Bitsight - Terms of Service - Product Schedules
Version date: 23 June 2026
A) BITSIGHT SPM (Security Performance Management), FQ (Financial Quantification)
1. Customer may externally share Bitsight Data exclusively related to Customer.
2. A feature of the Services allows Customer, at its option, to create or provide annotations (such as annotations Customer marks “public” that explain aspects of its rating, or information that corrects or updates its rated IP addresses or domains), corrections, additional information, clarifications, and comments with respect to the internet protocol (IP) assets or associated events attributed to it by Bitsight (collectively, “Annotations”), and make these Annotations available for viewing by other users in the Services. Customer hereby grants to Bitsight a worldwide, perpetual, irrevocable, nonexclusive, transferable, and royalty-free right and license to use such Annotations in connection with the Bitsight Services.
3. Customer may publicly display the Bitsight logo or ‘Bitsight BadgeⓇ’ in the form made available by Bitsight, either alone or with the Bitsight-provided industry sector rating (together, the “Bitsight Logo”), solely to notify third parties of its Bitsight rating. All goodwill arising from such use will inure to Bitsight’s benefit. Customer may not use the Bitsight Logo other than as expressly permitted or in any way that misrepresents the Bitsight Security Rating, is deceptive or misleading, or tarnishes or damages Bitsight or its trademarks. The right to use the Bitsight Logo is personal to Customer and may be revoked by Bitsight at any time.
4. To support the accuracy and effectiveness of the Services, during the Subscription Term, Customer agrees it will not opt-out of or implement technical measures that would prevent Bitsight from conducting non-intrusive internet scanning activities with respect to internet protocol (IP) and other information technology assets associated with Customer.
B) BITSIGHT TPRM (Third Party Risk Management), CM (Continuous Monitoring), EASM (External Attack Surface Management)
Additional Definition:
| Monitored Organization | Customer’s current or prospective vendor, service provider, regulator, insured, or affiliate (including any portfolio companies or potential acquisition or investment targets) in relation to which Customer receives Bitsight Data via the Services. |
1. External Use. The Bitsight Services may additionally be used externally by Customer to share the Bitsight Data that relates exclusively to a Monitored Organization with such organization via functionality provided in the Bitsight Service, for the purpose of initiating or maintaining a business relationship.
C) BITSIGHT VRM (Vendor Risk Management); TRUST MANAGEMENT HUB
Additional Definition:
| Monitored Organization | Customer’s vendor, service provider, regulator, insured, or affiliate (including any portfolio companies or potential acquisition or investment targets) in relation to which Customer receives Bitsight Data via the Services; |
1. External Use. Customer may share Bitsight Data exclusively related to a Monitored Organization with that Monitored Organization via functionality provided in the Services, to support a business relationship for the benefit of Customer.
2. Shareable Content. A core feature of Bitsight VRM and Trust Management Hub provides Customer the option of sharing content with third parties regarding its vendor risk management program and cybersecurity risk profile (“Shareable Content”). Shareable Content shall comprise Customer’s Confidential Information. Solely as directed and authorized by Customer within the Services, Bitsight may disclose Shareable Content to those third parties designated by Customer, and Customer grants to Bitsight a worldwide, royalty-free, nonexclusive, transferable license to host and use Shareable Content for such purposes.
3. Corporate Data. Customer acknowledges that the Bitsight Services are not intended to process sensitive or special categories of personal data (including but not limited to personal health information or social security numbers), and Customer agrees it will not provide or upload such information. When uploading data relating to third parties, Customer may only include corporate assets (IPs and Domains); personal IP addresses and Domain information may not be provided.
D) INSURANCE
Additional Definitions:
| Insurance Services | The Bitsight products and services intended for use by insurers as specified in a corresponding Order; |
| Monitored Insurance Organization | Customer’s insured party, prospective insured party, or broker of record in relation to which Customer receives Bitsight Data via the Services. |
1. Use of Insurance Services. Insurance Services, consisting of curated cyber security risk information about Customer’s insureds or potential insureds, may be used by Customer for its internal underwriting, risk assessment, loss control and portfolio management activities, and for other related internal business purposes.
