Security Flare — Terms of service
Document version: v1 Last reviewed: 2026-06-26 Reviewed by: Security Flare leadership; pending external legal review.
These terms ("Terms") govern your use of the Security Flare service ("Service") operated by Security Flare ("Security Flare", "we", "us"). By creating an account or signing in to the Service you agree to these Terms.
Read this document together with our Privacy policy (how we handle personal information) and Trust & security overview (how we secure your data).
1. Who we are
Security Flare is an Australian operator of a multi-tenant SaaS service that helps Microsoft-centric MSPs and their customer organisations reach and maintain ISO/IEC 27001:2022 certification.
These Terms are governed by the laws of New South Wales, Australia. You and Security Flare submit to the non-exclusive jurisdiction of the courts of New South Wales for any dispute under or relating to these Terms.
2. The Service
The Service includes:
- The ISMS register surfaces (controls, policies, risks, SoA, assets, suppliers, incidents, audits, findings, training, documents, objectives, interested parties, ISMS scope, tasks, audit log)
- The Microsoft Graph evidence-collection pipeline (subject to your admin consent — see §4)
- The XLSX / DOCX exports of the above
- The MSP portfolio view (where applicable)
- The operator and dashboard surfaces required to use the above
We may add, remove, or change features. Material changes (a register being retired, a contracted commitment changing) are notified at least 30 days in advance via the registered admin email on your organisation account and surfaced in the public changelog.
3. Accounts and access
3.1 How accounts are created
A Security Flare account is bound to your Microsoft Entra ID tenant.
The first user from a new Entra tenant lands in pending state until
Security Flare completes out-of-band verification — typically a phone
call to confirm identity. See CLAUDE.md §3.2 in the public repository
for the implementation.
3.2 You are responsible for
- Keeping your Microsoft Entra ID credentials secret. Security Flare never stores them; Microsoft handles authentication.
- Promptly removing accounts of staff who leave your organisation through your Entra ID admin centre.
- The accuracy of compliance content you enter — Security Flare provides the tool; you remain responsible for what your ISMS records.
- Maintaining at least one active organisation administrator at all times.
3.3 We are responsible for
- Keeping the Service available subject to §6.
- Storing the data you enter and the evidence we read on your behalf per the Privacy policy and the security commitments at /trust.
- Notifying you of unauthorised access to your data per the Notifiable Data Breaches scheme (Privacy Act Part IIIC).
4. Microsoft Graph integration
Where you choose to connect Microsoft Graph evidence collection, you
grant Security Flare the application-permission scopes listed in our
Privacy policy §3 by completing the Microsoft /adminconsent
flow. This consent is revocable at any time from your Microsoft Entra
admin centre. Revocation stops Graph reads on the next scheduled run.
You confirm you have authority to grant this consent on behalf of your organisation.
5. Fees and billing
5.1 How we charge
- During the beta cohort, Security Flare arranges billing
out-of-band. Stripe processes payment cards; Security Flare never
stores card numbers. We hold a
stripe_customer_idand the subscription state mirror only. - Once self-serve Checkout ships, plans + prices will be published at https://securityflare.com.au and you will agree to the relevant plan before charge.
5.2 Payment failures
If a recurring charge fails, Stripe retries per its dunning policy. If
the subscription enters unpaid status, Security Flare automatically
suspends your organisation account (status flips to suspended,
written to the audit log). Suspended organisations cannot make tenant
writes; reads stay available so you can export your data. Resuming
payment reverses the suspension within minutes.
5.3 Refunds
We do not offer pro-rata refunds for partial billing periods. Material service failures (extended outages beyond our published commitments) are addressed via service credits per §6.
6. Service availability
We target 99.5% monthly availability, measured over a calendar month, excluding scheduled maintenance windows announced at least 48 hours in advance and force-majeure events. Status is published at /status.
