Terms of Service

Last updated: December 23, 2025

1. ACCEPTANCE OF TERMS

By accessing or using the services provided by Root.io, Inc. ("Root," "we," "us," or "our"), including our website at www.root.io, the Root Platform, and any related services (collectively, the "Services"), you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms").

If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind such entities to these Terms.

If you do not agree to these Terms, you may not access or use the Services.

2. DEFINITIONS

"Authorized Users" means Customer's employees and contractors authorized to access the Services on Customer's behalf.

"Community Images" means container images designated by Root as available without paid subscription, provided without warranty or SLA.

"Customer Configuration Data" means information provided by Customer to enable the Services, including registry credentials, image tags, library specifications, and subscription selections.

"Customer Environment Data" means vulnerability scan results and metadata derived from Customer's subscribed images and libraries.

"Order Form" means a mutually executed ordering document specifying the Services, subscription term, fees, and any additional entitlements.

"Root Image Catalog (RIC)" means Root's catalog of hardened, continuously remediated container images.

"Root Library Catalog (RLC)" means Root's catalog of backported security fixes for application dependencies.

"Root Platform" means Root's proprietary software platform for vulnerability remediation, including access to RIC, RLC, associated APIs, and related documentation.

"Subscribed Images" and "Subscribed Libraries" mean the specific open source images and libraries designated in the Order Form or Root Platform for which Customer has active service level agreement (SLA) entitlements.

3. SERVICES

3.1 Description

The Services consist of container security and vulnerability remediation services delivered through the Root Platform, including:

•   Root Image Catalog (RIC): Access to hardened open source container images with continuous CVE remediation

•   Root Library Catalog (RLC): Backported open source security fixes for application dependencies

•   Root proprietary documentation, APIs, and support services as described in applicable Order Forms

3.2 Service Levels

Root will provide the Services in accordance with the Service Level Agreement ("SLA") available at www.root.io/sla and incorporated herein by reference. Enhanced service levels and additional entitlements may be specified in an Order Form.

3.3 Order Form Hierarchy

The specific Services, entitlements, and terms applicable to Customer are determined by the Order Form. In the event of a conflict between these Terms and a fully executed Order Form, the Order Form shall control with respect to the specific subject matter addressed therein.

4. ACCOUNT AND ACCESS

4.1 Account Registration

To access the Services, Customer must create an account with accurate and complete information. Customer agrees to maintain and update account information as necessary.

4.2 Account Security

Customer is responsible for maintaining the confidentiality of account credentials and for all activities under Customer's account. Customer will notify Root immediately of any unauthorized access or security breach.

4.3 Authorized Users

Customer may permit Authorized Users to access the Services. Customer is responsible for Authorized Users' compliance with these Terms.

5. FEES AND PAYMENT

5.1 Fees

Customer agrees to pay all fees specified in the Order Form. Except as expressly provided in these Terms or the SLA, fees are non-refundable.

5.2 Payment Terms

Unless otherwise specified in the Order Form, fees are due within thirty (30) days of invoice date. Late payments accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law.

5.3 Taxes

Fees are exclusive of all taxes, duties, levies or similar governmental assessments of any nature (collectively, “Taxes”). Customer is responsible for all applicable Taxes, except taxes solely based on Root's net income.

6. ACCEPTABLE USE

6.1 Permitted Use

Customer may use the Services for Customer's internal business purposes in accordance with these Terms and the applicable Order Form.

6.2 Restrictions

In connection with Customer’s use of the Services, Customer agrees not to:

(a)   Use the Services for unlawful purposes or in violation of applicable laws

(b)   Infringe or misappropriate intellectual property rights

(c)   Transmit malicious code or interfere with Service operation

(d)   Attempt unauthorized access to Root systems or data

(e)   Use the Services to develop a competing product or service

(f)   Resell, redistribute, or sublicense the Services without authorization

(g)   Remove or modify proprietary notices or markings

(h)   Redistribute Root-provided images or libraries outside Customer's organization except as necessary for Customer's products and services

(i)   Engage in pull rates or access patterns that indicate abuse, misconfiguration, or unauthorized redistribution

6.3 Suspension

Root may suspend Customer's access for violation of these Terms with prior notice, or immediately when necessary to protect Service integrity or comply with law.

7. INTELLECTUAL PROPERTY

7.1 Root Ownership

Root and its licensors retain all rights, title, and interest in and to the Root Platform, the Services, and all related Deliverables and methodologies, including but not limited to all intellectual property and other proprietary rights therein. These Terms do not grant Customer any rights except the limited licenses expressly stated herein.

7.2 License to Services

Subject to these Terms and payment of applicable fees, Root grants Customer a limited, non-exclusive, non-transferable, non-sublicensable license during the subscription term to use the Services to:

(a)   Access and use the Root Platform for internal business purposes

(b)   Pull, deploy, and use Subscribed Images and Subscribed Libraries in Customer's environments

(c)   Redistribute Root-provided images and libraries solely as incorporated into Customer's products and services

7.3 Open Source Licensing

All Root-provided images and libraries, including Community Images and those provided in the Root Image Library, maintain their underlying open source licenses. Root publishes patches, including those in the Root Library Catalog, in compliance with applicable open source license requirements. Customer's use of open source components is subject to their respective licenses. More information on Root’s commitment to open source license compliance and software transparency can be found here.

7.4 Deliverables License

Root grants Customer a perpetual, royalty-free license to use SBOMs, VEX statements, diff files, and related documentation delivered as part of the Services under this Agreement (the “Deliverables”) for Customer's internal compliance, audit, and security purposes. Root retains ownership of the Deliverables, including all related methodologies, formats, and tooling.

7.5 Feedback

Customer grants Root a perpetual, royalty-free, worldwide license to use any feedback, suggestions, or ideas provided by Customer for any purpose without obligation.

8. DATA

8.1 Customer Configuration Data

Customer retains ownership of Customer Configuration Data. Customer grants Root a license to use Customer Configuration Data solely to provide the Services.

8.2 Customer Environment Data

Root may process Customer Environment Data to provide the Services, including vulnerability scanning and remediation. Root does not acquire ownership of Customer's underlying software or source code.

8.3 Aggregated Data

Root may collect and use aggregated, anonymized data derived from Service usage for product improvement, research, analytics, and benchmarking, provided such data does not identify Customer.

8.4 Usage Data

Root may collect diagnostic, technical, and usage information to operate, maintain, and improve the Services.

9. CONFIDENTIALITY

9.1 Definition

"Confidential Information" means non-public information disclosed by either party that is designated as confidential or reasonably should be understood to be confidential given its nature and circumstances of disclosure.

9.2 Obligations

Each party agrees to: (a) use Confidential Information only as necessary to exercise rights or perform obligations under these Terms; (b) protect Confidential Information using at least the same degree of care used to protect its own confidential information, but no less than reasonable care; (c) not disclose Confidential Information except to employees, contractors, and agents with a need to know who are bound by confidentiality obligations at least as protective as these Terms.

10. WARRANTIES AND DISCLAIMERS

10.1 Root Warranties

Root warrants that:

(a)   The Services will perform materially as described in the documentation

(b)   Root has the authority to enter into these Terms and grant the licenses herein

(c)   Root-provided fixes will be built from source in accordance with SLSA standards

10.2 Disclaimer

EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." ROOT DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

ROOT DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE, OR THAT ALL VULNERABILITIES WILL BE REMEDIATED.

10.3 Security Disclaimer

CUSTOMER ACKNOWLEDGES THAT VULNERABILITY REMEDIATION CANNOT GUARANTEE ELIMINATION OF ALL SECURITY RISKS. ROOT'S SERVICES ARE ONE COMPONENT OF A COMPREHENSIVE SECURITY PROGRAM AND DO NOT REPLACE CUSTOMER'S RESPONSIBILITY FOR OVERALL SECURITY.

11. LIMITATION OF LIABILITY

11.1 Liability Cap

EXCEPT FOR EXCLUDED CLAIMS, NEITHER PARTY'S TOTAL AGGREGATE LIABILITY ARISING UNDER OR RELATED TO THESE TERMS SHALL EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO ROOT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY.

