Terms of Service

Last updated: 11 June 2026

Who we are

Bastion is run by Amish, a UK-based sole trader. You can reach us at support@bastion.wiki. These terms cover the Bastion website and the paid service. The open-source CLI has its own licence, covered below.

What Bastion is (and isn't)

Bastion runs automated security checks against known patterns and tells you what it finds. A scan is a snapshot. It reflects the checks we run, on the day you run them, against the issues we know how to detect. A high score means your project passed our checks. It does not mean your project is secure, and we'd never claim it does.

New vulnerabilities appear all the time, including after your scan. Bastion can't see the future and doesn't pretend to.

Best effort, not a guarantee

Our checks cover the issues we see most often in real projects, but they're not a substitute for a professional penetration test or security audit. Bastion might miss things. It might flag something that turns out to be fine. If a breach would be catastrophic for your project, invest in a dedicated security review as well.

Your call, your responsibility

We show you what we find and explain how to fix it. Whether you act on it is up to you. The security of your project stays your responsibility. We're here to help, not to own the outcome.

Only scan what's yours

Only scan websites, domains, and code that you own or have explicit permission to test. Scanning someone else's infrastructure without permission isn't just against these terms. In the UK and most other places it can be a criminal offence. We'll suspend or close accounts we see misusing the scanner, and we may have to cooperate with lawful requests about serious misuse.

The same rule applies however you run Bastion: the web scanner, the CLI, or the GitHub Action.

One thing worth knowing: a URL scan isn't passive. It sends real HTTP requests to the target site. They're lightweight, read-only checks, nothing intrusive, but they're still traffic arriving at someone's server, which is exactly why permission matters.

If misuse causes us trouble

If you break these terms, most obviously by scanning something you had no right to scan, and someone brings a claim against us because of what you did, you agree to cover the costs and losses we face as a result. This isn't about honest mistakes in your own projects. It's about making sure the consequences of misuse stay with the person who misused Bastion.

Your account

You need to be at least 18 to hold an account. Keep your login details to yourself and give us a real email address, since it's how we reach you about your account and these terms. You're responsible for what happens under your account. If you think someone else has access to it, tell us and change your password.

Plans, billing, and renewals

Paid subscriptions are sold through Lemon Squeezy, who act as the merchant of record. Your subscription renews automatically, monthly or yearly depending on your plan, until you cancel. You can cancel any time from your billing portal, and you keep access until the end of the period you've paid for. We don't do partial-month clawbacks.

If we change prices, the new price applies from your next renewal, and we'll email you before it does.

Refunds

If you take out a paid plan and it's not for you, email us within 30 days of first signing up and we'll refund you in full. No forms, no quiz.

After that, refunds for renewals are at our discretion, but we're reasonable people. If something's gone wrong, talk to us.

Your legal rights

Nothing in these terms takes away rights the law gives you. If you're a consumer, you have legal rights about services being carried out with reasonable care and digital content being of satisfactory quality, and remedies if they're not. These terms sit alongside those rights, not in place of them.

Open source and the paid service

The Bastion CLI is released under the MIT Licence. Fork it, modify it, ship it. Like all open-source software, the CLI comes as-is, with no warranty, under the terms of that licence.

These Terms of Service govern the Bastion website and paid service, which are separate from the open-source CLI and are not open source.

The security badge

If your plan includes the embeddable badge, it displays the score from a scan you ran. Display it honestly: on the site it was generated for, showing the score the scan produced. Don't edit the score or put a badge on a site that was never scanned. We can disable badges that misrepresent a scan. The badge reports a self-run scan result. It isn't a certification, and you shouldn't present it as one.

Availability and changes to the service

We work to keep Bastion up and running, but we don't guarantee uninterrupted availability, and sometimes we'll take it down briefly for maintenance. We may add, change, or retire features. If we ever shut down the paid service entirely, we'll refund the unused part of your subscription.

Liability

First, the part the law writes for us: nothing in these terms excludes or limits liability where the law says it can't be excluded or limited. That includes liability for death or personal injury caused by negligence, and for fraud. Your statutory rights as a consumer stay intact.

Beyond that, here's the deal. Bastion is a scanning tool, not an insurance policy. We're not liable for indirect or consequential losses such as lost revenue, lost data, security breaches in your project, or downtime, whether they come from using Bastion or from not acting on what it found. For everything else, our total liability is capped at what you've paid us in the 12 months before the claim. If you're on the free tier and have paid us nothing, our total liability is capped at £50.

Ending things

You can stop using Bastion and delete your account whenever you like. We can suspend or close accounts that break these terms, most obviously scanner misuse, and we'll tell you why unless the situation is serious enough that we can't.

Changes to these terms

These terms may change. If we make a material change, we'll email you at least 14 days before it takes effect. If you don't like a material change, cancel before it takes effect and we'll refund the unused part of any subscription. Minor fixes, like typos or clarifications, just get updated here with a new date.

Governing law

These terms are governed by the law of England and Wales, and disputes go to the courts of England and Wales. If you live elsewhere in the UK or in the EU, you keep any protections and local court rights your own consumer law gives you. And if a court ever decides one part of these terms isn't enforceable, the rest still stands.

Get in touch

Questions? Email support@bastion.wiki.