Terms of Service
Breachday LLC · breachday.io
Effective Date: May 30, 2026
1. Agreement to Terms
These Terms of Service ("Terms") are a legally binding agreement between you or the organization you represent ("Customer," "you," or "your") and Breachday LLC ("Breachday," "we," "us," or "our"), governing your access to and use of the Breachday platform available at app.breachday.io, including all associated features, APIs, exports, and documentation (collectively, the "Service").
By creating an account, clicking 'I agree,' completing checkout, or using the Service in any way, you confirm that you have read, understood, and agree to be bound by these Terms and the Breachday Privacy Policy. If you are accepting on behalf of an organization, you represent and warrant that you have authority to bind that organization.
If you do not agree to these Terms, do not use the Service.
2. Definitions
- "Account" — the registered account associated with an Organization on the Service.
- "Customer Data" — all data, content, files, and materials submitted to the Service by Customer or its users, including scenarios, injects, business continuity program data, playbooks, exercise session logs, generated reports, and AI-generated scenario content produced via the AI Scenario Builder.
- "Exercise Session" — a single live tabletop exercise instance run through the Service.
- "Facilitator" — an authenticated user with permissions to create, configure, and run Exercise Sessions.
- "Observer" — an authenticated user with read-only access to sessions and reports.
- "Participant" — any individual who joins an Exercise Session via room code and optional room password, without a registered Account.
- "Organization" — the company or entity associated with a Customer Account.
- "Subscription" — the paid plan (Starter, Plus, or Pro) and term (1 or 2 years) governing Service access.
- "Subscription Term" — the fixed multi-year period selected at checkout during which the agreed pricing is locked.
- "MSP" — a managed service provider that has entered into a separate MSP agreement with Breachday and manages Client Organizations through the Service.
- "System Templates" — scenario and exercise templates authored by Breachday or adapted from public-domain CISA CTEP materials and made available within the Service.
3. Account Registration and Access
3.1 Account Creation
To access the Service, you must register an Account, verify your email address, and provide accurate, complete organizational information. You are responsible for maintaining the confidentiality of your credentials and for all activity under your Account.
3.2 Participant Access
Exercise Participants join sessions via a room code and optional password without creating an Account. Participants provide only a display name (up to 50 characters). Participant session data — including responses, votes, and hotwash feedback — is associated with the Organization's Exercise Session, not with the Participant as an identified individual. Organizations are responsible for informing Participants about data collection practices before sessions.
3.3 Two-Factor Authentication
Two-factor authentication (TOTP) is available for all authenticated users and is required for certain high-impact actions, including organization deletion and platform-level tenant deletion. You are responsible for securely storing TOTP backup codes.
3.4 Roles and Permissions
Each Organization Account supports three user roles: ADMIN (full management access), FACILITATOR (exercise creation and facilitation), and OBSERVER (read-only). MSP Organizations have additional MSP-specific roles governed by the applicable MSP agreement.
3.5 Eligibility
The Service is designed for business use by individuals 18 years of age or older with legal authority to bind an organization. It is not directed at consumers or minors.
4. Subscriptions and Billing
4.1 Plans
Breachday offers three self-serve subscription tiers: Starter, Plus, and Pro. Feature availability and usage limits are defined per plan within the Service. Current pricing is published at breachday.io/pricing; Stripe Price IDs are authoritative at checkout. Breachday reserves the right to modify plan features with reasonable advance notice.
4.2 Annual and Multi-Year Subscriptions Only
Breachday does not offer month-to-month billing. All Subscriptions are sold on fixed annual terms of one (1) or two (2) years, selected and paid at checkout.
- Pricing is locked for the full Subscription Term at the rate confirmed at checkout, regardless of any subsequent price changes Breachday makes to its standard pricing.
- Longer terms receive a greater discount; the applicable discount is displayed at checkout and confirmed in your order confirmation.
- The full Subscription fee for the elected term is due and payable at the start of the Subscription Term.
- Subscriptions auto-renew by default.
4.3 Free Trial
New Organizations are eligible for a free trial period (default 15 days). A payment method is collected at checkout during trial signup. Unless you cancel before the end of the trial period (via your account billing settings / Stripe Customer Portal), your trial will automatically convert to a paid Subscription and your payment method will be charged. If you abandon checkout before completing trial signup, no charge occurs.
4.4 Cancellation and Post-Cancellation Period
You may cancel your Subscription at any time through your account settings (Settings → Billing → Manage subscription, via the Stripe Customer Portal) or by contacting Breachday. Cancellation does not entitle you to a refund of prepaid fees for the remainder of the Subscription Term.
Upon cancellation, your Organization enters a six (6) month read-only retention period:
- Your account remains accessible but no new Exercise Sessions may be created or run.
- All previously generated reports, session data, and exported files remain available for download throughout the retention period.
- Breachday will send reminder emails at 30 days and 5 days before the end of the retention period.
- If you do not delete your Organization or renew your Subscription before the end of the six-month retention period, all Customer Data — including reports, scenarios, business continuity program data, and playbooks — will be permanently and irreversibly deleted.
- To retain your data beyond the retention period, you must export your data before expiry or purchase a new Subscription.
Permanent deletion is executed automatically by Breachday's scheduled data lifecycle process. This deletion cannot be reversed once completed.
4.5 Organization Self-Deletion
An Organization ADMIN may permanently delete the Organization at any time via account settings (requires 2FA confirmation and organization slug entry). This action immediately and irreversibly deletes all Customer Data, cancels any active Stripe subscription, and removes all associated user accounts. There is no recovery after self-deletion.
4.6 MSP-Managed Organizations
Client organizations managed by an MSP under a separate MSP agreement are subject to the billing and data lifecycle terms of that agreement and are exempt from the standard subscription lapse and auto-deletion policy described above. Contact Breachday for MSP-specific terms.
4.7 Taxes
Subscription fees are exclusive of applicable taxes. Where required by law, Breachday or its payment processor (Stripe) will collect and remit applicable sales, use, VAT, or similar taxes. You are responsible for any taxes imposed on your Organization's use of the Service.
4.8 Payment Processing
Payments are processed by Stripe. Breachday does not store raw payment card data. By subscribing, you agree to Stripe's terms of service. In the event of payment failure, Breachday will notify you via email. Failure to resolve a payment failure may result in suspension of the Service and, ultimately, entry into the cancellation and data retention timeline described in Section 4.4.
5. Acceptable Use
5.1 Permitted Use
The Service is provided solely for lawful business purposes — specifically, designing, facilitating, analyzing, and documenting cybersecurity and business continuity tabletop exercises within your Organization or with authorized third parties.
5.2 Prohibited Conduct
You agree not to:
- Use the Service for any unlawful purpose or in violation of any applicable law or regulation
- Upload, store, or transmit actual sensitive personal data, protected health information (PHI), live payment card data, classified information, or real credentials in Exercise Sessions, scenarios, or playbooks
- Attempt to access, scrape, or exfiltrate any other Organization's data, accounts, or systems through the Service
- Attempt to bypass tenant isolation, rate limits, room access controls, or any other security mechanism of the Service
- Distribute malware, viruses, or other malicious code through any feature of the Service
- Reverse engineer, decompile, or attempt to extract the source code of the Service
- Resell, sublicense, or white-label the Service except as expressly permitted under a Breachday MSP agreement
- Use automated means to access the Service in a manner that places unreasonable load on the platform infrastructure
- Misrepresent Breachday-provided CISA CTEP-derived scenario templates as official U.S. government exercises or materials
- Upload playbook content that infringes third-party intellectual property rights
5.3 Enforcement
Breachday reserves the right to suspend or terminate any Account that violates this Acceptable Use policy, with or without prior notice depending on the severity of the violation.
6. Customer Data and Intellectual Property
6.1 Customer Data Ownership
Customer retains all right, title, and interest in and to Customer Data. Breachday does not own Customer Data.
6.2 License to Process Customer Data
By using the Service, Customer grants Breachday a limited, non-exclusive, royalty-free license to access, store, process, and transmit Customer Data solely as necessary to: (a) provide and operate the Service; (b) generate exports and reports on Customer's behalf; (c) maintain backups and ensure data integrity; and (d) comply with applicable legal obligations or enforce these Terms. This license terminates upon permanent deletion of Customer Data in accordance with these Terms.
6.3 No AI Training on Customer Data
Breachday does not use Customer Data — including exercise scenarios, injects, session logs, participant responses, business continuity program data, or generated reports — to train, fine-tune, or improve machine learning or artificial intelligence models. Customer Data is used exclusively to operate the Service.
Where Customer uses the AI Scenario Builder feature, scenario prompts and structural parameters are routed through OpenRouter under Zero Data Retention (ZDR) settings, meaning input and output data is not stored beyond the duration of the API request, not logged for retention, and not used for model training by OpenRouter or its upstream model providers. Free-tier models that do not support ZDR are disabled on Breachday's OpenRouter account.