2. External Use. Customer may share Bitsight Data exclusively related to a Monitored Insurance Organization with the Monitored Insurance Organization via functionality provided in the Services to support an existing or prospective business relationship. If sharing with a broker of record, Customer is responsible for obtaining consent from the Monitored Insurance Organization.
3. Shareable Content. Certain Bitsight insurance products provide Customer the option of sharing insurance content with Customer’s designated third parties (“Shareable Content”). Shareable Content shall comprise Customer’s Confidential Information; however, Bitsight may disclose any Shareable Content to the third parties designated by Customer, solely as directed and authorized by Customer within the Services, and Customer grants to Bitsight a worldwide, royalty-free, nonexclusive, transferable license to host and use Shareable Content for such purposes.
4. Indemnification. Customer shall indemnify, defend, and hold Bitsight (together with its affiliates and each of their respective employees, officers, and directors) harmless against any third-party claims, suits or actions and any damages, losses, or costs associated therewith, resulting from Customer’s distribution of Bitsight Data received as part of the Insurance Services, without limit of liability
E) CYBER THREAT INTELLIGENCE (CTI) (including ‘CSG’ SKUs)
Additional Definitions:
| CTI | Bitsight’s cyber threat intelligence services, designated as such in an Order (including any ‘CSG’ SKU) or statement of work. |
| CTI Deliverables | The content and data obtained via the CTI Solution. The CTI Deliverables form part of the Bitsight Data. |
| CTI Solution | The proprietary solution and API identified in the applicable Order, and all related manuals, specifications and documentation provided by Bitsight. The CTI Solution forms part of the Services. |
| Customer Data | Any non-public data (e.g., assets and user information) provided by Customer to enable the provision and use of the CTI Solution, other than Threat Identifiers. |
| SoW Services | Any services described in a CTI statement of work. |
| Threat Identifiers | Phishing URLs, crimeware or other threat identifiers either provided by Customer or collected in the ordinary operation of the Services, not containing data directly relating to Customer or identifying Customer. |
1. Supplementary Use Rights and Restrictions
1.1 Except as expressly permitted in this Agreement, Customer shall not, directly or indirectly: (i) modify, incorporate into or use the CTI Solution with other software, or create a derivative work of any part of the CTI Solution or CTI Deliverables; or (ii) use the CTI Solution to access any confidential or other non-public information of any third party without such third party’s consent or collect, copy or use any CTI Deliverables in a manner that infringes or violates the rights of any third party, including, without limitation, privacy rights and Intellectual Property Rights.
1.2 Notwithstanding anything to the contrary in the Agreement, the CTI Solution and CTI Deliverables are for internal use only.
1.3 Use of the API provided as part of the CTI Solution shall be subject to the additional terms available at https://cybersixgill.com/api-restrictions.
1.4 The Services, including all CTI Deliverables, shall not be used for any purposes regulated by the Health Insurance Portability and Accountability Act (HIPAA) or similar laws and regulations.
2. Customer Data. Any Customer Data shall comprise Confidential Information of Customer. Customer hereby grants to Bitsight a worldwide, royalty-free, nonexclusive, transferable right and license to store, host and display to Customer any Customer Data and Threat Identifiers, including to service Customer-specific support requests. Threat Identifiers may be used for any lawful business purpose without a duty of accounting to Customer.
3. Warranties and Representations. Customer represents and warrants that (i) it has all required permissions, authorizations and approvals to request, collect and use any and all CTI Deliverables and any data and content requested by Customer as part of the Services; (ii) it has all necessary consents and permissions to provide any information, including Customer Data, that it uploads in the CTI Solution or otherwise supplies to Bitsight in connection with the CTI Solution, CTI Deliverables or Services; and (iii) that it shall not permit any personnel located in China (including the special administrative regions of Hong Kong and Macau) to access any Personally Identifiable Sensitive Data of U.S. individuals (as defined in the Protecting Americans’ Data from Foreign Adversaries Act of 2024) provided as part of the CTI Solution or CTI Deliverables. Customer shall implement appropriate controls to ensure compliance with this restriction and shall promptly notify Bitsight of any unauthorized access or non-compliance. Failure to comply with this provision constitutes a material breach of this Agreement.
