Master Subscription Agreement

Effective: Last updated:

This Master Subscription Agreement (“MSA”) is entered into between Fimil, Inc., a Delaware corporation (“Fimil”), and the customer identified in an Order Form (“Customer”). It governs Customer’s subscription to the Fimil application-security platform (the “Service”). This MSA is Fimil’s standard commercial form; for self-serve customers without a signed Order Form, the Terms of Service apply instead.

A signed Order Form referencing this MSA forms the binding agreement; this published version is provided for transparency and procurement review. Bracketed/italicized items are completed per the applicable Order Form.

1. Definitions

  • “Order Form” — an ordering document executed by both parties referencing this MSA.
  • “Customer Data” — data Customer or its users submit to or generate through the Service, including source code accessed for scanning, scan results, and findings.
  • “Documentation” — Fimil’s then-current usage and technical documentation.
  • “Subscription Term” — the period stated in an Order Form.

2. Order of precedence

In the event of conflict, the documents control in this order: (1) the applicable Order Form; (2) the AI-Pentest Addendum (for the penetration-test agent); (3) the Data Processing Agreement (for personal data); (4) this MSA; and (5) Fimil’s published policies (e.g., AUP, SLA).

3. Access and license

Subject to this MSA and payment of fees, Fimil grants Customer a non-exclusive, non-transferable right to access and use the Service during the Subscription Term for Customer’s internal business purposes. Customer will use the Service in accordance with the Acceptable Use Policy and, for the penetration-test agent, the AI-Pentest Addendum. Customer must not reverse engineer, resell, or exceed the scope of its subscription.

4. Customer Data and intellectual property

Customer owns all right, title, and interest in Customer Data, including its source code, repositories, configurations, and the findings generated for it. Customer grants Fimil a limited, non-exclusive license to host, process, and use Customer Data solely to provide, secure, and support the Service. Fimil owns the Service, the Documentation, and all related software, models, and intellectual property, including any improvements and aggregated, de-identified data that does not identify Customer.

No model training on Customer Data. Fimil does not use Customer Data — including source code, findings, or scan data — to train its own machine-learning models. Where the Service uses third-party LLM providers to deliver AI-assisted features, Fimil uses providers whose terms do not permit training on Customer’s commercial-API content. See the Privacy Policy and Subprocessors.

5. Fees and payment

Customer will pay the fees stated in the Order Form. Unless stated otherwise, fees are invoiced in advance, are non-cancelable and non-refundable, and are due within the period stated in the Order Form. Fees are exclusive of taxes, which are Customer’s responsibility (excluding taxes on Fimil’s net income). Any terms on a Customer purchase order or vendor portal are of no effect and do not modify this MSA.

6. Confidentiality

Each party (the “Receiving Party”) will protect the other party’s Confidential Information with at least reasonable care, use it only to perform under this MSA, and disclose it only to personnel and advisors bound by confidentiality obligations or as required by law. Customer Data is Customer’s Confidential Information.

7. Warranties and disclaimer

Each party warrants it has the authority to enter into this MSA. Fimil warrants that the Service will perform materially in accordance with the Documentation. EXCEPT AS EXPRESSLY STATED, THE SERVICE IS PROVIDED “AS IS” AND FIMIL DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. The Service performs automated and AI-assisted security testing and does not guarantee discovery of all vulnerabilities or the absence of false positives or negatives; security decisions remain Customer’s responsibility.

8. Indemnification

By Fimil. Fimil will defend Customer against third-party claims that the Service, as provided and used in accordance with this MSA, infringes that third party’s intellectual-property rights, and will indemnify Customer for resulting damages finally awarded, excluding claims arising from Customer Data or Customer’s misuse.

By Customer. Customer will defend Fimil against third-party claims arising from Customer Data, Customer’s Targets, or Customer’s breach of the AUP or the AI-Pentest Addendum (including testing of systems Customer was not authorized to test), and will indemnify Fimil for resulting damages finally awarded.

9. Limitation of liability

EXCEPT FOR THE EXCLUDED CLAIMS BELOW, AND TO THE MAXIMUM EXTENT PERMITTED BY LAW: (a) neither party will be liable for any indirect, incidental, special, consequential, or punitive damages, or for lost profits, revenue, or data; and (b) each party’s total aggregate liability arising out of or relating to this MSA will not exceed the fees Customer paid or owed for the Service in the twelve (12) months preceding the event giving rise to the claim.

Excluded Claims (not subject to the cap, or subject to a higher super-cap as stated): Customer’s payment obligations; either party’s indemnification obligations; a party’s fraud or willful misconduct; and Fimil’s liability for a data-breach of Customer Personal Data arising from Fimil’s breach of the DPA, which is subject to a higher cap of [super-cap amount — per Order Form].

The parties agree that the fees reflect this allocation of risk and that these limitations are an essential basis of the bargain and apply even if a remedy fails of its essential purpose.

10. Term, termination, and survival

This MSA applies for the Subscription Term and any renewals stated in the Order Form. Either party may terminate for the other’s uncured material breach (30 days’ notice). On termination, Customer’s access ends and Fimil will handle Customer Data as described in the DPA and Privacy Policy. Sections that by their nature should survive (including Customer Data ownership, confidentiality, fees accrued, warranties disclaimer, indemnification, limitation of liability, and this Section) survive termination.

11. Data protection

The processing of personal data under this MSA is governed by the Data Processing Agreement, which is incorporated by reference.

12. General

Governing law is the State of Delaware, without regard to conflict-of-laws rules. Force Majeure: neither party is liable for failure or delay caused by events beyond its reasonable control. Export control and sanctions: Customer will comply with all applicable export-control, import, and economic-sanctions laws (including the U.S. Export Administration Regulations and OFAC-administered sanctions), represents that it is not a sanctioned or denied/restricted party and is not located in a comprehensively sanctioned region, and will not use the Service (including the penetration-testing agent) for any prohibited person, system, or destination. Assignment: neither party may assign this MSA without the other’s consent, except to a successor in a merger, acquisition, or sale of substantially all assets. Notices to Fimil must be sent to legal@fimil.dev. If any provision is unenforceable, the remainder remains in effect. This MSA, with the Order Form and incorporated documents, is the entire agreement and supersedes prior proposals. Fimil may update this MSA on notice; for material adverse changes during a paid term, the version in effect when the Order Form was signed continues to apply until renewal.

13. Contact

legal@fimil.dev — Fimil, Inc., 2093 Philadelphia Pike, Suite #2016, Claymont, DE 19703, USA.