ShieldedStack Software License Agreement

Effective date: 1 June 2026 Replaces all prior Terms of Service.


This Software License Agreement ("Agreement") governs the licensing and use of ShieldedStack software ("Software"). It is entered into between:

  • Licensor: Bytebard, Denmark, with contact address [email protected] ("we", "us", "Licensor"); and
  • Licensee: the legal entity identified in the applicable Order Form ("you", "Customer", "Licensee").
Note on Licensor entity. Bytebard is the Licensor for this Agreement. If Bytebard changes legal form or assigns this Agreement to a successor entity, Licensor will give written notice to Licensee under section 17, with no change to commercial terms.

1. Definitions

TermMeaning
SoftwareThe ShieldedStack on-premises supply-chain security platform, including all container images, command-line tools, documentation, configuration files, and updates provided under this Agreement.
DocumentationThe technical and user documentation published at https://shieldedstack.com/docs or shipped with the Software.
License KeyA signed JSON Web Token (JWT) issued by Licensor that authorises operation of the Software within a defined Scope.
ScopeThe set of limits and entitlements encoded in the License Key (tier, term, installation count, contact email, and feature flags).
InstallationA single deployment of the Software, comprising one or more co-located instances managed as one logical unit under the Installation > Tenant > Workspace > Project hierarchy described in the Documentation.
Order FormA written ordering document (digital signature acceptable) executed by both parties specifying the licensed tier, term, fee, Scope, and any tier-specific terms. The Order Form is binding pricing and scope; this Agreement is binding terms.
License TermThe period defined in the applicable Order Form during which the License Key is valid.
UpdateBug fixes, security patches, and minor versions of the Software made available during the License Term.
UpgradeMajor versions of the Software, which may or may not be included depending on the tier specified in the Order Form.
Open Source ComponentsThird-party open source software incorporated in or distributed with the Software. A current list is maintained at https://shieldedstack.com/legal/oss-attributions.

2. Grant of License

2.1 Subject to payment of the applicable fees and Licensee's compliance with this Agreement, Licensor grants Licensee a non-exclusive, non-transferable, non-sublicensable, worldwide right during the License Term to:

(a) install and run the Software on infrastructure controlled by Licensee, in production and non-production environments, within the Scope defined by the License Key; and

(b) make a reasonable number of copies for backup, archival, and disaster-recovery purposes.

2.2 The license is granted per Installation. The number of permitted Installations and any per-Installation limits are defined in the Order Form and encoded in the License Key.

2.3 Within a single Installation, there are no soft limits on Tenants, Workspaces, or Projects unless explicitly stated in the Order Form. The Software does not enforce artificial scaling caps.

2.4 The license does not grant any right to access Licensor's systems. There are no Licensor-hosted services, accounts, APIs, or control planes required to operate the Software.


3. License Term, Expiration, and Grace Period

3.1 The License Term begins on the date specified in the Order Form and continues for the period stated therein (typically twelve (12) months). This section applies to paid License Keys issued under an Order Form. Trial license expiration is governed by the separate Trial Agreement.

3.2 On expiration of the License Term, the paid License Key becomes expired. The Software does not immediately shut down, refuse to operate, break running pipelines, or interrupt CI/CD workflows. The Software will continue to function and will emit warnings via its standard logging channels.

3.3 Grace period. For seven (7) calendar days following paid License Key expiration, the Software will emit increasingly visible warnings but will not impose any functional restriction. From day eight (8) through day thirty (30) following expiration, the Software may display a persistent warning banner in administrative interfaces, but package proxying, scanning, and policy enforcement remain operational. Licensee remains obligated to renew or cease use as set out in section 3.4.

3.4 If Licensee does not renew the License Term, Licensee must cease using the Software within thirty (30) days of expiration and destroy all copies of the License Key. After thirty (30) days following expiration, the Software may block package proxying, scanning, policy enforcement, and mutating administrative operations until renewal. The control plane may remain available read-only so Licensee can review historical data, export configuration, or decommission the Installation. Licensor otherwise relies on Licensee's contractual compliance.

