1. Acceptance of terms
By creating an account or using Audito, you agree to these terms. If you don't agree, don't use the service.
You must be at least 16 years old, or the higher minimum age set by the laws of your country. If you're using Audito on behalf of an organization, you confirm you're authorized to bind that organization to these terms.
2. What Audito is
Audito is a tool for tracking the security posture of the things your software depends on. That includes:
- Open-source library vulnerabilities (CVEs and advisories from public sources).
- Dependency staleness and deprecation across the libraries you register.
- Health and incident signals for the third-party SaaS your stack depends on.
- Optional GitHub integration that keeps your dependency inventory in sync with your repositories and can propose upgrade pull requests.
- Programmatic access through API tokens and an MCP server, so you can query Audito from your own tools and agents.
- Team workflows around triage, finding decisions, and weekly digest emails.
Audito is informational. It is not a substitute for a professional security audit, penetration testing, incident response, or legal advice. A green dashboard in Audito is not a certification that your software is safe.
3. Account & access
Authentication is handled by our identity provider. You can sign in with email or with a connected provider such as Google or GitHub. You're responsible for keeping your sign-in credentials and any connected identity providers secure, and for all activity under your account.
Organization workspaces
Audito data lives inside organization workspaces. Any member of an organization can read and write the org's workspace data — libraries, dependencies, services, audit log entries, finding decisions, GitHub connections, and digest settings. Make sure you trust the people you invite. We don't enforce per-resource permissions inside an org.
API tokens
You can mint API tokens for programmatic and MCP access. A token acts on behalf of your account and workspace — treat it like a password, don't share it, and revoke it if it may have leaked. You're responsible for everything done with a token you create.
Tell us promptly if you suspect unauthorized access to your account, your tokens, or your organization's workspace.
4. GitHub integration & automated pull requests
Connecting GitHub is optional. By installing the Audito GitHub App, you authorize Audito to access the repositories you select and you confirm that you have the right to connect them and to grant the permissions requested.
What the integration does
- Reads dependency manifests and lockfiles from the repositories you grant, to keep the matching Audito libraries in sync when you push.
- May post a check summarizing dependency findings for a push.
- If — and only if — you enable it, opens draft pull requests proposing dependency upgrades. This bot is opt-in and off by default.
Your responsibility for proposed changes
Remediation pull requests are suggestions. They are opened as drafts and are never merged automatically. You are responsible for reviewing, testing, and deciding whether to merge any proposed change. We don't warrant that an upgrade is compatible with your code, and we're not liable for build failures, regressions, downtime, or other consequences arising from a change you merge.
You can revoke access or uninstall the Audito GitHub App from GitHub at any time, which stops syncing and ends the integration.
5. Acceptable use
When you use Audito, you agree not to:
- Upload manifests, lockfiles, SBOMs, or other content, or connect repositories, that you don't have the right to scan or share.
- Use Audito to attack, probe, fingerprint, or exfiltrate data from third-party services or vendors. The status pages, changelogs, and advisory feeds we fetch are public; you must not point Audito at endpoints you're not authorized to query.
- Reverse-engineer, decompile, scrape, or load-test the service, or try to circumvent rate limits, API token controls, or access controls.
- Resell, sublicense, or pass the service off as your own product.
- Use Audito for anything illegal, or to harass, defame, or harm others.
6. Vulnerability data accuracy
Audito aggregates data from public sources, including OSV.dev, npm and PyPI registries, GitHub Advisories, vendor status pages, and RSS changelog feeds. We don't generate vulnerability data ourselves.
Those sources can be incomplete, late, or wrong. A finding may be published days after a CVE is assigned, scoped narrowly, or fixed by a patch we haven't yet picked up. We make a best-effort attempt to keep your view current, but we don't warrant that it is complete or accurate.
The same applies to any upgrade Audito proposes: it's a best-effort suggestion based on this public data, not a guarantee that the new version is safe or compatible.
A clean Audito report is not a guarantee that your software is secure. Use Audito as one signal alongside real audits, code review, and your own judgment.
7. Service availability
We don't offer a service-level agreement today. The service may be unavailable for planned maintenance, infrastructure issues, or other reasons, with or without notice.
Audito also depends on third-party feeds and providers — including OSV, package registries, GitHub, our hosting, database, and authentication providers, our payment processor, and our email provider. Their outages affect us and are outside our control.
