Comprehensive Terms of Service governing all MARFI Systems products and services including Launchpad, Raptor, CyberTrustScore, Secureframe, Meter, and BOOST.
These Terms of Service ("Terms") are a legal agreement between you and MARFI Systems, Inc., a California corporation with offices at 2219 Main Street, Santa Monica, CA 90405 ("MARFI," "we," "us"). They govern your access to and use of every MARFI product and service, whether delivered as managed services, software-as-a-service, professional consulting, or a free tool.
By accessing or using any MARFI service, you agree to these Terms. If you do not agree, do not use our services. If you are accepting on behalf of an organization, you represent that you have authority to bind that organization.
These Terms, together with any applicable Service Order, our Rates & Service Level Agreements, and our Privacy Policy, form the complete agreement between you and MARFI.
The following terms have the meanings set out below whenever they appear capitalized in these Terms.
Account, The unique login credentials and associated profile a Client or User creates to access any MARFI service.
Applicable Law, All federal, state, and local laws, regulations, and ordinances that apply to a party’s performance under these Terms.
Authorized User, Any individual whom a Client permits to access MARFI services under the Client’s Account.
Automation Engine, MARFI’s proprietary automation and orchestration platform used to deliver Managed Services.
BOOST, MARFI’s SaaS procurement and licensing program available to all clients. Active Launchpad Clients receive discounted rates.
Client, The organization or individual that enters into a Service Order or subscription for MARFI services.
Client Data, All data, files, configurations, and information that a Client or its Authorized Users upload to, store within, or transmit through MARFI services.
Confidential Information, Any non-public information disclosed by one party to the other that is marked confidential or that a reasonable person would understand to be confidential.
Deliverables, Environment-specific materials MARFI creates for a Client: configuration docs, security reports, audit artifacts, scan results, penetration test reports.
Fees, All amounts payable by Client under a Service Order, subscription, or these Terms.
Launchpad, MARFI’s all-inclusive managed IT platform, including identity management, EDR, email security, backup, security training, RMM, the Automation Engine, and US-based ITDesk.
Managed Services, Ongoing, subscription-based operational services: Launchpad and Meter.
MARFI AI, All AI and ML capabilities MARFI uses in service delivery, including automation, inference, and analysis.
MARFI Platform IP, All proprietary technology owned by MARFI: Launchpad, Raptor (scanning engine, AI pipeline, agent architecture, prompts, orchestration), CyberTrustScore (scoring methodology, algorithms), Automation Engine, MARFI AI, all proprietary code, scripts, workflows, monitoring configs, playbooks, and runbooks.
Meter, MARFI’s networking infrastructure service (SD-WAN, wireless, switching, circuit management) delivered through Meter, Inc.
Professional Services, MARFI’s consulting, engineering, and incident response services, billed on a time-and-materials basis.
Raptor, MARFI’s AI-native penetration testing SaaS platform.
SaaS Products, MARFI’s software-as-a-service offerings: Raptor, CyberTrustScore, and Client access to Secureframe.
Secureframe, MARFI’s compliance platform service, delivered through the Secureframe platform.
Services, Collectively, all Managed Services, SaaS Products, Professional Services, and BOOST offerings provided by MARFI.
Subscription, A recurring arrangement under which Client pays periodic Fees for ongoing access to a MARFI service.
Subscription Term, The period during which a Subscription is active, as specified in a Service Order or at the time of purchase.
User, Any individual who accesses or uses any MARFI service, whether or not associated with a Client Account.
Order Form / Service Order, A written document signed by both parties specifying services, scope, fees, and term for a particular engagement.
Launchpad provides all-inclusive managed IT: identity management (JumpCloud), endpoint detection and response (CrowdStrike), email security (Avanan/Check Point), backup (Dropsuite), security awareness training (PHIN), remote monitoring and management (Atera), the Automation Engine, and a US-based ITDesk. All vendor licensing is included in the per-user fee. Launchpad also includes managed cybersecurity and 24/7 SOC operations, XDR, email security, and incident response, delivered through CrowdStrike and Arctic Wolf partnerships, with MARFI as the single point of accountability.
