Terms of Service

Last updated: 12 February 2026

1. Agreement to Terms

These Terms of Service ("Terms") constitute a legally binding agreement between you ("you", "your", "User") and XYGEN Ltd, trading as SecPortal ("we", "us", "our", "SecPortal"), a company registered in England and Wales.

By creating an account, accessing, or using the SecPortal platform located at secportal.io and any associated sub-domains (the "Service"), you confirm that you have read, understood, and agree to be bound by these Terms and our Privacy Policy, which is incorporated herein by reference.

If you are entering into these Terms on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation to these Terms. If you do not agree to these Terms, you must not access or use the Service.

2. Description of Service

SecPortal is a software-as-a-service (SaaS) platform designed for security teams and cybersecurity organisations. The Service provides tools for:

  • Managing security assessments and operations (vulnerability assessments, compliance audits, incident response, and more).
  • Logging and tracking security findings, vulnerabilities, and compliance controls.
  • Generating AI-assisted security reports.
  • Delivering findings to clients via branded, secure client portals.
  • Creating and sending invoices to clients, with payments processed via Stripe Connect.
  • Managing workspace teams with role-based access control.
  • Storing and sharing engagement-related documents.

The Service is provided as a tool to assist your work. It does not constitute professional security advice, legal advice, or any form of certification or assurance.

3. Eligibility

  • You must be at least 18 years of age to use the Service.
  • You must have the legal capacity to enter into a binding contract.
  • If you are using the Service on behalf of an organisation, you must be authorised to bind that organisation.
  • You must not have been previously suspended or removed from the Service for violation of these Terms.

4. Account Registration & Security

  • You must provide accurate, current, and complete information during registration and keep it up to date.
  • You are solely responsible for maintaining the confidentiality and security of your account credentials (email and password).
  • You must not share your account credentials with any other person or allow any other person to access the Service using your credentials.
  • You must immediately notify us at support@secportal.io if you become aware of any unauthorised use of your account or any other breach of security.
  • We are not liable for any loss or damage arising from your failure to protect your account credentials.
  • One person or legal entity may not maintain more than one free-tier workspace.

5. Workspace Roles & Responsibilities

Each workspace has team members with the following roles:

  • Owner: Full control over the workspace, including billing, settings, team management, and all data.
  • Admin: Can manage team members and all workspace data, except billing and workspace settings.
  • Member: Can create and edit clients, engagements, findings, documents, and invoices.
  • Viewer: Read-only access to all workspace data.

The workspace Owner is the primary account holder and is responsible for the actions of all team members within their workspace, including compliance with these Terms. The Owner is responsible for ensuring that all team members and invited clients are made aware of relevant policies.

6. Subscriptions, Billing & Fees

6.1 Plans & Pricing

  • The Service offers free and paid subscription plans. Features, limits, and pricing for each plan are displayed on our pricing page and may change over time.
  • Paid plans are billed in advance on a monthly or annual basis via Stripe.
  • All fees are quoted and charged in United States Dollars (USD) unless otherwise stated.
  • Fees are exclusive of taxes unless explicitly stated. You are responsible for any applicable taxes.

6.2 Upgrades & Downgrades

  • Plan upgrades take effect immediately. You will be charged the prorated difference for the remainder of the current billing period.
  • Plan downgrades take effect at the end of the current billing period. No refund is issued for the unused portion of the current period.

6.3 Refunds

  • Monthly subscriptions: No refunds are provided for partial months.
  • Annual subscriptions: Non-refundable once the billing period has begun, except where required by applicable consumer protection law.
  • One-time purchases (e.g. AI report credit packs): Non-refundable once credits have been delivered to your account.

6.4 Payment Failures

  • If a payment fails, we will attempt to charge your payment method again in accordance with Stripe's retry schedule.
  • We will notify you by email of failed payments.
  • After repeated payment failures, your workspace may be downgraded to the free tier, and premium features may become unavailable. We are not liable for any loss of functionality or data access resulting from payment failures.

6.5 Price Changes

We reserve the right to change our pricing at any time. Existing subscribers will receive at least 30 days' written notice (via email) before any price increase takes effect. If you do not agree with the new pricing, you may cancel your subscription before the new pricing applies.

