Terms of Service
Last updated: January 2026
1. Agreement to Terms
These Terms of Service ("Terms") are a legal agreement between you ("Customer," "you," or "your") and LeakLoop (ABN 79 390 265 966) ("LeakLoop," "we," "our," or "us").
By accessing or using LeakLoop ("the Service"), you agree to be bound by these Terms. If you do not agree to these Terms, do not use the Service.
2. Description of Service
LeakLoop is a breach monitoring service that allows organizations to monitor employee email addresses for exposure in known data breaches. The Service uses the Have I Been Pwned (HIBP) API to check for this exposure.
3. Service Limitations
You acknowledge and agree that:
- LeakLoop does not guarantee detection of all data breaches. Breach datasets sourced from third-party providers may be delayed, incomplete, or unavailable.
- The Service is not a substitute for a comprehensive information security program, penetration testing, or professional security audits.
- The Customer remains solely responsible for its overall cybersecurity posture, including but not limited to incident response, password policies, and employee training.
- Breach data is provided on an "as available" basis and may not reflect the most recent breach events.
4. Account Registration
To use the Service, you must create an account. You agree to:
- Provide accurate and complete registration information
- Maintain the security of your account credentials
- Enable Multi-Factor Authentication (MFA) for enhanced account security (recommended)
- Keep your MFA backup codes secure and accessible only to you
- Notify us immediately of any unauthorized account access
- Accept responsibility for all activities under your account
5. Acceptable Use
You agree to use the Service only for lawful purposes and in accordance with these Terms. You agree NOT to:
- Use the Service for any illegal or unauthorized purpose
- Monitor email addresses without proper authorization
- Attempt to gain unauthorized access to the Service
- Interfere with the proper operation of the Service
- Upload or transmit viruses or malicious code
- Resell or redistribute the Service without permission
6. Customer Representations and Warranties
By connecting your organization's email accounts (via Google Workspace, Microsoft 365, or manual entry) to LeakLoop, you represent and warrant that:
- Authority: You have the necessary authority to bind the organization to these Terms and to grant LeakLoop access to the employee accounts provided.
- Consent & Notice: You have provided all legally required notices to, and obtained all necessary consents from, your employees (or other data subjects) regarding:
  - The monitoring of their email addresses for security breaches.
  - The transfer of their email addresses to LeakLoop and our third-party data providers.
  - The receipt of automated remediation emails or notifications from LeakLoop.
- Workplace Surveillance Notice: Where applicable (including but not limited to the Workplace Surveillance Act 2005 (NSW) and equivalent state or territory legislation), you have provided written notice to employees at least 14 days prior to commencing monitoring, specifying the nature of the monitoring, that email addresses will be checked against breach databases, and the purpose of such monitoring.
- Compliance with Laws: Your use of the Service complies with all applicable laws, including but not limited to the Privacy Act 1988 (Cth), the Workplace Surveillance Act 2005 (NSW) (and equivalent state laws), and the GDPR (where applicable). Your monitoring is consistent with the OAIC's Australian Privacy Principles (APP) Guidelines, in particular APP 3 (collection), APP 5 (notification), APP 6 (use and disclosure), and APP 11 (security).
- Workplace Policies: Your use of LeakLoop is consistent with your organisation's workplace monitoring policies and employment agreements.
- Data Subject Requests: You are responsible for handling all employee data subject access, correction, and deletion requests. LeakLoop will reasonably assist upon request, as described in our Privacy Policy.
- No "Spyware" Use: You verify that LeakLoop is being used solely for defensive cybersecurity purposes (identifying compromised credentials) and not for employee performance monitoring, behavioral surveillance, or interception of private communications.
7. API & Integration Specifics (Google & Microsoft)
- Google Workspace Data: Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. You acknowledge that LeakLoop accesses this data strictly to populate user lists for breach scanning and does not access user emails for any other purpose.
- Microsoft 365 Data: You authorize LeakLoop to read user profile and directory data via Microsoft Graph permissions granted by your administrator (e.g., User.Read.All) to maintain an up-to-date list of monitored identities.
8. Subscription and Payment
Some features of the Service require a paid subscription. By subscribing, you agree to:
- Pay all applicable fees according to your chosen plan
- Provide accurate billing information
- Accept automatic renewal unless you cancel before the renewal date
All plans include a 14-day free trial. No credit card is required to start. Because a free trial is provided, paid subscriptions are non-refundable. You may cancel at any time to prevent future billing.