Meter provides SD-WAN, wireless, switching, and circuit management through a partnership with Meter, Inc. Meter is an optional add-on and is not included in base Launchpad pricing.
Raptor is a self-service AI-native penetration testing platform. It uses a 13-agent DAG pipeline to identify vulnerabilities, map attack surfaces, and generate compliance-mapped reports across 18 frameworks.
CyberTrustScore is a free domain security scanning tool that scores a domain’s security posture based on publicly observable data (DNS, email authentication, SSL, headers). No account is required for basic scans.
Secureframe provides compliance documentation, audit preparation, and continuous monitoring for SOC 2, NIST 800-171, ISO 27001, HIPAA, PCI DSS, CMMC, GDPR, and FedRAMP (Advisory).
BOOST is a SaaS procurement and licensing program available to all clients. Active Launchpad Clients receive discounted BOOST rates; non-Launchpad clients pay standard published rates. MARFI handles vendor management, renewals, and negotiations. BOOST is invoiced separately from all other MARFI services.
MARFI provides consulting, engineering, and incident response services on a time-and-materials basis. Current rates are published at marfi.io/legal/rsla. All engagements carry a four-hour minimum. Launchpad Clients receive a 50% discount on published rates.
MARFI may update, modify, or discontinue features of any service. For material changes that reduce functionality, MARFI will provide 30 days’ written notice. Each engagement is governed by a Service Order or subscription that references these Terms.
Managed Services are engaged through Service Orders. SaaS Products are engaged through subscriptions. Each references these Terms and specifies services, scope, fees, and term.
Launchpad, Monthly in arrears, per active managed identity.
BOOST, Monthly in advance. Non-refundable for the billing period.
Raptor, Per-assessment or monthly subscription. Processed via Stripe.
Professional Services, Monthly in arrears with itemized time entries.
All invoiced amounts are due Net 30 from the invoice date. All amounts are in US dollars. Client is responsible for applicable taxes (sales, use, VAT) excluding taxes on MARFI’s net income.
Required Use of MARFI Billing Portal
Client must process all MARFI invoices using MARFI’s billing portal at billing.marfi.app/client. MARFI will NOT use third-party client-specific vendor portals including but not limited to RAMP, Bill.com, Coupa, or similar accounts payable platforms.
Accepted Payment Methods
MARFI processes payments through the following methods:
Stripe Payment Processing
Direct Bank Transfer
Payment processing fees (if applicable) are the responsibility of the paying party and are not included in invoiced amounts. Client may choose the payment method that best suits their needs.
Undisputed amounts not paid by the due date accrue interest at the lesser of 1.5% per month (18% per annum) or the maximum rate permitted by applicable law, consistent with §5.7.
Client must raise invoice disputes in writing within 15 days of the invoice date. The parties will work in good faith to resolve disputes within 30 days. Undisputed portions remain due on the original schedule.
MARFI will provide 30 days’ written notice before changing rates. Rate changes apply to the next billing period following the notice.
Each invoice is due on the date stated on the invoice or, absent a stated date, upon receipt. Any amount not paid when due is past due and, from the original due date until paid in full, accrues a late charge equal to the lesser of 1.5% per month (18% per annum) or the maximum rate permitted by applicable law, in addition to the Fees owed.
Phased Escalation. Without waiving any other right or remedy, MARFI may, in its sole discretion:
Suspension does not relieve the Client of any payment obligation, and Fees continue to accrue during any suspension. The Client is responsible for all costs of collection, including collection-agency fees, court costs, and reasonable attorneys’ fees. Restoration of suspended services is conditioned on payment of all past-due amounts and accrued late charges, plus a reactivation fee at MARFI’s then-current rate. MARFI will not delete Client Data solely on account of suspension; post-termination data return is governed by §8 and §16. MARFI is not liable for any loss, damage, exposure, or other consequence arising from suspension or termination for nonpayment.
