Terms of Service
Last updated: July 1, 2026
These Terms of Service (“Terms”) govern your access to and use of the FDIE (Firmware Delta Intelligence Engine) platform, operated by Magdox Private Limited (“Magdox,” “we,” “us,” or “our”). By accessing or using the Service, you agree to these Terms. If you are agreeing on behalf of an organization, you confirm that you have the authority to bind that organization.
1. How These Terms Fit Together
For Enterprise customers, these Terms are supplemented by an Order Form and, where applicable, a Data Processing Agreement (DPA) and an On-Prem License Addendum (see Section 9). If a signed Order Form or Master Service Agreement (MSA) conflicts with these Terms, the signed document controls for that customer.
These Terms incorporate our Refund Policy, Privacy Policy, and Information Security Addendum by reference. You should read all of them.
2. What FDIE Is
FDIE is a platform for automated firmware security analysis. It provides:
- CVE detection with CVSS and EPSS scoring
- SBOM (CycloneDX and SPDX), CBOM, and VEX document generation
- A deterministic security test suite
- Compliance scoring across multiple regulatory frameworks
- Cross-version Delta Intelligence
FDIE is available in two deployment models:
- SaaS (Starter, Pro, Growth, and Enterprise by default): a hosted, multi-tenant service you access over the internet. Details are on our Pricing page.
- On-Prem (Enterprise only): a self-hosted deployment installed on infrastructure you control. This is a licensed deployment, not a hosted service. Section 9 covers on-prem terms specifically.
3. Your Account
To use the Service, you must register for an account and provide accurate, current information. You are responsible for:
- Keeping your account credentials confidential
- Configuring authentication options (including multi-factor authentication) appropriately for your organization
- All activity that happens under your account
For on-prem Enterprise deployments that integrate with your own identity provider, you are also responsible for the configuration and security of that identity provider.
If you suspect unauthorized access, tell us immediately at [email protected].
4. Acceptable Use
You agree not to:
- Upload firmware or other content you do not have the legal right to analyze
- Use the Service to develop, test, or distribute malware or other malicious code
- Reverse-engineer, decompile, or attempt to extract the source code of the Service itself
- Circumvent rate limits, usage quotas, or other technical restrictions, or abuse the Service in a way that degrades it for other customers
- Use the Service in violation of applicable export control or economic sanctions laws (see Section 16)
We reserve the right to suspend accounts that violate this policy.
5. Subscriptions, Billing, and Payment
The Service is offered under the subscription plans described on our Pricing page. Subscriptions automatically renew at the end of each billing period unless you cancel before renewal. Refunds and cancellation terms are in our Refund Policy, which is part of these Terms.
6. Free Trial
We offer a free trial of Pro and Growth plans for 14 days. Enterprise customers may request a 14-day proof-of-concept trial.
To start a trial, you must provide payment details through our payment gateway at signup. Your account does not automatically convert to a paid subscription when the trial ends and you will not be charged without your authorization. If you do not subscribe to a paid plan before the trial ends, access is suspended. There is no free tier after the trial ends.
Enterprise proof-of-concept terms are set out in the applicable Order Form.
7. Intellectual Property
Magdox retains all right, title, and interest in the Service, including the FDIE platform, its underlying software, and its documentation.
You retain all rights to the firmware images, configuration data, and other content you upload, as well as the analysis results, reports, and SBOM, CBOM, and VEX documents generated from that content (“Customer Data”).
FDIE’s analysis engine performs deterministic, rule-based static analysis. It does not use generative AI or machine learning to produce findings. Customer Data is never used to train any model, whether operated by Magdox or a third party, and is not shared with any third party except as described in our Privacy Policy and DPA.
8. Confidentiality
Each party agrees to protect the other’s confidential information with the same degree of care it uses for its own confidential information of a similar nature, and in any event no less than a reasonable standard of care. Each party agrees not to disclose the other’s confidential information except as necessary to provide or use the Service, or as required by law.
Your firmware and the findings derived from it are treated as your confidential information.
This Section survives termination of these Terms for five (5) years, except for trade secrets, which remain protected for as long as they retain trade secret status.
Nothing in this Section restricts either party’s use of general knowledge, skills, or experience retained in the unaided memory of personnel who had access to the other party’s confidential information, provided that use does not involve disclosure of the confidential information itself.
9. On-Prem Enterprise Deployments
This Section applies only to Enterprise customers deploying FDIE on-premise or in infrastructure they control (“On-Prem Deployment”).