3.5 Renewals are not automatic. Renewal occurs by execution of a new Order Form. Pricing for renewal terms is fixed for thirteen (13) months from initial Order Form execution; thereafter, Licensor may adjust renewal pricing with at least sixty (60) days' written notice before renewal.


4. Restrictions

Licensee must not:

(a) redistribute, sublicense, sell, lease, rent, or otherwise transfer the Software or the License Key to any third party;

(b) remove, alter, or obscure any proprietary notices, License Key validation logic, or copyright markings in the Software;

(c) use a single License Key across multiple Installations beyond the count specified in the Order Form;

(d) reverse engineer, decompile, or disassemble the Software, except to the extent such activity is expressly permitted by mandatory applicable law, including Articles 5 and 6 of Directive 2009/24/EC on the legal protection of computer programs (interoperability and error correction); or

(e) use the Software, Documentation, or Licensor's non-public technical information to copy or develop a substantially similar commercial product for external distribution, where "substantially similar commercial product" means software whose primary purpose is on-premises package registry proxying with policy enforcement. This restriction does not prevent Licensee from developing internal tools, integrations, policies, workflows, or security controls for Licensee's own use.


5. Fees and Payment

5.1 License fees are specified in the Order Form. Fees are quoted in Danish kroner (DKK) and are exclusive of VAT and any other applicable taxes.

5.2 Invoices are payable within thirty (30) days of issue unless otherwise stated in the Order Form.

5.3 Fees are non-refundable except as expressly stated in this Agreement (see sections 10.3 and 13.4).

5.4 Late payment may result in non-renewal of the License Term. It does not result in interruption of the Software's operation, consistent with section 3.2.


6. No Telemetry, No Phone-Home, No Audit by Default

This section is a binding commitment by Licensor and a defining property of the Software.

6.1 The Software does not transmit usage data, logs, metrics, identifiers, or any other information to Licensor or any third party during normal operation. License Key validation is performed entirely locally using public-key cryptography.

6.2 Licensor receives no automatic information about Licensee's deployment, configuration, usage patterns, scanned packages, scan results, vulnerability findings, or any other operational data.

6.3 Licensor does not require, perform, or schedule routine audits of Licensee's Software use. Licensor does not request access to Licensee's networks, systems, log files, or personnel as a condition of license compliance.

6.4 Limited license-scope verification. If Licensor obtains specific and reasonable evidence that a License Key is being used outside its issued Scope (for example, a License Key issued to one organisation being detected in use by another), Licensor may submit a written request to the registered contact identified in the License Key for a signed confirmation of:

(a) the number of Installations operating under the License Key; and

(b) the organisation operating those Installations.

A response satisfying this section is the sole license-compliance obligation. No on-site or remote access shall be requested or required.

6.5 Sovereign tier — alternative trust mechanism. Customers licensed under the Sovereign tier may negotiate source code escrow with a mutually agreed independent third party as part of their Order Form, in lieu of any audit provision. Under such an arrangement, Licensor deposits the Software source code with the escrow agent; release conditions are defined in the escrow agreement (typically Licensor insolvency or sustained material breach by Licensor of support obligations).

6.6 Customer-initiated external requests. The no-telemetry commitments in this section do not prevent standard logs from being generated when Licensee chooses to interact with Licensor-operated systems outside normal Software operation, including private container registry pulls, support communications, invoicing, or contract administration. Such logs may include the requesting IP address, timestamp, account or credential identifier, and requested artifact or endpoint. These logs are not Software telemetry and are used only for security, access control, support, billing, and contract administration.


7. Customer Data and Privacy

7.1 All data processed by the Software remains on Licensee's infrastructure. This includes, without limitation, scanned package data, dependency manifests, vulnerability findings, user identities managed by Licensee's Keycloak instance, audit logs, and any other operational data.

