Terms of Service
Last Updated: May 2, 2026
These Terms of Service (“Terms”) govern your access to and use of the Cloudarq cloud infrastructure auditing platform at cloudarq.net (the “Service”), operated by Abdallah Khaldi (“Cloudarq,” “we,” “us,” or “our”).
By creating an account or using the Service, you agree to these Terms. If you do not agree, do not use the Service.
1. Service Description
Cloudarq is a cloud infrastructure auditing platform that scans Amazon Web Services (AWS) accounts across six pillars: security, cost optimization, reliability, performance, operational excellence, and sustainability. The Service provides up to 169 automated infrastructure checks, finding reports, AI-powered remediation guidance, compliance mapping (CIS, SOC 2, HIPAA, PCI-DSS, NIST 800-53, ISO 27001, AWS Well-Architected), PDF/CSV/JSON exports, REST API access, and related features depending on your subscription tier.
2. Accounts and Registration
To use the Service, you must create an account with a valid email address and provide accurate information. You must be at least 18 years old and have the authority to bind the organization you represent. You are responsible for maintaining the confidentiality of your credentials and for all activity under your account. Notify us immediately at [email protected] if you become aware of unauthorized access.
3. AWS Access and Credentials
3.1 Authorization
By providing AWS credentials to Cloudarq, you represent and warrant that you own the AWS account or have explicit authorization from the account owner, that you have authority to permit read-only access, and that granting access does not violate any agreement, policy, or law applicable to you.
3.2 Read-Only Access
Cloudarq accesses your AWS infrastructure in read-only mode exclusively. We do not create, modify, delete, or write to any resources in your AWS environment.
3.3 Your Responsibility
You are responsible for ensuring credentials have appropriate minimal permissions, rotating or revoking credentials if you suspect compromise, and complying with AWS’s terms of service regarding third-party access.
4. Subscription Plans and Billing
4.1 Plans
Self-serve tiers (Starter, Pro, Max) are billed per AWS connection. One Cloudarq connection corresponds to one AWS account; a customer with multiple AWS accounts pays per account at the chosen tier and may mix tiers across connections. Organization and Enterprise are quote-driven and aggregate multiple AWS accounts under a single AWS Organizations management role.
- Starter (Free, per connection): 46 infrastructure checks, 2 scans/month, up to 50 resources, 1 team member, CIS compliance
- Pro ($79/month per connection): 108 infrastructure checks, 10 scans/month (max 2/week), up to 500 resources, 5 team members, AI remediation, CIS + SOC 2 + HIPAA compliance, delta reports, priority support
- Max ($199/month per connection): 169 infrastructure checks (full coverage), 50 scans/month (max 2/day), up to 2,000 resources, 10 team members, REST API access, all 7 compliance frameworks, Terraform/CloudFormation code generation, priority support
- Organization (custom quote): Everything in Max with cross-account dashboards under your AWS Organizations management role, OU grouping, pooled scans, custom compliance frameworks, evidence collection, expanded team seats, volume discount at 4+ member accounts (10 / 20 / 30% at 4 / 7 / 11+ accounts). Pricing is agreed during the sales conversation and memorialised in the order form — contact [email protected].
- Enterprise (custom quote): Unlimited resources, full compliance coverage, SSO, white-label, named technical contact, custom DPA, priority production support. Aggregates AWS accounts under your AWS Organizations management role. Contact sales.
Organization and Enterprise tiers are quote-driven. Any monthly amount, included-resources cap, and renewal terms are fixed in the signed order form; public pages do not publish a specific Organization or Enterprise list price so the figure on the order form and the figure communicated on the website cannot diverge.
Max-tier connections exceeding 2,000 resources are subject to an overage charge of $0.05 per resource per month for each resource beyond the threshold, billed against the specific connection that exceeded the cap. Organization-tier overage behaviour is defined in the applicable order form. We reserve the right to modify plans, pricing, and feature availability with 30 days' notice to existing subscribers.