7. Invoicing & Client Payments (Stripe Connect)

  • The Service allows you to create and send invoices to your clients. Client payments are processed through your own connected Stripe account via Stripe Connect.
  • SecPortal charges a platform fee (as a percentage of each invoice payment, determined by your subscription plan) which is deducted at the time of payment. The applicable fee rates are displayed in your workspace settings.
  • You are solely responsible for the accuracy, completeness, and legality of invoices you create and send through the Service. SecPortal does not verify, audit, or guarantee the correctness of invoice contents.
  • You are solely responsible for compliance with all applicable invoicing, tax, and accounting laws in your jurisdiction, including but not limited to VAT/GST obligations, invoice numbering requirements, and record-keeping.
  • Refund and chargeback handling for client invoice payments is solely between you and your client, facilitated through Stripe. SecPortal is not a party to the transaction between you and your client and bears no responsibility for disputes, chargebacks, or refund claims.
  • SecPortal does not act as a payment institution, financial intermediary, or escrow service. We merely provide the software interface through which you interact with Stripe's payment infrastructure.
  • You must comply with Stripe's Connected Account Agreement and all applicable Stripe policies.

8. Your Data & Content

8.1 Ownership

You retain all ownership rights to the data and content you upload, create, or store on the Service ("Your Content"). We do not claim any ownership over Your Content.

8.2 Licence Grant

By using the Service, you grant us a limited, non-exclusive, royalty-free, worldwide licence to store, process, reproduce, display, and transmit Your Content solely as necessary to provide, operate, and improve the Service. This licence terminates when you delete Your Content or close your account.

8.3 Your Responsibilities

  • You are solely responsible for the legality, accuracy, and appropriateness of all content you upload to or create within the Service.
  • You represent and warrant that you have all necessary rights, permissions, and authorisations to upload and share Your Content on the platform.
  • You are responsible for ensuring that sharing security findings, vulnerability details, or client data through the Service complies with any applicable confidentiality agreements, contracts, or regulations.
  • You must not upload content that infringes the intellectual property rights, trade secrets, or confidential information of any third party without proper authorisation.

8.4 Backups

While we maintain standard infrastructure-level backups, we do not guarantee the availability or recoverability of Your Content. You are responsible for maintaining your own backups of critical data. We strongly recommend regularly exporting your data using the export features provided within the Service.

9. AI-Powered Features

  • The Service includes AI-powered features such as report generation and contextual chat (available on Pro and Team plans).
  • AI features use your workspace data (engagement details, findings, client information) as context to generate responses. This data is sent to our AI provider (Anthropic) for processing.
  • Your data is not used by Anthropic to train, fine-tune, or improve their AI models.
  • AI-generated content is provided "as is" and may contain errors, inaccuracies, or omissions. You are solely responsible for reviewing, verifying, and editing all AI-generated content before using it in any deliverable, report, or communication with clients or third parties.
  • SecPortal makes no representations or warranties regarding the accuracy, completeness, or fitness for purpose of any AI-generated content.
  • You acknowledge that AI-generated content does not constitute professional advice of any kind (security, legal, compliance, or otherwise).
  • AI report credits are consumed upon generation and are non-refundable regardless of output quality.

10. Client Portals

  • The Service allows you to invite your clients to access a branded portal where they can view engagements, findings, documents, and invoices.
  • Client portal access is invite-only. You control which clients are invited and which engagements they can access.
  • You are solely responsible for the data you share with clients through the portal, including ensuring that the information is accurate, appropriate, and compliant with any applicable confidentiality or contractual obligations.
  • SecPortal does not verify the identity of invited clients beyond email-based authentication.
  • Client portal users are bound by these Terms. You are responsible for ensuring your clients are aware of the Terms and Privacy Policy.

10A. Active Security Testing Features

SecPortal offers active security testing features including vulnerability scanning, continuous monitoring, and attack surface discovery ("Active Features"). Use of Active Features is subject to the following additional terms:

  • Domain Verification Required: Before using any Active Features against a domain, you must verify your ownership of or authorisation to test that domain through one of our supported verification methods (DNS TXT record, file upload, or HTML meta tag).
  • Attestation Required: You must submit a legally binding attestation confirming you are authorised to perform security testing against each verified domain. This attestation is recorded immutably with your IP address and timestamp.
  • User Responsibility: You are solely responsible for ensuring you have legal authority to perform security testing against any domain you add to SecPortal. SecPortal acts as a tool provider — you are the actor performing the testing.
  • Plan Limits Apply: Active Features are subject to plan-based limits on the number of verified domains and monthly scan quotas. Free plan users are limited to 1 domain and 2 scans per month.
  • Prohibited Targets: You must not use Active Features to scan government, military, critical infrastructure, or any target for which you do not have explicit authorisation. SecPortal maintains a blocklist of restricted domains.
  • Immediate Suspension: We reserve the right to immediately suspend your access to Active Features if we detect or receive reports of unauthorised scanning activity from your account.
  • Cooperation with Authorities: SecPortal will cooperate with law enforcement agencies upon receipt of valid legal requests regarding scanning activity conducted through the Service.
  • Acceptable Use Policy: Use of Active Features is also subject to our Acceptable Use Policy, which is incorporated herein by reference.