4. Disclaimer of Warrant
4.1 THE CTI DELIVERABLES AND ANY RESULTS OF THE SOW SERVICES ARE BASED ON INFORMATION AND CONTENT COLLECTED FROM THE DARK AND DEEP-WEB AND SUCH OTHER THIRD PARTY SOURCES, AND THEREFORE BITSIGHT DOES NOT WARRANT THAT THEY ARE CORRECT, COMPLETE, ACCURATE OR RELIABLE. BITSIGHT DOES NOT WARRANT THAT THE CTI SOLUTION OR CTI DELIVERABLES WILL OPERATE WITHOUT INTERRUPTIONS OR ERRORS OR THAT ANY ERRORS OR BUGS WILL BE REPRODUCIBLE OR REPAIRABLE. FURTHER, UNLESS OTHERWISE AGREED BETWEEN THE PARTIES, BITSIGHT DISCLAIMS ANY WARRANTY OF CORRECTNESS, USEFULNESS, ACCURACY, RELIABILITY, OR OTHERWISE RELATED TO THE CTI SOLUTION, CTI DELIVERABLES OR SOW SERVICES. CUSTOMER SHALL BE RESPONSIBLE FOR TAKING ALL PRECAUTIONS IT BELIEVES ARE NECESSARY OR ADVISABLE TO PROTECT IT AGAINST ANY CLAIM, DAMAGE, LOSS OR HAZARD THAT MAY ARISE BY VIRTUE OF ANY USE OF OR RELIANCE UPON THE CTI SOLUTION, CTI DELIVERABLES OR SOW SERVICES. CUSTOMER IS RESPONSIBLE FOR VERIFYING ANY OUTPUT RESULTING FROM USE OF THE CTI SOLUTION INCLUDING ANY USE AND OUTPUT FROM AI FEATURES AND FUNCTIONALITY.
4.2 As part of any SoW Services, Customer may access and use Third-Party Services under a direct engagement with the third party service provider. Bitsight shall not be liable for Customer’s use of any Third-Party Services.
5. Indemnification. Customer agrees to defend, indemnify and hold harmless Bitsight, its affiliates, licensors, suppliers, officers, directors, employees and agents from and against any and all claims, damages, obligations, losses, liabilities, costs, debts, and expenses (including but not limited to attorney’s fees) arising from: (i) Customer’s use of the CTI Deliverables or the content or data provided as part of the Services or CTI Solution; (ii) Customer’s violation of any law, rule, regulation or order in relation to the CTI Deliverables, or its violation of any terms and conditions of any third party service; (iii) takedown services requested by Customer, including any request or approval by or on Customer’s behalf to seek the suspension or removal of any website, social media page or other online asset (including for the avoidance of doubt, violations of export compliance); and/or (iv) Customer’s provision of Customer Data to Bitsight. Customer may not settle a claim that provides for Bitsight liability without Bitsight’s prior written consent and will pay those costs and damages finally awarded in any such legal action, or in a settlement of such legal action, that are specifically attributable to the claim. This indemnification shall not be subject to any limitation of liability stated in the Agreement. For the purposes of the Intellectual Property Indemnity specified in the Agreement, ‘Services’ shall mean the CTI Solution excluding CTI Deliverables.
6. Termination. Notwithstanding anything to the contrary in the Agreement, upon termination Customer shall discontinue all further use of the CTI Solution and CTI Deliverables, promptly remove the CTI Solution and CTI Deliverables from all hard drives, networks and other storage media, and destroy all copies of the CTI Solution in its possession or under its control.
F) ARTIFICIAL INTELLIGENCE
The terms set out at https://service.bitsighttech.com/accounts/ai-terms/ govern your use of any AI Features which are made available within Bitsight's Services.
G) CUSTOMER USE OF API AND MCPS
In connection with the Agreement and the applicable Order, the following restrictions and requirements apply to Customer’s use of Bitsight’s API and any MCP functionality as further described below.
