Legal

Terms of Service

Last updated: May 20, 2026

Note: These terms are provided as a reasonable starting point. Cavexia should review them with qualified legal counsel before relying on them for compliance purposes (GDPR, CCPA, SOC 2, Stripe requirements, etc.).

These Terms of Service ("Terms") govern your access to and use of the Cavexia platform, including the website at https://cavexia.com, the REST API, and all related services (collectively, the "Service"), provided by Cavexia ("we", "us", or "our"). Please read these Terms carefully before using the Service.

1. Acceptance of terms

By accessing or using the Service, you agree to be bound by these Terms and our Privacy Policy. If you do not agree to these Terms, you may not use the Service.

If you are using the Service on behalf of an organization, you represent and warrant that you have authority to bind that organization to these Terms, and references to "you" include both you as an individual and that organization.

2. Description of service

Cavexia provides a security analysis platform for Model Context Protocol (MCP) configurations. The Service includes:

  • A web-based scanner that analyzes MCP config files for known vulnerabilities, tool poisoning patterns, malicious packages, and supply-chain risks.
  • A REST API for programmatic access to scanning, threat-intel data, and monitoring features.
  • Continuous monitoring for registered MCP configs, with alerting on new findings.
  • A threat-intelligence feed aggregating CVEs, malicious package reports, and security research relevant to the MCP ecosystem.

The Service is provided for informational and security research purposes. Scan results represent the output of automated heuristics and known-vulnerability databases; they do not constitute a complete security audit or guarantee of safety.

3. Accounts and registration

Some features of the Service require a registered account. You agree to:

  • Provide accurate, current, and complete information during registration.
  • Maintain the security of your password and API keys. You are responsible for all activity under your account.
  • Notify us immediately at legal@cavexia.com if you suspect unauthorized access to your account.
  • Not share your account credentials or API keys with unauthorized parties.

You must be at least 13 years old (or the age of digital consent in your jurisdiction) to create an account. Accounts may not be created by automated means without our express written consent.

4. Acceptable use

You agree to use the Service only for lawful purposes and in accordance with these Terms. You must not:

  • Submit MCP configs containing malicious code intended to compromise Cavexia infrastructure.
  • Attempt to reverse-engineer, circumvent, or exploit the Service's security measures or rate-limit controls.
  • Use the Service to scan systems or infrastructure you do not own or do not have explicit written permission to scan.
  • Use automated tools to scrape, crawl, or mass-download threat-intel data beyond normal API usage patterns.
  • Resell or redistribute raw API responses as a competing service without a written reseller agreement.
  • Impersonate any person or entity or falsely represent your affiliation.
  • Submit false vulnerability reports to the threat-intel feed with the intent to harm third-party package maintainers.
  • Use the Service in any way that could damage, overload, or impair the platform's availability.

We reserve the right to terminate or suspend access for violations of this section at our sole discretion.

5. API access and rate limits

Access to the API is subject to the rate limits and quotas specified in your plan. Current limits are described in our API documentation.

  • Anonymous (unauthenticated) requests are rate-limited per IP address.
  • Authenticated requests are rate-limited per API key, per the terms of your subscription plan.
  • Exceeding your monthly API quota will result in 429 responses until the quota resets or you upgrade your plan.
  • We reserve the right to adjust rate limits to ensure fair use and service stability, with reasonable advance notice.

API keys must be kept confidential. You are responsible for all API usage attributed to your keys, including accidental or unauthorized use. Rotate compromised keys immediately via the dashboard.

6. Payment and subscriptions

Paid plans are billed monthly or annually in advance. Payments are processed by Stripe. By providing payment information, you authorize us to charge the applicable fees.

  • Subscriptions auto-renew at the end of each billing period unless cancelled.
  • You may cancel your subscription at any time from the billing portal. Cancellation takes effect at the end of the current billing period — no prorated refunds are issued for partial periods.
  • We may change plan pricing with 30 days' notice. Continued use after the effective date constitutes acceptance.
  • All fees are exclusive of applicable taxes. You are responsible for taxes arising from your use of the Service.
  • Unpaid invoices may result in suspension of your account after a grace period of 7 days.

