Please read these Terms of Service carefully before using AppScan Studio. By accessing or using the platform, you agree to be bound by these terms on behalf of yourself and the organisation you represent. If you do not agree to all the terms below, do not use the service.

1. Acceptance of Terms

These Terms of Service ("Terms") constitute a legally binding agreement between QUICKSYNC, UNIPESSOAL LDA, a company registered under the laws of Portugal with tax identification number 518210596 (hereinafter "AppScan", "we", "us", or "our"), and the organisation and its users that access AppScan Studio ("Client", "you", or "your").

By creating an account, logging in, or using any part of AppScan Studio, you confirm that:

• You have the legal authority to enter into this agreement on behalf of your organisation.
• Your organisation accepts these Terms in full.
• You are at least 18 years of age.

2. Description of the Service

AppScan Studio is a web-based Software-as-a-Service (SaaS) platform that analyses OutSystems low-code applications. The service enables users to:

• Submit a publicly accessible application URL for automated scanning.
• Receive structured reports covering modules, screens, roles, access controls, server actions, and mobile build metadata.
• Compare two scan reports side by side to identify changes between versions.
• Generate AI-powered changelogs using the OpenAI GPT API, based on structural scan data.

AppScan Studio is delivered entirely as a web application — no software download, local installation, or client-side configuration is required. Access is provided on a subscription basis, as described in Section 5.

2.1 Third-Party Service Providers

To deliver the service, AppScan Studio relies on the following sub-processors. We are transparent about who they are so you can review their own policies if relevant to your compliance posture:

• OpenAI — used to generate AI-assisted changelogs from anonymised structural scan data. No personal data is transmitted. See Section 6.2 for details.
• Cloudflare — used as the CDN, DDoS-protection layer, and edge security front for the application. Cloudflare may process request metadata (IP address, request path, user-agent) to perform its security function. Cloudflare does not receive your scan data or report contents.
• Amazon Web Services (AWS) — used for hosting infrastructure. Your account data and scan reports are stored on AWS instances located in the EU/EEA region. Data at rest is encrypted using AWS-managed keys.

We do not introduce new sub-processors without first updating these Terms.

3. Permitted Use

3.1 Authorised Use

You may use AppScan Studio solely for lawful purposes and in accordance with these Terms. When submitting a URL for scanning, you represent and warrant that at least one of the following is true:

• You are an authorised owner, administrator, or designated representative of the target application; or
• The target URL is publicly accessible, and you are using the scan results for legitimate analysis, quality assurance, documentation, or development purposes.

The subscription licence grants access to scan OutSystems environments that the subscribing organisation owns, operates, or has been explicitly authorised to audit in writing by the environment owner. AppScan Studio is not licensed for scanning third-party applications without prior written authorisation from the owner of that environment.

3.2 Prohibited Use

You must not use AppScan Studio to:

• Scan applications or systems for which you have no authorisation and no legitimate purpose.
• Use scan results to identify or exploit security vulnerabilities in systems belonging to third parties.
• Violate any applicable law, regulation, or third-party rights.
• Attempt to reverse-engineer, decompile, or extract the source code of AppScan Studio itself.
• Resell, sublicence, or redistribute access to AppScan Studio without prior written consent from AppScan.
• Interfere with or disrupt the integrity or performance of the platform or its underlying infrastructure.

AppScan reserves the right to suspend or terminate accounts that engage in prohibited use, without refund and without prior notice, where immediate action is warranted.

4. User Accounts

AppScan Studio operates on a multi-tenant, company-level account model. Each subscribing organisation has a single company account under which individual users are managed.

• Account registration requires valid organisational details and a business email address.
• The organisation's designated administrator is responsible for managing user access within the account.
• The Client organisation is responsible for all actions taken by its users under the company account.
• Credentials must not be shared between individuals. Each user should have their own login.
• You must notify AppScan promptly at [email protected] if you suspect unauthorised access to your account.

AppScan is not liable for any loss or damage arising from unauthorised access resulting from the Client's failure to maintain adequate security over its credentials.

5. Subscription and Payment

5.1 Free Trial

New accounts are granted a 14-day free trial from the date of account activation. The trial is fully featured, requires no payment method up front, and is intended to let you evaluate the service against your own OutSystems environment(s).

• The trial period and its end date are visible inside the application at all times.
• A countdown banner appears within the app starting 14 days before the trial ends.
• If the trial ends without conversion to a paid subscription, login is blocked and the account moves to a read-only "expired" state. No data is deleted at this point — see Section 6 for retention.
• A trial may be extended at AppScan's sole discretion on written request.

5.2 Pricing Model

Access to AppScan Studio is priced as a flat annual subscription fee per OutSystems factory (environment). There is no limit on the number of users per account under the standard subscription. Per-environment pricing applies regardless of which AppScan plan you are on.

5.3 Billing and Payment

• Subscription fees are billed annually in advance.
• Payment is due within the number of days specified in the invoice or order form.
• Failure to pay by the contract end date results in suspension of access until payment is received. See Section 5.5 for the expiry behaviour.

5.4 Cancellation and Renewal

• Either party may cancel the subscription by providing written notice to the other party.
• Upon cancellation, access to the service continues until the end of the current paid annual period.
• No refunds are provided for unused time within an active annual subscription period.
• The subscription does not auto-renew without your explicit confirmation; an invoice is issued for the next annual period and access continues only once that invoice is paid.

5.5 Contract Expiry

When the contract end date stored against your account passes (either at the end of a trial or at the end of an unrenewed paid period), access is suspended automatically. You will see a notice on the login screen and be unable to start new scans. Existing scan data and reports remain stored under your account for 60 days after the contract end date — see Section 6.4 for the full retention timeline.

5.6 Changes to Pricing

AppScan reserves the right to change subscription prices with at least 30 days' written notice. Continued use of the service after a price change takes effect constitutes acceptance of the new pricing. Price changes never apply retroactively to an annual period you have already paid for.

6. Data and Privacy

6.1 Scan Data Storage

Scan results, including the structured JSON reports produced by AppScan Studio, are stored securely in our database. Each client's data is logically isolated from other clients' data through our multi-tenant architecture. We do not share, sell, or otherwise disclose your scan results to third parties.

6.2 Use of Third-Party Sub-Processors

As listed in Section 2.1, AppScan Studio uses three third-party service providers — OpenAI, Cloudflare, and Amazon Web Services — to deliver the service. Each receives a different, minimal slice of data:

• OpenAI (AI changelog generation). When you request an AI-powered changelog, anonymised structural data derived from your scan reports (module names, screen names, action names) is transmitted to the OpenAI API. No personal data about end-users of the target application is included. By using the AI changelog feature, you acknowledge and consent to this processing in accordance with OpenAI's terms of service and privacy policy.
• Cloudflare (edge security & CDN). All traffic to AppScan Studio passes through Cloudflare's edge network for DDoS protection, TLS termination, and bot mitigation. Cloudflare processes request metadata (IP address, request path, user-agent) but does not receive your scan data or report contents. Cloudflare acts as a sub-processor under its own DPA and SCCs.
• Amazon Web Services (hosting). All application servers and databases run on AWS infrastructure located in the EU/EEA region. Data at rest is encrypted using AWS-managed keys. AWS acts as a sub-processor under the AWS GDPR DPA and applicable SCCs.

AppScan does not share, sell, or otherwise disclose your scan results to any other third party.

6.3 General Privacy

AppScan processes personal data (such as account registration details) in accordance with applicable data protection law, including the General Data Protection Regulation (GDPR) as applicable in Portugal and the EU, and the Lei Geral de Proteção de Dados (LGPD) as applicable to our Brazilian clients. Our full Privacy Policy is available on the AppScan Studio platform.

6.4 Retention and Deletion Timeline

This section sets out exactly when scan data, reports, and account records are deleted from our systems. Two distinct triggers apply:

• Immediate deletion (self-cancellation). If you self-cancel a trial from inside the application, OR if AppScan processes a paid-subscription cancellation request from you, all data associated with your account is permanently deleted on confirmation. There is no recovery.
• Suspension then deletion (lapsed contract). When a contract end date passes without renewal or active cancellation, your account is immediately suspended (login blocked, no new scans). Existing scan data and reports remain stored for 60 days after the contract end date to give you the option to renew without losing them. After 60 days, all data associated with the account is permanently deleted on a routine sweep. We do not extend the 60-day window automatically.