6.4 Breachday Intellectual Property
Breachday retains all right, title, and interest in the Service, including the platform, application code, UI/UX, algorithms, Breachday-authored System Templates, and all intellectual property therein. These Terms do not grant you any ownership interest in the Service or its underlying technology.
6.5 CISA CTEP Templates
Certain scenario templates available on Plus and Pro plans are adapted from CISA Cybersecurity Tabletop Exercise Package (CTEP) materials published under TLP:CLEAR. These templates are derived from public domain U.S. government content. Customer may use, modify, and export cloned versions of these templates within the Service. Customer must not represent adapted templates as official CISA or U.S. government materials.
6.6 Feedback
If you provide feedback, suggestions, or improvement ideas to Breachday, you grant Breachday a perpetual, irrevocable, worldwide, royalty-free license to use that feedback without restriction or compensation to you.
7. Exports and the Public Scenario Builder
7.1 Exports
The Service generates exercise reports, scenario exports, and crisis communication documents on demand in PDF, DOCX, and JSON formats. Downloaded export files (PDF, DOCX) are generated at the time of request via transient server-side processing and are not stored in Breachday's file storage. Customer is solely responsible for the security, retention, and use of exported files once downloaded.
7.2 Report Data Persistence
Report data (structured JSON payload and facilitator notes) may be persisted within the Service on plans that support it, allowing reports to be regenerated on demand. Customers on plans that persist report data may access regenerated reports during the post-cancellation retention period described in Section 4.4.
7.3 Public Scenario Builder (/build)
The public scenario builder at breachday.io/build is available without an Account. Draft data entered in the public builder is stored in your browser's local storage only. When exporting a scenario to PDF or DOCX, the draft content is sent to Breachday's servers transiently to generate the file, but is never stored or retained. Breachday has no access to, and no responsibility for, draft content entered in the public builder. You should export your work before clearing browser storage or switching devices, as locally stored data may be permanently lost.
8. Exercise Participants and Room Access
Exercise Participants join sessions via a room code and optional room password shared by the Facilitator. The security of that room code and password is the Organization's operational responsibility — Breachday does not control how these are shared or by whom.
Participants have no contractual relationship with Breachday. Organizations are responsible for ensuring Participants are informed of data collection practices (display name, session responses, votes, and hotwash feedback) appropriate to the Organization's workplace policies.
Room passwords are cryptographically hashed for verification. A facilitator-viewable copy is encrypted at rest.
9. System Templates
Breachday provides System Templates (Breachday-authored and CISA CTEP-derived) available to eligible plan tiers. CISA CTEP templates are available on Plus and Pro plans only. Customers may clone System Templates and customize them within their Organization. Cloned templates become Customer Data and are subject to the terms governing Customer Data.
Breachday may update, add, or retire System Templates at any time. Cloned and customized copies already in a Customer's Organization are not affected by changes to System Templates.
10. MSP and Reseller Program
Organizations participating in the Breachday MSP program operate under a separate MSP agreement that governs client slot licensing, client organization management, white-label report options, facilitator access grants, and billing arrangements. MSP agreements supplement and, in the event of conflict, control over these Terms with respect to MSP-specific obligations.
When an MSP Organization is deleted, all managed Client Organizations are deleted first. MSP administrators are responsible for notifying affected clients before initiating deletion.
11. Support and Platform Administration
11.1 Customer Support
Support is provided via in-app support tickets. Breachday staff may create internal notes on tickets that are not visible to the Customer. Support response times are not guaranteed for self-serve plans; Enterprise agreements may specify response time commitments.
11.2 Platform Administration
Breachday personnel with platform admin access may, in the course of operating and supporting the Service:
- View tenant and organization records for support and billing purposes
- Trigger password resets for authenticated users
- Provision or revoke platform admin access
- Delete tenant organizations (requiring 2FA confirmation)
- Manage MSP accounts and client relationships
All platform admin actions are recorded in a tamper-evident audit log that captures the admin user ID, action type, entity reference, and timestamp. Breachday does not access Customer Data except as necessary to provide support or comply with legal obligations.
12. Availability and Service Changes
Breachday will use commercially reasonable efforts to maintain Service availability. No uptime SLA is guaranteed for self-serve Subscriptions. Service functionality depends on third-party infrastructure providers. Breachday is not liable for downtime or delays caused by third-party infrastructure providers.
Breachday reserves the right to modify, add, or remove Service features with reasonable notice. Features described as 'planned,' 'coming soon,' or 'Enterprise only' in marketing materials are not commitments and are not guaranteed to ship or ship on any particular timeline.
