1. Contracting entity and scope
The contracting entity is Aneo B.V., Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands. These Terms apply to aneo.io, related product surfaces, and all subdomains and aliases operated by Aneo B.V., including, for example, www.aneo.io, app.aneo.io, api.aneo.io, docs.aneo.io, and status.aneo.io.
These Terms govern your access to and use of Aneo websites, applications, software products, hosted services, support, documentation, generated output, and related services, together referred to as the Services. If you use the Services for an organization, you accept these Terms for that organization and confirm that you have authority to do so.
2. Definitions
Products means aneo software applications made available as cloud or SaaS products, including Framework-Pro and IncidentAI, and any downloadable software or plugins delivered electronically if Aneo B.V. offers them. Services means hosted services, support, onboarding, professional services, documentation, and other service features provided by Aneo B.V. Offerings means Products and Services together. References to the Services include the Products unless the context clearly requires otherwise.
Customer Content means documents, tickets, questionnaire answers, prompts, outputs, policies, reports, evidence notes, incident records, uploads, and other materials submitted to or generated through the Services by or for a customer.
3. Accounts and eligibility
You must provide accurate account, billing, organization, and contact information. You are responsible for protecting credentials, managing authorized users, maintaining appropriate access controls, and ensuring users comply with these Terms.
You are responsible for all activity under your accounts unless the activity results from Aneo B.V.'s failure to meet its own security obligations under an applicable agreement.
4. Subscriptions, orders, and product access
A subscription, order, or accepted product purchase gives you a limited, non-exclusive, non-transferable right to use the relevant Offerings during the applicable term and within the applicable scope, plan limits, documentation, and order terms.
You may not resell, lease, sublicense, misuse, reverse engineer, or provide access to the Offerings except as allowed by these Terms, the documentation, or a signed agreement.
If Aneo B.V. provides downloadable software or plugins, Aneo B.V. grants you a limited, non-exclusive, non-transferable license to install and use that software during the applicable term for internal business purposes and in accordance with the documentation. You may not copy, modify, reverse engineer, or create derivative works except to the extent permitted by law.
Cloud Products and Services are provisioned to your account. Downloadable Products, if offered, are delivered electronically. No physical goods are supplied unless an order expressly states otherwise.
5. Framework-Pro
Framework-Pro is a self-service product for security framework readiness, including ISO 27001:2022 and NIST CSF 2.0 framework selection, control mapping, policy generation, and supporting document generation.
Framework-Pro outputs are draft business documents and readiness materials. You remain responsible for review, approval, implementation, evidence collection, audit preparation, and professional advice where required.
6. IncidentAI
IncidentAI is an enterprise AI-assisted security incident management and ticketing product. Access is provisioned by aneo after demo, onboarding, customer setup, and any required agreement or order form.
IncidentAI supports incident classification, triage, ownership, timelines, MITRE ATT&CK mapping support, response records, and analysis. You remain responsible for operational decisions, containment, notification, communications, legal review, and incident response execution.
7. Free, trial, and beta features
Free, trial, preview, pilot, or beta Offerings are provided as is, may be limited or throttled, may change at any time, and may be ended by Aneo B.V. unless a signed agreement states otherwise.
Support is provided according to your plan, order, or signed agreement. Beta features may not be covered by service level targets, support commitments, or availability commitments.
8. Customer Content
You retain ownership of Customer Content. You grant Aneo B.V. a limited license to host, process, transmit, display, secure, back up, and generate output from Customer Content as needed to provide, support, secure, and improve the contracted Services and prevent abuse.
You are responsible for the accuracy, legality, appropriateness, and quality of Customer Content and for obtaining all rights, permissions, notices, and legal bases needed to submit it to the Services.
9. AI features and responsible use
The Services may use AI to classify, summarize, draft, map, or analyze security workflow information. AI outputs are informational and require human review before use.
AI outputs are not legal advice, not a security guarantee, not a compliance certification, and not a substitute for qualified professionals, accredited auditors, legal counsel, privacy advisers, security specialists, or accountable customer decision-making.
Aneo B.V. may use vetted third-party model providers and subprocessors to deliver AI features. Customer Content is not used to train foundation models unless you opt in or agree in writing. Zero-retention mode and EU data residency options may be available on supported plans or configurations.
10. Acceptable use
You must use the Services lawfully, responsibly, and in accordance with these Terms, the documentation, the Acceptable Use Policy, and any applicable agreement.
You must not violate law, infringe rights, upload malware, bypass security controls, disrupt the Services, probe systems without authorization, share credentials, overload the platform, or submit prohibited data without a written agreement.