MARFI will issue invoices within 365 days of the service date. Client has no obligation to pay invoices issued after that window.
Licensing procured through BOOST or bundled within Launchpad may carry vendor-imposed reserved quantities or fixed commitment terms. Such licensing is billed in full and remains due through the end of its committed term regardless of actual usage and regardless of the cancellation, reduction, suspension, or termination of any MARFI service, as set out in §21.3. The Client’s obligation to procure MARFI-sourced licensing exclusively through MARFI, and the prohibition on using MARFI’s pricing or invoicing to circumvent MARFI as reseller of record, are set out in §21.3; breach of those obligations entitles MARFI to the remedies described therein. Acceptance of licensing or payment of any invoice that includes such licensing constitutes acceptance of the associated commitment terms.
All MARFI Platform IP remains the exclusive property of MARFI Systems, Inc. Nothing in these Terms or any Service Order transfers ownership of MARFI Platform IP to Client or any third party.
Deliverables created specifically for Client, configuration documents, security reports, audit artifacts, scan results, penetration test reports, and environment-specific materials, are Client’s property. MARFI assigns all rights in such Deliverables to Client upon creation, subject to MARFI’s retained rights in any embedded Platform IP.
MARFI grants Client a non-exclusive, non-transferable, revocable license to use MARFI Platform IP solely as embedded in Deliverables and solely for Client’s internal business purposes. This license terminates upon termination of the applicable services.
Client will not reverse engineer, decompile, disassemble, or create derivative works from any MARFI Platform IP.
Access to third-party platforms embedded in MARFI services (JumpCloud, CrowdStrike, Secureframe, Meter, etc.) is contingent on an active service engagement. Client acquires no independent license rights to those platforms through MARFI.
Client grants MARFI a non-exclusive, limited license to use Client Data solely for the purpose of delivering the Services.
Any suggestions, enhancement requests, or feedback Client provides regarding MARFI services may be used by MARFI without restriction or obligation.
Our Privacy Policy is incorporated by reference and governs how MARFI collects, uses, and protects personal information.
For Managed Services, Client is the data controller and MARFI is the data processor. For SaaS Products, Client is generally the controller of data it submits to the platform.
Client Data remains Client’s property at all times. MARFI processes Client Data solely for service delivery. MARFI does not sell, rent, or share Client Data for advertising or profiling.
MARFI does not train AI models on Client Data. AI capabilities are used for real-time inference only. If MARFI changes an AI model provider used in service delivery, MARFI will provide 30 days’ written notice.
If MARFI confirms a security breach affecting Client Data, MARFI will notify Client within 72 hours of confirmation.
This sub-section applies only where a Service Order or MSA expressly states that MARFI will store, process, or transmit Controlled Unclassified Information (CUI) or Covered Defense Information (CDI). Where it applies: (a) MARFI will implement the NIST SP 800-171 security requirements applicable to the in-scope systems, consistent with DFARS 252.204-7012; (b) MARFI will report cyber incidents affecting in-scope CUI/CDI to Client without undue delay and, where designated, assist with the rapid report to DoD via DIBNet within 72 hours of discovery, and will preserve affected media and provide reasonable forensic cooperation; (c) MARFI will flow the substance of DFARS 252.204-7012 to any subcontractor handling in-scope CUI/CDI, unaltered except to identify the parties; and (d) any external cloud used for in-scope CUI/CDI will meet the FedRAMP Moderate baseline (or equivalent). Except as a Service Order states, MARFI’s framework alignment is advisory and does not by itself satisfy Client’s own CMMC, DFARS, or contract obligations; Client remains responsible for its own compliance.
Upon termination, MARFI will provide Client Data in machine-readable formats within 30 days of Client’s written request.
MARFI will delete Client Data within 90 days of termination, but only after receiving a signed deletion request from an authorized Client representative. MARFI will not unilaterally delete Client Data. MARFI will provide written certification of deletion upon completion.
