These Terms of Service ("Terms") constitute a legal agreement between you ("Customer," "you") and Vietnam CyStack JSC ("CyStack," "we," "us," or "our"), governing your access to and use of CyStack's websites, platforms, products, and services (collectively, the "Services").

Please read these Terms carefully before using the Services. By creating an account, accessing, or using the Services, you agree to be bound by these Terms. If you do not agree, please do not use the Services.

1. Definitions

"Services" includes all SaaS products (Locker, CyStack Endpoint, WhiteHub, VulnScan, Data Leak Detection), the CyStack Platform (cystack.net), and Professional Services (penetration testing, red teaming, security assessments, SOC, DFIR, training).

"Customer Data" means all data, content, and information that you or your Authorized Users input, upload, or generate through the Services.

"Authorized Users" means individuals you permit to access and use the Services under your account.

"Documentation" means user guides, technical documentation, and policies provided by CyStack, as updated from time to time.

"Professional Services" means consulting, testing, and assessment services delivered under a separate Statement of Work (SOW).

2. Eligibility and Authority

2.1. If you register on behalf of an organization, you represent and warrant that you have full legal authority to bind that organization to these Terms. In that case, "you" refers to the organization you represent.

2.2. You may not use the Services if the laws of your jurisdiction prohibit you from doing so.

2.3. The Services are not intended for individuals under 16 years of age. By using the Services, you confirm that you are at least 16 years old.

3. Accounts

3.1. Registration: You must provide accurate, complete, and current information when creating an account. You are responsible for maintaining the accuracy of your account information.

3.2. Account security: You are responsible for safeguarding your password and credentials, and for all activities that occur under your account. You must notify CyStack immediately upon discovering any unauthorized access.

3.3. Access: You may only access the Services through the interfaces and APIs provided by CyStack, unless otherwise agreed in writing. You must not attempt to gain unauthorized access to any systems, networks, or other accounts.

4. Scope of Services and Acceptable Use

4.1 SaaS Products

CyStack grants you a non-exclusive, non-transferable, revocable right to access and use the SaaS products you have subscribed to for the duration of your subscription, subject to the feature, capacity, and user limits specified in your plan.

4.2 Professional Services

Professional Services are delivered under a separate SOW. Where a specific provision of the SOW directly conflicts with these Terms and both cannot be simultaneously complied with, the SOW prevails for that specific matter only. All other provisions of these Terms remain in effect.

The authorized scope of all security testing activities (including penetration testing and red teaming) must be expressly defined in the SOW. CyStack is not liable for damages resulting from an inaccurately or incompletely defined scope in the SOW.

4.3 Prohibited Uses

You agree not to use the Services to:

Violate applicable laws or the rights of any third party.

Transmit, store, or distribute malware, viruses, or harmful content.

Interfere with, disrupt, or degrade the operation of the Services, servers, or connected networks.

Reverse engineer, decompile, or copy the source code of the Services.

Access other users' accounts, data, or systems without authorization.

Resell, sublicense, or redistribute the Services to third parties without CyStack's written consent.

Use the Services to perform security testing on systems you do not own or are not legally authorized to test.

5. Fees and Payment

5.1 Plans and Pricing

CyStack offers Services under plans with features and pricing published at cystack.net/pricing, or under custom quotes for enterprise customers. Certain features may be available free of charge within specified limits.

5.2 Billing Cycle

SaaS fees are billed in advance on a monthly or annual cycle depending on your selected plan, unless otherwise agreed.

5.3 Auto-Renewal

Unless you cancel before the end of the current billing cycle, your subscription will automatically renew for the same cycle at the then-current price. CyStack will send renewal notice **at least 30 days in advance** for annual plans and **at least 7 days in advance** for monthly plans, via your registered email.

5.4 Price Changes

CyStack may adjust pricing. New prices will apply to the next billing cycle and will be communicated at least 30 days in advance. If you do not agree with the new pricing, you may cancel the Services before the new cycle begins.

5.5 Taxes

Fees are exclusive of value-added tax (VAT) and other applicable taxes unless otherwise stated. You are responsible for paying all taxes due under applicable law.

5.6 Professional Services

Fees for Professional Services are specified in the applicable SOW or service agreement, including scope, timeline, and payment terms.