Enterprise plans are governed by a separate order form or Master Service Agreement (MSA). In the event of conflict between these Terms and an executed MSA, the MSA controls.

7. Intellectual property

The Service and all its original content, features, and functionality are owned by Cavexia and are protected by copyright, trademark, and other intellectual property laws.

We grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service solely for your internal security purposes in accordance with these Terms.

You retain ownership of all MCP configs and other content you submit to the Service. You grant us a limited license to process that content for the sole purpose of providing the Service to you. We do not claim any ownership of your configs.

8. Your data and content

You are responsible for the MCP configs and other content you submit. By submitting content, you represent that you have the rights to do so and that the content does not violate any applicable laws or third-party rights.

We process and store your content as described in our Privacy Policy. Anonymous scan inputs are discarded within 60 seconds of completion and are never stored.

Scan results, findings, and monitoring data generated from your configs belong to you. We may use aggregated, anonymized statistical data (e.g., "percentage of scanned configs containing toolPoisoning patterns") for product improvement and public research — but we will never publish data that identifies you or your specific configs.

9. Confidentiality

Each party may have access to confidential information of the other party in connection with the Service. "Confidential Information" means any information marked as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure.

Each party agrees to: (a) hold the other party's Confidential Information in strict confidence; (b) use it only to fulfill obligations under these Terms; and (c) not disclose it to third parties except as required by law or with prior written consent. These obligations survive termination.

10. Disclaimer of warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

WE DO NOT WARRANT THAT: (A) THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE; (B) SCAN RESULTS WILL BE ACCURATE, COMPLETE, OR CURRENT; (C) THE SERVICE WILL DETECT ALL VULNERABILITIES IN YOUR MCP CONFIGURATION; OR (D) ANY DEFECTS WILL BE CORRECTED.

Scan results are produced by automated analysis and are not a substitute for professional security review. You are solely responsible for decisions made based on scan output.

11. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL CAVEXIA, ITS OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES — INCLUDING LOSS OF PROFITS, DATA, GOODWILL, OR BUSINESS INTERRUPTION — ARISING OUT OF OR RELATED TO YOUR USE OF THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

OUR TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING UNDER OR RELATED TO THESE TERMS SHALL NOT EXCEED THE GREATER OF: (A) THE AMOUNT YOU PAID TO CAVEXIA IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM; OR (B) ONE HUNDRED US DOLLARS (US$100).

Some jurisdictions do not allow the exclusion of certain warranties or the limitation of liability for certain damages. In those jurisdictions, the above limitations may not apply to the extent required by law.

12. Indemnification

You agree to indemnify, defend, and hold harmless Cavexia and its affiliates, officers, directors, employees, and agents from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses, or fees (including reasonable attorneys' fees) arising out of or relating to:

  • Your violation of these Terms.
  • Your use of the Service in a manner not authorized by these Terms.
  • Any content you submit to the Service that infringes on third-party rights or applicable law.

13. Termination

Either party may terminate this agreement at any time. You may terminate by deleting your account; we may terminate or suspend your access immediately, without prior notice or liability, for any reason, including a material breach of these Terms.

Upon termination: (a) your right to use the Service ceases immediately; (b) we will delete your account data within 30 days, subject to legal retention requirements; (c) accrued payment obligations survive termination; and (d) sections 7, 10, 11, 12, 14, and this section survive.

14. Governing law and disputes

These Terms are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-law provisions. You agree to resolve any disputes arising from these Terms or the Service in the state or federal courts located in Delaware.

Informal resolution: Before filing a formal dispute, you agree to contact us at legal@cavexia.com and attempt to resolve the matter informally for at least 30 days.

Class action waiver: To the extent permitted by law, disputes must be brought on an individual basis; you waive any right to bring claims as a class or representative action.

15. Changes to these terms

We reserve the right to modify these Terms at any time. For material changes, we will provide at least 30 days' notice by posting the revised Terms on this page and, where appropriate, by email. The "Last updated" date at the top of this page reflects the most recent revision.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Terms. If you do not agree to the new Terms, you must stop using the Service before the effective date.

16. Contact

Questions about these Terms? Contact us: