End User License Agreement

Last Updated: October 25, 2024

HoundDog.ai Static Code Scanner

This End User License Agreement (the “Agreement” or “EULA”) is a legal agreement between you (the “Licensee”) and HoundDog.ai (the “Licensor”) for the use of the HoundDog.ai Static Code Scanner software (the “Software”).

1. DEFINITIONS

1.1. “Software” means the HoundDog.ai Static Code Scanner, including all associated components, IDE plugins, extensions, and integrations.

1.2. “Documentation” means any user manuals, technical documentation, and other materials provided by Licensor.

1.3. “Personal Data” means any information relating to an identified or identifiable natural person as defined in applicable data protection laws.

2. LICENSE GRANT

2.1. Subject to the terms of this Agreement and payment of applicable fees, Licensor grants Licensee a non-exclusive, non-transferable license to use the Software.

2.2. The Free Version of the Software includes:

• PII inventory of code repositories

2.3. Paid Versions (Starter and Enterprise) include additional features:

• PII vulnerability detection
• Sensitive data mapping and flow visualization
• Privacy compliance automation
• IDE plugins and extensions
• Source code management platform integrations
• Proactive alerts for vulnerabilities and Data Processing Agreement (DPA) violations

3. SECURITY AND COMPLIANCE

3.1. SOC-2 Type 2 Compliance:

• Licensor maintains SOC-2 Type 2 compliance
• Compliance reports available for review prior to installation

3.2. Software Security:

• Software is written in Rust, a memory-safe programming language

3.3. Documentation and Reports:

• Software Bill of Materials (SBOM) available upon request
• Penetration testing reports available for review
• SOC-2 Type 2 compliance reports accessible to Licensee

4. DATA PROCESSING AND PRIVACY

4.1. Scanner Operation and Data Access:

• Software operates as a Static Application Security Testing (SAST) scanner
• Scans application source code only (not databases, logs, or files)
• Runs locally or within customer CI pipeline (e.g., GitHub Actions, Azure Pipelines, etc.)
• Requires access to application source code for scanning
• Source code remains local and is never uploaded to HoundDog.ai Cloud Platform

4.2. Processing and Output:

• Scanner generates findings and reports related to PII leaks and sensitive data flows
• By default, scanner output is uploaded to HoundDog.ai Cloud Platform
• Scanner can be configured to keep results local using the –no-upload-scan-results flag
• Output contains minimal subset of tokens (variable names, class names, function names) that match sensitive data patterns
• Includes repository links to identified issues
• When using HoundDog.ai IDE Plugins/Extensions (VS Code, IntelliJ, Eclipse, etc.):
  • Scanner findings are displayed only within the IDE
  • Findings from IDE plugins are never transmitted to the Cloud Platform

4.3. Technical and Organizational Measures: The company maintains SOC-2 Type 2 certification and implements comprehensive security measures including:

• Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Maintaining ability to restore data availability and access promptly after incidents
• Enforcing multi-factor authentication (MFA) for all remote access environments, including email systems
• Implementing robust user identification and authorization
• Protecting data during transmission and storage through encryption
• Conducting regular penetration testing
• Maintaining comprehensive vulnerability and patch management program
• Implementing systematic event logging
• Deploying consistent system configurations across the environment
• Performing quarterly access reviews for in-scope system components
• Enforcing vendor management program with security and privacy requirements
• Conducting annual reviews of critical third-party vendors

4.4. Authentication and Sub-processing:

• PropelAuth serves as sub-processor for user authentication to the HoundDog.ai Cloud Platform (https://app.hounddog.ai/) 
• Supports common SSO providers (Okta, Microsoft Entra ID, and others)
• PropelAuth processes minimal personal data limited to:
  • Name
  • Email
  • IP Address

5. DATA RETENTION AND DELETION

5.1. Retention Period:

• Data retained for the duration of active platform usage
• Data deletable upon user request

5.2. Third-Party Data Sharing:

• AWS: Data storage and processing
• Sentry: Error tracking and monitoring
• PropelAuth: Authentication and user management

6. RESTRICTIONS

Licensee shall not:

• Modify, adapt, or create derivative works
• Reverse engineer, decompile, or disassemble the Software
• Remove or alter any proprietary notices
• Transfer or sublicense the Software
• Use the Software for automated decision-making or profiling

7. SUPPORT AND MAINTENANCE

7.1. Licensor shall:

• Maintain system availability and resilience
• Provide timely restoration of access after incidents
• Apply regular security patches and updates
• Conduct regular security assessments

8. WARRANTY AND DISCLAIMER

8.1. Licensor warrants that:

• The Software will perform substantially in accordance with Documentation
• Security measures comply with industry standards
• Software development follows secure coding practices

8.2. Disclaimer:

• SOFTWARE PROVIDED “AS IS” WITHOUT OTHER WARRANTIES
• NO GUARANTEE OF UNINTERRUPTED OR ERROR-FREE OPERATION

9. TERMINATION

9.1. This Agreement may be terminated:

• By either party upon material breach
• Upon discontinuation of Software use
• Per terms specified in service agreement

9.2. Upon termination:

• All licenses terminate
• Licensee must cease Software use
• Personal data handled per retention policies

10. GOVERNING LAW

This Agreement shall be governed by and construed in accordance with applicable laws, without regard to conflicts of law principles.

11. ACCEPTANCE

Use of the Software constitutes acceptance of these terms and conditions. If you do not agree to these terms, do not use the Software.