Contracts, invoices, and audit logs are retained for three years after termination regardless of a deletion request. Anonymized and aggregated data that cannot identify Client or any individual is retained indefinitely.
MARFI acts as a service provider under the CCPA/CPRA. MARFI does not sell personal information.
A current list of subprocessors is maintained at trust.marfi.io. MARFI provides 30 days’ notice before engaging a new subprocessor. Client has a 15-day objection window following notice.
Both parties agree to protect the other party’s Confidential Information with the same degree of care they use for their own confidential materials, and no less than reasonable care.
MARFI’s Confidential Information includes, without limitation: platform and system architecture and methodologies; pricing, quotes, invoices, discount structures, margins, and vendor pricing and agreements; internal processes, runbooks, and know-how; the Automation Engine and all automations, scripts, and orchestration logic; software, identity, and infrastructure configurations, tenants, and the Managed Assets (§21.4) provisioned for Launchpad and all other tooling; source code, AI and agent prompts, model and scanning pipelines, and scoring algorithms; security findings and posture data; and product roadmaps. All of the foregoing is MARFI Confidential Information whether or not marked or designated "confidential." For the avoidance of doubt, MARFI’s pricing, quotes, and invoices are Confidential Information, and any use of them to obtain, renew, or circumvent licensing is additionally governed by §21.3.
Includes Client Data, systems information, business processes, scan results, vulnerability reports, and penetration test findings.
Information is not Confidential Information if it: (a) was already known to the receiving party without restriction; (b) is or becomes publicly available through no fault of the receiving party; (c) is independently developed without reference to the disclosing party’s information; (d) is disclosed by a third party without restriction; or (e) is required to be disclosed by law or court order.
If a party is legally compelled to disclose the other party’s Confidential Information, it will: (a) promptly notify the other party (where legally permitted); (b) limit disclosure to the minimum required; and (c) seek a protective order where practicable.
Confidentiality obligations survive for three years after termination of all services. Raptor penetration test findings and vulnerability reports remain Confidential Information regardless of how they were obtained.
Reports & attestations
SOC 2 Type I & Type II, independent reports, available under NDA. HIPAA, Business Associate Agreements signed with covered Clients; HIPAA addendum to our SOC 2 examination (HIPAA has no certification regime).
Aligned (frameworks we map to, not certifications held)
ISO 27001, NIST 800-171, CMMC, CIS; FedRAMP (advisory).
Our trust center is available at trust.marfi.io. MARFI’s SOC 2 Type II report is available upon request under NDA.
BEYOND THE EXPRESS WARRANTIES ABOVE, ALL SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." MARFI DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
MARFI will defend, indemnify, and hold Client harmless from third-party claims arising from:
Client will defend, indemnify, and hold MARFI harmless from third-party claims arising from:
Raptor Indemnification Note: Client’s indemnification obligations for Raptor use under §13.2.5 are in addition to (not in lieu of) MARFI’s liability limitations under §12. Client bears full responsibility for all consequences of penetration testing activities.
These Terms take effect when Client first accesses any MARFI service.
The Client may cancel any product or service for convenience by providing MARFI with at least thirty (30) calendar days’ prior written notice (notice by email is sufficient). This thirty (30) day minimum notice applies to all MARFI products and services. Cancellation is effective at the end of the billing period in which the notice period expires, and the Client remains responsible for all Fees accruing through the effective date, together with any licensing obligations under an active reserved-quantity or commitment term (see §21).
Each MARFI product and service is subscribed and cancellable independently. Cancellation, reduction, suspension, or termination of one product or service (for example, Launchpad) does not constitute, and shall not be construed as, cancellation of any other product or service (for example, Launchpad DIB, Meter, Raptor, CyberTrustScore, or BOOST). A separate cancellation notice, properly communicated by the Client and acknowledged and accepted by MARFI in writing, is required for each product or service the Client wishes to cancel. The Client’s continued use of, or payment for, any service constitutes the Client’s continued acceptance of these Terms as to that service.
Subscriptions end at the conclusion of the current billing period. No prorated refunds on annual plans unless MARFI terminates for convenience.
§5 (accrued Fees), §7 (IP), §8 (Data), §9 (Confidentiality), §10 (Security), §11 (Warranties), §12 (Liability), §13 (Indemnification), §15 (Non-Solicitation), §19 (Dispute Resolution), and §20 (General Provisions).
Applies to Managed Services (Launchpad) only. The transition period is 90 calendar days, and all timeframes in this Section run from the final service end date, the effective date on which the applicable service terminates or expires, and not from the date of the termination or cancellation notice.
For the avoidance of doubt, Transition Assistance does not include, and MARFI is under no obligation to provide, the transfer, assignment, migration, or release of any proprietary configurations, automations, processes, runbooks, tenants, or the software licensing that comprises the Launchpad stack (collectively, the "Managed Assets," as defined in §21.4). MARFI retains sole and exclusive ownership of the Managed Assets, and any transfer of Managed Assets occurs only if expressly agreed by both parties in a signed writing, which MARFI is not obligated to enter into.
Billed at Launchpad Client professional services rates during the transition period, and at published rates after the transition period ends.
MARFI will not destroy Client Data until it receives a signed deletion request from an authorized Client representative. Written certification of deletion provided. Retained Records kept for three years.
The following activities are prohibited when using any MARFI service:
Raptor Authorization & Law Enforcement Cooperation:
Neither party is liable for failure to perform (other than payment obligations) caused by events beyond its reasonable control: acts of God, pandemics, government actions, cyberattacks on third-party infrastructure, cloud/SaaS provider failures, natural disasters, war, and civil unrest.
Raptor performs ACTIVE penetration testing, not passive vulnerability scanning. It probes, injects, attempts exploitation, and escalates privileges against live systems. The following terms govern all use of Raptor and are critical to your legal protection and ours.
Authorization & Consent
By initiating any scan, Client represents and warrants that:
MARFI may request proof of written authorization before, during, or after any scan. Failure to provide proof within 5 business days of request constitutes grounds for immediate account suspension and data preservation for potential law enforcement disclosure.
Client must maintain authorization documentation for a minimum of 3 years following any scan.
Assumption of Risk
Client acknowledges and accepts that penetration testing inherently carries risk of system disruption, service degradation, data corruption, or downtime. MARFI IS NOT LIABLE for any damage, downtime, data loss, service interruption, business disruption, lost revenue, or consequential damages arising from or related to any Raptor scan, regardless of whether such damage was foreseeable.
Prohibited Use & Law Enforcement Cooperation
Client must not use Raptor to:
MARFI retains complete logs of all scan activity, including target IPs/domains, scan parameters, timestamps, user identity, and results.
In the event of suspected misuse, unauthorized scanning, or illegal activity, MARFI may (and reserves the right to): (a) immediately suspend Client’s access without notice; (b) preserve all scan logs and account data; (c) disclose scan logs, account information, and any related data to law enforcement authorities, regulatory bodies, or affected third parties WITHOUT prior notice to Client and WITHOUT Client’s consent; (d) cooperate fully with any investigation.
Scan Results & Reports
Limitations & Disclaimers
Client shall indemnify, defend, and hold harmless MARFI from and against ALL claims, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising from Client’s use of Raptor, including but not limited to unauthorized scanning, misuse of scan results, or violation of any law.
Nature of Service
Accounts, Alerts & Public Database
Widget & Embedding License
MARFI offers an embeddable CyberTrustScore widget that third parties may display on their websites subject to the following terms:
Limitations, Data Use & Discontinuation
Acceptable Use & Rate Limits
Unsolicited Scan Removal Requests
Because CyberTrustScore analyzes only publicly available data and does not access, probe, or test any system, domain owners who object to being scanned may request removal from the CyberTrustScore database by using the contact form. MARFI will process removal requests within 30 days. Removal does not prevent the domain from being re-scanned if a third party initiates a new scan.
