Scanner Terms
What the scanner does
When you submit a URL, our scanner performs a single HTTP GET request to that URL — the same kind of request any browser would make — and a single TLS handshake to the same host. From the response it inspects:
- Security headers (Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- TLS configuration (protocol version, certificate validity, expiration window)
- Cookie flags (Secure, HttpOnly, SameSite) on cookies returned in the initial response
- Mixed content (HTTP resources loaded into HTTPS pages, found in the static HTML)
- Client-side credential exposure (regex scan over returned HTML and JavaScript for common API key formats)
- AI feature risk profile (heuristic detection of chat/AI features, plus an LLM-generated informational risk profile when AI features are present)
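The passive checks listed above, as an added illustration that is not ClearPath's scanner code: it runs over one already-received HTTP response (a constructed sample embedded in the block; headers are passed as a list of name/value pairs so repeated Set-Cookie lines survive) and reports missing security headers, cookies lacking Secure/HttpOnly/SameSite, and http:// resources referenced from the static HTML. Header names, the cookie flags and the mixed-content rule are the ones the list above names; the HSTS header is checked under its wire name, Strict-Transport-Security.

```python
# Added example (not ClearPath's code): passive checks over a single
# already-received HTTP response. Nothing here sends any request.
import re
from http.cookies import SimpleCookie

REQUIRED_HEADERS = [
    "Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
]
# src/href attributes that pull a resource over plain http:// (mixed content)
MIXED_RE = re.compile(r"""(?:src|href)\s*=\s*["']http://[^"']+["']""", re.I)

def passive_findings(headers, body):
    """headers: list of (name, value) pairs from one response (repeated
    Set-Cookie lines kept); body: the static HTML. Returns finding strings."""
    findings = []
    present = {name.lower() for name, _ in headers}
    for h in REQUIRED_HEADERS:
        if h.lower() not in present:
            findings.append(f"missing header: {h}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)           # parses attributes such as Secure, SameSite
        for key, morsel in cookie.items():
            for flag in ("secure", "httponly", "samesite"):
                if not morsel[flag]:  # empty string / False when flag absent
                    findings.append(f"cookie {key}: missing {flag}")
    for m in MIXED_RE.finditer(body):
        findings.append(f"mixed content: {m.group(0)}")
    return findings

# Constructed sample response: two headers set, four missing, one cookie
# fully flagged and one with no flags, and one http:// script include.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
SAMPLE_BODY = '<html><script src="http://cdn.example.test/app.js"></script></html>'

if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

Because only the initial response is examined, a cookie set later by script or a resource injected after page load would not appear here, which is the same limitation the report itself notes.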
What the scanner does NOT do
Passive scanning means we do not perform any of the following:
- Probe URLs other than the one you submitted (no path discovery, no admin path checks, no directory enumeration)
- Attempt unauthorized access of any kind
- Send adversarial inputs to chat widgets, AI features, or forms (no prompt injection probing)
- Bypass authentication, rate limits, WAFs, or any other access control
- Use credentials of any kind (we do not store, request, or attempt to use API keys, passwords, or session tokens)
- Inspect resources loaded dynamically by JavaScript after the initial page load
About your data
When you submit a scan we collect: the URL you submitted, your email address, your optional persona answer, and a hashed (not raw) form of your IP address. We log the scan results so we can email them to you and so we can enforce rate limits.
We use your email to deliver the scan results immediately and may follow up at most once or twice if your situation looks like a fit for what ClearPath does. We do not sell or share your email with third parties. Reply with "unsubscribe" to any of our emails to opt out of future contact, or email ethan@clearpath-grc.com.
We do not store the raw IP address. The salted hash we keep is one-way and is used solely for rate-limit lookups.
Rate limits and acceptable use
Free-tier scans are subject to the following limits, enforced server-side:
- One scan per domain per 24 hours
- One scan per IP per 1 hour
You agree not to attempt to circumvent these limits. You agree to use the scanner only on URLs you own or have explicit permission to scan. Because we only perform passive checks, submitting a URL you do not have rights to test does not cause our scanner to take any intrusive action against that site, but it may violate other laws or terms of service for which you are responsible.
Scan results: scope and disclaimers
Scan results are informational only. They are not legal advice, compliance advice, or a guarantee of security. The absence of a finding does not mean your site is secure; the presence of a finding does not establish a vulnerability or liability.
The AI feature risk profile lists categories of risk that may apply to detected AI features (drawn from the OWASP LLM Top 10 framework). These categories are informational. They are not assertions that your specific implementation has a specific vulnerability.
Some checks have known limitations, which we are transparent about in the report itself: we only inspect the initial HTTP response, we use regex-based pattern matching that produces occasional false positives, and we cannot evaluate resources or features that are loaded dynamically by JavaScript.
No warranty
The scanner is provided "as is" and "as available". To the maximum extent permitted by law, ClearPath Compliance and Anchor Technologies LLC disclaim all warranties, express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, accuracy, completeness, and non-infringement. We are not responsible for any decisions made on the basis of scan results, nor for any damages arising from use of the scanner.
Changes
We may update these scanner terms from time to time. Material changes will be reflected in the "Effective" date at the top of this page. Continued use of the scanner after changes constitutes acceptance of the updated terms.
Contact
Questions about these terms or the scanner: ethan@clearpath-grc.com.