Terms of Service
Last updated: 26 April 2026
These Terms of Service ("Terms") govern your access to and use of the norppa.io platform and services ("Service"). By subscribing to or using the Service, you agree to these Terms on behalf of your organisation ("Customer").
The Service is provided exclusively to businesses and other legal entities. If you are a consumer (an individual acting outside the scope of any trade or profession), you may not use the Service.
1. The Service
norppa.io provides automated external security intelligence and NIS2 supply chain risk monitoring. The Service continuously monitors publicly available and intelligence-source data relating to domains and organisations submitted by the Customer, and delivers findings and compliance reports.
The Service is provided on an "as available" basis. We do not guarantee that the Service will identify every security issue or that all findings are exhaustive. Security intelligence by nature is probabilistic and incomplete — our findings represent a best-effort assessment based on available sources at the time of scanning.
2. Authorisation and Permitted Use
By submitting a domain or organisation for monitoring, the Customer represents and warrants that:
- The Customer has a legitimate business reason to monitor the submitted entity (e.g. an existing supplier, partner, or the Customer's own organisation).
- The Customer has obtained any necessary consents or has a legitimate interest under applicable law to request external security intelligence on the submitted entity.
- The submitted domains and entities are not used for unlawful purposes.
The Service may not be used to monitor individuals, to facilitate harassment, or for any purpose that violates applicable law. We reserve the right to suspend the Service immediately if we determine that submitted targets are being used in violation of these Terms.
2.1 Standard scanning methodology (supplier and third-party domains)
For all supplier and third-party domains submitted under a standard subscription, norppa.io uses exclusively non-intrusive, publicly available methods. These methods do not require any access to the target's systems and are conducted in a manner consistent with applicable Finnish and EU law, including the Criminal Code of Finland (rikoslaki), chapter 38 section 8 (tietomurto, unlawful access to an information system). Methods include:
- DNS record lookups (A, MX, TXT, SPF, DMARC, DNSSEC).
- Certificate Transparency log queries (publicly logged TLS certificates).
- Reading publicly accessible HTTP/HTTPS response headers from the target's own web servers.
- Queries to third-party threat-intelligence and internet-scan databases (such as Shodan, Censys, and similar commercial feeds that aggregate previously collected data).
- Publicly available breach and credential-exposure databases.
- Official business and corporate registries.
- Publicly accessible code repositories.
These checks do not involve authentication attempts, active port scanning initiated by norppa.io, payload-based vulnerability testing, or any method that would constitute unauthorised access under Finnish or EU law. Checks that require authenticated access (such as MFA status verification) are not performed on third-party domains and are reported as unverified.
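The following is an added illustration, not norppa.io's own code, of what a non-intrusive check of the kind listed above produces when run over resolver and HTTP-client output. The DNS TXT records, DMARC record and response headers are constructed sample data so the script runs offline; the function names, severity labels and the list of expected headers are assumptions for this example. Note how an authenticated check (MFA status) is emitted as unverified rather than attempted.

```python
"""Passive posture check over constructed data (example only, not norppa.io code).

Assumed inputs: the TXT records a resolver returned for the domain and for
_dmarc.<domain>, plus the response headers from one HTTPS GET. No packets are
sent by this script; everything below is parsing and policy evaluation.
"""

# Constructed sample for a hypothetical supplier domain (not a real lookup).
SAMPLE = {
    "domain": "supplier.example",
    "txt": ["v=spf1 include:_spf.example.net ~all", "google-site-verification=abc123"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@supplier.example"],
    "headers": {"Server": "nginx/1.18.0", "Content-Type": "text/html"},
}

# Terminal "all" qualifiers per RFC 7208; a bare "all" means "+all".
SPF_QUALIFIERS = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass"}
SPF_SEVERITY = {"fail": "info", "softfail": "low", "neutral": "medium", "pass": "high", "none": "medium"}

# Assumed expected headers and the severity assigned when one is missing.
EXPECTED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "low",
    "x-content-type-options": "low",
}


def evaluate_spf(txt_records):
    """Classify the domain's SPF policy from its TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "policy": None, "severity": "high"}
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one v=spf1 record is a permerror.
        return {"present": True, "policy": "invalid", "severity": "high"}
    last = spf[0].split()[-1].lower()
    if last == "all":
        policy = "pass"
    else:
        policy = SPF_QUALIFIERS.get(last, "none")  # "none": no terminal all
    return {"present": True, "policy": policy, "severity": SPF_SEVERITY[policy]}


def evaluate_dmarc(txt_records):
    """Parse the _dmarc TXT record into tags and grade its p= policy."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {"present": bool(recs), "policy": "invalid" if recs else None, "severity": "high"}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    severity = {"reject": "info", "quarantine": "low", "none": "medium"}.get(policy, "high")
    return {"present": True, "policy": policy or "invalid", "severity": severity, "reporting": "rua" in tags}


def evaluate_headers(headers):
    """Report expected security headers that are absent (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [{"header": h, "severity": sev} for h, sev in EXPECTED_HEADERS.items() if h not in present]


def assess(sample):
    """Combine the passive checks into a findings list for one domain."""
    findings = [{"check": "spf", "verified": True, **evaluate_spf(sample["txt"])},
                {"check": "dmarc", "verified": True, **evaluate_dmarc(sample["dmarc_txt"])}]
    for missing in evaluate_headers(sample["headers"]):
        findings.append({"check": "http-header", "verified": True, **missing})
    # Checks needing authenticated access are never run against a third-party
    # domain; they are reported as unverified instead of attempted.
    findings.append({"check": "mfa-status", "verified": False, "severity": "unverified"})
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

Every line of input here is something the target publishes (DNS answers, headers it sends to any client), which is what keeps the check on the passive side of the boundary described above; adding a connection to a port other than 443, or any request body designed to trigger a fault, would move it into the Full Scan category.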
2.2 Full Scan add-on (own domain)
The Full Scan add-on enables deeper active external checks on a single designated domain. By activating the Full Scan add-on and designating a domain, the Customer warrants that:
- The Customer is the registered owner of the designated domain, or has obtained explicit written authorisation from the domain owner to conduct external security testing; and
- The Customer accepts sole responsibility for ensuring that the active checks are lawful in the jurisdiction in which the target infrastructure is located.
Active checks enabled by the Full Scan add-on may include external port enumeration, banner grabbing, and externally observable vulnerability indicators. These checks are performed only on the single domain designated by the Customer at the time of add-on activation. norppa.io uses all legally permissible methods, including active external techniques, for security research on its own infrastructure.
2.3 Supplier relationship requirement
norppa.io is a supply chain security monitoring tool, not a general-purpose domain intelligence platform. All domains submitted for monitoring must represent entities with which the Customer has an existing or prospective legitimate business relationship (e.g. suppliers, vendors, technology partners, or the Customer's own group companies). Submitting domains for competitive intelligence, market research, or any purpose unrelated to the Customer's own supply chain risk management is not a permitted use.
3. Subscriptions and Payment
3.1 Billing options
The Service is available on two billing cycles:
- Monthly billing: Fees are charged each month at the monthly rate. No prepayment is required. The subscription period begins on the date your subscription is activated.
- Annual billing: Fees for the full year are charged in a single payment at the time of subscription activation. Annual plans include two months of service at no additional charge compared to twelve months of monthly billing.
3.2 Renewal and cancellation
Monthly subscriptions renew automatically each month. You may cancel at any time via the account settings page in your dashboard, or by emailing [email protected]. Cancellation takes effect at the end of the current billing period; no further charges are made after that date. Annual subscriptions renew automatically for a further year unless cancelled at least 30 days before the renewal date. No refunds are issued for the unused portion of a paid period following cancellation.
3.3 Price changes
We may adjust pricing at renewal. We will notify you by email at least 60 days before any price change takes effect. Continuing to use the Service after a price change constitutes acceptance.
3.4 Late payment
Overdue invoices accrue interest at the rate prescribed by the Finnish Interest Act (Korkolaki 633/1982). We may suspend access to the Service if payment is more than 14 days overdue.
4. Confidentiality
Each party agrees to keep the other party's confidential information — including findings, reports, and technical details of the Service — confidential and not to disclose it to third parties without prior written consent. This obligation survives termination for a period of three years. Reports generated by the Service are the Customer's confidential information.
5. Intellectual Property
Reports and findings delivered to the Customer are owned by the Customer. The methodology, software, algorithms, and infrastructure underlying the Service remain the exclusive property of norppa.io. The Customer receives no licence to the underlying technology beyond the right to use the Service during the subscription period.
6. Limitation of Liability
To the maximum extent permitted by Finnish law:
- norppa.io is not liable for any indirect, consequential, incidental, or special damages arising from use of the Service or reliance on any findings.
- norppa.io's total aggregate liability for any claim arising under or in connection with these Terms is limited to the fees paid by the Customer in the 12 months preceding the claim.
- norppa.io makes no warranty that findings are complete, accurate, or free from error. The Customer is solely responsible for decisions taken on the basis of findings.
- norppa.io is not liable for security incidents that occur at the Customer or its suppliers regardless of whether such incidents could have been detected by the Service.
7. Customer Liability for Misuse
The Customer shall compensate norppa.io for any third-party claims, damages, and costs (including reasonable legal fees) directly caused by: (a) the Customer's submission of targets that the Customer did not have authorisation to monitor; (b) the Customer's material breach of these Terms; or (c) the Customer's violation of applicable law in connection with use of the Service.
8. Service Availability and Changes
We aim for high availability but do not commit to a specific uptime SLA on standard plans. Customers on custom contracts may request SLA terms. We reserve the right to modify, suspend, or discontinue any part of the Service with 30 days' notice. In the event of discontinuation, we will provide a pro-rated refund for any prepaid period.
9. Termination
Either party may terminate these Terms immediately if the other party materially breaches these Terms and fails to remedy the breach within 14 days of written notice. norppa.io may also terminate immediately if the Customer violates Section 2 (Authorisation and Permitted Use).
Upon termination, the Customer's access to the Service ceases. Customer data is retained for 90 days post-termination to allow retrieval of reports, after which it is permanently deleted.
10. Governing Law and Disputes
These Terms are governed by the laws of Finland, excluding its conflict-of-law provisions. Any dispute arising from these Terms shall be submitted to the exclusive jurisdiction of the District Court of Helsinki (Helsingin käräjäoikeus) as the court of first instance.
11. Changes to These Terms
We may update these Terms. Material changes will be notified by email at least 30 days before taking effect. Continued use of the Service after the effective date constitutes acceptance. The current version is always available at norppa.io/terms.
12. Contact
Legal notices and formal correspondence: [email protected]
The Service is operated by Norteris Oy (Business ID 3621127-2), Sturenkatu 26, 00510 Helsinki, Finland.