| API | Bitsight-provided programmatic web APIs, software, interface definitions, generated code libraries, technical documentation, and associated functionalities made available by Bitsight that enable Customer to access or interact with certain Bitsight Data, datasets, information, content, systems, or integrations made available through the Services; |
| Access Credentials | Any credentials, API keys, tokens, secrets, certificates, or other authentication mechanisms issued to Customer for use of the API; |
| Breaking Change | A backwards incompatible update that materially disrupts Customer’s existing integration or materially removes previously available functionality; |
| Customer MCP Integrations | Any customer-created or customer-operated Model Context Protocol (“MCP”) servers, MCP clients, connectors, artificial intelligence (“AI”) agents, orchestration frameworks, prompts, workflows, vector databases, retrieval systems, automation tools, external AI platforms or inference solutions, such as large language model (“LLM”) vendors, or related integrations that interact with the API or Bitsight Data; |
| Material Action | Any operation initiated through the API or any Customer MCP Integration that: (a) writes to, modifies, deletes, or otherwise changes any data or configuration within Customer systems or third-party systems connected by Customer; (b) invokes credentialed actions (including use of Customer or third-party access tokens, secrets, or service principals); (c) triggers transactions, notifications to external parties, or system changes that are not easily reversible; or (d) accesses or transmits Customer Confidential Information to any third-party system outside Customer’s controlled tenant. For avoidance of doubt, read-only retrieval of Bitsight Data is not a Material Action; |
| Non-Breaking Change | Any update, modification, enhancement, security update, or operational change that does not materially disrupt existing functionality; |
| Security Incident | The loss or unauthorized destruction, alteration, disclosure of, access to, or control of Customer’s systems, operational technology systems, networks, internet-enabled applications, or the data contained within such systems that affects the Services; |
| Service Telemetry | Telemetry, logs, and operational metadata generated by Customer’s use of the API and Customer MCP Integrations, including but not limited to: request and response timestamps, authentication method and pseudonymous identifier, endpoint and method invoked, scope and tool identifiers, request size and rate-limit signals, execution status and error codes, and performance metrics; |
1. API and MCP Scope
1.1 API Scope Customer’s use of the API and any Customer MCP Integrations must comply with the Documentation. Bitsight may monitor Customer’s use of the API and Customer MCP Integrations to ensure compliance with this Agreement (including this Product Schedule), maintain security and integrity of the Services, prevent misuse, and protect Bitsight Data and systems.
1.2 Customer-Controlled MCP Environments Customer acknowledges that any Customer MCP Integrations are solely controlled by Customer and not by Bitsight. Customer is solely responsible for the design, configuration, operation, monitoring, security, legality, and outputs of any Customer MCP Integrations and for ensuring that such systems comply with applicable law and this Agreement. Bitsight is not responsible for outages, changes, or security events originating from Customer MCP Integrations or third-party providers.
Unless expressly authorized in writing by Bitsight, Customer MCP Integrations may access Bitsight Data solely on a read-only basis and may not modify Bitsight systems, alter Bitsight Data, execute transactions, or initiate actions within Bitsight environments.
2. Access Credentials and Authentication
Customer shall:
- maintain industry-standard administrative, technical, and physical safeguards to protect Access Credentials;
- implement per-user or dedicated service principal authentication for all API and Customer MCP Integrations, ensuring that (i) human users authenticate exclusively via individual flows and may not share credentials or authenticate on behalf of automated systems and(ii) non-human and automated callers authenticate exclusively via scoped service principals and may not utilize human user credentials;;
- use multi-factor authentication where supported;
- restrict Access Credentials to authorized personnel and approved systems solely for purposes authorized under the Agreement and prohibit the sharing of API keys or tokens across users or systems;
- maintain attribution to an identified user or service identity for each request;
- immediately revoke or rotate compromised credentials;
- promptly notify Bitsight of any actual or reasonably suspected unauthorized access, misuse, compromise, or Security Incident involving the API, Customer MCP Integrations, or Access Credentials; and
- not embed, store, log, or transmit Access Credentials within AI prompts, model context windows, training datasets, vector databases, or retrieval-augmented generation (“RAG”) systems.
Customer may not sell, sublicense, disclose, distribute, or otherwise make Access Credentials available to any third party except authorized contractors operating on Customer’s behalf that are not competitors of Bitsight and subject to written confidentiality and security obligations no less protective than those contained herein.
Bitsight may require the use of specific supported authentication methods as described in the Documentation.
Customer is fully responsible for all activities conducted using its Access Credentials, including activities conducted by AI agents, automation tools, subprocessors, contractors, Managed Security Service Providers (“MSSPs”), or integrated systems.