If we fall short of this target across two consecutive months we will credit your account 5% of the affected month's subscription on request. Service credits are the sole remedy for an availability shortfall.
7. Data and your rights
You retain ownership of all data you upload to or generate through the Service. We hold an operational licence to host, process, and serve that data back to you per these Terms.
7.1 Export
You can export your data through:
- XLSX register exports (controls, risks, SoA, objectives, interested parties, ISMS scope history, etc.)
- DOCX policy exports
- JSON via the JSON API (cookie-bound)
- A
.ziparchive of evidence files on request to hello@securityflare.com.au within 30 days of account closure
7.2 Deletion
When you close your account we:
- Suspend tenant writes immediately
- Maintain reads + export for 90 calendar days (so you can pull archives)
- Permanently delete your tenant rows after 90 days, except:
audit_logrows are retained for the lifetime of the platform (A.8.15 + the Notifiable Data Breaches forensic requirement); we will scrub fields not legally required to keep on request- Files under Object-Lock-protected R2 prefixes (evidence, policies, exports, Logpush) are retained for the 7-year lock period — see Privacy policy §4 for the rationale and ADR-0014 for the technical commitment
We will confirm deletion of your tenant rows by email.
8. Acceptable use
You agree not to:
- Use the Service to store unlawful, harmful, or fraudulent content
- Attempt to circumvent Security Flare's tenant-isolation boundaries or read data belonging to another organisation
- Reverse-engineer or sublicense the Service except as permitted by Australian law for interoperability
- Use the Service in a way that interferes with another customer's use
Security Flare may suspend an account on reasonable grounds of acceptable-use violation. We will explain the suspension and give you 7 days to remedy where remediation is possible.
9. Intellectual property
Security Flare retains all rights in the Service itself (code, design, the policy templates we ship, the seed control catalogue).
ISO/IEC 27001 and ISO/IEC 27002 verbatim text is © ISO. Security
Flare uses only clause numbers and factual identifiers (control
codes, titles) and paraphrases guidance — see CLAUDE.md §3.6.
You retain all rights in the content you contribute, including the policies you write and the evidence you collect into your tenant.
10. Warranties and liability
10.1 No implied warranties beyond Australian Consumer Law
Where you are a "consumer" under the Australian Consumer Law, your non-excludable consumer guarantees apply. To the extent permitted by law, all other warranties are excluded.
10.2 Limits
To the maximum extent permitted by law, Security Flare's aggregate liability under or in connection with these Terms is limited to the fees paid by you in the 12 months preceding the event giving rise to the claim.
Neither party is liable for indirect, incidental, special, or consequential loss — including lost profits, lost revenue, lost data, or loss of business opportunity — except in cases of wilful misconduct or where Australian law does not permit such exclusion.
10.3 Force majeure
Neither party is liable for failure caused by events outside its reasonable control (natural disaster, war, regulatory order, internet backbone outage, sub-processor failure with a published incident).
11. Confidentiality
Information you share with us that is not generally known (your implementation status, your risk register, your incident details) is confidential. We will not disclose it except:
- To staff and sub-processors who need it to deliver the Service (see Privacy §6)
- As required by law (we will give you reasonable notice unless prohibited from doing so)
12. Changes to these Terms
We may revise these Terms. Material changes are notified at least 30 days in advance via the registered admin email and surfaced in the public changelog. Continued use of the Service after the notice window constitutes acceptance.
The Document-version and Last-reviewed fields at the top of this page identify the current revision.
13. Termination
You can stop using the Service at any time. Contact hello@securityflare.com.au to terminate the contract — termination takes effect at the end of the current billing cycle unless otherwise agreed.
Security Flare can terminate your contract for material breach (non-payment after a 14-day cure period, acceptable-use violation under §8 that you have not remedied) on written notice.
14. Contact
Security Flare hello@securityflare.com.au Address available on request.
Governing law: New South Wales, Australia. Jurisdiction: non-exclusive jurisdiction of the NSW courts.