Terms of Service

1. Who we are

SurfaceCheckr (“SurfaceCheckr”, “we”, “us”) operates a passive external security-reporting service at surfacecheckr.com. By scanning a domain, viewing a report, or purchasing access, you agree to these terms. If you don't agree, don't use the service.

2. What the service does

We read what a website already serves publicly - HTML, response headers, linked JavaScript, the TLS certificate, public DNS records, and a fixed list of well-known sensitive paths - and produce a graded report of what an outside observer can see. The scan is passive: we never authenticate, never send attack payloads, never POST, and never extract user data. Full details are on the scanner information page.

3. Authorisation to scan

You may request a scan of any domain. The free grade and issue count are visible only to the requester via an unguessable report URL - we do not publish results, and we do not list or rank domains. To unlock the full report you must verify control of an email address at the scanned domain. By requesting a scan you confirm you are not using the service to facilitate unauthorised access to any system.

Domain operators may opt out at any time as described on the scanner information page; we honour opt-outs within 24 hours.

4. No warranty - this is not a pentest

SurfaceCheckr reports what is visible from outside; it does not test authenticated routes, business logic, XSS, SQL injection, IDOR, or anything POST-based, and it is not a substitute for a penetration test or a formal security audit. A clean grade does not mean a site is secure. Reports are provided “as is”, without warranty of any kind. We do not guarantee that every issue is detected or that every reported issue is exploitable. You are responsible for validating findings before acting on them.

5. Payments

Payments are processed by Paddle, which acts as the merchant of record for all purchases. Your contract of sale for the transaction is with Paddle, and Paddle's buyer terms also apply. We currently offer a one-off report unlock and an optional monthly subscription for recurring re-scans, at the prices shown at checkout.

• A one-off purchase unlocks the full report for the scanned domain and includes free re-scans for 30 days from purchase.
• A monthly subscription keeps re-scans available for as long as it is active and can be cancelled at any time; cancellation stops future re-scans and renewals but does not retroactively lock already-unlocked reports.
• Re-scans are rate-limited (currently one per report lineage per 24 hours) to keep the service sustainable.

6. Refunds

Because a report is delivered digitally and in full immediately on unlock, we generally do not offer refunds once a report has been unlocked. If something went wrong - a failed scan, a duplicate charge, or a report that didn't generate - email [email protected] and we'll make it right. Refunds, where granted, are handled through Paddle.

7. Acceptable use

You agree not to:

• use the service to gain or attempt unauthorised access to any system;
• resell, scrape, or systematically harvest reports or grades;
• circumvent rate limits, the email-verification gate, or the payment flow;
• use the service in violation of any applicable law or export-control restriction.

We may suspend access that we reasonably believe is abusive or unlawful.

8. Limitation of liability

To the maximum extent permitted by law, SurfaceCheckr is not liable for any indirect, incidental, or consequential damages, or for any loss arising from action or inaction taken on the basis of a report. Our total liability for any claim relating to the service is limited to the amount you paid us for the report giving rise to the claim.

9. Changes

We may update these terms; the effective date above reflects the most recent material change. Continued use after a change constitutes acceptance.

10. Contact

Questions about these terms: [email protected]. Scanning concerns or opt-out: [email protected].