9.1 License, Not Sale
On-Prem Deployments are licensed, not sold. Magdox grants you a non-exclusive, non-transferable, non-sublicensable license to install and run FDIE on the infrastructure and for the number of seats specified in your Order Form and license file, for the license term stated in that Order Form.
9.2 How the License Works
On-Prem Deployments are activated and gated by an offline, Ed25519-signed license file issued by Magdox. The license file encodes the deployment details, seat count, licensed features, and expiration date.
Tampering with, circumventing, or attempting to forge a license file is a material breach of these Terms.
9.3 Expiration and Grace Period
After the license expiration date, the deployment enters a 14-day grace period. During this period, the Service continues to operate so you have time to renew.
If the license is not renewed before the grace period ends, the On-Prem Deployment will fail closed: the Service will refuse to start or process new analyses until a renewed or reissued license file is installed. Fail-closed behavior does not delete Customer Data already stored on your infrastructure.
9.4 No Source Escrow
Unless we separately agree in writing, Magdox does not provide source code access or source code escrow for On-Prem Deployments.
9.5 License Compliance
Magdox may request reasonable confirmation that an On-Prem Deployment is operating within its licensed seat count and feature set. Operating beyond the licensed scope is a material breach of these Terms.
10. Data Protection and Security
Our collection and use of personal data is described in our Privacy Policy. If you need a Data Processing Agreement, see our DPA.
The technical and organizational security measures we implement (encryption, access control, secrets management, and audit logging) are described in our Information Security Addendum, which is incorporated into these Terms by reference.
11. Service Availability
We aim to maintain high availability of the SaaS Service. Enterprise customers may be offered a contractual uptime SLA (target: 99.9% monthly uptime) with associated service credits, as set out in their Order Form. Where SLA credits apply to Growth and Enterprise plans, the terms are described in our Refund Policy, Section 8.
Starter and Pro plans do not include a contractual SLA or service credits.
12. What FDIE Can and Cannot Do
12.1 Static Analysis Only
FDIE performs static binary analysis of firmware images. The Service does not execute firmware, run dynamic tests, perform fuzz testing, or simulate runtime behaviour. Results reflect what can be determined by inspecting binary content without execution.
12.2 Vulnerability Database Timing
CVE and vulnerability data comes from the NIST National Vulnerability Database (NVD), OSV.dev, the CISA Known Exploited Vulnerabilities (KEV) catalogue, and EPSS scoring data. These databases are synchronized on a schedule (NVD: daily; KEV: every six hours). The Service does not provide real-time vulnerability data.
A vulnerability published after the most recent database sync may not appear in analysis results until the next scheduled sync. Each SBOM exported by FDIE includes the age of the NVD cache at the time of export so you can assess how current the data is.
12.3 Detection Limitations
The Service identifies firmware components through ELF dynamic-linking metadata, binary string extraction, version banner matching, and known component signature databases. The Service cannot guarantee detection of components or vulnerabilities in these situations:
- Firmware images that are encrypted, compressed with an unsupported algorithm, or packed using custom or proprietary packaging formats
- Components that are statically compiled into a monolithic binary without version strings or recognizable identifiers
- Components distributed under vendor-specific or private names that differ from the canonical product names used in public vulnerability databases
- Components whose vulnerabilities are described in vendor-specific security advisories not indexed by the databases FDIE queries
12.4 SBOM, CBOM, and VEX Completeness
SBOMs, CBOMs, and VEX documents generated by the Service reflect the components, cryptographic assets, and vulnerabilities identified by static analysis at the time of the analysis run. They are not a complete or authoritative inventory of all software present in a firmware image.
Each exported SBOM includes two properties:
fdie:analysis_method: identifies the document as the product of static analysisfdie:nvd_last_sync_days: indicates the age of the vulnerability database used
12.5 Regulatory Compliance Is Your Responsibility
The Service provides analysis results, compliance scoring, and document artifacts to help you with your regulatory and supply-chain security programmes. Using the Service does not, by itself, make you compliant with any regulatory framework. This includes, but is not limited to:
- EU Cyber Resilience Act (CRA)
- ETSI EN 303 645
- NIST 800-193
- IEC 62443
- OWASP FSTM
You remain solely responsible for:
- Validating analysis results against your specific products and supply chains
- Determining whether and how analysis results trigger reporting obligations under applicable law, including CRA Article 14 mandatory incident reporting to ENISA
- Taking corrective action in response to identified vulnerabilities
- Ensuring that SBOMs, CBOMs, and VEX documents you submit to regulators, customers, or other third parties meet those recipients’ requirements
12.6 Not a Substitute for Professional Assessment
The Service is an automated analysis tool. It does not replace professional penetration testing, manual code review, or expert security assessment. For high-assurance or safety-critical applications, you should supplement FDIE outputs with appropriate professional review.