11. Privacy and data protection
Aneo B.V. processes personal data as described in the Privacy Policy and, where applicable, the Data Processing Agreement. For Customer Content containing personal data, Aneo B.V. generally acts as processor and the customer organization generally acts as controller.
Where international transfers occur, Aneo B.V. uses appropriate safeguards where required, such as Standard Contractual Clauses, the UK Addendum, the Swiss addendum, data processing agreements, and vendor due diligence.
12. Security
Aneo B.V. applies reasonable technical and organizational measures designed to protect the Services and Customer Content, including encryption in transit, access controls, logging, monitoring, backups, vulnerability management, and role-based access practices.
You are responsible for secure customer-side configuration, user permissions, identity provider security, endpoint security, exported data, and review of generated output.
13. Third-party services
The Services may include links, integrations, identity providers, payment providers, AI model providers, hosting providers, analytics tools, support tools, or other third-party services. Third-party services are governed by their own terms and policies.
Aneo B.V. is not responsible for third-party services that it does not control, except to the extent required by an applicable data processing agreement or mandatory law.
14. Fees, payment, and taxes
Fees are stated on the applicable pricing page, checkout page, order form, subscription agreement, or invoice. Fees exclude taxes unless stated otherwise. You are responsible for applicable taxes, duties, levies, bank charges, and payment provider fees where applicable.
Invoices are due as stated in the applicable order, checkout, invoice, or signed agreement. Framework-Pro may support online payment through the aneo portal. IncidentAI pricing and payment terms are normally handled through an enterprise order or agreement.
15. Refunds and cancellations
Refunds, cancellations, subscription changes, and renewal terms are governed by the applicable order, subscription terms, enterprise agreement, and Refund Policy.
Unless a signed agreement or mandatory law states otherwise, digital product purchases that have generated, accessed, exported, or downloaded output are generally non-refundable.
16. Intellectual property
Except for Customer Content, the Services and all related software, designs, workflows, text, documentation, templates, generated formats, user interfaces, graphics, logos, product names, and intellectual property are owned by Aneo B.V. or its licensors.
No rights are granted except as expressly set out in these Terms, product functionality, documentation, or a signed agreement.
17. Feedback
If you provide feedback, ideas, suggestions, or improvement requests, Aneo B.V. may use them without restriction or compensation, provided we do not use your confidential information in violation of an applicable agreement.
18. Publicity
Aneo B.V. may use your organization name and logo in a customer list or sales materials unless your order form states otherwise or you opt out by written notice.
19. Term, suspension, and termination
These Terms start when you first use the Services and continue while you use the website, maintain an account, or have an active product subscription or order.
Aneo B.V. may suspend or terminate access for material breach, non-payment, security risk, legal risk, suspected abuse, harm to the Services, or where required by law. You may terminate as set out in the applicable order, subscription terms, or agreement. Upon termination, you must stop using the affected Services except as needed to export Customer Content through available tools during any permitted post-termination access period.
20. Data export and deletion
During the applicable term, available export tools may allow you to export Customer Content. After termination, Aneo B.V. will delete or de-identify Customer Content according to the applicable agreement, data processing terms, retention settings, backup cycle, and legal obligations.
Deletion from active systems is typically completed within 30 days after the applicable termination or deletion trigger, and deletion from backups occurs within a commercially reasonable backup retention period unless law requires longer retention.
21. Warranty disclaimer
The website and Services are provided as is and as available unless a signed agreement states otherwise. Aneo B.V. disclaims all warranties to the maximum extent permitted by law, including merchantability, fitness for a particular purpose, non-infringement, uninterrupted operation, error-free operation, and specific outcomes.
Aneo B.V. does not warrant that generated output will be complete, accurate, current, compliant, suitable for your organization, accepted by customers, or accepted by auditors.
22. Limitation of liability
To the maximum extent permitted by law, Aneo B.V.'s total liability for all claims in any 12-month period is limited to the fees paid by you for the relevant Services in that period, unless a signed agreement states a different limit.
Aneo B.V. is not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, business, goodwill, data, use, opportunity, or anticipated savings. These limits apply even if a remedy fails its essential purpose. Nothing in these Terms limits liability that cannot be limited under applicable law.
23. Indemnities
You will indemnify Aneo B.V. against third-party claims, losses, liabilities, damages, costs, and expenses arising from Customer Content, unlawful use, breach of these Terms, infringement of third-party rights, or misuse of the Services.
