
Terms & Conditions

Effective Date: April 5, 2026 · Custodia, LLC · Pittsburgh, PA

These Terms and Conditions ("Agreement" or "Terms") constitute a legally binding contract between you ("User," "you," or "your") and Custodia, LLC ("Custodia," "we," "us," or "our"), a Pennsylvania limited liability company with its principal place of business in Pittsburgh, Pennsylvania. By creating an account, installing the CLI, or otherwise accessing or using custodia.dev and all related services, APIs, and software (collectively, the "Service"), you agree to be legally bound by these Terms. If you do not agree, do not use the Service.

Please read these Terms carefully, including the Disclaimer of Warranties (Section 12), Limitation of Liability (Section 13), and Governing Law / Dispute Resolution (Section 18), which materially affect your legal rights.

1. Acceptance; Age & Eligibility

You must be at least 18 years of age and have the legal authority to enter into this Agreement on behalf of yourself or the organization you represent. By using the Service, you represent and warrant that you meet these requirements.

The Service is currently offered exclusively within the United States. By using the Service, you represent that you are located in the United States or are a U.S. person accessing the Service for authorized business purposes. Access from outside the United States is not supported and may be restricted without notice.

2. Description of Service

Custodia provides automated cybersecurity scanning, vulnerability reporting, dependency CVE analysis, auto-fix tooling, monthly scheduled security posture reports, and SOC 2 readiness assessment services for software development teams. The Service is delivered via:

The Service provides security analysis and advisory output. It is not a guarantee of security. All scan results, findings, scores, and remediation recommendations are informational only. See Section 12 (Disclaimer of Warranties) for the full scope of this limitation.

3. Account Registration

To access most features, you must register for an account. Account authentication is managed by Clerk, Inc. You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account. You agree to:

4. Subscription Plans, Billing & Payment

4.1 Plans

Custodia offers a free tier and paid subscription plans (currently Pro at $39/month, Team at $89/month, and Business at $249/month) with different usage quotas and feature sets. Plan details, including scan credits, diff scan limits, auto-fix credits, and scheduled scan limits, are displayed on the pricing page and in the dashboard. Custodia reserves the right to modify plan pricing or features with 30 days' advance notice to active paid subscribers.

4.2 Billing Cycles & Renewal

Paid subscriptions are billed monthly in advance through Stripe. Your billing cycle begins on the date you upgrade to a paid plan and renews automatically each month unless cancelled. Quotas (scan credits, diff scans, auto-fix credits) reset at the start of each billing cycle. Unused quota does not carry over to the next cycle.

4.3 Cancellation

You may cancel your paid subscription at any time from the Custodia dashboard. Upon cancellation, you will retain access to your paid plan features through the end of the current billing period. No partial-month refunds are provided for cancellations mid-cycle.

4.4 Refund Policy

Subscription fees are non-refundable except in the following circumstances:

The SOC 2 Scanner one-time purchase ($295) is non-refundable once the analysis pipeline has been initiated. If the pipeline fails to complete due to a Custodia system error, you will receive a full refund or a complimentary re-run.

4.5 Service Availability

Custodia targets high availability but does not guarantee uninterrupted service. The Service depends on upstream providers including Anthropic (AI inference), Neon (database), and Vercel (hosting). We will not issue refunds or credits for outages caused by third-party infrastructure providers unless the outage renders the Service completely non-functional for more than 24 continuous hours within a billing period.

5. Free Tier

The free tier is provided at no charge and includes limited scan credits, diff scans, and basic security features as posted on the pricing page. Free tier is provided "as is" with no SLA or uptime commitment. Custodia reserves the right to modify, throttle, or discontinue free tier access at any time with reasonable notice. The free tier is intended for individual developers evaluating the Service; commercial use at scale requires a paid plan.

6. Acceptable Use

You agree to use the Service only for lawful purposes and in accordance with these Terms. You agree not to:

Violation of these Acceptable Use terms may result in immediate account suspension or termination at Custodia's discretion, without refund of prepaid fees.

