
"CVE Intelligence" means the automated daily cross-reference of technology stack indicators detected during scans against ALCE's internal CVE database, generating CVE alerts for active Enterprise Client accounts.
"Subscription Plan" means the selected Optimus pricing tier -- Standard, Professional, or Unlimited -- governing access, domain limits, vendor invite limits, scan frequency, and associated features.
Optimus is an enterprise-tier security monitoring and vendor supply chain security assessment platform. Optimus provides three core functions:
(a) Own-Domain Continuous Monitoring. Enterprise Clients may add their own domains to Optimus for automated, scheduled security scanning and ongoing monitoring. Ownership of each domain must be verified through a DNS TXT record verification process before monitoring is enabled. Once verified, Optimus runs automated full-scope security scans on a monthly schedule and performs daily CVE intelligence cross-referencing against detected technology stacks.
(b) Vendor Supply Chain Security Assessment. Enterprise Clients may generate single-use, token-based invite links for specific third-party vendors, partners, suppliers, or other organizations. Each invite link is associated with a single Designated Domain selected by the Enterprise Client. The invited Vendor accepts the invite, provides the required acknowledgments, and authorizes the scan. Optimus enforces domain scope at the server level -- a Vendor cannot scan any domain other than the pre-designated Designated Domain.
(c) CVE Intelligence and Alerting. Optimus performs daily automated cross-referencing of technology stack fingerprints detected during scans against an internal CVE database maintained by ALCE. New CVE matches generate alert records and email notifications to Enterprise Clients. Previously identified CVEs that remain present are re-opened automatically. No technology stack data, domain data, or user data is transmitted to external CVE data providers as part of this process.
Optimus is built on the same scanning infrastructure as Ghost and uses Ghost-powered full-scope scans for all scan activity within the platform. Optimus is not a penetration testing service, managed security service, incident response service, security operations center, forensic investigation service, compliance audit service, legal assessment service, or real-time threat monitoring service. Optimus Reports and findings are informational only and do not constitute legal, compliance, insurance, regulatory, or professional cybersecurity advice.
All Ghost-powered scans initiated through Optimus -- including Enterprise Client own-domain scans, scheduled monthly monitoring scans, manual scans, and Vendor invite scans -- are governed by the Ghost Product Addendum v4.1 with respect to scan scope and technical actions, authorization requirements and representations, prohibited use, customer assumption of risk, report confidentiality and data protection, report use and license and restrictions, findings and scores and automated output disclaimers, no remediation duty, and scan limitations and conditions outside ALCE's control.
This Addendum modifies and supplements the Ghost Product Addendum solely with respect to Optimus enterprise features, including subscription tiers, own-domain monitoring, DNS ownership verification, vendor invite workflows, ACL enforcement, Vendor Consent Records, CVE intelligence, enterprise data retention, and post-cancellation data deletion. Where this Addendum and the Ghost Product Addendum address the same subject matter and are irreconcilable, this Addendum controls with respect to Optimus.
Optimus is offered on a monthly recurring subscription basis. As of the Effective Date, Optimus subscription tiers include the following:
*Unlimited subject to acceptable use, technical limits, abuse-prevention controls, provider limitations, and any restrictions stated in the Terms of Service, this Addendum, or the applicable order form.
Domain limits and Vendor Invite limits are enforced at the API layer based on the Enterprise Client's active Subscription Plan. Limits are stored per enterprise account record and cannot be exceeded through normal platform operation. ALCE may adjust tier limits, pricing, features, and configurable parameters from time to time. Changes to active subscription pricing will be communicated with reasonable notice as described in the Terms of Service.
Optimus subscriptions are billed monthly on a recurring basis beginning on the date of initial subscription. Payment is processed through Stripe. Enterprise Client authorizes ALCE and its payment processor to charge the designated payment method for recurring monthly fees, applicable taxes, and other charges associated with the active Subscription Plan. Payment terms, failed payment consequences, chargeback policy, and pricing change procedures are governed by the Terms of Service.
Access to Optimus platform features, including domain monitoring, vendor invite generation, CVE alerts, dashboard access, report history, and scan history, is conditioned on an active, paid subscription in good standing. ALCE may suspend or terminate access for non-payment, failed payment, chargeback, account misuse, unauthorized scanning risk, provider complaint, legal risk, security risk, abuse risk, or violation of these Terms or any applicable addendum as described in the Terms of Service.
Enterprise Client may cancel the Optimus subscription at any time. Upon cancellation, access to the Optimus platform will continue through the end of the then-current monthly billing period. Following the end of the final billing period, Enterprise Client access, Vendor access, monitoring workflows, vendor invite flows, CVE alerting, dashboard access, and report history access will cease. Enterprise Clients are responsible for exporting or downloading any scan history, reports, or records they require before access ends. ALCE is not responsible for data loss where Enterprise Client failed to export required data before access termination.
Before enabling continuous monitoring for any domain, Optimus requires Enterprise Client to complete a two-step authorization process:
(a) Authorization Acknowledgment. Enterprise Client must accept an authorization acknowledgment confirming that they own the domain or have legal authority to authorize automated security scanning of that domain and its publicly reachable subdomains. The acknowledgment timestamp and terms version are recorded in the domain_verifications table.
(b) DNS TXT Record Verification. Optimus generates a unique DNS Verification Token for each submitted domain. Enterprise Client must publish this token as a DNS TXT record in the domain's DNS configuration. Optimus verifies that the token is present before enabling monitoring. A domain status transitions from pending to verified only upon successful DNS TXT record verification.
DNS ownership verification is a technical safeguard designed to reduce the risk of unauthorized monitoring. It does not constitute ALCE's independent legal determination that Enterprise Client has all required legal, contractual, hosting-provider, or third-party permissions to authorize scanning. Enterprise Client remains solely responsible for ensuring that monitoring is lawfully authorized for each domain added to their account.
Before initiating each scheduled monthly scan, Optimus independently re-verifies that the DNS Verification Token remains published in the domain's DNS configuration. If the token has been removed, Optimus automatically marks the domain status as removed, sends a DNS removal notification email to the Enterprise Client, and does not initiate the scan. Monitoring for that domain remains suspended until the token is republished and verification is re-confirmed. This re-verification occurs at every scheduled scan cycle and is not waivable.
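The verification lifecycle described above, as an added illustration that is not Optimus's own code: a domain is verified only once its token is found in a TXT record, and every scheduled cycle re-checks the token, suspending the domain and notifying the client if it has been removed. The resolver is injected so the example runs offline on constructed records; the TXT record format, the "failed" transition and the callback names are assumptions.

```python
"""Added illustration (not Optimus's own code) of the DNS TXT ownership
workflow: verify before enabling monitoring, then re-verify before every
scheduled scan. The resolver is injected so the example runs offline on
constructed records; the TXT record format, the 'failed' transition and the
callback names are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable

TXT_PREFIX = "optimus-verify="  # assumed record format


@dataclass
class DomainRecord:
    domain: str
    token: str
    status: str = "pending"  # pending | failed | verified | removed
    events: list[str] = field(default_factory=list)


def submit_domain(domain: str) -> DomainRecord:
    """Create a pending record with a fresh, unguessable verification token."""
    return DomainRecord(domain=domain.strip().lower().rstrip("."),
                        token=secrets.token_hex(24))


def token_published(rec: DomainRecord, lookup_txt: Callable[[str], list[str]]) -> bool:
    """True only if a TXT record at the domain carries exactly our token."""
    expected = TXT_PREFIX + rec.token
    try:
        answers = lookup_txt(rec.domain)
    except LookupError:  # NXDOMAIN / SERVFAIL: treat as not published
        return False
    # Resolvers may return quoted strings; strip quotes before the exact compare.
    return any(a.strip().strip('"') == expected for a in answers)


def verify_domain(rec: DomainRecord, lookup_txt) -> bool:
    """Initial (or re-confirming) verification: success moves any status to verified."""
    if token_published(rec, lookup_txt):
        rec.status = "verified"
        rec.events.append("verified")
        return True
    if rec.status == "pending":
        rec.status = "failed"  # assumed: an unsuccessful first check marks the domain failed
    rec.events.append(f"check_failed:{rec.status}")
    return False


def run_scheduled_scan(rec: DomainRecord, lookup_txt, notify, start_scan) -> bool:
    """Monthly cycle: re-check the token; suspend and notify if it has vanished."""
    if rec.status != "verified":
        return False  # pending, failed and removed domains are never scanned
    if not token_published(rec, lookup_txt):
        rec.status = "removed"
        rec.events.append("removed")
        notify(rec.domain, "DNS verification token removed; monitoring suspended")
        return False
    start_scan(rec.domain)
    rec.events.append("scanned")
    return True


def demo() -> list[str]:
    """Walk one domain through the lifecycle against a constructed DNS zone."""
    zone: dict[str, list[str]] = {}  # constructed DNS data: name -> TXT strings
    sent: list[str] = []
    lookup = lambda name: zone.get(name, [])
    notify = lambda domain, message: sent.append(message)
    start_scan = lambda domain: None
    rec = submit_domain("Example.com.")
    verify_domain(rec, lookup)                                   # nothing published -> failed
    zone["example.com"] = ['"v=spf1 -all"', f'"{TXT_PREFIX}{rec.token}"']
    verify_domain(rec, lookup)                                   # token present -> verified
    run_scheduled_scan(rec, lookup, notify, start_scan)          # scan runs
    zone["example.com"] = ['"v=spf1 -all"']                      # operator deletes the token
    run_scheduled_scan(rec, lookup, notify, start_scan)          # marked removed, one email
    run_scheduled_scan(rec, lookup, notify, start_scan)          # still suspended, no scan
    zone["example.com"].append(f'"{TXT_PREFIX}{rec.token}"')     # token republished
    verify_domain(rec, lookup)                                   # re-confirmed -> verified
    run_scheduled_scan(rec, lookup, notify, start_scan)          # scanning resumes
    return rec.events + [f"emails:{len(sent)}"]
```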
Automated monitoring scans run on the first day of each calendar month at 7:00 AM UTC for all domains with verified status belonging to active Enterprise Client accounts. Scans are not initiated for domains with pending, failed, or removed verification status, or for accounts with a canceled, past_due, or suspended subscription status at the time of the scheduled scan cycle. Each monthly monitoring scan executes the full 21-module Ghost scan against the Monitoring Domain.
Upon scan completion, Optimus writes a summary record to the Enterprise Client's scan_history table and sends the Enterprise Client the full scan report PDF by email along with a monthly summary email. The full report JSON is retained in the scan_jobs table for up to seven (7) days following confirmed delivery, after which it is deleted from active production systems. ALCE does not guarantee uninterrupted monitoring, scan completion by any particular time, or continued availability of any particular scan module.
In addition to monthly full-scope scans, Optimus monitors SSL certificate expiry for verified Monitoring Domains using TLS handshake checks. Certificate expiry warnings are generated and delivered to Enterprise Client as the certificate approaches expiration. Certificate monitoring is automated and informational only. ALCE does not guarantee detection of all certificate issues, real-time certificate status monitoring, or alert delivery during platform outages or email delivery failures.
Optimus retains summary-level scan metadata in the scan_history table for the life of the active Enterprise Client account. Summary metadata includes domain, score, grade, critical, high, and medium finding counts, scan timestamp, and trigger type. The full scan report JSON is not stored in scan_history. Full report JSON is retained in the scan_jobs table for up to seven (7) days following confirmed delivery or scan completion, after which it is deleted from active production systems. Enterprise Clients are responsible for downloading and retaining full reports during the applicable seven-day window. ALCE is not responsible for report loss after the seven-day retention period expires.
Enterprise Clients may generate Vendor Invites through the Optimus dashboard. Each Vendor Invite is associated with a specific Designated Domain selected by the Enterprise Client at the time of invite creation. The platform generates a unique, cryptographically random 48-character hexadecimal token for each invite. The invite token is single-use. Once a Vendor accepts the invite and the scan is initiated, the invite status changes from pending to completed and the token is permanently consumed. Any subsequent attempt to use the same token returns an HTTP 400 error. Revoked invites cannot be reactivated.
The Designated Domain associated with each Vendor Invite is enforced server-side through the platform's access control list at the API layer. When a Vendor submits a domain through the vendor scan workflow, the submitted domain is validated against the allowed_domain field of the corresponding invite record using exact string matching, stripping leading www prefixes. Any submission that does not exactly match the ACL-designated domain is rejected with an HTTP 403 error and no scan is initiated. There is no mechanism through which a Vendor can modify, expand, substitute, or circumvent the Designated Domain. The ACL enforcement is not dependent on client-side controls and cannot be overridden by the Vendor.
When a Vendor accesses a Vendor Invite link, the Optimus platform presents the Vendor with the Designated Domain pre-filled and non-editable. Before the scan can be initiated, the Vendor must complete three required acknowledgments:
(a) Authorization Acknowledgment. Vendor confirms that they have legal authority to authorize automated security scanning of the Designated Domain, that such authorization covers the active technical testing described in the Ghost Product Addendum and this Addendum, and that such use complies with all applicable laws, contracts, hosting agreements, and third-party policies.
(b) Terms Acceptance. Vendor independently agrees to the ALCE Consulting LLC Terms of Service, this Addendum, and the Ghost Product Addendum. The Vendor's acceptance constitutes a separate, independent agreement between the Vendor and ALCE, distinct from the Enterprise Client's agreement with ALCE.
(c) Report-Sharing Acknowledgment. Vendor acknowledges that scan results, report summaries, scores, grades, finding counts, risk indicators, completion status, and related metadata will be made available to the Enterprise Client that initiated the invite through dashboards, email notifications, and other product workflows.
All three acknowledgments must be affirmatively completed before the platform initiates the scan. The platform does not allow partial completion or bypass of any acknowledgment.
At the moment of Vendor acceptance and scan initiation, Optimus writes a Vendor Consent Record to a dedicated database table that is separate from the scan_jobs table. The database foreign key from Vendor Consent Records to vendor invite records is configured to set the invite reference to null on invite deletion rather than cascade-delete the consent record. As a result, Vendor Consent Records are not subject to the seven-day scan job deletion schedule or the thirty-day post-cancellation enterprise account deletion schedule.
Vendor Consent Records are retained for a minimum of three (3) years from the date of acceptance, unless a longer period is required or reasonably necessary for legal compliance, fraud prevention, abuse prevention, provider complaint response, dispute resolution, enforcement, or claim defense.
Vendor Consent Records include without limitation: timestamp of acceptance, IP address of the accepting device, user agent, session identifier, Vendor email address, Designated Domain accepted, Vendor Invite identifier, authorization acknowledgment status, report-sharing acknowledgment status, the version of the ALCE Consulting LLC Terms of Service accepted, the version of this Addendum accepted, and the version of the Ghost Product Addendum accepted. Each version is recorded in a separate dedicated field within the Vendor Consent Record.
If a Vendor accepts a Vendor Invite and authorizes scanning of the Designated Domain without having legal authority to do so, the Vendor bears full responsibility for any resulting claim, damage, regulatory action, provider complaint, third-party complaint, contractual dispute, or legal consequence. ALCE's reliance on the Vendor's authorization representation is commercially reasonable given the technical controls in place, and ALCE shall not be liable for claims arising from a Vendor's false, inaccurate, incomplete, or unauthorized authorization representation to the maximum extent permitted by applicable law.
Enterprise Clients are responsible for ensuring that the Vendors they invite are appropriate parties for assessment of the Designated Domains, have legal authority to accept the scope of scanning described in this Addendum and the Ghost Product Addendum, and will comply with the Terms of Service, this Addendum, the Ghost Product Addendum, and all applicable laws. Enterprise Clients assume responsibility for Vendor conduct on the platform to the extent such conduct was authorized, facilitated, configured, or enabled by the Enterprise Client.
Scan results generated for a Vendor's Designated Domain are made available to the Enterprise Client that initiated the invite through dashboards, email notifications, and other product workflows. Enterprise Clients own the scan results generated for their invited Vendors within the context of their enterprise account. Vendors may access their own scan results through the platform during the applicable retention period. Vendor scan data is not shared with other Enterprise Clients, used to improve scanning for unrelated engagements, or sold to third parties, except as necessary to operate the platform, prevent fraud and abuse, comply with law, respond to legal process, enforce applicable terms, or defend against claims.
If an Enterprise Client's relationship with a Vendor ends, the Enterprise Client may revoke or archive the Vendor's invite record within the platform to the extent such functionality is available. Vendor scan records in scan_history are retained for the life of the active Enterprise Client account. Full report JSON is retained for up to seven (7) days following delivery and then deleted from active production systems. Vendor Consent Records are retained for a minimum of three (3) years from acceptance as described in Section 6.4.
Optimus performs automated daily CVE cross-referencing for all active Enterprise Client accounts. The process runs daily at 6:00 AM UTC. For each active enterprise account, Optimus reads all technology stack records stored in the domain_tech_stacks table for that account's Monitoring Domains and performs matching against ALCE's internal CVE database using technology name and version prefix matching logic. The CVE database used for matching is an internal Supabase database table maintained by ALCE. No domain data, technology stack data, user data, or account data is transmitted to external CVE data providers, external vulnerability databases, or third-party enrichment services as part of the CVE matching process.
When a new CVE match is identified, Optimus inserts a CVE alert record in the cve_alerts table and sends an email notification to the Enterprise Client. If a previously identified CVE match that was marked as resolved is still present in the current technology stack data, the alert is automatically re-opened and the Enterprise Client is notified. CVE alert records persist for the life of the active Enterprise Client account and are deleted as part of the post-cancellation data deletion process described in Section 9.4.
CVE alerts are automated informational outputs generated from technology fingerprint matching and may include false positives, false negatives, incomplete version matches, outdated CVE references, missed technologies, incorrect technology fingerprints, reopened alerts for resolved issues, or duplicate alerts. A CVE alert does not mean the affected domain or system is exploited, actively vulnerable, breached, unpatched, or legally noncompliant. Enterprise Clients are solely responsible for independently validating all CVE alerts before taking remediation, procurement, contractual, legal, insurance, compliance, or vendor-management action. ALCE has no duty to manually review CVE matches, confirm exploitability, validate patches, or provide remediation guidance.
All scans initiated through Optimus use the full 21-module Ghost scanning engine. The complete list of technical actions, active probing techniques, scan methods, module descriptions, and scan limitations is set forth in the Ghost Product Addendum and incorporated into this Addendum by reference.
Authorization for a Monitoring Domain or Designated Domain includes publicly reachable subdomains under the same registrable domain, including subdomains identified through DNS queries, certificate-transparency lookups, or common-prefix enumeration conducted as part of the scan. Enterprise Clients and Vendors represent and warrant that their authorization covers such publicly reachable subdomains. Authorization does not extend to unrelated third-party domains, third-party SaaS platforms, internal networks, private IP ranges, authenticated systems, or systems outside the expressly designated scope.
Optimus independently rejects scan requests resolving to private, loopback, link-local, or reserved IP address ranges at both submission time and scan initiation. This dual validation is implemented independently in both the API layer at domain submission and in the Celery task worker at scan initiation, closing the window between submission and execution. This safeguard operates automatically and cannot be disabled by Enterprise Clients or Vendors.
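The two server-side controls described in this Addendum (exact-match enforcement of an invite's allowed_domain with a leading www prefix stripped, and rejection of private, loopback, link-local and reserved address ranges at submission and again at scan start), as an added illustration that is not Optimus's own code. The exception names, the HTTP status mapping and the resolver callback are assumptions; the DNS data and invite record are constructed.

```python
"""Added illustration (not Optimus's own code) of Designated Domain enforcement
and dual-stage unsafe-address rejection. Exception names, the HTTP status
mapping and the resolver callback are assumptions."""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable


class ScopeError(Exception):
    """Submitted domain is not the invite's Designated Domain (maps to HTTP 403)."""


class UnsafeTargetError(Exception):
    """Domain resolves to an address range the scanner must never touch."""


def normalize_domain(name: str) -> str:
    """Lower-case, drop a trailing dot, strip one leading 'www.' label."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def enforce_designated_domain(submitted: str, allowed_domain: str) -> str:
    """Exact string match after normalization: no subdomains, suffixes or look-alikes."""
    wanted = normalize_domain(allowed_domain)
    if normalize_domain(submitted) != wanted:
        raise ScopeError(f"{submitted!r} is not the designated domain {wanted!r}")
    return wanted


def is_disallowed_address(ip: str) -> bool:
    """True for private, loopback, link-local, reserved, multicast or unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:a.b.c.d hides an IPv4 address inside IPv6; unwrap it before checking.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def reject_unsafe_targets(domain: str, resolve: Callable[[str], Iterable[str]]) -> list[str]:
    """Resolve the domain and refuse if *any* answer falls in a disallowed range."""
    answers = list(resolve(domain))
    if not answers:
        raise UnsafeTargetError(f"{domain} does not resolve")
    blocked = [ip for ip in answers if is_disallowed_address(ip)]
    if blocked:
        raise UnsafeTargetError(f"{domain} resolves to disallowed address(es) {blocked}")
    return answers


def api_submit_vendor_scan(submitted: str, invite: dict, resolve) -> dict:
    """Stage 1 (API layer, submission time): invite state, scope, then address check."""
    if invite["status"] != "pending":
        raise ValueError("invite already consumed or revoked")  # HTTP 400 in the addendum
    domain = enforce_designated_domain(submitted, invite["allowed_domain"])
    reject_unsafe_targets(domain, resolve)
    return {"invite_id": invite["id"], "domain": domain}


def worker_start_scan(job: dict, resolve) -> bool:
    """Stage 2 (task worker, scan start): DNS may have changed since submission, so re-check."""
    reject_unsafe_targets(job["domain"], resolve)
    return True
```

The second check matters because a record that pointed at a public address when the vendor submitted it can be changed to point at an internal one before the worker picks up the job.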
Optimus does not authenticate into or log in to any system, exploit vulnerabilities, inject payloads or execute malicious code, modify data on target systems, brute force credentials or session tokens, perform denial-of-service testing, conduct social engineering, perform recursive directory crawling, scan internal or private IP ranges, access email message content, store, validate, or attempt to exploit exposed credentials detected during scanning, or perform any technique designed to compromise, bypass, or damage target systems. Email security assessment is limited to DNS record analysis, including SPF, DKIM, and DMARC records.
For active Enterprise Client accounts, the following retention periods apply unless a longer retention period is required or reasonably necessary for legal compliance, fraud prevention, abuse prevention, provider complaint response, dispute resolution, enforcement, or claim defense:
The scan_history table stores summary-level metadata only. It does not store full scan report JSON. Full scan report JSON is stored exclusively in the scan_jobs table and is subject to the seven-day deletion schedule described in Section 5.5 and the Ghost Product Addendum. Enterprise Clients requiring long-term retention of full report content are responsible for downloading reports within the applicable seven-day window.
Vendor Consent Records are stored in a dedicated database table that is operationally and structurally separate from the scan_jobs table. The seven-day scan job deletion task does not access, modify, or delete Vendor Consent Records. The database foreign key from Vendor Consent Records to vendor invite records is configured to set the invite reference to null on invite deletion rather than cascade-delete the consent record. As a result, Vendor Consent Records survive deletion of dashboard data, scan history, vendor invite records, and enterprise account records and are retained independently for the duration specified in Section 6.4.
For clarity, Vendor Consent Records are not subject to the seven-day scan job deletion schedule or the thirty-day post-cancellation enterprise account deletion schedule. Vendor Consent Records may be retained beyond enterprise account deletion to the extent reasonably necessary for legal compliance, fraud prevention, abuse prevention, provider complaint response, dispute resolution, enforcement, or claim defense.
Following cancellation of an Optimus subscription, all enterprise account data is retained in active production systems for up to thirty (30) days beginning on the effective date of cancellation. The delete_after date is set at the time of cancellation and is enforced by an automated Celery task running daily at 5:00 AM UTC. Upon reaching the delete_after date, enterprise data is hard-deleted from active production systems in the following cascading order: CVE alerts, technology stack data, scan history metadata, vendor invite records, domain verification records, and enterprise account records.
The thirty-day post-cancellation retention period begins on the effective date of cancellation regardless of the remaining billing period. Enterprise Clients are responsible for exporting required data before the delete_after date. ALCE is not responsible for data loss after the hard-delete date. Post-cancellation deletion does not include Vendor Consent Records, payment records, Stripe billing records, abuse-prevention records, legal records, tax records, accounting records, provider complaint records, security logs, or other operational records retained for legitimate business, legal, security, compliance, fraud-prevention, abuse-prevention, dispute-resolution, or claim-defense purposes.
Deletion from active production systems does not require immediate deletion from encrypted backups, disaster-recovery systems, Supabase database-level logs, SendGrid email delivery logs, Stripe payment records, Redis task records, Render.com application logs, or other operational systems maintained by ALCE or its service providers. Such residual records are retained, overwritten, or anonymized according to the applicable retention cycles for those systems. ALCE does not use residual backup or log data to recreate Reports or enterprise account data for ordinary business purposes.
Enterprise Client access to the Optimus platform is managed through Supabase Auth. Enterprise Clients authenticate using email and password credentials managed by Supabase. Session tokens are managed by Supabase Auth JS client. Inactivity auto-logout is implemented in the Optimus frontend.
Vendor access to the Optimus platform is token-based. Vendors do not create Supabase Auth accounts. Vendor access is scoped exclusively to the specific Vendor Invite workflow associated with their invite token and cannot be expanded to other platform features, Enterprise Client dashboard data, other vendor records, or other scan results.
Optimus enforces row-level security on all enterprise data tables. Enterprise Client users can only access records belonging to their own enterprise account. Cross-account data access through normal platform operation is not possible. Vendor invite records are subject to a deny-all policy -- all vendor invite access is routed exclusively through the FastAPI service role, and direct client-side database queries against the vendor_invites table are blocked to protect raw invite tokens.
Access to scan report JSON and PDF reports is restricted to HMAC-SHA256 signed access tokens derived from the scan identifier and a server-side secret key. Unauthenticated access to report content is not permitted. Report access tokens are generated at scan completion and are valid only for the duration of the applicable report retention period.
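One way to implement the signed report access token described above, as an added example that is not Optimus's own code: the MAC is computed over the scan identifier with a server-side secret, checked with a constant-time comparison, and bounded by the seven-day retention window. Carrying the expiry inside the token, the field separator and the key source are assumptions.

```python
"""Added illustration (not Optimus's own code) of HMAC-SHA256 signed report
access tokens bound to a scan identifier and a server-side secret. Carrying
the expiry inside the token and the key source are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import time

RETENTION_SECONDS = 7 * 24 * 3600  # seven-day report retention window
TEST_SECRET = b"constructed-server-side-secret-replace-me"  # real key comes from env/KMS


def _mac(secret: bytes, scan_id: str, expires_at: int) -> str:
    # Prefix and NUL-separate the fields so different (scan_id, expiry) pairs
    # can never serialize to the same message.
    msg = b"report-access\x00" + scan_id.encode() + b"\x00" + str(expires_at).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_report_token(scan_id: str, secret: bytes, *, now: float | None = None,
                       ttl: int = RETENTION_SECONDS) -> str:
    """Issue at scan completion. Token format (assumed): '<expires_at>.<hex mac>'."""
    expires_at = int((time.time() if now is None else now) + ttl)
    return f"{expires_at}.{_mac(secret, scan_id, expires_at)}"


def verify_report_token(scan_id: str, token: str, secret: bytes, *,
                        now: float | None = None) -> bool:
    """True only for an untampered token for *this* scan that has not expired."""
    try:
        exp_text, mac = token.split(".", 1)
        expires_at = int(exp_text)
    except ValueError:
        return False  # malformed token: never reveal which part was wrong
    expected = _mac(secret, scan_id, expires_at)
    if not hmac.compare_digest(expected, mac):  # constant-time compare
        return False
    return (time.time() if now is None else now) < expires_at
```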
Optimus API endpoints are subject to rate limiting and abuse-prevention controls as appropriate to the applicable endpoint and operational environment. Rate limits are applied per endpoint and per identifier to reduce abuse risk. ALCE may adjust rate limits for operational, security, or abuse-prevention reasons.
Enterprise Client data, including scan records, domain verification records, vendor invite records, CVE alerts, and technology stack data, is logically isolated within the platform through row-level security policies. One Enterprise Client's data is not accessible to another Enterprise Client through normal platform operation. Data transmitted between users and the Optimus platform is encrypted using TLS. Data stored in Optimus's primary database infrastructure is encrypted at rest using the encryption controls provided by Supabase and ALCE's infrastructure providers.
No security practice, authentication control, encryption, access control, or technical safeguard eliminates all risk. ALCE cannot guarantee that the Optimus platform is immune from unauthorized access, disclosure, alteration, loss, or misuse despite these measures.
Optimus uses the following third-party service providers. Enterprise Clients and Vendors acknowledge and consent to the transmission, processing, and storage of data by these providers as necessary to operate Optimus.
| Provider | Purpose | Data Transmitted |
|---|---|---|
| Supabase | Primary database (PostgreSQL) | All enterprise account data, scan records, vendor invite records, domain verification records, CVE alerts, technology stacks |
| Supabase Auth | Enterprise Client login and session management | Email address, hashed password, session tokens |
| Redis | Celery message broker and task queue | Scan task payloads (scan_id, domain, tier) |
| SendGrid (Twilio) | Scan reports, CVE alerts, cert expiry warnings, vendor notifications, monthly summaries | Report content, PDF attachments, recipient email, domain name, scan metadata |
| Stripe | Recurring subscription billing | Enterprise Client email, billing details, subscription metadata |
| Render.com | Application and worker hosting | All application data processed on Render infrastructure |
| ReportLab | Scan report PDF generation | Full report data processed in-memory on ALCE servers -- not transmitted externally |
| crt.sh | Subdomain enumeration | Submitted domain name as URL query parameter |
| Internal Supabase table | CVE cross-reference matching | No external transmission -- internal database query only |
ALCE may add, replace, or remove third-party service providers from time to time. ALCE uses commercially reasonable efforts to engage service providers under terms that restrict their use of data to providing services to ALCE.
Optimus Reports and monitoring records are point-in-time assessments based on publicly observable information at the time of each scan. They are provided for informational and operational purposes only. Optimus is designed to support Enterprise Client vendor risk management and supply chain security documentation programs. Enterprise Clients may use Optimus outputs as supporting documentation in broader compliance, vendor due diligence, audit support, security questionnaire, or risk management programs.
ALCE does not warrant that Optimus Reports or monitoring records are sufficient, appropriate, accurate, complete, or fit for any specific insurer, underwriter, broker, regulator, auditor, customer, vendor, lender, contractual counterparty, or other third party. Before using any Optimus Output for Insurance Evidence Use or any compliance-support purpose, Enterprise Client is solely responsible for independently determining whether the Output is appropriate for that purpose, reviewing applicable third-party requirements, and consulting qualified legal, insurance, compliance, risk, or cybersecurity professionals where appropriate.
ALCE does not communicate with insurers, brokers, underwriters, regulators, auditors, or other third parties on Enterprise Client's behalf unless expressly agreed in a separate written statement of work or enterprise agreement signed or accepted by ALCE.
Enterprise monitoring and CVE alerting features are scheduled, periodic, automated, and informational. They are not real-time monitoring, managed detection and response, security operations center coverage, threat hunting, penetration testing, incident response, emergency alerting, forensic investigation, compliance certification, or guaranteed change detection. Monitoring results reflect point-in-time observations at or near the time each scan is performed. Monitoring may miss changes occurring between scheduled scans, during platform outages, during provider disruptions, during DNS propagation, when target systems block or limit requests, when third-party sources are unavailable, or where automated detection is incomplete, outdated, inaccurate, delayed, or unavailable.
ALCE has no duty to manually review every finding, continuously monitor every domain, escalate every risk, notify every affected party in real time, provide emergency notification, or confirm remediation. If ALCE identifies a finding during Optimus operation that ALCE reasonably determines represents an imminent and critical risk of harm to an Enterprise Client's systems or data, ALCE may, at its discretion, provide reasonable notification to the Enterprise Client outside the regular scan delivery cycle. This discretionary notification does not create a duty to discover, monitor for, escalate, or report all findings in real time, and ALCE is not liable for harm arising from findings that were not separately escalated.
Enterprise Clients and Vendors acknowledge that Optimus is offered on the basis of the disclaimers, limitations of liability, risk allocations, and customer responsibilities stated in this Addendum and the Terms of Service, and that ALCE would not offer Optimus on the same terms without these limitations.
Enterprise Clients accept this Addendum by creating an Optimus account, initiating a subscription, adding a domain to monitoring, generating a Vendor Invite, or otherwise accessing or using Optimus. Vendors accept this Addendum by accepting a Vendor Invite link and proceeding through the vendor scan workflow, completing all three required acknowledgments. Acceptance is logged as described in Section 6.4 and in the Terms of Service.
The version of this Addendum accepted by Enterprise Client or Vendor at the time of account creation, subscription initiation, or invite acceptance governs that engagement. ALCE may update this Addendum from time to time. Material updates will be communicated to active Enterprise Clients with reasonable notice as described in the Terms of Service.