Terms of Service & Privacy Policy | Breacher.ai
Important Notice

This Platform provides tools for authorized security testing only. By using this Platform, you acknowledge that you are solely responsible for ensuring all activities conducted through this Platform are lawful and properly authorized. Unauthorized use of this Platform to conduct any activities without proper consent is strictly prohibited and may violate federal, state, and international laws.

Part I — Terms of Service
Section 01

Definitions

"Platform" means the Breacher social engineering simulation software, services, APIs, and related tools provided by the Platform operator.

"Platform operator" means the entity that owns and operates the Platform and provides the services to Platform Customer.

"Platform Customer" means any entity or individual that has entered into a contract with the Platform operator to use the Platform, including MSPs conducting security assessments on behalf of clients, red team consultants and penetration testing firms, internal information security teams conducting authorized testing, and any other authorized users who have accepted these Terms.

"Target Organization" means any company, entity, or organization whose employees or systems are the subject of Simulations conducted through the Platform.

"Target Individual" means any person who is the recipient of simulated social engineering activities conducted through the Platform.

"Simulation" means any social engineering test, phishing campaign, vishing call, smishing message, deepfake content, or other security assessment activity conducted through the Platform.

"Voice Clone" / "Deepfake Content" means any AI-generated audio, video, or visual content that replicates or simulates the voice, likeness, or identity of a real person.

"Customer Data" means all data uploaded, submitted, or generated by Platform Customer through use of the Platform, including employee lists, contact information, campaign configurations, simulation results, voice samples, likeness data, and analytics.

"Third-Party Services" means external services integrated with or used by the Platform, including but not limited to cloud infrastructure, AI, voice synthesis, and communications providers.

"Platform Operator Infrastructure" means any website, web application, server, network, IP address range, domain, subdomain, or other infrastructure operated by, hosted on behalf of, or attributable to the Platform operator, including all assets reachable at breacher.ai and its subdomains.

Section 02

Acceptance of Terms

By accessing or using the Platform, Platform Customer agrees to be bound by these Terms of Service and Privacy Policy (collectively, "Terms"). If Platform Customer does not agree to these Terms, Platform Customer must not use the Platform.

Platform Customer represents and warrants that they have the legal authority to bind themselves and, if applicable, their organization to these Terms.

Order of Precedence. If Platform Customer has entered into a written Master Services Agreement ("MSA") with the Platform operator, the terms of the MSA shall control and supersede these Terms in the event of any conflict. These Terms apply only to the extent not addressed or inconsistent with the MSA.

Application to Non-Customers. Section 5 (Website Access and Unauthorized Scanning) applies to all persons and entities accessing Platform Operator Infrastructure, regardless of whether they are Platform Customers and regardless of whether they have agreed to any other portion of these Terms.

Section 03

Authorization and Consent Requirements

3.1 General Authorization

Platform Customer represents, warrants, and covenants that prior to conducting any Simulation through the Platform:

  • (a)Platform Customer has obtained all necessary authorizations, permissions, and consents required by applicable law to conduct the Simulation;
  • (b)Platform Customer has verified that the Simulation complies with all applicable federal, state, local, and international laws and regulations;
  • (c)Platform Customer has the legal right to target the Target Organization and Target Individuals;
  • (d)The Simulation falls within the scope of a legitimate security assessment engagement.
3.2 Employee Data Upload Attestation

By uploading employee information, contact lists, or any personal data to the Platform, Platform Customer attests that: they have obtained all necessary consents from the Target Organization and, where required by law, from Target Individuals; they accept full responsibility for obtaining such consent; they have provided adequate notice to Target Individuals regarding the nature and purpose of security testing as required by applicable law; and they indemnify and hold harmless the Platform operator from any claims arising from insufficient or invalid consent.

3.3 Voice Clone and Deepfake Consent

By uploading voice samples, images, videos, or other biometric data, Platform Customer represents and warrants that:

  • (a)Platform Customer has obtained explicit, informed consent from each individual whose voice, likeness, or identity will be replicated;
  • (b)Such consent includes authorization to create AI-generated content replicating the individual's voice or likeness for security testing purposes;
  • (c)The individual being cloned is an authorized representative of the Target Organization;
  • (d)Platform Customer will not use Voice Clones or Deepfake Content for any purpose other than authorized security testing;
  • (e)Platform Customer accepts full liability for any misuse of Voice Clone or Deepfake Content.
3.4 Third-Party Engagements

When Platform Customer conducts Simulations on behalf of a third party, Platform Customer attests that they have a valid contractual relationship with the Target Organization authorizing the security assessment, the Simulation scope falls within the authorized engagement, all necessary permissions have been obtained, and Platform Customer bears sole responsibility for ensuring proper authorization chains are in place.

3.5 Written Authorization Requirement

Prior to conducting any Simulation, Platform Customer must provide the Platform operator with written authorization from the Target Organization describing the scope of the authorized security assessment. Failure to provide such authorization may result in suspension or termination of Platform access. The Platform operator may disclose such authorization to law enforcement, regulators, or legal counsel where reasonably necessary.

3.6 Biometric Data and Voice/Likeness Consent

Platform Customer represents and warrants that it has obtained prior written, informed consent from each individual whose biometric data is used, specifically authorizing: (a) the capture of voice, image, or likeness data; (b) the creation of AI-generated content replicating that voice or likeness for security testing; (c) the processing of such data by the Platform and its subprocessors; and (d) the retention and deletion practices described in this Privacy Policy. Platform Customer indemnifies the Platform operator from any claims arising from failure to obtain legally sufficient biometric consent.

Section 04

Prohibited Uses

Platform Customer shall not use the Platform to:

Conduct any Simulation without proper authorization from the Target Organization
Engage in actual fraud, identity theft, financial crimes, or any illegal activity
Harvest credentials or personal data for purposes other than authorized security testing
Create Voice Clones or Deepfake Content without explicit individual consent
Harass, threaten, defame, or cause emotional distress to any individual
Distribute malware, ransomware, or other malicious code
Violate any applicable law, regulation, or third-party rights
Access, test, or target systems or individuals outside the authorized scope
Resell, sublicense, or provide Platform access to unauthorized third parties
Attempt to reverse engineer, decompile, or extract source code from the Platform
Use the Platform in violation of export control laws or sanctions regulations
4.1 Monitoring and Enforcement Rights

The Platform operator reserves the right to monitor, review, and audit Simulations for compliance. Platform Customer acknowledges that the Platform operator may review campaign content, targets, and configuration prior to or during execution. The Platform operator may suspend or terminate any Simulation or account that appears to violate these Terms, without prior notice.

Section 05

Website Access and Unauthorized Scanning

5.1 Scope and Application

This Section applies to all persons and entities — including, without limitation, individuals, organizations, security vendors, ratings providers, threat intelligence companies, scrapers, crawlers, and automated agents — that access, attempt to access, or transmit traffic to or from any Platform Operator Infrastructure, regardless of whether such persons are Platform Customers and regardless of whether they have agreed to any other portion of these Terms. Any access to Platform Operator Infrastructure constitutes acknowledgment of, and agreement to, this Section.

5.2 Scope of Authorized Access

Authorized access to Platform Operator Infrastructure is limited to ordinary, good-faith, human-driven use of publicly available pages and services for their intended commercial and informational purposes. All other forms of access are unauthorized unless and until the Platform operator grants prior written consent. The Platform operator's silence, inaction, non-detection, or technical accessibility of any resource shall not be construed as authorization.

5.3 Prohibited Activities

Without prior written consent from the Platform operator, the following activities directed at Platform Operator Infrastructure are expressly unauthorized and prohibited:

  • (a)Automated scanning, crawling, scraping, indexing, or bulk retrieval, except for compliant indexing by general-purpose search engines that respect robots.txt directives;
  • (b)Vulnerability scanning, port scanning, fuzzing, network reconnaissance, penetration testing, red-team activity, or any other unsolicited security assessment;
  • (c)Bypassing, circumventing, or attempting to defeat any technical protection measure, rate limit, IP block, authentication mechanism, CAPTCHA, or access control;
  • (d)Accessing or attempting to access any non-public account, page, area, dataset, or system;
  • (e)Misattributing the source, destination, ownership, or operator of any traffic, IP address, domain, or asset associated with Platform Operator Infrastructure, including in any security rating, score, risk profile, threat-intelligence feed, or research output;
  • (f)Distributing, publishing, marketing, or commercializing the output of any activity described in (a)–(e), including in security ratings, scoring products, threat intelligence, research publications, or competitive marketing materials;
  • (g)Any activity that materially interferes with the operation of Platform Operator Infrastructure, degrades its performance, or imposes an unreasonable load.
5.4 Revocation of Authorization

The Platform operator may revoke any prior or implied authorization at any time, with or without notice, including by means of an IP block, technical countermeasure, written demand, or notice posted on Platform Operator Infrastructure. Continued access following revocation is unauthorized and may give rise to liability under the federal Computer Fraud and Abuse Act and analogous state laws.

5.5 Bona Fide Security Research

Persons identifying suspected vulnerabilities in Platform Operator Infrastructure in good faith are encouraged to submit a coordinated disclosure to support@breacher.ai before conducting any further testing. Coordinated disclosure does not retroactively authorize prior unauthorized access, but the Platform operator will, in its sole discretion, consider good-faith coordinated disclosure when evaluating whether to pursue remedies.

5.6 Reservation of Rights and Remedies

The Platform operator expressly reserves all rights and remedies arising from unauthorized access to, scanning of, or misattribution involving Platform Operator Infrastructure, including, without limitation, claims under: the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the Florida Computer Abuse and Data Recovery Act, Fla. Stat. § 668.801 et seq.; the Florida Computer-Related Crimes Act, Fla. Stat. § 815 et seq.; the Lanham Act, 15 U.S.C. § 1125(a), where misattribution is involved; the Florida Deceptive and Unfair Trade Practices Act, Fla. Stat. § 501.201 et seq.; common-law trespass to chattels and trade libel; breach of contract; injunctive and equitable relief; and recovery of actual damages, statutory damages, attorneys' fees, and costs to the fullest extent permitted by law. Failure to exercise any remedy on any occasion shall not constitute a waiver of that remedy or any other.

Section 06

Platform Customer Responsibilities

Legal Compliance. Platform Customer is solely responsible for ensuring that all use of the Platform complies with all applicable laws and regulations, including the Computer Fraud and Abuse Act (CFAA), state computer crime laws, wiretapping and electronic surveillance laws, data protection and privacy regulations (GDPR, CCPA, etc.), anti-fraud statutes, employment laws, and telecommunications regulations.

Industry-Specific Compliance. Platform Customer acknowledges that certain industries are subject to additional regulatory requirements (HIPAA for healthcare, PCI-DSS for payment card data, GLBA for financial institutions, etc.) and is solely responsible for understanding and complying with any applicable industry-specific regulations.

Documentation. Platform Customer is responsible for maintaining adequate documentation of authorizations, consents, and engagement scope for all Simulations. Platform Customer must retain copies of all authorizations and consents for at least two (2) years following each Simulation.

Account Security. Platform Customer is responsible for maintaining the security of their account credentials and for all activities conducted under their account.

Cooperation with Investigations. Platform Customer agrees to cooperate fully with any inquiry, investigation, or legal request relating to Simulations conducted through the Platform, including providing proof of authorization and consent within 24 hours of request.

Sanctions Representation. Platform Customer represents that it is not located in, organized under the laws of, or owned or controlled by parties in sanctioned jurisdictions, and agrees to comply with all applicable U.S. sanctions programs administered by OFAC and applicable export control laws.

Section 07

Disclaimer of Warranties

Section 08

Limitation of Liability

Liability Cap. To the maximum extent permitted by law, the total aggregate liability of the Platform operator arising out of or related to these Terms shall not exceed the total fees paid by Platform Customer in the one (1) month preceding the event giving rise to the claim, unless otherwise specified in an applicable MSA. This limitation shall not apply to claims arising from the Platform operator's gross negligence, willful misconduct, or data protection obligations.

The Platform Is a Tool. The Platform operator provides the technical capabilities for conducting Simulations but does not control, direct, or assume responsibility for how Platform Customer uses those capabilities. All liability for the conduct of Simulations rests solely with Platform Customer.

Section 09

Indemnification

Platform Customer agrees to indemnify, defend, and hold harmless the Platform operator, its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  • (a)Platform Customer's use of the Platform;
  • (b)Any Simulation conducted by Platform Customer;
  • (c)Platform Customer's breach of these Terms;
  • (d)Platform Customer's violation of any law, regulation, or third-party rights;
  • (e)Any claim by a Target Individual or Target Organization;
  • (f)Platform Customer's failure to obtain required authorizations or consents;
  • (g)Any use of Voice Clones or Deepfake Content created through the Platform;
  • (h)Any dispute between Platform Customer and any third party.

This indemnification obligation shall survive termination of these Terms. The Platform operator provides technical tools only and does not design, direct, control, or participate in any Simulation. Platform Customer acts independently and not as an agent, partner, or representative of the Platform operator.

Section 10

Third-Party Services

The Platform utilizes Third-Party Services including cloud infrastructure, AI, voice synthesis, and communications providers. Platform Customer acknowledges that use of the Platform may be subject to the terms of service and acceptable use policies of these Third-Party Services, and that the Platform operator is not responsible for their availability, performance, or policies.

Where the Platform utilizes enterprise APIs, Customer Data is not used by those providers to train generalized AI or voice models. The Platform operator contracts for enterprise tiers of these services that prohibit model training on Customer Data.

Section 11

Termination

The Platform operator may suspend or terminate Platform Customer's access to the Platform immediately, without prior notice or liability, for any reason, including breach of these Terms, suspected unauthorized or illegal use, request by law enforcement or government agency, or at the Platform operator's sole discretion.

Upon termination, Platform Customer's right to use the Platform will immediately cease. Sections 3, 4.1, 5, 6, 7, 8, 9, 13, and Part II (Privacy Policy) shall survive termination.

Section 12

Modifications to Terms

The Platform operator reserves the right to modify these Terms at any time. Material changes will be communicated to Platform Customer through the Platform or via email. Continued use of the Platform after such modifications constitutes acceptance of the updated Terms.

Section 13

Governing Law and Dispute Resolution

These Terms shall be governed by and construed in accordance with the laws of the United States and the State of Florida, without regard to conflict of law principles.

Any dispute arising out of or relating to these Terms or the Platform shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association, except that either party may seek injunctive relief in any court of competent jurisdiction. Arbitration will take place in Florida, and each party will bear its own attorneys' fees unless the arbitrator awards otherwise.

Carve-Out for Section 5 Claims. Notwithstanding the foregoing, claims by the Platform operator arising out of or related to Section 5 (Website Access and Unauthorized Scanning), including without limitation claims for unauthorized access, scanning, or misattribution involving Platform Operator Infrastructure, may be brought in any court of competent jurisdiction in Florida, and the Platform operator may seek injunctive relief, damages, and any other available remedy in such forum.

Part II — Privacy Policy
Section 14

Information We Collect

For all personal data relating to Target Individuals, Platform Customer acts as the Data Controller and the Platform operator acts solely as a Data Processor processing such data on behalf of Platform Customer.

14.1 Platform Customer Account Information

We collect information provided during account registration and use, including company name, contact information, billing details, and account credentials.

14.2 Target Data

We collect and process data that Platform Customer uploads or generates through the Platform, including employee lists and contact information (names, email addresses, phone numbers), organizational structure and department information, campaign configuration and targeting parameters, and Simulation results (click rates, response rates, credential submissions for testing purposes, call recordings, message interactions).

14.3 Voice and Likeness Data

For Voice Clone and Deepfake Content creation, we collect voice samples and audio recordings, images and video content, and AI-generated models derived from such samples. Raw voice, video, and image samples are deleted immediately after processing. Only the resulting voice or likeness model is retained to enable continued service delivery.

14.4 Biometric Data Handling and Retention

Voice samples, likeness data, and biometric inputs are used solely to create Voice Clones and Deepfake Content for the Platform Customer that provided the data. Raw audio, video, and image files are deleted immediately after processing and model creation. Resulting voice or likeness models are retained solely to provide ongoing services to that specific Platform Customer and are never used to train generalized models or for any other purpose. Biometric data is not sold, disclosed, or used for any purpose other than providing the Platform services to the originating Platform Customer.

14.5 Usage and Technical Data

We automatically collect log data, IP addresses, browser information, Platform usage patterns and feature utilization, and performance and error data.

Section 15

How We Use Information

We use collected information to: provide and maintain the Platform; process and execute Simulations as directed by Platform Customer; generate reports and analytics; improve Platform functionality and develop new features; communicate with Platform Customer about their account and services; ensure Platform security and prevent abuse; and comply with legal obligations.

Processing of Target Individual data is performed solely on the lawful basis determined by Platform Customer as Data Controller. The Platform operator does not determine the lawful basis for Target Individual processing.

Section 16

Data Sharing and Disclosure

Third-Party Service Providers. We share data with Third-Party Services necessary to operate the Platform, including OpenAI, Anthropic, AWS, ElevenLabs, Deepgram, and Daily. These providers process data in accordance with their respective privacy policies and our data processing agreements. A list of subprocessors may be provided upon request.

Legal Compliance. We will disclose information when required to do so by law or in response to valid legal process, including subpoenas, court orders, search warrants, national security letters, or other lawful requests by public authorities. Where legally permitted, we will attempt to notify Platform Customer of such requests.

Protection of Rights. We may disclose information when we believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

Business Transfers. In the event of a merger, acquisition, or sale of assets, Customer Data may be transferred to the acquiring entity.

Section 17

Data Retention

We retain Customer Data for as long as Platform Customer's account remains active and as requested by Platform Customer. Platform Customer may request deletion of specific data or their entire account at any time.

Only resulting voice or likeness models (not raw audio, video, or image files) may be retained to enable continued service delivery and customer-requested re-training for that specific Platform Customer. Raw audio, video, and image samples are deleted immediately after processing. Models may be deleted upon Platform Customer request, subject to legal retention requirements.

We may retain certain data as required by law or for legitimate business purposes, such as maintaining security logs or complying with legal obligations, even after account termination.

Section 18

International Data Transfers

The Platform operates from the United States. If Platform Customer is located outside the United States, Platform Customer acknowledges that their data will be transferred to and processed in the United States.

For Platform Customers subject to GDPR or UK GDPR, we rely on appropriate legal mechanisms for international data transfers, which may include Standard Contractual Clauses or other lawful transfer mechanisms.

Platform Customer is responsible for ensuring that their use of the Platform complies with applicable data protection laws in their jurisdiction, including obtaining any necessary consents for international data transfers.

Section 19

GDPR and International Privacy Rights

For Platform Customers and Target Individuals located in the EEA, United Kingdom, or other jurisdictions with similar privacy laws, the following rights may apply:

Right to Access Personal Data
Right to Rectification of Inaccurate Data
Right to Erasure ("Right to Be Forgotten")
Right to Restrict Processing
Right to Data Portability
Right to Object to Processing
Rights Related to Automated Decision-Making

Platform Customer, as the controller of Target Individual data, is responsible for responding to data subject requests from Target Individuals. The Platform operator will provide reasonable assistance to Platform Customer in fulfilling such requests. The Platform operator's Data Processing Addendum ("DPA") is incorporated by reference into these Terms.

Section 20

California Privacy Rights

For California residents, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may provide additional rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt-out of sale or sharing, and the right to non-discrimination for exercising privacy rights. We do not sell personal information. To exercise these rights, contact us using the information provided in Section 25.

Section 21

Data Security

We implement reasonable administrative, technical, and physical security measures designed to protect Customer Data. We are actively pursuing SOC 2 certification to demonstrate our commitment to security best practices.

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect Customer Data, we cannot guarantee absolute security. Platform Customer is responsible for maintaining the security of their account credentials.

Section 22

AI and Machine Learning

The Platform uses artificial intelligence and machine learning technologies, including large language models provided by OpenAI and Anthropic, and voice synthesis technology provided by ElevenLabs and Deepgram.

Customer Data may be processed by these AI systems to generate Simulation content, create Voice Clones, and provide Platform functionality. Platform Customer acknowledges that AI-generated content may not be perfect and should be reviewed before use. The Platform operator is not responsible for any inaccuracies or unintended outputs generated by AI systems.

Section 23

Children's Privacy

The Platform is not intended for use against or involving individuals under the age of 18. Platform Customer represents and warrants that no Target Individuals are minors and agrees to indemnify the Platform operator for any violation of this provision.

Section 24

Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify Platform Customer of material changes through the Platform or via email. Continued use of the Platform after such changes constitutes acceptance of the updated Privacy Policy.

Section 25

Contact Information

For questions about these Terms or our privacy practices, Platform Customer should contact their designated account representative or refer to the contact information provided in their service agreement.

General Inquiries
Questions about these Terms or your data
support@breacher.ai
Acknowledgment
Acknowledgment and Acceptance

BY USING THE PLATFORM, PLATFORM CUSTOMER ACKNOWLEDGES THAT THEY HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS OF SERVICE AND PRIVACY POLICY. PLATFORM CUSTOMER FURTHER ACKNOWLEDGES THAT THEY ARE SOLELY RESPONSIBLE FOR ENSURING THAT ALL USE OF THE PLATFORM IS LAWFUL AND PROPERLY AUTHORIZED, AND THAT THE PLATFORM OPERATOR PROVIDES ONLY A TOOL AND ASSUMES NO LIABILITY FOR HOW THAT TOOL IS USED. PLATFORM CUSTOMER ACCEPTS FULL RESPONSIBILITY FOR ANY LEGAL CONSEQUENCES ARISING FROM THEIR USE OF THE PLATFORM, INCLUDING BUT NOT LIMITED TO CIVIL LIABILITY, CRIMINAL PROSECUTION, REGULATORY PENALTIES, AND THIRD-PARTY CLAIMS.

Appendix A
Appendix A

In-Product Biometric Consent Notice

The following consent notice must be presented at the point of voice or likeness capture within the Platform:

Implementation Requirements
  • Require an unchecked-by-default checkbox labeled "I Agree"
  • Provide a link to the Privacy Policy and a short retention summary
  • Capture and retain: timestamp, IP address, campaign identifier, and identity of consenting individual (as available)