8. Subscription, fees, and changes
Audito offers a free tier and one or more paid subscription plans. The features, limits, and price of each plan are shown at checkout and on our pricing page; those are the terms that apply to your subscription.
Paid plans are billed in advance on a recurring basis (monthly or annually, as selected) through our third-party payment processor. By subscribing, you authorize us and the processor to charge your payment method on each renewal until you cancel. Where a plan is billed per seat, adding members to your organization may increase your charge.
You can cancel at any time from the billing portal. Cancellation stops future renewals; your paid access continues until the end of the period you've already paid for. Except where required by law, fees already paid are non-refundable and we don't pro-rate partial periods.
If a payment fails and stays unresolved beyond a short grace period, we may downgrade your organization to the free tier — which limits access to paid features — while preserving your data so you can recover by updating your payment method.
Taxes, foreign exchange fees, and payment processor fees are your responsibility unless we say otherwise in writing. We may change pricing or plan features going forward; we'll give reasonable advance notice of changes that affect an active paid subscription before they take effect at your next renewal.
9. Intellectual property
Your content
You keep ownership of the content you put into Audito — registered libraries, dependency lists, imported manifests, repository data you connect, notes, finding decisions, and so on. You grant us a limited, worldwide, non-exclusive, royalty-free license to host, copy, transmit, and process that content solely to operate the service for you and your organization (for example, to scan a manifest, sync a connected repository, render it in the UI, propose an upgrade, or send your weekly digest).
Our service
Audito's code, brand, name, logos, designs, and UI are ours. These terms don't grant you any license to use them outside of using the service as intended. You may publish screenshots that show your own data — that's fine.
Feedback
If you send us suggestions, we may use them without obligation. We'll never publicly attribute feedback to you without asking.
10. Termination
You can delete your account at any time through your account profile. Deleting your account will purge the associated workspace data per our Privacy Policy. If you're the last member of an organization, deleting your account also deletes the organization's data.
We may suspend or terminate accounts that materially violate these terms, place undue load on the service, or put other users at risk. When it's reasonable to do so, we'll notify you first and give you a chance to fix the issue.
Sections that are meant to survive termination — including data accuracy disclaimers, intellectual property, disclaimers, limitation of liability, indemnification, and governing law — keep applying after your account ends.
11. Disclaimer & limitation of liability
The service is provided "as is" and "as available", without warranties of any kind — express, implied, or statutory — including any warranty of merchantability, fitness for a particular purpose, non-infringement, or that vulnerability data or proposed upgrades are accurate or complete. To the maximum extent permitted by applicable law, we disclaim all such warranties.
To the maximum extent permitted by law, Audito and the people who run it are not liable for indirect, incidental, special, consequential, or punitive damages, or for lost profits, lost data, or business interruption — even if we've been advised that they're possible.
Our total aggregate liability for any claim arising out of or relating to the service is capped at the greater of (a) the amount you paid us in the twelve months before the event giving rise to the claim, or (b) USD 100. Some jurisdictions don't allow some of these limits; in that case the limits apply to the maximum extent permitted by local law.
Nothing in these terms limits any liability that cannot be limited under the mandatory law that applies to you as a consumer.
12. Indemnification
You agree to defend, indemnify, and hold Audito harmless from claims and costs (including reasonable legal fees) arising out of your misuse of the service — including but not limited to a breach of the acceptable-use rules in section 5, content you upload or repositories you connect that you didn't have the right to upload or connect, or your violation of a third party's rights through your use of the service.
13. Governing law
These terms are governed by the laws of the Republic of Chile, without regard to conflict-of-law rules. Any dispute arising out of or relating to the service will be brought before the competent ordinary courts of Santiago, Chile.
If you're a consumer and the mandatory consumer-protection law of the country where you live gives you the right to bring a claim before your local courts, nothing here takes that right away from you.
Audito is currently operated by an individual based in Chile, not yet through a registered company. When a legal entity is formed to operate Audito, we'll update this section with its name and registered domicile and notify you under the "Changes to these terms" section.
14. Changes to these terms
We may update these terms from time to time. When we make a material change — for example, anything that meaningfully affects your rights, fees, or how we handle your content — we'll notify you by email or with an in-app banner before it takes effect. Smaller edits (clarifications, typos) we may publish without notice.
The "last updated" date at the top of this page always reflects the current version. Continuing to use Audito after a change means you accept the updated terms.
15. Contact
Questions about these terms? Email support@audito.dev.