7.2 Licensor has no access to Customer Data. Licensor is not a processor or sub-processor of Customer Data under Regulation (EU) 2016/679 (the General Data Protection Regulation). No Data Processing Agreement is required for use of the Software, because no processing relationship exists between Licensor and Licensee with respect to Customer Data.

7.3 The routine personal data Licensor processes in connection with this Agreement is the limited contact information provided by Licensee for invoicing, support, License Key issuance, and contract administration. This processing is governed by Licensor's Privacy Policy at https://shieldedstack.com/privacy-policy.

7.4 Support submissions. If Licensee voluntarily provides logs, screenshots, configuration snippets, package names, vulnerability findings, or other Customer Data to Licensor through support or direct communications, Licensor will process that information only to provide support and administer this Agreement. Licensee should not provide secrets, credentials, private keys, or regulated personal data unless the parties have agreed appropriate handling terms in writing.

7.5 EU data sovereignty. Licensor is established in Denmark. Licensor is not subject to the United States CLOUD Act, FISA Section 702, or analogous extraterritorial disclosure regimes that apply to US-headquartered providers. Licensee is a controller of its own data within its own jurisdiction.


8. Open Source Components

8.1 The Software incorporates Open Source Components. A current list of those components and their licenses is maintained at https://shieldedstack.com/legal/oss-attributions.

8.2 Open Source Components are governed by the terms of their respective open source licenses, not by this Agreement. Nothing in this Agreement restricts Licensee's rights under those licenses.

8.3 Licensor's representations, warranties, and indemnification obligations under this Agreement do not extend to Open Source Components.


9. Support and Updates

9.1 Support level, response times, and update entitlements are determined by the tier specified in the Order Form (Starter, Standard, Enterprise, or Sovereign). Current support definitions are published at https://shieldedstack.com/pricing.

9.2 Updates and Upgrades are delivered via Licensor's private container registry. Access credentials are scoped to the License Key and rotated as needed.

9.3 Licensor uses commercially reasonable efforts to provide security patches in a timely manner. Licensor makes no commitment to backport patches to versions older than the most recent two minor versions, except where required under Enterprise or Sovereign Order Forms.


10. Warranty

10.1 Licensor warrants that, for thirty (30) days following the start of the initial License Term, the Software will perform materially in accordance with the Documentation when used in a supported environment as described in the Documentation.

10.2 Licensor warrants that, to the best of Licensor's knowledge as of the Effective Date of the applicable Order Form, the Software does not knowingly contain malware, undisclosed back doors, or undisclosed telemetry.

10.3 Sole remedy for warranty breach. If the Software fails to conform to the warranty in section 10.1 during the warranty period, Licensee shall notify Licensor in writing with reproducible details. Licensor shall, at its option:

(a) correct the non-conformance within a commercially reasonable time;

(b) provide a workaround that allows continued material use; or

(c) refund the pro-rata portion of fees paid for the unused remainder of the License Term and terminate this Agreement.

This is Licensee's sole and exclusive remedy for breach of the warranty in section 10.1.


11. Disclaimers

11.1 EXCEPT AS EXPRESSLY SET OUT IN SECTION 10, THE SOFTWARE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE.

11.2 TO THE MAXIMUM EXTENT PERMITTED BY LAW, LICENSOR DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

11.3 Licensor does not warrant that the Software will be uninterrupted, error-free, or free from all vulnerabilities, or that it will detect all malicious packages or supply-chain attacks. Supply-chain security is a defence-in-depth discipline; the Software is one component of a Licensee security programme.


12. Limitation of Liability

12.1 TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING LOST PROFITS, LOST DATA, BUSINESS INTERRUPTION, OR LOSS OF GOODWILL, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.2 EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION, SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY LICENSEE TO LICENSOR UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

12.3 The limitations in this section do not apply to:

(a) Licensee's payment obligations;

(b) breach of confidentiality under section 14;

(c) liability that cannot be excluded or limited under mandatory applicable law (including liability for death, personal injury caused by negligence, and fraud).