4.2 Billing and Cancellation
Paid subscriptions are billed through Paddle.com Market Limited (“Paddle”), which acts as the Merchant of Record for your purchase. This means Paddle — not Cloudarq — is the legal seller of your subscription, even though the product is provided by Cloudarq. Your purchase is therefore subject to Paddle’s Buyer Terms in addition to these Terms.
Paddle handles payment processing, currency conversion, fraud screening, chargeback handling, and tax compliance globally (including VAT for EU/UK/Switzerland, GST for Australia / India / Singapore / Japan, US sales tax across all states, and other local indirect taxes). Tax is calculated and added at checkout based on your billing address; the figure displayed at checkout is the total amount charged. Your credit-card statement will read “Paddle.com” with a Cloudarq descriptor.
You may cancel at any time through your account settings or via Paddle’s customer portal. Cancellation takes effect at the end of the current billing period. We do not prorate refunds for partial billing periods; however, a new subscription that is cancelled within its first 14 days with fewer than two completed scans is eligible for a full refund through Paddle — contact [email protected] and we will process the refund via Paddle’s adjustments API. Full eligibility, exceptions (chargebacks, ToS violations, order-form refund clauses for Org / Enterprise), and the request process are documented in our Refund Policy, which is the operative document — this paragraph is the summary. If a payment fails, you have a 24-hour grace period to update your payment method before your subscription is downgraded.
We reserve the right to change payment processors on 30 days' notice delivered via in-app notification and email to the account’s billing contact. See /legal/subprocessors for the complete and current sub-processor list, including scheduled changes.
4.3 Free Tier
The free Starter tier is provided at our discretion. We reserve the right to modify or discontinue the free tier with reasonable notice.
4.4 Early-Adopter Program
The first 50 paying customers on monthly billing are eligible for a 25% discount on their Pro or Max subscription for 12 monthly billing cycles, subject to the following terms:
- Monthly billing only. The early-adopter discount is available on monthly-billed Pro and Max subscriptions. Annual cycles are not part of the program at launch. Organization and Enterprise tiers are custom-quoted and follow the order-form pricing on the relevant statement of work; the early-adopter discount does not apply to those tiers.
- Automatic expiry. The 25% discount applies to the first 12 monthly billing cycles measured from account activation. Beginning cycle 13, the subscription automatically reverts to list price at the then-current rate. We do not offer a lifetime-discount clause.
- Non-transferable. Early-adopter eligibility is tied to the originating Cloudarq account. It does not transfer on account merge, domain change, or acquisition.
- Slot allocation. Slots are allocated first-come-first-served. Once all 50 slots are claimed, the program closes; customers who cancel an early-adopter subscription do not free their slot for re-allocation.
- Optional case study. We may invite early-adopter customers to participate in a short written case study after account activation. Participation is optional and is not a condition of the discount.
Cloudarq may revoke early-adopter status for breach of these Terms or chargeback. Revoked subscribers continue at the original discounted rate through the end of the current billing cycle and revert to list price the following cycle.
5. Acceptable Use
You agree not to: scan AWS accounts you do not own or are not authorized to audit; circumvent usage limits or access controls; reverse engineer any part of the Service; use the Service to develop a competing product; share or resell account access; transmit malicious code or interfere with operations; or use the Service in violation of applicable law.
We reserve the right to suspend or terminate accounts that violate these terms without notice.
6. Intellectual Property
The Service, including its software, design, and branding, is owned by Cloudarq. You retain ownership of all data you provide. You grant us a limited license to process your data solely to provide and improve the Service. Reports generated by the Service are provided for your use and may be shared with your team, auditors, or stakeholders.
7. AI-Generated Content
The Service uses artificial intelligence to generate remediation suggestions, enriched finding descriptions, and infrastructure-as-code fixes (Terraform, CloudFormation). AI-generated content is provided for informational purposes only. It may contain inaccuracies and should not be treated as professional security, legal, or compliance advice. You are responsible for reviewing and validating any AI-generated recommendations before implementing them in your infrastructure.
