Effective April 14, 2026

Terms of Service.

These Terms of Service (the “Terms”) form a binding agreement between you (“Customer,” “you”) and Toadstool Labs LLC, a Delaware limited liability company doing business as “Toshiku” (“Toshiku,” “we,” “us”). By creating an account, submitting a domain, purchasing a snapshot, enabling monitoring, paying a fee, or otherwise using our services, you accept these Terms on behalf of yourself and the entity you represent. If you do not agree, do not use the Services.

Contents
  1. The Services
  2. Verification Tiers & Scope
  3. Customer Responsibilities
  4. Acceptable Use
  5. AI, Attribution & Human Review
  6. Sensitive Findings & Monitoring Gate
  7. Fees, Renewal, Cancellation
  8. Confidentiality & Handling of Exposed Data
  9. Intellectual Property
  10. No Warranties
  11. Limitation of Liability
  12. Indemnification
  13. Suspension; Termination
  14. Force Majeure
  15. Compliance Disclaimer
  16. Governing Law
  17. Arbitration; Class Waiver
  18. Changes
  19. Miscellaneous

1. The Services

We provide outside-in security visibility services, including public-footprint reviews, external attack surface inventory, passive exposure analysis, internet-facing posture snapshots, and related written findings, reports, dashboards, alerts, or exports (collectively, the “Services” and “Reports”).

Unless we expressly agree otherwise in writing, the entry-tier Services are based on public data, passive collection, and probabilistic attribution. They are designed to help identify likely associated assets and externally observable risk signals. They are not a full penetration test, not exploit validation, not an exhaustive security assessment, and not a certification or guarantee of security.

Reports are for your internal business use only. Reports describe what we observed or inferred during a defined period using defined methods and available data. They do not describe everything that exists, everything that could be found, or everything an attacker could do.

2. Verification Tiers & Scope

We may offer different capabilities depending on the level of ownership verification you complete.

  • Unverified tier. We may provide a limited public snapshot based on public data and passive collection. Asset association in this tier is best-effort probabilistic attribution only.
  • Light verification. DNS TXT, file token, or equivalent verification may unlock richer reporting, recurring monitoring, alerts, historical change tracking, or more detailed findings.
  • Strong verification / contract. Active scanning, exploit checks, cloud connector ingestion, managed remediation, or any materially more intrusive or higher-sensitivity service requires additional verification and, where we require it, a separate written agreement.

You represent and warrant, on a continuing basis, that any domain, asset, system, application, account, dataset, endpoint, or organization you submit to us (each, a “Target”) is submitted accurately, lawfully, and with all required authority and consents. You will notify us immediately if any submission is inaccurate, stale, incomplete, disputed, or no longer authorized.

We may rely on your representations without independent investigation, may require verification at any time, and may refuse, suspend, limit, redact, or terminate any Service if ownership, authorization, sensitivity, legality, or risk is unclear.

3. Customer Responsibilities

You are solely responsible for:

  • reviewing Reports promptly and validating ownership of any likely associated asset before acting on it;
  • operating, securing, patching, and remediating your own systems;
  • maintaining your own security program, monitoring, backups, redundancy, and disaster recovery;
  • using the Services as one input into that program and not as your sole security control;
  • deciding what to disclose to auditors, regulators, customers, employees, or third parties;
  • complying with all laws, contracts, notices, and policies applicable to your business; and
  • the acts and omissions of your personnel, contractors, and agents.

4. Acceptable Use

You will not use the Services to impersonate a third party, to claim ownership you do not have, to monitor or investigate a person or organization without lawful basis, to harass any person, to evade lawful access controls, to compete with us through scraping or replication, or to perform any activity prohibited by law. We may immediately suspend or terminate the Services for any actual or suspected violation, without refund and without liability.

5. AI, Attribution & Human Review

The Services rely on artificial intelligence, machine learning, automated tooling, public datasets, internet telemetry, and human review. These methods can be incomplete, inaccurate, stale, ambiguous, biased, or wrong.

In particular, ownership and asset association may be inferred from DNS records, certificates, content, naming patterns, historical data, IP information, or other external signals. Those signals are often probabilistic rather than definitive. Unless and until you verify ownership to our satisfaction, any identified asset should be treated as “likely associated” only, with the confidence level or context we provide.

Human review is best-effort and does not transform any output into a guarantee, certification, legal conclusion, or assurance of any kind.

6. Sensitive Findings & Monitoring Gate

We may require verification before showing, exporting, or enabling access to higher-sensitivity findings or capabilities, including findings involving exposed files, credentials, access tokens, employee accounts, personal data, internal documents, breach or credential intelligence, organization-wide inventory, recurring monitoring, alerts, change tracking, or similar sensitive information or workflows.

Until the required verification is complete, we may withhold, redact, summarize, hash, truncate, delay, or decline to provide such findings or capabilities in our sole discretion. We may also require a separate contract or additional review before enabling continuous monitoring or any higher-risk service.