13. IP Indemnification

13.1 Licensor's obligation. Licensor shall defend Licensee against any third-party claim that the Software, as provided by Licensor and used by Licensee in accordance with this Agreement, infringes a copyright, trade secret, or registered patent valid in the European Union, and shall pay any damages finally awarded by a court of competent jurisdiction or agreed in a written settlement signed by Licensor.

13.2 Conditions. Licensor's obligations under section 13.1 are conditional on Licensee:

(a) notifying Licensor in writing of the claim within ten (10) business days of becoming aware of it;

(b) granting Licensor sole control of the defence and settlement (Licensor shall not settle in a manner that imposes any liability on Licensee without Licensee's consent); and

(c) providing reasonable cooperation, at Licensor's expense.

13.3 Exclusions. Licensor has no obligation under section 13.1 to the extent the claim arises from:

(a) modifications to the Software made by anyone other than Licensor;

(b) use of the Software in combination with software, hardware, data, or services not provided or approved by Licensor, where the combination causes the infringement;

(c) Open Source Components (governed by their own licenses);

(d) Licensee's continued use of an allegedly infringing version after Licensor has provided a non-infringing update or workaround; or

(e) Licensee's failure to use the Software within the Scope of the License Key.

13.4 Licensor's options. If the Software becomes, or in Licensor's reasonable opinion is likely to become, the subject of an infringement claim, Licensor may at its option and expense:

(a) procure the right for Licensee to continue using the Software;

(b) modify the Software to make it non-infringing while preserving substantially equivalent functionality; or

(c) terminate this Agreement and refund the pro-rata portion of fees paid for the unused remainder of the License Term.

13.5 Cap. Licensor's total cumulative liability under this section 13, when aggregated with all other liability under this Agreement, is subject to the cap in section 12.2.

13.6 Licensee's obligation. Licensee shall defend, indemnify, and hold Licensor harmless against any third-party claim arising from (a) Licensee's use of the Software in violation of this Agreement or applicable law, (b) Licensee's modifications to the Software, or (c) data or content processed by the Software at Licensee's direction.

13.7 Sole remedy. This section 13 states each party's entire liability and exclusive remedy for third-party intellectual-property claims.


14. Confidentiality

14.1 "Confidential Information" means non-public information disclosed by one party ("Discloser") to the other ("Recipient") that is identified as confidential or that a reasonable person would understand to be confidential given its nature and the circumstances of disclosure. The License Key, Order Form pricing, and the Software's non-public technical details are Confidential Information of Licensor.

14.2 Each party shall protect the other's Confidential Information using at least the same degree of care it uses for its own confidential information (and in no event less than reasonable care), and shall use it only as necessary to perform under this Agreement.

14.3 The obligations in this section do not apply to information that (a) is or becomes publicly available without breach of this Agreement, (b) was rightfully known to Recipient before disclosure, (c) is rightfully received from a third party without confidentiality obligation, or (d) is independently developed without use of the Confidential Information.

14.4 Recipient may disclose Confidential Information to the extent required by law or court order, provided Recipient gives Discloser prompt written notice (where legally permitted) and reasonable cooperation to seek a protective order.

14.5 Licensor receives no Confidential Information by virtue of the Software's operation, consistent with section 6. Confidential Information disclosed under this Agreement is limited to information exchanged through direct communication channels (email, support tickets, contract negotiation).


15. Term and Termination

15.1 Term. This Agreement begins on the Effective Date of the first Order Form executed under it and continues for so long as any Order Form remains in effect.

15.2 Termination for material breach. Either party may terminate this Agreement and all outstanding Order Forms for material breach by the other party that remains uncured thirty (30) days after written notice describing the breach with reasonable particularity.

