Terms of Service

1. Agreement to Terms

These Terms of Service ("Terms") constitute a legally binding agreement between you and Extra Security LLC ("Company," "we," "us") governing your access to and use of the Thrombus platform at thrombus.io (the "Service"). By creating an account or using the Service, you agree to be bound by these Terms. If you are accepting these Terms on behalf of an organization, you represent that you have the authority to bind that organization.

2. Description of Service

Thrombus is a platform that facilitates security testing engagements for medical devices. The Service allows customers to submit devices for penetration testing, track engagement progress, exchange documents, and manage payments. Security testing is performed through a combination of proprietary automated tooling and hands-on analysis by Extra Security personnel.

3. Accounts and Registration

To use the Service, you must create an account with accurate and complete information. You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account. You must notify us immediately at security@extrasecurity.io if you suspect unauthorized access to your account.

We may suspend or terminate accounts that violate these Terms, that remain inactive for an extended period, or at our discretion with reasonable notice.

4. Engagement Terms and Statement of Work

Each security testing engagement is subject to a Statement of Work ("SOW") that specifies scope, timeline, deliverables, and applicable fees. The SOW is generated based on your engagement details and must be reviewed and accepted before payment is processed. No testing will commence until the SOW is accepted and payment is received.

In the event of a conflict between these Terms and an SOW, the SOW governs for that engagement.

You represent that you have the legal right to authorize security testing on any device you submit, and that such testing will not violate any law, regulation, or third-party agreement. You are solely responsible for obtaining any necessary authorizations from device manufacturers, regulatory bodies, or other parties.

5. Confidentiality

Each party agrees to hold in confidence all non-public information received from the other party that is designated as confidential or that reasonably should be understood to be confidential ("Confidential Information"). This includes, without limitation:

• Security testing findings, reports, and vulnerability data
• Device firmware, schematics, and technical documentation
• Business information, pricing, and customer lists
• Authentication credentials and access information

Confidential Information may only be disclosed to employees and contractors who have a need to know and are bound by obligations of confidentiality at least as protective as these Terms. This obligation survives termination for a period of five (5) years, or indefinitely for trade secrets.

Confidentiality obligations do not apply to information that: (a) is or becomes publicly available without breach; (b) was known to the receiving party prior to disclosure; (c) is independently developed without use of Confidential Information; or (d) is required to be disclosed by law, provided the disclosing party receives prompt notice when legally permitted.

6. Payment Terms

Fees for engagements are specified at the time of order. A 50% deposit is required before testing begins, with the remaining balance due upon delivery of the final report. All fees are in U.S. dollars and are non-refundable except as expressly stated in the applicable SOW.

Payments are processed through Stripe. By submitting payment, you agree to Stripe's terms of service. Invoices not paid within 30 days of issuance may accrue interest at 1.5% per month or the maximum rate permitted by law, whichever is less.

7. Intellectual Property

You retain all rights to your devices, firmware, documentation, and other materials you provide to us. We retain all rights to our testing methodologies, tools, and proprietary processes.

Upon full payment, you receive a non-exclusive, perpetual license to use the deliverables (reports, findings) produced during your engagement for your internal business purposes. We may retain copies of deliverables for our records and for quality assurance.

8. Shipping and Physical Devices

When engagements require physical device shipment, you are responsible for shipping costs and insurance to our facility. We will exercise reasonable care with physical devices in our possession but are not liable for damage inherent to security testing (e.g., decapping, JTAG probing, destructive firmware extraction) that is within the agreed scope.

Devices will be returned via the method agreed upon in the SOW. We are not responsible for devices left unclaimed for more than 90 days after engagement completion.

9. Responsible Disclosure

If our testing uncovers vulnerabilities that pose an imminent risk to patient safety, we reserve the right to recommend coordinated disclosure to the relevant device manufacturer or regulatory body (e.g., FDA, CISA). We will consult with you before initiating any such disclosure unless delay would pose a direct risk to patient safety.

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICE, REGARDLESS OF THE THEORY OF LIABILITY.

OUR TOTAL AGGREGATE LIABILITY UNDER THESE TERMS SHALL NOT EXCEED THE FEES PAID BY YOU DURING THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

THE SERVICE IS PROVIDED "AS IS." WE MAKE NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SECURITY TESTING CANNOT GUARANTEE THE DISCOVERY OF ALL VULNERABILITIES.

11. Indemnification

You agree to indemnify and hold harmless Extra Security LLC, its officers, employees, and contractors from any claims, losses, or damages (including reasonable attorneys' fees) arising from: (a) your breach of these Terms; (b) your use of the Service; (c) your lack of authorization to submit a device for testing; or (d) your violation of any applicable law or regulation.

12. Governing Law and Disputes

These Terms are governed by the laws of the State of Florida, without regard to conflict of law principles. Any dispute arising from these Terms shall be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The arbitration shall take place in Florida, and the arbitrator's decision shall be final and enforceable in any court of competent jurisdiction.

13. Modifications

We may update these Terms from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised Terms.

14. General

These Terms, together with any applicable SOW, constitute the entire agreement between you and Extra Security LLC regarding the Service. If any provision is found to be unenforceable, the remaining provisions remain in full force. Our failure to enforce any right or provision does not constitute a waiver.

Contact

Questions about these Terms should be directed to legal@extrasecurity.io.