7. Fees, Renewal, Cancellation

Fees are stated on our pricing page or order flow and are exclusive of taxes, withholdings, duties, and bank charges, all of which are your responsibility. Subscriptions renew automatically each billing period until cancelled. You may cancel at any time, effective at the end of the current period. All fees are non-refundable, except where refund is required by law or expressly promised by us in writing. We may change pricing on thirty (30) days’ notice. Continued use after the effective date constitutes acceptance. Late amounts accrue interest at 1.5% per month or the maximum permitted by law, whichever is lower.

8. Confidentiality & Handling of Exposed Data

Each party will protect the other party’s non-public information disclosed in connection with the Services using at least reasonable care and will use it only to perform or receive the Services. This obligation does not apply to information that becomes public through no fault of the receiving party, was independently developed without use of the disclosing party’s information, was lawfully received from a third party, or must be disclosed by law or legal process.

If the Services surface publicly accessible files, credentials, tokens, personal data, secrets, buckets, or other sensitive content, we may access, process, retain, and disclose that material only as reasonably necessary to confirm the exposure, reduce abuse, comply with law, protect rights or safety, or report the issue to you. We may minimize collection, avoid unnecessary downloading, redact or hash values, restrict internal access, suppress detail, and delete or de-identify material when no longer reasonably needed for those purposes.

You acknowledge that some exposed content may already be public when discovered and that we do not assume responsibility for the original exposure or for third-party access to such content.

9. Intellectual Property

We retain all right, title, and interest in our methods, models, software, dashboards, infrastructure, documentation, report templates, and any improvements to the foregoing, including all intellectual property rights therein. Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to use Reports for your internal business purposes.

You retain rights to your data. You grant us a worldwide, royalty-free, sublicensable license to host, copy, transmit, display, and process your data and Targets as needed to provide, maintain, secure, and improve the Services, and to create de-identified and aggregated data, which we may use for any lawful purpose, including benchmarking and model improvement, in perpetuity.

Any feedback, suggestions, or ideas you provide are non-confidential, and you assign all rights in such feedback to us.

10. No Warranties

THE SERVICES, REPORTS, DASHBOARDS, ALERTS, AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITH ALL FAULTS. TO THE MAXIMUM EXTENT PERMITTED BY LAW, TOSHIKU DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, QUIET ENJOYMENT, AND ANY WARRANTY ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

WITHOUT LIMITING THE FOREGOING, WE DO NOT WARRANT THAT ANY IDENTIFIED ASSET IS COMPLETE, CORRECTLY ATTRIBUTED, OR DEFINITIVELY YOURS ABSENT CUSTOMER VERIFICATION; THAT THE SERVICES WILL DETECT ALL OR ANY PARTICULAR EXPOSURES, RISKS, VULNERABILITIES, OR THREATS; THAT REPORTS WILL BE ERROR-FREE; THAT THE ABSENCE OF FINDINGS MEANS THE ABSENCE OF RISK; THAT YOUR SYSTEMS WILL BE OR REMAIN SECURE; THAT YOU WILL PASS ANY AUDIT, ASSESSMENT, OR CERTIFICATION; OR THAT ANY SERVICE WILL BE TIMELY, UNINTERRUPTED, OR FREE OF DEFECT.

THE SERVICES ARE NOT A SUBSTITUTE FOR PENETRATION TESTING, SECURITY MONITORING, INCIDENT RESPONSE, ACCESS CONTROL, PATCH MANAGEMENT, EMPLOYEE TRAINING, OR ANY OTHER SECURITY CONTROL. NO ADVICE OR INFORMATION OBTAINED FROM US, ORAL OR WRITTEN, CREATES ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS.

11. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL TOSHIKU, ITS AFFILIATES, OR ITS OR THEIR DIRECTORS, OFFICERS, EMPLOYEES, CONTRACTORS, OR AGENTS BE LIABLE FOR ANY (A) INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES; (B) LOSS OF PROFITS, REVENUE, GOODWILL, BUSINESS, CUSTOMERS, OPPORTUNITY, ANTICIPATED SAVINGS, USE, OR DATA; (C) DAMAGES ARISING FROM ANY SECURITY INCIDENT, BREACH, EXPLOIT, INTRUSION, MISIDENTIFICATION, INACCURATE ATTRIBUTION, MISSED ASSET, FALSE POSITIVE, OR CUSTOMER RELIANCE ON ANY REPORT; (D) DAMAGES ARISING FROM SERVICE INTERRUPTION, DATA LOSS, OR DATA CORRUPTION; OR (E) COSTS OF PROCURING SUBSTITUTE GOODS OR SERVICES, IN EACH CASE WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, STATUTE, OR OTHERWISE.

THE TOTAL CUMULATIVE LIABILITY OF TOSHIKU, ITS AFFILIATES, AND ALL SUCH PERSONNEL FOR ANY AND ALL CLAIMS ARISING OUT OF OR RELATED TO THE SERVICES OR THESE TERMS, IN THE AGGREGATE, WILL NOT EXCEED THE GREATER OF (i) THE FEES YOU ACTUALLY PAID TO US IN THE THREE (3) MONTHS IMMEDIATELY PRECEDING THE EVENT FIRST GIVING RISE TO THE CLAIM OR (ii) ONE HUNDRED U.S. DOLLARS ($100). THIS CAP IS AGGREGATE ACROSS ALL CLAIMS, COUNTERPARTIES, AND THEORIES.