13. Disclaimers and Limits on Liability
THE SERVICE IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
General cap. To the maximum extent permitted by law, each party’s total liability arising out of or related to these Terms will not exceed the amount you paid for the Service in the twelve (12) months before the claim.
Enhanced cap for confidentiality and security breaches. The general cap above does not apply to these two categories. Instead, each party’s total liability for (a) breach of the confidentiality obligations in Section 8, or (b) breach of its own security obligations that results in unauthorized access to the other party’s confidential information, will not exceed two (2) times the fees you paid for the Service in the twelve (12) months before the claim.
Carve-outs: what the caps do not limit. Neither cap applies to:
- A party’s indemnification obligations under Section 14
- Damages arising from a party’s fraud, gross negligence, or willful misconduct
- A party’s infringement of the other party’s intellectual property rights outside the scope of the license granted in these Terms
Nothing in this Section limits liability that cannot be limited or excluded under applicable law.
IN PARTICULAR, MAGDOX MAKES NO WARRANTY THAT THE SERVICE WILL DETECT ALL VULNERABILITIES, COMPONENTS, OR COMPLIANCE GAPS IN ANY FIRMWARE IMAGE. MAGDOX IS NOT LIABLE FOR REGULATORY PENALTIES, FINES, OR THIRD-PARTY CLAIMS ARISING FROM UNDETECTED VULNERABILITIES OR INCOMPLETE ANALYSIS RESULTS, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
14. Mutual Indemnification
14.1 Your Indemnity to Us
You agree to indemnify, defend, and hold Magdox harmless from third-party claims arising out of:
- Your breach of these Terms
- Your misuse of the Service
- Content you upload in violation of Section 4 (Acceptable Use)
14.2 Our Indemnity to You
Magdox will indemnify, defend, and hold you harmless from third-party claims alleging that the Service, as provided by Magdox and used in accordance with these Terms, infringes that third party’s intellectual property rights. We will pay resulting damages finally awarded or agreed to in settlement.
This obligation applies only if you:
- Promptly notify us of the claim
- Give us sole control of the defense and settlement
- Provide reasonable cooperation
This obligation does not apply to claims arising from:
- Your Customer Data or third-party materials
- Modifications to the Service not made by Magdox
- Use of the Service in combination with products or services not provided by Magdox, where the infringement would not have occurred without that combination
15. Termination
Either party may terminate the Service for convenience at the end of the current billing period, or immediately for a material breach that remains uncured for 30 days after notice.
When the Service ends, you will have a reasonable window (at least 30 days) to export your Customer Data. After that, we will delete it from our systems as described in our Privacy Policy.
For On-Prem Deployments, termination or non-renewal of the license triggers the fail-closed behavior described in Section 9.3. Customer Data stored on your own infrastructure is not affected and remains under your control.
16. Export Compliance and Sanctions
The Service, and firmware analyzed using it, may be subject to export control and economic sanctions laws. You confirm that you are not located in, and are not a national or resident of, any country subject to a comprehensive U.S., EU, or UN embargo. You also confirm that you are not on any restricted-party list maintained by those authorities.
You agree not to use the Service to analyze or export firmware in violation of applicable export control laws.
17. Governing Law and Disputes
These Terms are governed by the laws of India, without regard to conflict-of-laws principles. Any disputes arising under these Terms will be resolved in the competent courts of West Bengal, India.
Enterprise customers may negotiate an alternative governing law and venue (for example, Ireland or the Netherlands for EU-based customers) in their Order Form or MSA. This Section does not override any separately negotiated governing-law or arbitration clause in an Enterprise Order Form or MSA.
18. Changes to These Terms
We may update these Terms from time to time. Material changes will be communicated via the website or by email to registered account holders. The “Last updated” date at the top of this page reflects the most recent revision. Prior versions of these Terms are archived and available on request.
19. General
These Terms, together with the Privacy Policy, DPA (where applicable), any Order Form, and any On-Prem License Addendum, are the entire agreement between the parties about the Service. They replace all prior agreements on the subject matter.
Neither party may assign these Terms without the other’s consent, except in connection with a merger, acquisition, or sale of substantially all of its assets. If any provision is held unenforceable, the remaining provisions stay in full force.
Notices under these Terms should be sent to the contact addresses in Section 20.
20. Contact
Questions about these Terms can be sent through our Contact page.