Free CBOM Service Terms

Last updated: January 2026

1. Service Description

The Free CBOM Generation Service ("Service") provided by PQC Consultancy, powered by INKASEC ("we", "us", "our"), allows users to upload source code archives and receive a Cryptographic Bill of Materials (CBOM) identifying cryptographic algorithms, protocols, and patterns in their code.

This Service is provided free of charge subject to the limitations and terms set out below. By using the Service, you agree to be bound by these terms.

2. Service Limitations

The Free CBOM Service is subject to the following limitations:

2.1 Usage Limits

• 3 scans per email address per rolling 30-day period
• 5 scans per IP address per rolling 24-hour period
• 50MB maximum file size per upload
• 50,000 files maximum per archive

2.2 Time Limits

• Upload links expire 30 minutes after generation
• Download links can only be used once
• Undownloaded results are automatically deleted after 7 days

2.3 Scope of Analysis

The free Service provides:

• Detection of cryptographic algorithms and patterns in source code
• Reachability analysis (determining which crypto is actually executed from entry points)
• Call path tracing from entry points to cryptographic usage
• CycloneDX 1.6 format CBOM output
• Categorisation by algorithm type, severity, and quantum vulnerability

The free Service does not include:

• Third-party dependency scanning (scanning libraries and packages you depend on)
• Infrastructure or configuration scanning (servers, certificates, HSMs)
• Expert review or recommendations
• Migration roadmaps or remediation guidance
• Priority support or consultation

These advanced features are available in our paid service tiers.

3. Supported File Formats

The Service accepts source code archives in the following formats:

• ZIP (.zip)
• TAR (.tar)
• Gzipped TAR (.tar.gz, .tgz)
• Zstandard TAR (.tar.zst, .tzst)

4. Supported Languages

The scanner analyses code written in the following languages:

• Go, Python, Java, JavaScript, TypeScript
• C, C++, C#, Rust
• Ruby, PHP, Kotlin, Swift, Scala
• And other common programming languages

5. Data Handling and Privacy

5.1 Source Code

• Your source code is uploaded over encrypted TLS 1.3 connections
• Source code is stored encrypted at rest using AES-256
• Source code is processed in an isolated cloud environment
• Source code is automatically deleted immediately after processing, or within 24 hours if processing fails
• We do not retain, share, or use your source code for any purpose other than generating your CBOM
• No human reviews your source code unless you explicitly request support

5.2 Generated Results

• Your CBOM is available for one-time download only
• After download, the CBOM file is immediately deleted from our servers
• If not downloaded, results are automatically deleted after 7 days

5.3 Audit Records

We retain the following information permanently for audit, security, and abuse prevention purposes:

• Email address used to request the scan
• IP address of the request
• Timestamps (request, upload, completion, download)
• Project name provided
• File size and filename of uploaded archive
• Aggregate scan statistics (languages detected, findings count by severity)
• Terms acceptance confirmation

We do not retain:

• Your source code
• The generated CBOM file
• Detailed finding information or file paths from your code

For full details on how we handle personal data, see our Privacy Notice.

6. Acceptable Use

You agree to use the Service only for lawful purposes. You must not:

• Upload malicious code, viruses, or malware
• Upload code you do not have the legal right to scan
• Attempt to circumvent usage limits or abuse the Service
• Use automated tools to bulk-submit scans
• Use disposable or temporary email addresses
• Interfere with or disrupt the Service

We reserve the right to block access or terminate accounts that violate these terms.

7. Intellectual Property

You retain all intellectual property rights in your source code. By uploading code to the Service, you grant us a limited, temporary licence solely to process your code and generate the CBOM. This licence terminates immediately upon deletion of your source code.

The generated CBOM is provided to you for your use. We claim no ownership over the CBOM output.

8. Disclaimer of Warranties

The Service is provided "as is" and "as available" without warranties of any kind, either express or implied, including but not limited to:

• Accuracy or completeness of the CBOM output
• Detection of all cryptographic usage in your code
• Fitness for a particular purpose
• Uninterrupted or error-free operation

The free Service is intended as an introductory tool. For comprehensive cryptographic assessments with professional review and recommendations, please consider our paid services.

9. Limitation of Liability

To the fullest extent permitted by law, PQC Consultancy and INKASEC shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from:

• Your use of or inability to use the Service
• Any errors, omissions, or inaccuracies in the CBOM output
• Unauthorised access to or alteration of your data
• Any other matter relating to the Service

Our total liability for any claim arising from the free Service shall not exceed GBP 0 (zero pounds).

10. Indemnification

You agree to indemnify and hold harmless PQC Consultancy, INKASEC, and their officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable legal fees) arising from your use of the Service or violation of these terms.

11. Service Availability

We reserve the right to:

• Modify, suspend, or discontinue the free Service at any time without notice
• Change these terms at any time (continued use constitutes acceptance)
• Limit or restrict access for any reason
• Introduce or modify usage limits

12. Governing Law

These terms are governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

For questions about these terms or the Service, please contact us:

Email: contact@pqcconsultancy.com
Website: pqcconsultancy.com/contact