9. Security Commitments
We are committed to protecting your data and maintaining the security of our Service. Our security measures include:
- Multi-Factor Authentication: Optional MFA via TOTP authenticator apps (e.g., Google Authenticator, Authy), with trusted device management and backup recovery codes
- Encryption: All data is encrypted in transit (industry-standard TLS, provider-supported) and at rest (AES-256-GCM)
- Access Control: Row-level security policies ensure strict data isolation between organizations
- Authentication: Industry-standard authentication with secure session management
- Compliance: Our security practices are inspired by ISO 27001 principles and Australian Privacy Principles (APP)
- Infrastructure: We use SOC 2 Type II certified hosting providers (Vercel, Supabase)
- Payments: Payment processing through PCI DSS Level 1 certified Stripe
For comprehensive security information, please visit our Security page.
10. Data Protection
We implement the following data protection measures:
- Personal data is only collected when necessary for service operation
- Sensitive data in audit logs is hashed to protect privacy
- API responses mask sensitive information (e.g., webhook URLs)
- Employee email addresses are protected and only used for breach monitoring
- We do not sell or share your data with third parties for marketing purposes
See our Privacy Policy for detailed information about how we handle your data.
11. Service Availability
We strive to maintain high availability but do not guarantee uninterrupted access to the Service. We reserve the right to modify, suspend, or discontinue the Service at any time with reasonable notice.
12. Intellectual Property
The Service and its original content, features, and functionality are owned by LeakLoop and are protected by intellectual property laws. You may not copy, modify, or create derivative works without our permission.
13. Limitation of Liability
THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND. WE ARE NOT LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES. OUR TOTAL LIABILITY SHALL NOT EXCEED THE AMOUNT YOU PAID FOR THE SERVICE IN THE PAST 12 MONTHS.
Nothing in these Terms excludes, restricts, or modifies any consumer guarantee, right, or remedy conferred by the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)) that cannot lawfully be excluded.
14. Indemnification
You agree to indemnify, defend, and hold harmless LeakLoop, its officers, directors, and employees from and against any claims, damages, losses, liabilities, costs, or expenses (including reasonable legal fees) arising out of or related to:
- Your use of the Service
- Your violation of these Terms
- Your failure to obtain necessary employee consents or provide required notices
- Any third-party claims relating to data you provided to LeakLoop
15. Termination
We may terminate or suspend your account at any time for violation of these Terms. Upon termination, your right to use the Service ceases immediately. You may also cancel your account at any time.
16. Changes to Terms
We reserve the right to modify these Terms at any time. We will notify you of material changes via email or through the Service. Continued use after changes constitutes acceptance of the new Terms.
17. Governing Law
These Terms are governed by and construed in accordance with the laws of New South Wales, Australia. Each party irrevocably submits to the non-exclusive jurisdiction of the courts of New South Wales, Australia, and courts entitled to hear appeals from those courts, in respect of any proceedings arising out of or in connection with these Terms.
18. Force Majeure
Neither party will be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from circumstances beyond its reasonable control, including but not limited to: natural disasters, acts of government, internet or telecommunications failures, third-party service outages, cyberattacks, pandemics, or civil unrest. The affected party must promptly notify the other party and use reasonable efforts to mitigate the impact.
19. Dispute Resolution
In the event of a dispute arising out of or in connection with these Terms, the parties agree to the following process:
- Negotiation: The parties will first attempt to resolve the dispute through good-faith negotiations for a period of 30 days from written notice of the dispute.
- Mediation: If the dispute is not resolved through negotiation, the parties agree to participate in mediation administered by a mutually agreed mediator before commencing litigation.
- Litigation: If mediation fails or a party does not participate within 30 days of a mediation request, either party may commence proceedings in accordance with Section 17 (Governing Law).
20. Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions will continue in full force and effect. The invalid or unenforceable provision will be deemed modified to the minimum extent necessary to make it valid and enforceable, while preserving the original intent of the parties.
21. Entire Agreement
These Terms, together with the Privacy Policy (including the Data Processing Addendum contained therein), constitute the entire agreement between you and LeakLoop with respect to the Service. These Terms supersede all prior or contemporaneous communications, proposals, and agreements, whether oral or written, between you and LeakLoop regarding the Service.
22. Notices
All legal notices under these Terms must be in writing and sent to:
- LeakLoop: legal@leakloop.com
- Customer: The email address associated with the Customer's account
Notices are deemed received when delivered by email (on the next business day) or by post (five business days after sending by registered mail).
23. Assignment
You may not assign or transfer your rights or obligations under these Terms without our prior written consent. LeakLoop may assign its rights and obligations under these Terms to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee agrees to be bound by these Terms.
24. Waiver
No failure or delay by either party in exercising any right, power, or remedy under these Terms will operate as a waiver of that right, power, or remedy. A single or partial exercise of any right, power, or remedy does not preclude any other or further exercise of that or any other right, power, or remedy.
25. Contact Us
If you have questions about these Terms, please contact us at:
- Legal inquiries: legal@leakloop.com
- General support: support@leakloop.com