7a. API Access
Max tier subscribers have access to the Cloudarq REST API. API keys are tied to your account and must be kept confidential. You are responsible for all activity performed through your API keys. API access is subject to rate limits. You may not use the API to build a competing product, resell access, or circumvent subscription tier limits. We may revoke API access for abuse or Terms violations.
8. Disclaimer of Warranties
The Service is provided “as is” and “as available” without warranties of any kind, whether express, implied, or statutory. We disclaim all warranties, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant that the Service will identify all vulnerabilities or misconfigurations, that results are complete or accurate at all times, that operation will be uninterrupted, or that compliance mapping constitutes a formal audit or certification.
9. Limitation of Liability
To the maximum extent permitted by law, Cloudarq shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of data, revenue, or profits, business interruption, security breaches, or costs incurred from implementing or failing to implement recommendations.
9.1 Tiered Aggregate Cap
Our total aggregate liability for all claims arising out of or relating to your use of the Service is capped as follows:
- Self-serve tiers (Starter, Pro, Max): the lesser of (i) the total subscription fees you paid to Cloudarq through Paddle in the twelve (12) months immediately preceding the event giving rise to the claim, or (ii) ten thousand US dollars (US$10,000).
- Organization and Enterprise tiers: the cap is set in your signed order form. Where the order form is silent, the self-serve cap above applies.
9.2 Carve-outs from the Cap
The cap in §9.1 does not apply to liability arising from: (a) wilful misconduct or gross negligence; (b) infringement of third-party intellectual property rights; (c) breach of confidentiality obligations; or (d) any liability that cannot be limited under applicable mandatory law (for example, certain consumer-protection rights and personal-injury claims). For these carve-outs, liability is determined by the underlying law, not by §9.1.
9.3 Acknowledgement
You acknowledge that the Service is an automated scanning tool that provides recommendations, not guarantees. It does not replace professional security audits, penetration testing, or compliance assessments performed by qualified third parties. The §18 service-specific terms below allocate further risk per product surface.
10. Indemnification
You agree to indemnify, defend, and hold harmless Cloudarq, its officers, employees, and agents from and against any claim, demand, loss, damage, cost, or expense (including reasonable legal fees) arising from or relating to:
- Misuse of the Service. Running scans against AWS accounts you do not own or are not authorised to audit. If the AWS account owner brings a claim against Cloudarq, you indemnify Cloudarq against that claim — you warranted authorisation in §3.1.
- Your content. Custom-framework definitions, white-label brand assets, uploaded logos, organisation-specific compliance mappings, and any other material you provide. If a third party claims your content infringes their intellectual property or violates their rights, the defence and any settlement are on you.
- Compliance representations to third parties. If you describe a Cloudarq dashboard as a SOC 2 attestation, ISO 27001 certification, PCI DSS qualified-assessor report, HIPAA audit, or any other formal certification — Cloudarq is none of those (see §18.3) — and a third party (auditor, customer, regulator) sues us for the misrepresentation, you indemnify us. Our compliance dashboards show mappings, not attestations.
- Customer-configured destinations. Misconfigured Slack channels, webhook URLs, PagerDuty services, or email forwarding rules that expose Cloudarq finding payloads to unintended audiences. The destination's security posture is yours to manage; we deliver where you tell us to.
- Team-member offboarding. Continued access by a former employee whose Cloudarq account you did not deactivate. We do not learn about employment changes; revoking seats is your operational responsibility.
- Violation of these Terms or applicable law in your use of the Service.
We will notify you promptly of any claim subject to this section and cooperate reasonably with your defence. Settlement of any claim that imposes obligations on Cloudarq beyond payment of money requires our written consent.
11. Team Members
The account owner is responsible for all team members added to their account. Seat limits are determined by your subscription tier. The account owner is responsible for managing permissions and revoking access when appropriate.