15.3 Termination for insolvency. Either party may terminate immediately on written notice if the other party becomes insolvent, makes an assignment for the benefit of creditors, files for bankruptcy protection, or has a receiver appointed.

15.4 Effect of termination. On termination:

(a) Licensee's right to use the Software ends, except as provided in section 3.4 for ordinary expiration;

(b) Licensee shall destroy all License Keys and certify destruction in writing on Licensor's reasonable request;

(c) Licensor shall delete or return any Confidential Information of Licensee in its possession, except as required to be retained by law; and

(d) Each party shall pay any amounts owed as of the date of termination.

15.5 Survival. The following sections survive termination: 4 (Restrictions, with respect to retained copies pending destruction), 6.1–6.3 (Licensor's no-telemetry commitments, perpetually), 8 (Open Source Components), 11 (Disclaimers), 12 (Limitation of Liability), 13 (IP Indemnification, with respect to claims arising from pre-termination use), 14 (Confidentiality, for three (3) years following termination), 16 (Export Control), 18 (Governing Law), and this section 15.5.


16. Export Control

Licensee shall comply with all applicable export-control and sanctions laws, including EU regulations and any other regulations applicable to Licensee's jurisdiction. Licensee shall not export or re-export the Software to any prohibited destination, end user, or end use.


17. Assignment

17.1 Neither party may assign this Agreement without the other party's prior written consent, except that Licensor may assign this Agreement without consent (a) to a successor entity in connection with the formation of Licensor's corporate entity (as referenced in the introduction), (b) to an affiliate, or (c) in connection with a merger, acquisition, or sale of substantially all assets. Licensor shall give Licensee written notice of any such assignment.

17.2 This Agreement binds and benefits the parties' permitted successors and assigns.


18. Governing Law and Dispute Resolution

18.1 This Agreement is governed by the laws of Denmark, excluding its conflict-of-laws rules and excluding the United Nations Convention on Contracts for the International Sale of Goods.

18.2 The parties shall first attempt to resolve disputes through good-faith negotiation between senior representatives for thirty (30) days following written notice of the dispute.

18.3 Any unresolved dispute shall be brought exclusively before the Copenhagen City Court (Københavns Byret) as the venue of first instance, with appeal rights under Danish law.

18.4 Notwithstanding section 18.3, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property or Confidential Information.


19. Order of Precedence

In the event of conflict among the documents governing the relationship, the order of precedence is:

  1. The applicable Order Form (most specific, controls);
  2. This Agreement;
  3. The Documentation.

The Documentation is not a source of contractual obligation; it describes the Software as configured by Licensor.


20. General Provisions

20.1 Entire agreement. This Agreement, together with the applicable Order Form and any documents expressly incorporated by reference, is the entire agreement between the parties regarding the Software and supersedes all prior agreements, including the previously published Terms of Service dated 17 October 2025.

20.2 Amendments. Amendments to this Agreement must be in writing and signed by both parties. Changes to this Agreement apply only to renewal terms, not to active License Terms. A current License Term is governed by the version of this Agreement in effect at the time the Order Form was executed.

20.3 Notices. Notices to Licensor shall be sent to [email protected] with a copy to [email protected]. Notices to Licensee shall be sent to the email and postal address specified in the Order Form.

20.4 Severability. If any provision is held invalid or unenforceable, the remainder remains in effect, and the invalid provision shall be reformed to the minimum extent necessary to be enforceable while preserving its intent.

20.5 No waiver. A party's failure to enforce any right under this Agreement is not a waiver of that right.

20.6 Force majeure. Neither party is liable for delay or failure to perform (other than payment obligations) due to causes beyond its reasonable control.

20.7 Independent contractors. The parties are independent contractors. Nothing in this Agreement creates an agency, partnership, or joint venture.

20.8 Language. This Agreement is executed in English. If translated into another language, the English version controls.


21. Contact

Questions about this Agreement should be directed to [email protected] with a copy to [email protected].