Indemnification for Active Features: You agree to indemnify, defend, and hold harmless XYGEN Ltd, its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or relating to: (a) your use of Active Features; (b) your breach of any attestation or representation regarding authorisation to test; (c) any unauthorised security testing conducted through your account; (d) any third-party claims arising from scanning activity initiated from your workspace.

11. Acceptable Use

You agree not to use the Service to:

  • Violate any applicable local, national, or international law or regulation.
  • Upload, store, or transmit any content that is unlawful, harmful, threatening, abusive, harassing, defamatory, or otherwise objectionable.
  • Upload malicious software, viruses, or any code designed to disrupt, damage, or compromise the Service or any connected systems.
  • Attempt to gain unauthorised access to any part of the Service, other users' accounts, or other systems connected to the Service.
  • Use the Service to conduct or facilitate unauthorised penetration testing, hacking, or security assessments against any target without proper written authorisation.
  • Scrape, crawl, or use automated tools to extract data from the Service beyond the intended use of the API or export features.
  • Circumvent, disable, or interfere with any security, access control, or rate-limiting features of the Service.
  • Reverse-engineer, decompile, disassemble, or attempt to derive the source code of any part of the Service.
  • Resell, sublicense, or redistribute access to the Service without our prior written consent.
  • Use the Service in a manner that could damage, disable, overburden, or impair the Service or interfere with any other party's use of the Service.
  • Impersonate any person or entity, or misrepresent your affiliation with any person or entity.
  • Share account credentials or allow multiple individuals to access the Service under a single account.

We reserve the right to investigate and take appropriate action (including suspension or termination of your account) against any User who, in our sole discretion, violates this section.

12. Intellectual Property

  • The Service, including all software, design, text, graphics, logos, and other materials (excluding Your Content), is owned by or licensed to SecPortal and is protected by copyright, trademark, and other intellectual property laws.
  • You are granted a limited, non-exclusive, non-transferable, revocable licence to access and use the Service for its intended purpose during the term of your subscription.
  • You may not copy, modify, distribute, sell, or lease any part of the Service or its underlying software.
  • SecPortal's name, logo, and branding are trademarks of XYGEN Ltd. You may not use them without our prior written consent.

13. Service Availability & Modifications

  • We strive to maintain high availability but do not guarantee uninterrupted, error-free, or secure access to the Service at all times.
  • The Service may be temporarily unavailable due to maintenance, updates, infrastructure issues, or events beyond our control.
  • We reserve the right to modify, suspend, or discontinue any part of the Service at any time, with or without notice. For material changes that negatively affect paid features, we will provide reasonable notice.
  • We are not liable for any loss, damage, or inconvenience caused by downtime, service interruptions, or modifications to the Service.

14. Disclaimer of Warranties

THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED.

To the maximum extent permitted by applicable law, we expressly disclaim all warranties, including but not limited to:

  • Implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
  • Any warranty that the Service will be uninterrupted, timely, secure, or error-free.
  • Any warranty regarding the accuracy, reliability, or completeness of any content or data obtained through the Service, including AI-generated content.
  • Any warranty that defects will be corrected.
  • Any warranty that the Service is free of viruses or other harmful components.

You use the Service at your own risk. You are solely responsible for any damage to your computer systems or loss of data resulting from your use of the Service.

15. Limitation of Liability

To the maximum extent permitted by applicable law, in no event shall SecPortal, XYGEN Ltd, its directors, officers, employees, agents, partners, or suppliers be liable for:

  • Any indirect, incidental, special, consequential, exemplary, or punitive damages, however caused.
  • Any loss of profits, revenue, business, savings, data, goodwill, or anticipated savings.
  • Any damage arising from your use of or inability to use the Service.
  • Any damage arising from unauthorised access to or alteration of your data or transmissions.
  • Any damage arising from the conduct or content of any third party on or through the Service.
  • Any damage arising from errors, inaccuracies, or omissions in AI-generated content.
  • Any damage arising from the actions of your clients, team members, or other users within your workspace.
  • Any damage arising from payment processing, including failed payments, chargebacks, or disputes handled by Stripe.
  • Any damage arising from the loss, corruption, or unauthorised disclosure of documents or data stored on the Service.

