Terms of Service
Last updated: April 8, 2026
1. Acceptance of Terms
By accessing or using the AutoCISO platform (the "Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, do not use the Service. These Terms apply to all visitors, users, and others who access or use the Service, including external reviewers and auditors who access it via shared token links.
2. Description of Service
AutoCISO provides an AI-powered identity security and access intelligence platform. The Service includes:
- Access & asset management: Employee directory, SaaS access inventory, asset tracking, dormant and orphaned account detection, and relationship graph visualisation.
- Lifecycle management: Onboarding and offboarding workflows, provisioning checklists, and offboarding violation tracking.
- AI security advisor: A conversational assistant that answers questions using live access to your organisation's employee, asset, access, and remediation data.
- Risk management workspace: AI-guided risk intake, assisted and expert risk drafting, live risk registers, risk scoring, treatment strategy support, review workflows, and risk budget tracking.
- ISO 27001 certification management: Scope definition, gap analysis against all 93 Annex A controls, risk register, Statement of Applicability, policy library, evidence vault, access review campaigns, internal audits, backup tests, management reviews, and auditor portal.
- Evidence automation: Automated collection of compliance evidence from connected integrations, mapped to specific controls.
- CISO dashboards & reporting: Access concentration analysis, security debt trending, department risk, privilege delta reporting, and export to CSV/PDF.
- Browser extension: The AutoCISO Audit Collector, which captures SaaS admin page content for AI-based access and asset detection.
- Public-facing features: Certificate public verification, auditor portal, and access review response forms accessible via secure token links.
- CISO Partner Portal: A multi-org portfolio management workspace for fractional and virtual CISOs, including a portfolio risk board, cross-org action queue, client health timelines, AI board pack generation, and direct email delivery to client contacts.
3. User Responsibilities
As a user of the Service, you agree to:
- Provide accurate and complete information when creating an account.
- Maintain the security of your account credentials and promptly notify us of any unauthorised access.
- Ensure you have the legal right and all necessary permissions to upload or enter personal data about employees, contractors, or other individuals, including the right to process that data for security, risk management, and compliance purposes.
- Only use the browser extension to capture pages you are authorised to access within your organisation's SaaS environment, and only where such capture is permitted by the relevant SaaS provider's terms of service.
- Use the Service in compliance with all applicable laws and regulations, including data protection laws (such as GDPR and CCPA) governing the personal data of individuals whose information is entered into or captured by the Service.
- Manage access review links, auditor portal links, and public certificate verification links responsibly, and revoke them when they are no longer required.
- Not submit risk narratives, interview responses, evidence references, or budget assumptions that you know are false, unlawfully obtained, or outside your authority to disclose.
4. Data Controller & Processor Relationship
When your organisation uploads or enters personal data about employees or other individuals, your organisation is the data controller and AutoCISO is a data processor acting on your instructions. As data controller, you are responsible for ensuring a lawful basis exists for processing that personal data and for responding to data subject rights requests relating to it. A Data Processing Agreement (DPA) is available on request at legal@autociso.io.
5. Browser Extension
The AutoCISO Audit Collector browser extension requires broad host permissions (<all_urls>) to operate on any SaaS admin page. By installing the extension, you acknowledge and agree that:
- The extension injects a content script into web pages you visit, but does not read, store, or transmit any page content unless you explicitly trigger a capture.
- When a capture is triggered, a simplified HTML representation of the current page (with password fields and hidden inputs stripped) and, optionally, a screenshot are transmitted to AutoCISO servers for analysis.
- The page URL, title, and lightweight page signals (headings, navigation link text) are also transmitted to support automatic content-type detection.
- You are solely responsible for ensuring that capturing and uploading content from any given page is permitted under the terms of service of the relevant SaaS provider and applicable law.
6. Third-Party Integrations & Credentials
The Service allows you to connect third-party applications, including identity providers (GitHub, Google, Microsoft) and productivity tools (Jira). When you do so:
- You grant AutoCISO the right to use the provided credentials to interact with those services on your behalf, solely to deliver the features you have configured.
- You are responsible for ensuring that connecting these services and granting AutoCISO access is permitted under those providers' terms of service and your organisation's security policies.
- Stored credentials are encrypted at rest. You are responsible for rotating or revoking credentials promptly if they are compromised.
- AutoCISO is not responsible for actions taken by third-party services or for data returned from them.
7. AI-Generated Content
The AI security advisor and other AI-powered features generate responses based on the data in your account and AI model outputs. This includes AI-guided risk interview questions and summaries, extracted facts, inferred scoring, treatment strategy recommendations, and derived risk-budget suggestions. These outputs are informational only. They do not constitute professional security, legal, compliance, financial, or certification advice, and should not be relied upon as such. AutoCISO makes no warranty as to the accuracy, completeness, or fitness for purpose of AI-generated content. Use of the ISO 27001 certification management tools does not guarantee that your organisation will achieve or maintain certification; certification decisions are made solely by accredited certification bodies.
