1. Acceptance of terms
These Terms of Service ("Terms") are a binding agreement between you (or the entity you represent) and DeepSecret ("DeepSecret", "we", "us"). By creating an account, signing in, installing or using the DeepSecret CLI, or otherwise accessing the Service, you agree to these Terms. If you are entering into these Terms on behalf of an organization, you represent that you have authority to bind that organization, and "you" refers to that organization.
If you do not agree to these Terms, do not use the Service.
2. The Service
DeepSecret provides an identity-to-identity end-to-end encrypted secret exchange platform, including a hosted control plane, a single-binary command-line interface (secret <command>), and supporting websites (collectively, the "Service"). Encryption is performed on the sender's device using HPKE (RFC 9180) with a hybrid X25519MLKEM768 KEM and AES-256-GCM AEAD; integrity is provided by dual Ed25519 (RFC 8032) and ML-DSA-65 (FIPS 204) signatures. Ciphertext is stored in an S3-compatible bucket that you own and configure (Section 5).
3. Accounts & authentication
- Google Sign-In. Authentication is provided exclusively via Google OAuth 2.0. You are responsible for the security of the Google account you sign in with.
- Identity binding. On first sign-in, your CLI generates Ed25519 and ML-DSA-65 signing keypairs and ML-KEM-768 and X25519 KEM keypairs. Private keys never leave your device. You are responsible for safeguarding the device on which keys are stored.
- Accuracy. Account information must be accurate and current. Notify us promptly of any unauthorized use of your account.
- API keys. Long-lived API keys issued for CI/CD use are bearer credentials. Treat them as secrets; rotate or revoke them when compromised.
4. Organizations & roles
DeepSecret organizations are scoped to a verified DNS domain. Owners and administrators are responsible for managing actor membership, role assignments (owner / admin / actor), and policy configuration. Organization administrators may view audit logs, manage actors, and configure organization-wide policies. Org-wide policies override less-restrictive sender-specified policies; the Service stamps each enforced policy with its source.
5. Bring-your-own bucket (BYOB)
You provide and maintain the S3-compatible storage bucket(s) used to store ciphertext. You are responsible for: provisioning the bucket, configuring access credentials with appropriate least-privilege permissions, paying any storage and egress fees charged by your storage provider, and lifecycle/retention policies on that bucket. The Service writes encrypted payloads to your bucket and reads them on behalf of authorized recipients; we do not retain a copy of your ciphertext on our infrastructure.
Loss of access to your bucket (for example, deleted credentials, deleted bucket, or storage-provider outage) will prevent the Service from delivering ciphertext stored there.
6. Acceptable use
You agree not to:
- Use the Service to violate any law or third-party right, or to send malware or unlawful content;
- Reverse engineer, decompile, or attempt to derive source code, except to the extent permitted by applicable law notwithstanding this restriction;
- Probe, scan, or test the vulnerability of the Service except under a written authorization (for example, a coordinated disclosure program);
- Interfere with or disrupt the integrity or performance of the Service, including by abusing rate limits or exceeding documented quotas;
- Use the Service to impersonate another person or misrepresent your affiliation;
- Resell, sublicense, or provide the Service to third parties as a hosted service without our written consent;
- Use the Service to develop a competing product, or to train generalized AI/ML models on data obtained through the Service.
7. Fees, billing & trials
- Pricing. Paid plans are billed per active actor per month, with any minimums and currency described on the pricing page. Enterprise plans are billed according to a separate order form.
- Taxes. Fees are exclusive of applicable taxes; you are responsible for those taxes.
- Payment. Subscription fees are charged in advance. Unpaid amounts may, after notice, result in suspension of paid features.
- Refunds. Except where required by law or expressly stated in an order form, fees are non-refundable.
- Trials and free tiers. Where offered, trial or free-tier access is provided "as is" and may be modified or terminated at any time.
8. Customer content
"Customer Content" means any data you upload, transmit, or otherwise submit through the Service, including the plaintext of secrets you encrypt locally and the ciphertext stored in your bucket. As between the parties, you retain all rights in Customer Content. You grant DeepSecret a limited, worldwide, royalty-free license to host, transmit, and process Customer Content solely as necessary to provide the Service to you and consistent with our Privacy Policy. We do not have access to plaintext and cannot read the contents of secrets.
You represent and warrant that you have the rights necessary to upload Customer Content and that doing so does not violate law or any third-party right.
9. Intellectual property
DeepSecret and its licensors retain all right, title, and interest in and to the Service, including software, design, documentation, and trademarks. Subject to these Terms, DeepSecret grants you a non-exclusive, non-transferable, revocable license to access and use the Service during the term. No rights are granted by implication or estoppel.
Open-source components of the CLI are licensed under their respective licenses, which control over these Terms with respect to those components.
10. Confidentiality
Each party will protect the other's non-public information disclosed under these Terms with the same degree of care it uses to protect its own confidential information (and no less than reasonable care), and will use such information only to exercise rights and perform obligations under these Terms.
11. Beta & pre-release features
Features designated as "beta", "preview", "experimental", or similar are provided for evaluation purposes, may be modified or discontinued at any time, and are excluded from any service-level commitments and from the warranties below.
12. Warranties & disclaimers
The Service is provided "as is" and "as available." Except as expressly stated in a separate written agreement, DeepSecret disclaims all warranties, express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not warrant that the Service will be uninterrupted, error-free, or secure against every adversary, or that any defects will be corrected.
13. Limitation of liability
To the maximum extent permitted by law: (a) neither party will be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenue, data, or goodwill, even if advised of the possibility; and (b) each party's aggregate liability arising out of or relating to these Terms and the Service will not exceed the fees you paid to DeepSecret for the Service in the twelve (12) months preceding the event giving rise to the claim, or one hundred US dollars (USD $100), whichever is greater. The foregoing limitations do not apply to liability that cannot be limited under applicable law.
14. Indemnification
You will defend, indemnify, and hold harmless DeepSecret from and against any third-party claims, damages, liabilities, costs, and reasonable attorneys' fees arising out of (a) your Customer Content, (b) your use of the Service in violation of these Terms or applicable law, or (c) your infringement or misappropriation of any third-party right.
15. Term & termination
- These Terms remain in effect while you have an account or are using the Service.
- You may terminate your account at any time. Paid subscriptions terminate at the end of the then-current billing period unless otherwise specified in an order form.
- We may suspend or terminate access for material breach (with notice and a reasonable cure period where practicable), for non-payment, or where required by law.
- Sections that by their nature should survive termination (including ownership, confidentiality, disclaimers, limitation of liability, indemnity, and governing law) survive.
16. Export controls & sanctions
The Service includes cryptographic functionality. You represent that you are not located in, and will not access the Service from, a country subject to comprehensive US sanctions, and that you are not on any restricted-party list. You will comply with all applicable export-control and sanctions laws.
17. Governing law & disputes
These Terms are governed by the laws of the State of Delaware, USA, without regard to its conflict-of-laws principles. The state and federal courts located in Delaware have exclusive jurisdiction over any dispute arising out of or relating to these Terms, and the parties consent to that jurisdiction and venue. Nothing in this section limits a party's right to seek injunctive or equitable relief in any court of competent jurisdiction.
18. Changes to these Terms
We may modify these Terms from time to time. Material changes will be communicated by email to account administrators or by a prominent notice on the website at least 30 days before they take effect, except where a shorter period is required by law or to address a security or legal issue. Your continued use of the Service after the effective date of revised Terms constitutes acceptance.
19. Contact
Questions about these Terms? Email hello@deepsecret.io. For privacy and data-rights requests, see our Privacy Policy.