11.2 Exclusion of Damages

EXCEPT FOR EXCLUDED CLAIMS, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, REVENUE, DATA, BUSINESS OPPORTUNITIES, OR COSTS OF PROCUREMENT OF SUBSTITUTE SERVICES, REGARDLESS OF FORESEEABILITY OR WHETHER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

11.3 Excluded Claims

The limitations in Sections 11.1 and 11.2 do not apply to:

(a)   A party's gross negligence or willful misconduct

(b)   A party's indemnification obligations under Section 12

(c)   Customer's breach of Section 6 (Acceptable Use)

(d)   Customer's payment obligations

11.4 Allocation of Risk

THE LIMITATIONS IN THIS SECTION REFLECT AN INFORMED, VOLUNTARY ALLOCATION OF RISK AND ARE AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES.

12. INDEMNIFICATION

12.1 By Root

Root will defend, indemnify, and hold Customer harmless from third-party claims alleging that the Services (excluding open source components provided under their own licenses) infringe such third party's intellectual property rights, and pay resulting damages and costs, provided Customer: (a) promptly notifies Root of the claim; (b) gives Root sole control of the defense and settlement; (c) provides reasonable cooperation.

Root's obligations do not apply to claims arising from: (a) Customer's modifications to the Services; (b) combination with products not provided by Root; (c) use in violation of these Terms; (d) open source components governed by their own licenses.

12.2 By Customer

Customer will defend, indemnify, and hold Root harmless from third-party claims arising from: (a) Customer's use of the Services in violation of these Terms; (b) Customer's violation of applicable laws.

13. TERM AND TERMINATION

13.1 Term

These Terms are effective upon Customer's first access to the Services and continue until terminated. The subscription term for paid Services is specified in the Order Form.

13.2 Renewal

Unless otherwise specified in the Order Form, subscriptions automatically renew for successive periods equal to the initial term unless either party provides written notice of non-renewal at least thirty (30) days before the renewal date.

13.3 Termination for Cause

Either party may terminate for material breach if the breach is not cured within thirty (30) days of written notice specifying the breach.

13.4 Termination for SLA Failure

Customer may terminate for material SLA failure as provided in the SLA, subject to the conditions and cure periods specified therein.

13.5 Termination by Root

Root may suspend or terminate Customer's access immediately upon notice for: (a) violation of Acceptable Use provisions; (b) non-payment exceeding thirty (30) days; (c) as required by law.

13.6 Effect of Termination

Upon termination:

(a)   Customer's license to access the Services terminates

(b)   Customer must pay any outstanding fees

(c)   Each party must return or destroy Confidential Information upon request

(d)   Root will provide reasonable transition assistance for thirty (30) days following termination

(e)   Provisions that by their nature should survive will survive, including Sections 7.4, 8.3, 9, 10.2, 10.3, 11, 12, and 14

13.7 Refund

Except as expressly provided in the SLA for termination due to material SLA failure, fees are non-refundable and no refund shall be due upon termination.

14. GENERAL PROVISIONS

14.1 Governing Law

These Terms are governed by the laws of the State of Delaware, without regard to conflict of laws principles.

14.2 Dispute Resolution

Any dispute shall be resolved in the state or federal courts located in Delaware. Each party consents to personal jurisdiction in such courts.

14.3 Entire Agreement

These Terms, together with the SLA, Privacy Policy, and any Order Forms, constitute the entire agreement between the parties regarding the subject matter hereof and supersede all prior agreements and understandings.

14.4 Amendments

Root may modify these Terms by posting updated terms at www.root.io/terms. Material changes will be communicated with at least thirty (30) days' notice. Continued use after the effective date constitutes acceptance. Material modifications do not apply to existing subscription terms until renewal.

14.5 Assignment

Customer may not assign these Terms without Root's prior written consent. Root may assign these Terms in connection with a merger, acquisition, or sale of substantially all its assets. Any attempted assignment in violation hereof is void.

14.6 Waiver

Failure to enforce any provision is not a waiver of that provision or any other provision.

14.7 Severability

If any provision is held unenforceable, the remaining provisions continue in full force and effect.

14.8 Export Compliance

Customer may not export or re-export the Services except in compliance with applicable export control laws. Customer represents it is not located in, or a national of, any embargoed country or on any restricted party list.

14.9 Notices

Notices to Root: legal@root.io

Notices to Customer: The email address associated with Customer's account

14.10 Independent Contractors

The parties are independent contractors. Nothing creates an employment, agency, or partnership relationship.