12. Data Handling
Our collection, use, and protection of your data is described in our Privacy Policy. By using the Service, you acknowledge that you have read and understood our Privacy Policy.
13. Suspension and Termination
You may stop using the Service at any time. To delete your account, contact [email protected]. We may suspend or terminate access for Terms violations, payment failure, legal requirements, or security concerns. Upon termination, your stored AWS credentials are deleted.
14. Changes to These Terms
We may update these Terms from time to time. Material changes will be communicated with at least 30 days' notice. Continued use after the effective date constitutes acceptance.
15. Governing Law
These Terms are governed by the laws of the State of Israel. Disputes shall be resolved in the competent courts of Israel.
16. General Provisions
These Terms and the Privacy Policy constitute the entire agreement. If any provision is found unenforceable, the remaining provisions remain in force. Our failure to enforce any provision does not constitute a waiver. You may not assign your rights without our written consent.
17. Contact
For questions about these Terms: [email protected]
18. Service-Specific Terms
The clauses below allocate risk for individual product surfaces. They sit alongside the umbrella warranty disclaimer in §8 and the liability cap in §9; where a service-specific clause is more restrictive than the umbrella, the more restrictive clause applies. Where a clause carves out warranties or caps damages, those carve-outs are subject to the §9.2 mandatory-law exceptions.
18.1 Automated AWS Scans
Scans are best-effort interpretations of public AWS metadata returned by the AWS APIs we call. False positives (a check flagging a non-issue) and false negatives (a check missing a real risk) are possible by the nature of automated rule-based scanning. We do not warrant that any scan is exhaustive, that any check correctly characterises your specific configuration, or that the absence of a finding indicates the absence of a problem. You are solely responsible for triaging findings, validating their applicability, and acting on them. We are not a Qualified Security Assessor (QSA), an authorised PCI auditor, a SOC 2 examiner, or a HIPAA-credentialed auditor.
18.2 AI Remediation
AI-generated remediation suggestions, enriched finding descriptions, and infrastructure-as-code samples (Terraform, CloudFormation) are produced by Anthropic's Claude API. Output may be inaccurate, outdated, internally inconsistent, or unsafe to apply without modification. You must review every AI recommendation before applying it to your infrastructure. We disclaim all liability for damage caused by following AI guidance — including, without limitation: data loss from a deletion command, downtime from a misconfigured restart, security regression from a flawed IAM policy, billing surprises from a resize, or compliance drift introduced by an AI-suggested change. Test in staging before production.
18.3 Compliance Frameworks
Compliance dashboards show a mapping between Cloudarq checks and the corresponding controls in the named framework (CIS Benchmarks, SOC 2, HIPAA, PCI DSS, NIST 800-53, ISO 27001, AWS Well-Architected). They do not constitute an attestation, certification, audit report, or qualified-assessor opinion. Cloudarq is not authorised to issue any of those instruments under the named frameworks. A green compliance dashboard is not, in itself, a substitute for a formal audit conducted by an appropriately credentialed third party. Mappings are interpretations of public framework documentation and may diverge from a particular auditor's reading.
18.4 Custom Frameworks
Custom-framework definitions you create in the Service are user-generated content. You warrant that you have the rights necessary to publish the controls you define within your tenant, including any rights in copyrighted source material the definitions are derived from. Cloudarq disclaims liability for the accuracy, completeness, or third-party-rights status of customer-authored compliance mappings.
18.5 Scheduled Reports and PDF Exports
Reports are point-in-time snapshots of scan data as of the report-generation timestamp. They may not reflect resource changes that occurred during the scan, AWS-side data lag (AWS APIs do not always reflect a configuration change immediately), or post-report customer changes. We disclaim liability for inaccuracies that result from these conditions or from your use of a Cloudarq report as if it were an attestation issued by a qualified third party (see §18.3). Cross-reference: §10 indemnifies Cloudarq against the latter use.