Aneo B.V. will indemnify you for third-party claims alleging that the Services, as provided by Aneo B.V. and used within scope, infringe third-party intellectual property rights, except for claims based on Customer Content, use outside scope, customer configuration, modifications not made by Aneo B.V., or combinations with products, services, data, or processes not provided by Aneo B.V.
Each party must provide prompt notice of an indemnified claim, give reasonable assistance, and allow the indemnifying party to control the defense and settlement, provided any settlement does not impose an admission of fault or non-monetary obligation on the indemnified party without consent.
24. Export controls and sanctions
You must not use, export, re-export, provide, or access the Services in violation of export control, sanctions, embargo, anti-bribery, anti-corruption, anti-money laundering, or similar laws. You must not permit access by restricted parties or in prohibited regions.
25. Governing law and disputes
These Terms are governed by the laws of the Netherlands, excluding conflict-of-law rules, unless mandatory local law requires otherwise.
Disputes will be finally resolved by arbitration under the rules of the Netherlands Arbitration Institute in Amsterdam, in English, before one arbitrator, unless a signed agreement states another forum or mandatory law requires another process. Either party may seek interim or injunctive relief in a competent court.
26. Order of precedence
Regional addenda for specific jurisdictions form part of these Terms and prevail over the Master Terms for users in those regions. If a regional addendum conflicts with the Master Terms, the relevant regional addendum controls for that user.
If there is a conflict between these Terms and a signed order form, data processing agreement, subscription agreement, statement of work, or enterprise agreement, the signed document controls for the relevant conflict.
Product-specific terms, regional addenda, and data protection terms may supplement these Terms.
27. Regional addenda
The following addenda apply to users in the named regions and modify or supplement the Master Terms. If an addendum conflicts with the Master Terms, the addendum prevails for users in that region.
EU, EEA, Switzerland, and United Kingdom: Aneo B.V. will act as processor for Customer Content that contains personal data, except where Aneo B.V. acts as controller for account data and service operations. The Data Processing Agreement forms part of these Terms. Where Aneo B.V. or its subprocessors transfer personal data outside the EEA, Switzerland, or the UK, Aneo B.V. will use approved transfer tools such as EU Standard Contractual Clauses, the UK IDTA or Addendum, Swiss addendum, adequacy decisions, or other lawful transfer mechanisms. Aneo B.V. maintains a current subprocessor list and aims to provide 15 days' advance notice for material changes where required by agreement or law.
For supported plans, customers may choose EU data residency for Customer Content. Some telemetry, account, billing, support, security, and operational data may be processed outside the EU as described in the Privacy Policy. Aneo B.V. will assist with data subject requests and regulatory enquiries in accordance with the DPA. If local law treats a micro-business as a consumer, mandatory consumer rights that cannot be waived will apply.
United States: for California residents and similar state privacy laws where applicable, Aneo B.V. will process personal information as a service provider or processor where required, will not sell or share personal information as those terms are defined by applicable law, and will honor similar state privacy obligations where they apply. Marketing emails will comply with CAN-SPAM and you can opt out through provided links. The Services are not directed to children and are intended for business use by adults.
APAC and rest of world: Aneo B.V. aims to honor applicable local privacy laws, including, for example, Singapore PDPA, Australia Privacy Act, Brazil LGPD, India DPDP, and other laws where they apply to your use of the Services. Mandatory consumer protections that cannot be waived under local law will apply. If these Terms are translated, the English version controls if there is a conflict unless mandatory law states otherwise.
28. Linked policies and notices
These Terms should be read together with the Privacy Policy at https://www.aneo.io/privacy-policy/, Cookie Policy at https://www.aneo.io/cookie-policy/, Data Processing Agreement at https://www.aneo.io/dpa/, Sub-processors page at https://www.aneo.io/subprocessors/, Responsible AI page at https://www.aneo.io/responsible-ai/, Acceptable Use Policy at https://www.aneo.io/acceptable-use/, Security Overview at https://www.aneo.io/security-overview/, Responsible Disclosure page at https://www.aneo.io/responsible-disclosure/, Disclaimer at https://www.aneo.io/disclaimer/, and Refund Policy at https://www.aneo.io/refund-policy/.
29. Changes
Aneo B.V. may update these Terms from time to time. Material changes may be notified through the website, product, account email, or other reasonable method. Continued use after the effective date means you accept the updated Terms.
30. Notices and contact
Notices to Aneo B.V. can be sent to legal@aneo.io unless a signed agreement specifies another address. Notices to you may be sent to the email address in your account profile, order, or customer record.
General enquiries can be sent to hello@aneo.io. Contact page: https://www.aneo.io/contact/.
Postal address: Aneo B.V., Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands.