THESE LIMITATIONS APPLY EVEN IF ANY LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE. THE PARTIES AGREE THESE LIMITATIONS ARE A FUNDAMENTAL BASIS OF THE BARGAIN AND THAT FEES WOULD BE MATERIALLY HIGHER WITHOUT THEM. ANY CLAIM ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICES MUST BE BROUGHT WITHIN ONE (1) YEAR AFTER THE CLAIM ACCRUES OR IT IS PERMANENTLY BARRED.

12. Indemnification

You will defend, indemnify, and hold harmless Toshiku, its affiliates, and their respective directors, officers, employees, contractors, and agents from and against any claim, demand, loss, liability, damage, judgment, settlement, fine, fee, cost, or expense (including reasonable attorneys’ fees) arising out of or related to:

  • any Target, organization, or asset you submitted without full authority or lawful basis;
  • your breach of Section 2 (Verification Tiers & Scope), Section 3 (Customer Responsibilities), or Section 4 (Acceptable Use);
  • any data, content, credentials, or instructions you provided to us;
  • your use of, or reliance on, any Service or Report;
  • any third-party claim relating to your systems, products, services, vendors, or end users; or
  • your violation of any law, regulation, contract, or third-party right.

We may, at our option, take exclusive control of the defense and settlement of any such claim at your expense. You will not settle any claim that imposes any obligation on us without our prior written consent.

13. Suspension; Termination

We may suspend or terminate the Services or your account at any time, with or without notice, for any reason or no reason, including suspected violation of these Terms, unclear ownership, unresolved sensitivity concerns, legal risk, risk to other customers, risk to us, or non-payment. Upon termination, your right to use the Services and Reports ends. Sections that by their nature should survive termination will survive, including Sections 2, 3, 7, 8, 9, 10, 11, 12, 15, 16, 17, and 19.

14. Force Majeure

We are not liable for any delay, interruption, or failure to perform caused by events beyond our reasonable control, including acts of God, war, terrorism, civil unrest, labor disputes, internet or network failures, cyberattacks, third-party service failures, governmental actions, public health events, or natural disasters.

15. Compliance Disclaimer

We are not your auditor, lawyer, accountant, or compliance advisor. Nothing we provide constitutes legal, regulatory, audit, accounting, financial, insurance, or compliance advice. Use of the Services does not certify your compliance with SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, or any other standard, framework, or law. References to compliance frameworks describe how a Report may be organized for convenience only, not a representation of certification, completeness, or sufficiency. You are solely responsible for engaging qualified professionals as needed.

16. Governing Law

These Terms are governed by the laws of the State of Delaware, without regard to its conflict-of-laws rules. The United Nations Convention on Contracts for the International Sale of Goods does not apply. Subject to Section 17, the parties consent to the exclusive jurisdiction of the state and federal courts located in New Castle County, Delaware, and waive any objection to venue or forum non conveniens.

17. Arbitration; Class Waiver; Jury Waiver

EXCEPT for claims for injunctive or equitable relief and claims for intellectual property infringement or misappropriation, any dispute, claim, or controversy arising out of or relating to these Terms or the Services will be resolved exclusively by final, binding, individual arbitration administered by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures, before a single arbitrator, in Wilmington, Delaware. Judgment on the award may be entered in any court of competent jurisdiction.

THE PARTIES EXPRESSLY WAIVE ANY RIGHT TO A TRIAL BY JURY AND ANY RIGHT TO PARTICIPATE IN A CLASS, COLLECTIVE, CONSOLIDATED, OR REPRESENTATIVE ACTION OR PROCEEDING. The arbitrator may not consolidate claims or preside over any form of class proceeding. If the class waiver in this Section is held unenforceable, then the entirety of this arbitration provision is null and void, but the remainder of these Terms remains in effect.

18. Changes to These Terms

We may revise these Terms at any time by posting an updated version. The “Effective” date will be updated. Material changes will be communicated through the Services or by email. Your continued use of the Services after the effective date constitutes acceptance of the revised Terms.

19. Miscellaneous

These Terms, together with our Privacy Policy and any order form executed between the parties, constitute the entire agreement between the parties with respect to the Services and supersede all prior or contemporaneous agreements, proposals, and communications. Any conflicting or additional terms in your purchase order or other procurement document are rejected and have no effect.

If any provision of these Terms is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its intent. We may assign these Terms freely, including in connection with a merger, acquisition, or sale of assets; you may not assign these Terms without our prior written consent, and any attempted assignment in violation of this provision is void. No waiver of any provision will be effective unless in writing, and no waiver constitutes a continuing waiver. There are no third-party beneficiaries. The relationship of the parties is that of independent contractors. Headings are for convenience only.

Contact

Toadstool Labs LLC
legal@toshiku.com

© 2026 Toadstool Labs LLC