18.6 API Access (REST + Webhooks)
API access (Max tier) is gated by API keys and rate limits. You are responsible for keeping API keys confidential, rotating compromised keys, and securing webhook receiver endpoints. A leaked API key exposes your tenant's data; a compromised webhook receiver exposes payloads we deliver to that endpoint. Webhook delivery is best-effort with retry; we do not guarantee at-least-once or exactly-once semantics, and the customer endpoint is responsible for its own idempotency. Rate limits are enforced server-side and may be tightened with reasonable notice in response to abuse.
18.7 Integrations (Slack, PagerDuty, custom webhooks)
When you configure an integration, you authorise Cloudarq to deliver scan-related payloads to the destination you specified. The destination's security posture (Slack channel access list, PagerDuty service routing, webhook URL secrecy) is your responsibility. Any data exposure caused by a misconfigured destination — a public Slack channel, a logging webhook saved publicly, a PagerDuty service that broadcasts to too many responders — is on you, not us.
18.8 AWS Organizations Support
For Organization-tier customers using cross-account discovery, you grant Cloudarq access via an IAM role you create in your management account. You are solely responsible for the IAM permissions on that role and for the trust policy. Cloudarq is read-only by design (we never call mutating APIs against your AWS environment), but verifying that property in your CloudTrail and reviewing the trust-policy principals is your operational responsibility.
18.9 Single Sign-On (SAML)
SSO is gated to Enterprise customers. You configure your Identity Provider (IdP) and supply us the federation metadata (entity ID, certificate, redirect URL). We disclaim liability for misconfigured SSO causing unauthorised access — a stale IdP certificate, a broken assertion-validation rule, a misrouted ACS URL. SSO assertions are trusted as configured; if your IdP issues an assertion to a user it shouldn't, that user gains the Cloudarq access the IdP attests to. Rotate IdP certificates per your own schedule.
18.10 Team Members and RBAC
The account owner is solely responsible for managing team membership, role assignments, and seat allocations within the seat limits of the subscription tier. We do not learn about employee departures, role changes, or contractor offboarding events at customer organisations; revoking access for departed personnel is your operational responsibility. See §11 for the umbrella team-member clause and §10 for the indemnification consequences of failing to revoke.
18.11 Data Export (GDPR Article 20)
Data exports are best-effort snapshots of the data we hold about your tenant at the export-generation time. We do not retain copies of issued exports indefinitely (see Privacy Policy retention table) and we do not warrant that data exported and subsequently deleted from our systems can be re-imported. If you intend to migrate to another platform, complete the migration before initiating an account-deletion request (§18.12).
18.12 Account Deletion (GDPR Article 17)
Customer-initiated deletions are irreversible after the cooling-off window described on the in-product deletion page elapses. Before confirming a deletion request you must download (via the export flow at §18.11) any data you wish to retain — once the deletion executes, that data is no longer recoverable. We disclaim liability for data lost via a deletion you authorised. The customer-facing flow has guards (cooling-off banner, secondary confirmation) but the responsibility ultimately rests with you.
18.13 White-Label (Enterprise)
White-label deployments allow you to display the Service to your end-customers under your branding (logo, color, custom subdomain). You warrant that the white-labelled use complies with your jurisdiction's consumer-protection, accessibility, and disclosure laws, and that your end-customer agreements grant the rights necessary for our underlying processing. You indemnify Cloudarq (per §10) against any claim arising from the white-labelled deployment, including end-customer claims that originate with the white-label tier.
18.14 Support SLAs
Support response times are best-effort. There is no uptime SLA on the Starter, Pro, or Max tiers. Max-tier customers receive best-effort responses within one business day for support tickets opened during business hours; we do not guarantee resolution times. Organization and Enterprise tiers may negotiate response and resolution SLAs in the order form, in which case the order form supersedes this section. Failure to meet a non-binding response target does not entitle you to financial credits unless an order form specifies otherwise.