The only exception to "permanently deleted" is the trial-abuse prevention hash described in our Privacy Policy §4.1 — a one-way SHA-256 of the deleted email is kept for 90 days to block immediate re-registration with the same address. The plaintext email itself is never retained.

7. Intellectual Property

7.1 AppScan Studio Platform

AppScan Studio, including its software, design, algorithms, output format, and all associated intellectual property, is and remains the exclusive property of QUICKSYNC, UNIPESSOAL LDA. Nothing in these Terms grants you any ownership right, title, or interest in or to the platform.

7.2 Client Reports

Scan reports generated from your submitted URLs belong to your organisation. You retain full ownership of the data and reports produced for your account. AppScan is granted a limited licence to store and process that data solely for the purpose of providing the service.

7.3 Feedback

If you provide feedback, suggestions, or ideas about AppScan Studio, you grant AppScan a perpetual, royalty-free licence to use that feedback without obligation to you.

8. Disclaimer of Warranties

AppScan Studio is provided "as is" and "as available". We make reasonable efforts to ensure the accuracy and reliability of the service, but we do not guarantee:

• That scan results are complete, exhaustive, or error-free.
• That the information in a report accurately reflects the current state of the target application at any time other than the moment of the scan.
• That the service will be available without interruption, or that defects will always be corrected promptly.

Scans reflect publicly available information at the time of scanning. Target applications may change after a scan is performed, and AppScan assumes no responsibility for decisions made on the basis of outdated scan data.

To the maximum extent permitted by applicable law, AppScan disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement.

9. Limitation of Liability

To the fullest extent permitted by law, AppScan and its directors, employees, and contractors shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or related to your use of AppScan Studio, including but not limited to:

• Loss of profits, revenue, or business opportunities.
• Loss of data or reputational harm.
• Damages arising from decisions made on the basis of scan results.

In any event, AppScan's total aggregate liability to you for any claims arising under or in connection with these Terms shall not exceed the total fees paid by your organisation to AppScan in the three (3) months immediately preceding the event giving rise to the claim.

Some jurisdictions do not allow the exclusion of certain warranties or limitation of liability for certain types of damages, so some of the above limitations may not apply to you.

10. Governing Law and Jurisdiction

These Terms are governed by and construed in accordance with the laws of Portugal, without regard to its conflict of law principles.

Any disputes arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of Portugal, unless mandatory local consumer protection law in another jurisdiction requires otherwise.

We serve clients in both Portugal and Brazil. Brazilian clients are also subject to applicable provisions of Brazilian consumer and data protection law (including the LGPD) where those provisions provide mandatory protections that cannot be contractually waived.

11. Changes to These Terms

AppScan reserves the right to update or modify these Terms at any time. When we make material changes, we will notify you by:

• Sending a notification to the email address associated with your account; and/or
• Displaying a prominent notice within the AppScan Studio platform.

Changes take effect 14 days after notification, unless a longer notice period is required by applicable law. Your continued use of the service after that date constitutes acceptance of the revised Terms. If you do not agree to the updated Terms, you may cancel your subscription before the changes take effect.

12. General Provisions

12.1 Entire Agreement

These Terms, together with any applicable order form or subscription agreement, constitute the entire agreement between you and AppScan regarding the service and supersede all prior agreements, representations, and understandings.

12.2 Severability

If any provision of these Terms is found to be unenforceable or invalid under applicable law, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will continue in full force and effect.

12.3 Waiver

AppScan's failure to enforce any provision of these Terms shall not constitute a waiver of that provision or any other provision.

12.4 Assignment

You may not assign or transfer your rights or obligations under these Terms without AppScan's prior written consent. AppScan may assign these Terms in connection with a merger, acquisition, or sale of assets, with notice to you.

13. Contact Information

If you have any questions about these Terms, or need to reach us regarding your account, please contact us:

• Company: QUICKSYNC, UNIPESSOAL LDA
• Tax ID (NIF): 518210596
• Email: [email protected]

Thank you for using AppScan Studio.