7. No Write Access; Read-Only Observer

Custodia operates exclusively as an external, read-only observer. Custodia does not have, request, or accept write access, deploy access, or edit access to your codebase, servers, CI/CD pipelines, cloud infrastructure, or production environments.

Source code submitted for scanning is transmitted by you through the CLI. Any code changes resulting from Custodia's recommendations are applied solely by you through your own tooling, commit workflow, or by explicitly invoking custodia fix --pr to open a GitHub pull request — a pull request that requires your own review and merge authorization. Custodia cannot and does not alter your production systems.

The only exception is the optional GitHub OAuth connection for the SOC 2 Scanner, which grants read-only repository access (repo scope) for file fetching during analysis. This connection is voluntary, revocable at any time, and never used to push, modify, or delete repository content.

8. Your Code & Data

You retain full ownership of your source code, repositories, and all data you submit to the Service. By using the Service, you grant Custodia a limited, non-exclusive, non-transferable license to process your submitted code solely for the purpose of performing the security analysis you requested. This license is strictly limited to the inference operation and ends immediately upon completion of the scan. Custodia does not acquire any ownership or license rights to your code or its outputs beyond what is necessary to deliver the Service.

You represent and warrant that you have the legal right to submit the code you scan and that doing so does not violate any third-party intellectual property rights, confidentiality agreements, or applicable law.

Auto-Fix feature: When you use the Auto-Fix feature (custodia fix), the source files containing security findings are transmitted to Anthropic's API for AI-powered remediation. This transmission is subject to Anthropic's privacy policy and Data Processing Agreement. Custodia does not store your source code at any point during this process. You use the Auto-Fix feature at your own risk and acknowledge that your source code will pass through Anthropic's inference infrastructure. Do not use Auto-Fix on code you are not authorized to transmit to third-party AI services.

9. API Keys & CLI Usage

API keys are issued per account and are subject to your plan's key limit. You are responsible for all API usage that occurs under your keys. API keys must not be shared publicly, committed to public repositories, or distributed to unauthorized parties. Custodia is not liable for scan quota consumption, billing charges, or data exposure resulting from unauthorized use of a key you failed to secure.

If you believe an API key has been compromised, revoke it immediately from the dashboard and generate a new one. Custodia cannot reverse quota consumption that occurred before revocation.

10. Anonymized Research Analytics

By using the Service, you acknowledge and agree that Custodia collects fully anonymized, non-identifiable security analytics from completed scans as described in the Privacy Policy, Section 2.8. This data — which contains no source code, repo names, user identifiers, or file paths — is used to produce Custodia's annual "State of Code Security" public research report and to improve the accuracy and coverage of the scan pipeline.

You may opt out of research analytics inclusion by contacting support@custodia.dev. Opting out does not affect Service functionality.

11. Intellectual Property

All rights, title, and interest in and to the Custodia platform, including the web application, CLI, AI pipeline architecture, scan prompts, scoring methodology, report formats, trademarks, and all associated documentation, are the exclusive property of Custodia, LLC. Nothing in these Terms grants you any right to use Custodia's intellectual property except to the limited extent necessary to use the Service as intended.

Scan reports generated for your repositories are owned by you. You may use, share, and publish your own Custodia security reports without restriction.

12. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CUSTODIA, LLC EXPRESSLY DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE.

CUSTODIA DOES NOT WARRANT THAT: (a) THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR AVAILABLE AT ANY PARTICULAR TIME; (b) SCAN RESULTS WILL BE COMPLETE, ACCURATE, OR FREE FROM FALSE POSITIVES OR FALSE NEGATIVES; (c) ALL VULNERABILITIES IN YOUR CODEBASE WILL BE DETECTED; (d) REMEDIATION PROMPTS OR AUTO-FIX OUTPUTS WILL BE CORRECT, SECURE, OR SUITABLE FOR YOUR SPECIFIC ENVIRONMENT; OR (e) THE SERVICE WILL MEET ANY SPECIFIC COMPLIANCE OR REGULATORY REQUIREMENT.

