Terms of Use
Last updated: April 2026
1. What GrundScan is
GrundScan is an automated static analysis service that checks ABAP source code against the requirements of BSI IT-Grundschutz APP.4.6. The service produces a security report and, where eligible, issues an automated security analysis certificate.
GrundScan is not a BSI-accredited certification body and does not issue formal BSI certifications. Results reflect automated analysis of the submitted source snapshot and do not substitute a manual security audit.
2. Your code and data
- By submitting code, you confirm that you are authorised to share it with GrundScan for the purpose of security analysis.
- Source code is processed, not stored. Raw source files (GitHub repository contents and uploaded ZIP archives) are accessed solely to run the analysis and are not retained in our database after the scan completes.
- Scan results are stored — the requirement-level outcomes, scores, flagged file paths, and code snippet excerpts shown in your report are stored in our database and associated with your account.
- GitHub tokens are deleted from our database immediately after the scan finishes.
- We do not share your code or results with any third party, except as required by law.
3. Payment and re-scan window
Access to full scan reports, downloads, and certificates requires a one-time payment per scan session.
- Scans with findings (FAILED requirements): Payment unlocks the full report and starts a 14-day re-scan window. During this window, all subsequent scans of the same project are covered — you may re-scan as many times as needed to remediate findings. After 14 days, a new payment is required for the next session.
- Clean scans (no FAILED requirements): Payment provides immediate one-time access to the PDF report, XLSX export, and certificate. No re-scan window applies.
Payments are processed by Stripe. GrundScan does not store payment card details. All sales are final; refunds are handled on a case-by-case basis.
4. Certificates
Certificates issued by GrundScan are valid for 6 months from the date of issue. They attest that automated static analysis was performed and the codebase met the scoring threshold at the time of analysis. They do not guarantee the absence of all security vulnerabilities.
Certificate verification pages (/verify/[token]) are publicly accessible and are intended to be shared with customers and auditors.
5. Limitation of liability
GrundScan provides automated analysis on a best-effort basis. We make no warranty that the analysis is complete, error-free, or sufficient for any specific compliance or procurement requirement. Use of this service does not create any liability on the part of GrundScan for security incidents, data breaches, or failed audits.
6. Acceptable use
You agree not to:
- Submit code you do not have the right to share
- Attempt to reverse-engineer or abuse the analysis engine
- Use the service to generate fraudulent or misleading certificates
7. Changes
We may update these terms from time to time. Continued use of the service after changes constitutes acceptance of the revised terms.
8. Contact
Questions about these terms: hello@grundscan.com