Legal terms and conditions for using Rocoto
By using any product or service provided by Artoo Corporation ("artoo," "we," "us"), including Rocoto, you agree to these Terms.
The "Services" means all products and services provided by artoo, including:
You must keep credentials confidential and notify us of any suspected compromise. You are responsible for actions taken using your credentials. For Rocoto engagements, any Git access tokens or target authentication credentials you provide are used solely for the contracted assessment and are not retained beyond the engagement period.
You will not:
Use of Rocoto for security testing requires a signed engagement agreement that defines the scope of the assessment, including: target systems, authorized communication channels (HTTP, email, SMS, voice, WebSocket), approved attack categories, budget and rate limits, and any excluded endpoints or methods.
Rocoto enforces engagement scope through technical controls including target pinning (HTTP origin, email/phone/WebSocket address enforcement), HTTP method allowlists (DELETE, PUT, and PATCH are blocked by default), rate limiting, cost budgets, maximum attack plan limits, and optional approval gates that require human authorization before attack execution.
Rocoto operates as a white-box tool. You grant artoo a limited, revocable license to access, analyze, and process the source code repositories you designate solely for the purpose of performing the contracted security assessment. Source code is cloned into ephemeral environments, analyzed, and cleaned up upon engagement completion. artoo does not retain source code beyond the engagement period, and does not use customer source code to train machine learning models.
Rocoto may send communications to your AI systems via channels you authorize in the engagement agreement, including HTTP requests, email, SMS, voice calls, and WebSocket messages. All communications target only the endpoints, addresses, and phone numbers you explicitly designate. SMS and voice communications are subject to the terms described in our SMS Consent page.
Security findings, vulnerability reports, attack transcripts, and related engagement deliverables are your confidential information. artoo may retain engagement data for the period necessary to provide report access and support, after which it will be deleted per our data retention practices.
Rocoto offers a dry-run mode in which threat models and attack plans are generated but no network requests are sent to target systems. Dry-run outputs are previews and may differ from live assessment results.
We strive to provide reliable service and support. Specific service levels and support response times may vary by plan tier and engagement type. Status updates and maintenance windows will be communicated as appropriate.
We may modify or deprecate features with reasonable notice. For materially adverse changes to paid features, we will provide advance notice; enterprise terms may vary.
Our Privacy Policy is incorporated by reference. You retain ownership of your Customer Materials, including your source code and engagement data. You grant artoo a limited license to process Customer Materials to provide and secure the Services, perform contracted security assessments, and to derive de-identified or aggregated insights to improve the Services.
The Services interoperate with or depend on third-party products and services ("Third-Party Services"), including LLM providers, communication platforms, and infrastructure providers. artoo does not control Third-Party Services and is not responsible for their availability, security, or compliance. Your use of Third-Party Services is governed by their terms, not these Terms. See our Subprocessors page for the current list.
The Services are not designed for use in hazardous environments or other high-risk activities where failure could lead to death, personal injury, or severe environmental or property damage. You must not use the Services for such purposes. Rocoto security assessments must only target systems you own or are contractually authorized to test.
We may make beta, preview, early-access, or experimental features available ("Beta Features"). Beta Features may be modified or discontinued at any time, are provided "as is," and are excluded from any warranties, support, or commitments.
You are responsible for: (a) configuring and securing your environments and integrations; (b) safeguarding credentials, tokens, and accounts; (c) your Users' actions and permissions; (d) complying with laws applicable to your use of the Services and your Customer Materials; (e) ensuring you have proper authorization to test any systems included in a Rocoto engagement; and (f) reviewing and approving Rocoto attack plans when approval gates are enabled.
Open Source Components. The Services may include third-party open-source software ("OSS"). Each OSS component is provided under its own license, which governs your use of that component.
Definitions.
Ownership of Improvements. artoo exclusively owns all right, title, and interest in and to the Services and all Improvements.
Feedback Assignment; Work-Made-for-Hire. To the fullest extent permitted by law, you agree that any copyrightable Feedback is a "work made for hire" for artoo. If (and to the extent) any Feedback is not a work made for hire, you hereby assign to artoo all right, title, and interest in and to the Feedback, including all intellectual property rights. You waive (and, to the extent not waivable, agree not to assert) any moral rights in the Feedback. You will reasonably cooperate — at artoo's expense — to execute further documents to perfect this assignment; if you fail to do so, you appoint artoo as your attorney-in-fact solely to effectuate the foregoing.
Patent License & Covenant. To the extent the Feedback discloses or claims any invention, you grant artoo a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable license under any patents you own or control to make, use, sell, offer to sell, import, and otherwise exploit the Services and Improvements that implement or are based on the Feedback, together with a covenant not to assert such patents against artoo, its affiliates, customers, and partners for such uses.
Exclusions; No Secrets. This section does not apply to Customer Materials (including your source code) or deliverables under a separate written agreement (e.g., an SOW or engagement agreement). Do not include confidential information or personal data in Feedback (other than your contact details for correspondence). artoo has no confidentiality obligations regarding Feedback.
Independent Development; No Obligation. artoo may independently develop features similar to or competing with any Feedback and has no obligation to implement or credit any Feedback. No fees or royalties are owed for use of Feedback.
Each party will protect the other party's confidential information and use it only as necessary to perform under these Terms. For Rocoto engagements, your source code, engagement data, security findings, and reports are treated as your confidential information.
Except as expressly stated in a service description or SLA, the Services are provided "as is" and "as available." We disclaim all implied warranties to the maximum extent permitted by law. Rocoto security assessments represent a point-in-time evaluation and do not guarantee the detection of all vulnerabilities or the absence of security issues.
To the maximum extent permitted by law: (a) neither party is liable for indirect, incidental, special, consequential, or punitive damages; and (b) each party's total liability for all claims in the aggregate is limited to the fees paid by you for the Services in the 12 months preceding the event giving rise to liability (or USD $100 if you are on a free plan).
Either party may terminate for material breach after notice and a reasonable cure period. Rocoto engagements terminate upon delivery of the final report unless otherwise specified. Upon termination, your access ends, source code and engagement data are deleted per our retention practices, and certain sections survive (e.g., Confidentiality, Liability, Dispute Resolution).
[Optional for U.S. customers] Binding arbitration and class action waiver apply to disputes, except for small claims or equitable relief. Governing law and venue: the laws of the State of Delaware, USA, without regard to conflict-of-law principles. Exclusive jurisdiction and venue for any dispute not subject to arbitration shall be the state and federal courts located in New Castle County, Delaware. If you are in the EEA/UK, mandatory local consumer rights are unaffected.
Notices must be in writing and will be deemed given when sent to your account email or posted in-product. You may not assign these Terms without our consent, except to an affiliate or in connection with a merger or sale of assets. Neither party is liable for delay or failure due to events beyond its reasonable control. These Terms (plus any order form, engagement agreement, DPA, or SLA) are the entire agreement regarding the Services.
Artoo Corporation — Attn: Legal
legal@artoo.love