6. Cancellation and Refunds

6.1 Cancellation by Customer

You may cancel your SaaS subscription at any time through your account dashboard. Cancellation takes effect at the end of the current billing cycle. You retain access to the Services until the end of the paid period.

6.2 Refunds

Fees paid are non-refundable, except in the following cases:

CyStack fails to deliver the Services as committed for a continuous period exceeding the applicable SLA (if any).

Applicable law requires a refund.

CyStack elects to issue a refund at its sole discretion in exceptional circumstances.

6.3 Termination by CyStack

CyStack may suspend or terminate your access to the Services if:

You breach these Terms and fail to cure within 15 days of written notice.

You fail to pay fees due within 30 days of the due date.

Applicable law requires CyStack to cease providing the Services to you.

Continued provision creates a serious security risk or impacts other users.

7. Customer Data

7.1 Ownership

You own all Customer Data. CyStack claims no ownership rights over Customer Data. Nothing in these Terms transfers ownership of your data to CyStack.

7.2 Limited License

You grant CyStack the right to access, process, and store Customer Data to the extent necessary to provide, maintain, and improve the Services. This license terminates automatically upon expiration or termination of the service agreement, subject to the retention terms in the Privacy Policy.

7.3 Data Export

During your use of the Services and for 30 days after termination, you may request export of your Customer Data in a standard format. After this 30-day period, CyStack may delete Customer Data in accordance with the Privacy Policy.

7.4 Data Protection

CyStack processes personal data in accordance with the Privacy Policy and applicable data protection laws, including Vietnam's Law on Personal Data Protection (Law No. 91/2025/QH15), Decree 356/2025/NĐ-CP, and the GDPR for users in the EEA.

8. Intellectual Property

8.1 CyStack's Rights

CyStack owns all intellectual property rights in the Services, including software, interfaces, algorithms, documentation, designs, trademarks, logos, and domain names. Nothing in these Terms transfers any of CyStack's intellectual property rights to you, other than the limited right of use granted in Section 4.

8.2 Restrictions

You may not copy, modify, reverse engineer, decompile, create derivative works from, or use CyStack's trademarks, logos, or domain names without prior written consent.

8.3 Customer Reference

For organizational customers, you agree that CyStack may use your company name and logo in customer lists, marketing materials, and public communications solely to identify you as a CyStack customer. You may revoke this consent at any time by written notice to CyStack.

9. Service Availability and Updates

9.1 Availability

CyStack endeavors to maintain continuous Service availability but does not guarantee uninterrupted operation. Scheduled maintenance will be communicated at least 24 hours in advance via email or in-product notification, except for emergency maintenance to address security incidents.

9.2 Updates

CyStack may update, upgrade, or modify the Services to improve functionality, performance, and security. Updates may be applied automatically. If an update materially affects functionality or compatibility, CyStack will provide at least 7 days' advance notice.

9.3 Discontinuation

If CyStack decides to discontinue a product or feature, CyStack will provide at least 90 days' notice and assist you with data export or transition.

10. Product-Specific Terms

10.1 Locker Password Manager

Locker uses end-to-end encryption with a zero-knowledge architecture. CyStack cannot access your Master Password or vault data in decrypted form.

You are responsible for safeguarding your Master Password. If lost, CyStack cannot recover your vault data.

You may not use Locker to store content that violates applicable law.

10.2 CyStack Endpoint

CyStack Endpoint collects device-level data necessary for endpoint protection and DLP functions, within the scope configured by your organization's administrator.

Organizations deploying CyStack Endpoint are responsible for ensuring compliance with labor laws and privacy regulations in their jurisdiction, including employee notification where required.

10.3 WhiteHub

Organizations participating in Bug Bounty programs on WhiteHub are responsible for defining program scope, reward policies, and report responses.

Security researchers using WhiteHub must comply with the code of conduct and Responsible Disclosure policies of each program.

CyStack operates as an intermediary platform and is not responsible for the content of vulnerability reports or organizations' reward decisions.

10.4 VulnScan & Data Leak Detection

You may only use VulnScan to scan assets you own or are legally authorized to test.

Scan results are provided "as-is." CyStack does not guarantee detection of all vulnerabilities or security risks.

11. Limitation of Liability

11.1 Disclaimer

The Services are provided “as is” and “as available.” CyStack disclaims all warranties, express or implied, including fitness for a particular purpose, non-infringement, and uninterrupted or error-free operation. Use is at your own risk.