SECURITY SCAN RESULTS ARE ADVISORY ONLY. YOU ARE SOLELY RESPONSIBLE FOR REVIEWING, VALIDATING, TESTING, AND APPROVING ALL SECURITY FINDINGS AND CODE CHANGES BEFORE DEPLOYING THEM TO YOUR SYSTEMS. CUSTODIA'S OUTPUT DOES NOT CONSTITUTE A PROFESSIONAL SECURITY AUDIT, LEGAL ADVICE, OR COMPLIANCE CERTIFICATION.

13. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL CUSTODIA, LLC, ITS MEMBERS, MANAGERS, OFFICERS, EMPLOYEES, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, BUSINESS OPPORTUNITY, OR GOODWILL, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF CUSTODIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CUSTODIA'S TOTAL CUMULATIVE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICE, WHETHER IN CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE, SHALL NOT EXCEED THE GREATER OF: (a) THE TOTAL FEES PAID BY YOU TO CUSTODIA IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY; OR (b) ONE HUNDRED DOLLARS ($100.00 USD).

THIS LIMITATION OF LIABILITY IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN YOU AND CUSTODIA. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU IN FULL.

14. Indemnification

You agree to defend, indemnify, and hold harmless Custodia, LLC, its members, managers, officers, employees, agents, and affiliates from and against any claims, liabilities, damages, judgments, awards, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) your violation of these Terms; (b) your use or misuse of the Service; (c) your violation of any third-party rights, including intellectual property rights or privacy rights; (d) your submission of code or data you did not have the right to submit; or (e) any security breach or data loss in your systems, whether or not Custodia scan output was involved.

15. Account Termination & Suspension

By you: You may terminate your account at any time by deleting it from the dashboard or by contacting support. Upon termination, your access to the Service will cease. Fees paid for the current billing period are non-refundable.

By Custodia: We reserve the right to suspend or terminate your account, with or without notice, if we determine in good faith that you have violated these Terms, engaged in fraud or abuse of the Service, or if continued access poses a risk to the Service or other users. For terminations not based on violations, we will provide 30 days' advance notice and a pro-rata refund of prepaid subscription fees.

Upon termination, the following sections of these Terms survive: Section 8 (Your Code & Data), Section 11 (Intellectual Property), Section 12 (Disclaimer of Warranties), Section 13 (Limitation of Liability), Section 14 (Indemnification), Section 18 (Governing Law), and Section 19 (Dispute Resolution).

16. Third-Party Services

The Service integrates with third-party providers including Clerk (auth), Anthropic (AI inference), Neon (database), Vercel (hosting), Resend (email), Stripe (payments), and GitHub (optional OAuth). Your use of these services is subject to their respective terms of service and privacy policies. Custodia is not responsible for the availability, accuracy, or practices of any third-party service.

17. Changes to the Service & These Terms

Custodia reserves the right to modify, update, or discontinue any aspect of the Service at any time. For material changes to these Terms, we will provide at least 14 days' advance notice via email to the address associated with your account, or by prominent notice on the website. Continued use of the Service after the effective date of any updated Terms constitutes your acceptance of the new Terms.

Plan pricing changes will be communicated at least 30 days in advance to active paid subscribers. Price changes do not take effect until the next renewal cycle.

18. Governing Law

These Terms shall be governed by and construed in accordance with the laws of the Commonwealth of Pennsylvania, without regard to its conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

19. Dispute Resolution; Venue

Informal Resolution: Before initiating any formal legal proceeding, you agree to attempt to resolve disputes informally by contacting Custodia at support@custodia.dev. Custodia will attempt to resolve the dispute within 30 days. This informal process is a prerequisite to filing any claim.

Venue: If informal resolution fails, any legal action or proceeding arising out of or related to these Terms or the Service shall be brought exclusively in the state or federal courts located in Allegheny County, Pennsylvania. You consent to the personal jurisdiction of such courts and waive any objection to inconvenient forum.

Class Action Waiver: You agree that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated, or representative action. You waive any right to participate in a class action lawsuit or class-wide arbitration against Custodia.

20. Miscellaneous

21. Contact

For questions regarding these Terms:

Custodia, LLC — Legal
Pittsburgh, Pennsylvania, USA
support@custodia.dev
© 2026 Custodia, LLC. All rights reserved.