3. MCP-Specific Security and Governance Requirements
3.1 Customer Responsibilities Customer acknowledges that Customer MCP Integrations may enable AI systems, applications, or agents to retrieve, process, generate, or act upon data dynamically. Accordingly, Customer shall:
- ensure that any Material Actions initiated through Customer MCP Integrations is approval-gated by a human reviewer designated by Customer prior to execution, and that approval workflows, including approver identity, timestamp, requested scope, and executed scope, are recorded in audit logs;
- ensure that read operations are logically and technically separated from write-capable operations;
- validate outputs before use in operational, legal, compliance, investigative, or security decisions;
- maintain commercially reasonable safeguards consistent with industry security standards against prompt injection attacks, privilege escalation, unauthorized tool execution, hallucinated outputs, and data exfiltration, and any additional safeguards that may be required by the Documentation;
- ensure connected AI systems are configured to follow least-privilege access principles;
- maintain audit logs sufficient to identify actions taken through Customer MCP Integrations and make such logs available to Bitsight upon reasonable written request in connection with a security incident or compliance investigation; and
- ensure that any third party, MSSP, contractor, AI provider, or downstream system accessing the API or Bitsight Data through Customer MCP Integrations is bound by written obligations no less protective than those contained herein.
3.2 AI Outputs Customer acknowledges that AI-generated outputs may be probabilistic and may contain inaccuracies. Customer remains solely responsible for verifying the accuracy, legality, appropriateness, and security of any outputs, recommendation, workflow, or action generated through Customer MCP Integrations. Customer may not use Bitsight Data to create or share AI-generated outputs that violate this Product Schedule, the Agreement, or any third-party agreement or policies.
Bitsight does not develop, control, monitor, or validate Customer-created AI models, prompts, workflows, or outputs and disclaims responsibility for Customer AI-generated outputs, decisions, actions, or downstream processing activities.
3.3 Automated Decision Making Customer shall comply with all applicable laws and regulations governing automated decision-making, profiling, and AI systems in connection with any use of Bitsight Data in Customer MCP Integrations. Customer shall not use Bitsight Data as a factor in any automated decision that has a legal or similarly significant effect on any individual or entity without implementing appropriate human review, fairness assessment, and disclosure obligations required by applicable law. Customer shall promptly notify Bitsight of any regulatory inquiry, investigation, or enforcement action relating to Customer's use of Bitsight Data in AI or automated decision-making systems.
4. API Modifications
4.1 API Modifications Bitsight reserves the right to modify the Services, API, technical specifications, security requirements, and Documentation. Customer may be required to use the most current version of the API to continue using the Services. Bitsight will use commercially reasonable efforts to provide at least thirty (30) days’ notice of Breaking Changes to generally available API endpoints, together with migration guidance where applicable. Non-Breaking Changes may be implemented with or without notice.
4.2 Emergency Changes Bitsight may implement immediate changes without prior notice where necessary to:
- maintain security or integrity of the Services;
- respond to legal or regulatory requirements;
- address vulnerabilities, abuse, or threats; or
- prevent harm to BitSight, customers, third parties, or systems.
Bitsight will provide notice as soon as practicable thereafter.
5. Usage Limitations
5.1 Usage Limits Customer’s use of the API, Customer MCP Integrations, and related Services is subject to the usage limits, technical restrictions, and security requirements specified in the Documentation or applicable Order Form, including any rate limits, token limits, concurrency limits, or monthly usage quotas established by Bitsight from time to time. Bitsight may monitor Customer’s use of the API and Customer MCP Integrations to ensure compliance with the Agreement, maintain platform security and integrity, prevent abuse, and protect Bitsight Data and systems.