In any event, our total aggregate liability for all claims arising out of or related to these Terms or the Service shall not exceed the greater of: (a) the total amount you paid to us in the twelve (12) months immediately preceding the event giving rise to the claim, or (b) fifty US dollars ($50).

This limitation applies regardless of the legal theory on which the claim is based (contract, tort, negligence, strict liability, or otherwise), even if we have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of certain damages, so the above limitations may not apply to you in full.

16. Indemnification

You agree to indemnify, defend, and hold harmless SecPortal, XYGEN Ltd, its directors, officers, employees, agents, and partners from and against any and all claims, demands, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or related to:

  • Your use of or access to the Service.
  • Your violation of these Terms.
  • Your violation of any applicable law or regulation.
  • The content you upload, create, or share through the Service.
  • Invoices you create or send through the Service.
  • Your interactions with your clients, including any disputes arising from security assessments, reports, or invoice payments.
  • Any claim by a third party that Your Content infringes their intellectual property or other rights.
  • Your failure to comply with any applicable confidentiality, data-protection, or professional conduct obligations.

17. Termination

17.1 Termination by You

  • You may cancel your paid subscription at any time from the Settings page. Cancellation takes effect at the end of the current billing period.
  • To fully delete your account and all associated data, email support@secportal.io from the email address associated with your account. See our Privacy Policy Section 11 for details on the deletion process.

17.2 Termination by Us

  • We may suspend or terminate your access to the Service immediately, without prior notice or liability, if you breach these Terms.
  • We may suspend or terminate accounts that have been inactive for more than 12 months.
  • We may discontinue the Service entirely with 60 days' written notice to all registered users.

17.3 Effects of Termination

  • Upon termination, your right to access and use the Service ceases immediately.
  • We may delete your account data within 30 days of termination unless we are required to retain it by law.
  • We are not liable for any loss of data or access resulting from termination.
  • Sections that by their nature should survive termination (including but not limited to Sections 14, 15, 16, 19, and 20) shall survive.

18. Third-Party Services & Links

The Service integrates with and may link to third-party services (including Stripe, Supabase, Anthropic, and others). Your use of such third-party services is subject to their own terms of service and privacy policies. We are not responsible for the availability, accuracy, content, or practices of any third-party services, and our inclusion of or integration with such services does not imply endorsement. You acknowledge that we have no control over and assume no responsibility for any third-party services.

19. Governing Law & Dispute Resolution

  • These Terms are governed by and construed in accordance with the laws of England and Wales, without regard to conflict-of-law principles. For users in the United States, to the extent permitted by applicable law, the laws of the State of Delaware shall apply.
  • Any dispute arising out of or in connection with these Terms, including any question regarding their existence, validity, or termination, shall be subject to the jurisdiction of the courts of England and Wales, or for US-based users, the state or federal courts located in the State of Delaware.
  • Before initiating any formal legal proceedings, you agree to first attempt to resolve any dispute informally by contacting us at support@secportal.io. We will attempt to resolve the matter within 30 days.

20. General Provisions

  • Entire Agreement: These Terms, together with the Privacy Policy, constitute the entire agreement between you and SecPortal regarding the Service, superseding all prior or contemporaneous agreements, understandings, or representations.
  • Severability: If any provision of these Terms is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.
  • Waiver: Our failure to enforce any provision of these Terms shall not constitute a waiver of that provision or the right to enforce it at a later time.
  • Assignment: You may not assign or transfer your rights or obligations under these Terms without our prior written consent. We may assign our rights and obligations without restriction.
  • Force Majeure: We shall not be liable for any failure or delay in performing our obligations where such failure or delay results from events beyond our reasonable control, including but not limited to natural disasters, war, terrorism, pandemic, government actions, power failures, internet outages, or third-party service provider failures.
  • No Agency: Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between you and SecPortal.
  • Notices: We may send notices to you via email to the address associated with your account. Such notices are deemed received when sent. You may send notices to us at legal@secportal.io.

21. Changes to These Terms

We reserve the right to modify these Terms at any time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect, and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Terms. If you do not agree with the changes, you must stop using the Service and may request account deletion.

22. Contact

For questions or concerns about these Terms: