
Legal · Updated 2026-06-15

Terms of Service

Operated by BellyFoot LLC · Last updated: June 15, 2026

Acceptance of Terms

gastropod.io is a managed cloud service operated by BellyFoot LLC. These Terms of Service (the "Terms"), last updated on June 15, 2026, apply to your use of gastropod.io. By creating an account or using the service, you agree to the Terms and to all policies incorporated by reference. If you use the service on behalf of an organization, you confirm that you have authority to bind that organization, and in that case "you" also refers to that organization.

Introduction

These Terms apply only to the self-service Pro and Business plans. The Enterprise plan is covered by a separate written agreement, and that agreement controls for Enterprise deployments.

1. The service

gastropod.io is a managed cloud platform for software supply-chain artifact intelligence. It proxies and hosts packages across many ecosystems, including npm, Go modules, PyPI, Maven, Debian, RHEL, Alpine, OCI containers, and others. It also resolves dependencies, records provenance, correlates and surfaces advisories, generates and consumes SBOM and VEX context, runs first- and third-party scanners on the actual artifacts, maps where artifacts and findings appear in your environment, and stores the resulting artifact intelligence.

2. Editions and software licensing

These Terms apply to the managed cloud service:

  • Cloud service (these Terms). The hosted gastropod.io service you access over the network. You receive a right to use the service, not a copy of the software. The gastropod.io software is proprietary and is owned by BellyFoot or its licensors. It is not open source, is not redistributed to you, and you receive no source-code or redistribution rights to it.
  • Enterprise / on-premises (separate agreement). Enterprise, on-premises, and private-federation offerings are provided under a separate commercial agreement.

3. Accounts and authentication

You register an account by signing in through one of the supported identity providers, or by being added to an Organization by an Owner. You are responsible for maintaining the confidentiality of your credentials, API tokens, and other access details, and for all activity that occurs under your account. You must promptly notify us at security@gastropod.io of any actual or suspected unauthorized access or use. Owners are responsible for the members they add and the roles they assign.

4. Right to use the service

Subject to these Terms and your plan, and for as long as your account is active, we grant you a limited, revocable, non-exclusive, non-transferable, non-sublicensable right to access and use the service solely for your own internal business purposes and in accordance with the documentation. All rights not expressly granted are reserved.

5. Plans, billing, and renewals

Plans, allowances, and pricing are listed at /pricing. You may pay monthly or annually.

  • Annual billing. Annual billing provides a 15% discount that starts immediately and continues only while you remain on annual billing. An annual plan is a 12-month prepaid commitment. You cannot switch to monthly billing during the annual term, but you may switch when the term ends. If you switch, the 15% discount ends.
  • Renewal. Subscriptions renew automatically for another term of the same length unless you cancel or change the plan before the current term ends. This applies to both monthly and annual plans.
  • Overages. Plans include monthly storage and data egress allowances. Usage is metered, and overages are billed at the rates stated in the plan.
  • Price changes. We may change base plan pricing on at least 30 days' written notice, effective at your next renewal. We may change overage rates on at least 60 days' written notice.
  • Taxes. Fees are exclusive of taxes. You are responsible for any applicable sales, use, VAT, or similar taxes related to the purchase and use of our software and services.

Fees, including amounts prepaid for an annual term, are non-refundable except where required by law.

6. Pro trial

The Pro plan includes a 14-day free trial. Business and Enterprise plans do not offer trials. A valid payment method is required to start a trial. You may cancel before the trial ends to avoid charges. If you do not cancel, the trial converts to a paid Pro subscription, and your payment method is charged the then-current Pro fee on the billing schedule you chose. Trial use carries no service-level commitments, indemnities, or warranties except where required by law. Export any data you want to keep before cancelling, because trial data may be deleted if you do not subscribe.

7. Acceptable use

You may not use the service to distribute malware, phishing kits, illegal content, or other unlawful material. You also may not bypass quota limits, license checks, or access controls. You must not impersonate any person or organization. You may not disrupt the service, scrape it beyond reasonable API use, or reverse engineer, decompile, or disassemble it, except where applicable law prohibits that restriction. You may not resell, rent, lease, sublicense, time-share, or operate the service as a service bureau for others. You may not use proxying, caching, or similar methods to make the service available to unauthorized third parties unless we give written permission. You may not use the service to build or help build a competing product or service, or to do benchmarking or competitive analysis, without prior written consent. You may not perform security, penetration, or load testing without prior written authorization. You must also comply with all export-control and sanctions laws that apply to you or us. We may remove individual artifacts if we reasonably and in good faith believe they violate this section, including malware or infringing content, and we will notify you when we do.

8. Your data and artifacts

You retain ownership of the artifacts you upload and the metadata identifying your Organization. You represent that you own, license, or otherwise legally possess any artifacts, packages, binaries, images, and components you submit or process through the service. You also represent that using them through the service will not violate any third-party rights or any applicable law. You are responsible for the accuracy, legality, and integrity of your data, and for backing up your data.

9. Privacy Policy

The service processes data only to run, secure, support, and improve the service. It may use aggregated and de-identified data for operations and improvement, such as reporting total artifacts proxied in a day. Private artifact contents are not accessed unless needed to operate, secure, or troubleshoot the service, or when required by law. Any access to private artifact contents is logged.

The service uses a limited number of sub-processors, including an offsite storage provider for encrypted disaster-recovery backups. A current sub-processor list is available on request, and material changes to sub-processors will be given reasonable notice. Customer data is encrypted at rest.

The service may also support federation between gastropod instances. In federation, only limited artifact information is exchanged. Public federation shares limited public package and version sightings, plus related advisory or VEX status. It does not expose private packages, pull or download history, internal usage, or private dependency chains. Information from another instance is used only to help local analysis. It is not automatically treated as a verified finding and does not override local policy. Your instance verifies the information and applies local policy before acting. Participation in federation is optional.

10. Disclaimers

Advisories, scan results, and similar outputs are provided for information only. This includes vulnerability correlations, SBOM and VEX data, scanner findings, provenance records, blast-radius maps, and risk ratings. These outputs may depend on third-party data, public data, and scanners you choose. They may be incomplete, delayed, or inaccurate. If a third-party scanner is used, its results are provided by that scanner, and no warranty is given for them. The outputs are not legal advice. You must validate findings yourself. You are responsible for decisions made from them, including open-source license obligations and compliance choices.

11. Third-party and open-source components

The packages, artifacts, and components you proxy, host, or retrieve through the service are owned by and licensed from their respective publishers and are subject to their own license terms and notices. We grant you no rights in those upstream components, and you are responsible for complying with their licenses. The service itself may also include third-party or open-source components subject to their own license terms, which govern those components.

12. Confidentiality

Each party will protect the other's Confidential Information using at least the care it uses to protect its own (and no less than reasonable care), and will use it only to perform under these Terms. "Confidential Information" includes non-public commercial, technical, and operational information. This does not cover information that is or becomes public through no fault of the receiver, was independently developed, or is required to be disclosed by law (with notice where allowed).

13. Service availability and support

We will use commercially reasonable efforts to make the service available, excluding planned maintenance and circumstances outside our reasonable control.

  • The Pro plan is provided on a best-effort basis, with no uptime commitment, and includes community and email support.
  • The Business plan includes a 99.9% monthly uptime commitment and business-hours support. Where an uptime commitment applies, service credits are the sole remedy for failing to meet it. Credits are calculated from the downtime in the monthly billing cycle that exceeds the 99.9% commitment (that is, downtime beyond 0.1% of the month). A credit request must be made within 30 days, or the credit is waived.

14. Warranties and disclaimers

We will use commercially reasonable efforts to operate the service in substantial conformity with its published documentation. Otherwise, the service is provided "as is" and "as available," without warranties of any kind, express or implied, including merchantability, fitness for a particular purpose, non-infringement, or uninterrupted operation. Some jurisdictions do not allow these disclaimers; in that case, they apply to the maximum extent permitted by law.

15. Limitation of liability

To the fullest extent allowed by law, neither party is liable for indirect, incidental, consequential, special, or exemplary damages, including lost profits, even if those damages were foreseeable. Each party's total liability under or related to the Terms is capped at the fees paid in the 12 months before the claim arose. This section does not limit liability that cannot be limited by law, including liability for gross negligence or willful misconduct.

16. Indemnification

You must defend and indemnify BellyFoot against third-party claims tied to: artifacts you uploaded that infringe others' rights; your breach of Section 7 (Acceptable use); and your breach of Section 8 (Your data and artifacts). BellyFoot must defend and indemnify you against claims that the service, as provided by BellyFoot, infringes a U.S. patent or U.S. copyright. Both sides must give prompt notice of any claim and provide reasonable cooperation in the defense.

17. Suspension and termination

These Terms remain in effect until terminated. You may terminate by canceling all plans in your account. We may terminate for a material breach that is not cured within 30 days after notice, and may terminate immediately for a breach that cannot be cured, such as unlawful use. We may also suspend access in whole or in part, and will give notice when practical. Suspension may occur if your use threatens service security, integrity, or availability, harms other customers, must be stopped by law, or involves overdue fees that remain unpaid after notice. After termination, we will provide data export access for at least 30 days, after which we may delete your data, except for data we are allowed or required to keep. Certain provisions survive termination, including fees owed, intellectual property, confidentiality, disclaimers, limitation of liability, indemnification, and governing law.

18. Governing law

These Terms are governed by the laws of the State of Delaware, USA, without regard to its conflicts-of-laws rules. The exclusive venue for disputes is the state and federal courts located in Delaware, and each party consents to that venue and waives objections to it.

19. Changes

We may update these Terms by posting an updated version at this URL and revising the "last updated" date. Material changes will be announced at least 30 days in advance to the email on your account. Continued use after the effective date constitutes acceptance.

20. General

Your plan or order, plus the incorporated documents (such as the Privacy Policy and the service-level terms included in these Terms), are part of the agreement. If there is a conflict, the plan or order controls for plan-specific items such as allowances, overage rates, and service levels. Otherwise, these Terms control. Neither party may assign the Terms without the other party's consent, except in connection with a merger or a sale of substantially all assets to a successor. Neither party is responsible for delay or failure caused by events beyond its reasonable control. If any provision is unenforceable, the rest remains effective. Failure to enforce a provision once does not waive the right to enforce it later. These Terms and the referenced documents form the entire agreement between the parties for the service.

21. Contact

Questions about these Terms: legal@gastropod.io. Security disclosures: see /security. Privacy and data-subject requests: privacy@gastropod.io.