5.2 Prohibited Activities In addition to any restrictions contained in the Agreement, Customer shall not, and shall not permit any third party (e.g. MSSP, AI provider), AI agent, automated process, downstream system, directly or indirectly to:
- exceed, circumvent, disable, or otherwise interfere with usage limitations, authentication controls, monitoring mechanisms, or security protections applicable to the API;
- use the API in a manner that generates excessive, abusive, disruptive, or unreasonable request volumes or otherwise adversely impacts the availability, performance, integrity, or security of the Services;
- scrape, harvest, replicate, or systematically extract Bitsight Data except as expressly authorized by Bitsight;
- use the API, Customer MCP Integrations, or Bitsight Data to train, fine-tune, improve, benchmark, or otherwise develop any generalized, shared, or multi-tenant artificial intelligence or machine learning models without Bitsight’s prior written consent;
- incorporate Bitsight Data into shared or multi-tenant AI systems, reusable training datasets, cross-customer retrieval environments, or generalized AI knowledge bases (e.g., use Bitsight Data in a non-enterprise LLM);
- operate autonomous or unsupervised agents that execute Material Actions without human approval;
- permit unauthorized retrieval, retention, caching, indexing, scraping, replication, exfiltration, or downstream redistribution of Bitsight Data;
- use the API or Customer MCP Integrations in connection with autonomous or unsupervised actions that could reasonably create legal, operational, cybersecurity, or compliance risk;
- introduce malicious code, prompt injection attacks, adversarial inputs, unauthorized tool execution, or other harmful or disruptive activity into the Services or connected systems;
- persist, store, or retain Bitsight Data — whether in raw form, as vector embeddings, in RAG index stores, in AI model fine-tuning datasets, or in any other derived form — beyond the term of the applicable Order or the period necessary for the authorized purpose for which it was retrieved, whichever is shorter, except as required by law.
5.3 Suspension Rights Bitsight may suspend, throttle, restrict, or terminate access to the API where Bitsight reasonably determines that Customer’s use violates the Agreement, involves prohibited automated activity or unsafe AI behavior, poses a security risk, threatens the integrity or availability of the Services, or could expose Bitsight Data, systems, customers, or third parties to harm.
6. Bitsight Obligations
6.1 Use of Service Telemetry Bitsight may collect and process Service Telemetry. Service Telemetry will not include Customer Confidential Information other than incidental inclusion in technical headers or fields necessary for routing and security, which Bitsight will minimize and not use for model training. Bitsight may use Service Telemetry solely to provide, secure, support, monitor, and improve the reliability and performance of the Services, to enforce usage limits and security controls, and to comply with law.
Bitsight may use aggregated, de-identified Service Telemetry to operate, secure, prevent abuse of, and improve the reliability and performance of the Services. Service Telemetry used for service improvement will be aggregated and de-identified so it does not identify Customer, a User, or Customer Confidential Information. Customer shall maintain its own audit logs sufficient to trace actions executed via Customer MCP Integrations for at least 90 days.
6.2 Limitations on Training Bitsight will not use Customer Confidential Information or Customer-provided content accessed through the API to train, retrain, or improve any generalized or multi-tenant AI or machine learning models without Customer’s prior written agreement.
7. Security Incidents and Cooperation
Customer shall notify Bitsight without any undue delay, and no later than 24 hours after discovery, in the event of any:
- actual unauthorized access to or use of the API, Bitsight Data, or Customer MCP Integrations;
- Security Incident involving Customer systems that could impact the Services;
- misuse of Customer MCP Integrations;
- AI-related safety issue, prompt injection attack, or unauthorized automated action involving the API or Bitsight Data.
Customer shall: (a) preserve all logs, forensic evidence, and records relating to the incident for a minimum of 12 months; (b) to the extent possible, include known indicators, affected credentials or scopes, preliminary root cause, and containment steps in any notice; (c) implement reasonable containment measures promptly upon discovery; (d) cooperate fully with Bitsight's investigation, including providing access to relevant audit logs and system records upon request; and (e) not make any public statement regarding the incident that references Bitsight without Bitsight's prior written approval.
8. Audit
Upon reasonable written notice, Bitsight may, by itself or through an independent third party, audit Customer’s use of the Services to verify compliance with this Product Schedule. Customer shall maintain complete and accurate books, logs, and other records with respect to Customer’s use of the Services sufficient to verify compliance with this Product Schedule and provide reasonable access to such records for the purpose of conducting these audits.
9. Indemnification
Customer shall defend, indemnify, and hold harmless Bitsight and its affiliates, officers, directors, employees, and agents from and against any third-party claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) Customer's operation, configuration, or outputs of any Customer MCP Integration; (b) Customer's use of Bitsight Data in any AI, automated decision-making, or machine learning system; (c) Customer's breach of this Product Schedule (G); or (d) any legal or regulatory violation arising from Customer's AI use of Bitsight Data. Customer’s indemnity under this Product Schedule is subject to the Agreement’s limitation of liability provisions.