8. Data Privacy & AI Processing
AutoCISO uses AI models (including third-party providers such as Anthropic) to process captured HTML, screenshots, AI chat context, and risk-management inputs such as interview answers, free-text risk descriptions, extracted facts, draft summaries, and budget or loss assumptions you provide in the Service. We implement technical and procedural controls designed to reduce unnecessary sensitive data exposure before data reaches AI providers, but you remain responsible for the lawfulness and appropriateness of the data you submit. Your use of the Service is also governed by our Privacy Policy.
9. Intellectual Property
The Service and its original content, features, and functionality are and will remain the exclusive property of AutoCISO and its licensors. You may not reproduce, distribute, or create derivative works of any part of the Service without express written permission.
10. Subscription & Payments
Certain parts of the Service are billed on a subscription basis (Free, Seed, Growth, and Scale tiers). Usage limits apply per tier, including limits on connected applications, monthly audit runs, and monthly AI chat requests. You will be billed in advance on a recurring and periodic basis. Payments are processed through our third-party payment processor, Paddle. By subscribing, you agree to their terms and conditions.
10a. Partner Program
Overview. The AutoCISO Partner Program operates through two mutually exclusive billing tracks. Each managed organization is on exactly one track at any time. Partners may switch an organization between tracks; track changes take effect as described below.
Track A — Referral Payout. When an organization signs up via a Partner's referral link, or is switched to the Referral track, the organization's subscription billing remains directly between the organization and AutoCISO. The Partner earns a cash payout equal to 20% of each successful monthly subscription payment made by the referred organization. Payouts are generated only while the organization has an active paid subscription; free-plan, trial, failed-payment, and cancelled organizations generate no payout. Payouts are disbursed according to AutoCISO's standard payout schedule and are not account credits.
Track B — Managed Discount (vCISO Portal). When a vCISO Partner enrolls an organization via the partner portal and selects the Managed billing track, the Partner pays AutoCISO directly for that organization's subscription at a discounted rate. The discount tier is determined by the Partner's count of eligible managed-track organizations (those on the Managed track with an active paid subscription) at the start of each billing cycle: Starter (2–5 eligible orgs): 20% discount; Pro (6–14 eligible orgs): 25% discount; Elite (15+ eligible orgs): 30% discount. A minimum of 2 eligible managed-track organizations is required to enter any discount tier. Tier changes take effect at the start of the next billing cycle. The discount applies to the Partner's payment to AutoCISO and does not affect the organization's own pricing or billing relationship with AutoCISO. Track B requires at least the Seed plan and an active partner registration.
Track Switching. (a) Referral to Managed: the switch takes effect immediately upon confirmation. The Partner assumes billing responsibility for the organization from that point; any referral payout accrued for the current billing period up to the switch date is forfeited. (b) Managed to Referral: the organization's billing reverts to AutoCISO direct at the start of the following calendar month. The Partner begins earning the 20% referral payout from the first successful payment received from the organization in that month onward.
Partner Obligations. The Partner is responsible for obtaining appropriate authorization from each client organization before enrolling them. The Partner may not use the portal to access client data for purposes other than security advisory services. The Partner is solely responsible for any separate commercial arrangements made with client organizations regarding pricing, invoicing, or service fees; these are outside the scope of this agreement.
Fraud and Abuse. AutoCISO reserves the right to terminate a Partner's account, forfeit pending referral payouts, and reverse discounts if fraudulent org enrollment, artificial inflation of the managed-org count, or misuse of the partner program is detected.
Account Closure. Upon voluntary account closure, pending referral payouts not yet disbursed are forfeited. Payouts accrued during the final billing cycle are not disbursed if the account is closed before the payout date.
11. Termination
We may terminate or suspend your account and bar access to the Service immediately, without prior notice or liability, at our sole discretion, for any reason whatsoever and without limitation, including but not limited to a breach of the Terms.
12. Limitation of Liability
In no event shall AutoCISO, nor its directors, employees, partners, agents, suppliers, or affiliates, be liable for any indirect, incidental, special, consequential or punitive damages, including without limitation, loss of profits, data, use, goodwill, or other intangible losses, resulting from your access to or use of or inability to access or use the Service.
13. Changes to Terms
We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material, we will provide at least 30 days' notice prior to any new terms taking effect. Material changes to the Partner Program terms will be communicated to active partners via email with at least 14 days' notice.
14. Contact Us
If you have any questions about these Terms, please contact us at legal@autociso.io.