Availability & Pricing
Billing
Service Scope
Termination
Anti-Circumvention & Reseller of Record
MARFI is the Client’s authorized Value-Added Reseller (VAR), agent of record, and procurement intermediary for all software licensing sourced, quoted, bundled, or managed through BOOST or any MARFI service. For the duration of the engagement, the Client shall procure such licensing exclusively through MARFI and shall not use MARFI’s pricing, quotes, invoices, vendor agreements, license keys, or vendor relationships to acquire, renew, transfer, or re-register licensing directly or through any third party. Any attempt by the Client to circumvent, bypass, disintermediate, or remove MARFI as the reseller or agent of record, including using MARFI-provided pricing or invoicing to obtain equivalent licensing elsewhere, or transferring a MARFI-sourced license away from MARFI’s reseller account without MARFI’s prior written consent, constitutes a material breach of these Terms. Upon any such breach, MARFI reserves and may exercise any and all rights and remedies available at law or in equity, including recovery of all resulting damages, lost margin and commissions, vendor chargebacks, restocking and cancellation penalties, and its reasonable attorneys’ fees and costs, and the immediate suspension or termination of services. This provision survives termination of the Agreement.
Reserved Quantities & Commitment Terms
Certain licenses procured through BOOST or bundled within Launchpad carry vendor-imposed reserved quantities, minimum quantities, or fixed commitment terms (for example, annual or multi-year commitments). The Client is and remains responsible for payment of the full committed quantity and value of any such licensing for the entirety of its committed term, regardless of actual usage and regardless of whether Launchpad, BOOST, or any related MARFI service is cancelled, reduced, suspended, or terminated before the end of that term. Cancellation of Launchpad or any other service does not reduce, offset, or terminate the Client’s payment obligations for licensing under an active commitment term, which shall continue to be invoiced and remain due in full through the end of the communicated term. The applicable commitment term, reserved quantity, and associated obligations for any license may be communicated to the Client (i) verbally during a meeting that is recorded with the Client’s knowledge and consent, or (ii) in writing, including by email. The Client’s acceptance of such licensing, and/or the Client’s payment of any invoice that includes such licensing, each independently constitutes the Client’s acceptance of, and binding agreement to, the associated reserved-quantity and commitment terms.
Launchpad is provided solely as a managed service. All software licensing, SaaS and cloud subscriptions, vendor tenants and accounts, identity and device configurations, security policies, automations, scripts, runbooks, documentation, integrations, API keys, and all other assets that MARFI creates, procures, provisions, configures, deploys, or maintains in connection with Launchpad (collectively, the "Managed Assets") are and shall remain the sole and exclusive property and intellectual property of MARFI. MARFI licenses, provisions, and operates the Managed Assets on the Client’s behalf for the limited duration of the active engagement only.
The Client receives a limited, revocable, non-exclusive, non-transferable, non-sublicensable right to use the Managed Assets solely while the applicable subscription is active and all Fees are current. MARFI reserves all right, title, and interest in and to the Managed Assets, and nothing in these Terms transfers, assigns, or grants ownership of any Managed Asset to the Client.
Upon expiration, cancellation, or termination of Launchpad for any reason, MARFI is under no obligation to assign, transfer, migrate, release, hand off, or otherwise deliver any Managed Asset, including any tenant, license, subscription, configuration, credential, or administrative access, to the Client or to any successor, alternate, or third-party service provider. Any such transition, if offered by MARFI, is provided solely at MARFI’s discretion under a separate signed written transition agreement and is subject to MARFI’s then-current transition and professional-services fees. Return of Client Data is governed by §8 (Data & Privacy) and §16 (Transition Assistance); for clarity, Client Data does not include the Managed Assets.
For questions about these Terms of Service or your service agreement, contact MARFI’s legal team. Any custom terms in your Master Service Agreement (MSA) will govern where they conflict with the above.
MARFI Systems, Inc.
2219 Main Street, Santa Monica, CA 90405