13. Sensitive and Regulated Data
Breachday is a tabletop exercise simulation platform. Customers may use the Service to simulate scenarios involving sensitive topics (ransomware, data breaches, etc.). Breachday is not designed or certified for the storage or processing of actual:
- Protected Health Information (PHI) under HIPAA
- Payment card data subject to PCI DSS
- Classified or government-restricted information
- Personally identifiable information beyond what is necessary for exercise facilitation
Breachday is not a HIPAA Business Associate by default. If you require a Business Associate Agreement (BAA), contact Breachday at compliance@breachday.io before submitting any PHI. Customer is solely responsible for ensuring that content uploaded to the Service complies with applicable regulations.
14. Disclaimers
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THE SERVICE IS A SIMULATION AND TRAINING TOOL. BREACHDAY DOES NOT WARRANT THAT USE OF THE SERVICE CONSTITUTES COMPLIANCE WITH ANY REGULATORY REQUIREMENT, SATISFIES ANY AUDIT STANDARD, OR REFLECTS ACTUAL INCIDENT RESPONSE READINESS. EXERCISE REPORTS ARE INFORMATIONAL ONLY AND DO NOT CONSTITUTE LEGAL, REGULATORY, OR PROFESSIONAL ADVICE.
AI-GENERATED CONTENT PROVIDED BY THE PLATFORM — INCLUDING SCENARIOS GENERATED BY THE AI SCENARIO BUILDER AND WEEKLY SCENARIO RECOMMENDATIONS — IS INFORMATIONAL ONLY, DOES NOT CONSTITUTE PROFESSIONAL SECURITY, LEGAL, OR COMPLIANCE ADVICE, AND BREACHDAY MAKES NO WARRANTY AS TO ITS ACCURACY, COMPLETENESS, OR FITNESS FOR ANY PARTICULAR COMPLIANCE PURPOSE. CUSTOMER IS SOLELY RESPONSIBLE FOR REVIEWING, EDITING, AND VALIDATING AI-GENERATED SCENARIO CONTENT BEFORE USE IN EXERCISES.
15. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL BREACHDAY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF DATA, LOST PROFITS, OR BUSINESS INTERRUPTION, ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE SERVICE, EVEN IF BREACHDAY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
BREACHDAY'S TOTAL CUMULATIVE LIABILITY TO YOU ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE WILL NOT EXCEED THE TOTAL FEES PAID BY YOU TO BREACHDAY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
16. Indemnification
You agree to indemnify, defend, and hold harmless Breachday LLC and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use of the Service in violation of these Terms or applicable law; (b) Customer Data, including any claim that it infringes or misappropriates third-party rights; (c) Participants' use of the Service facilitated by your Organization; or (d) your Organization's failure to inform Participants of applicable data handling practices.
17. Term and Termination
17.1 Term
These Terms remain in effect for the duration of your Subscription Term and any post-cancellation retention period, and continue to govern use of any data or exports in your possession after termination.
17.2 Termination by Customer
You may cancel your Subscription at any time. Cancellation takes effect at the end of the current Subscription Term (no refund of prepaid fees), and your Organization enters the six-month read-only retention period described in Section 4.4.
17.3 Termination by Breachday
Breachday may suspend or terminate your Account immediately for cause, including material breach of these Terms, violation of the Acceptable Use policy, fraudulent activity, or legal requirement. Where feasible, Breachday will provide notice and an opportunity to cure before termination.
17.4 Survival
Sections governing intellectual property, confidentiality, disclaimers, limitation of liability, indemnification, and governing law survive termination of these Terms.
18. Copyright and DMCA
Breachday respects intellectual property rights. If you believe that content available through the Service infringes your copyright, please send a written notice to compliance@breachday.io including: (a) identification of the copyrighted work; (b) identification of the infringing material and its location; (c) your contact information; (d) a statement of good faith belief; and (e) a statement under penalty of perjury that the information is accurate and you are authorized to act on the copyright owner's behalf.
19. Modifications to Terms
Breachday may modify these Terms at any time. Material changes will be communicated via email to your registered address or a prominent in-Service notice at least 14 days before the effective date. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you must cancel your Subscription before the effective date.
20. Governing Law and Disputes
These Terms are governed by the laws of the State of Colorado, without regard to conflict of law principles. Any dispute that cannot be resolved through good-faith negotiation will be submitted to binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, with proceedings in Denver, Colorado. Either party may seek emergency injunctive relief in any court of competent jurisdiction without waiving arbitration rights.
21. General Provisions
- Entire Agreement: These Terms, together with the Privacy Policy and any applicable MSP agreement or Enterprise order form, constitute the entire agreement between the parties regarding the Service.
- Severability: If any provision is found unenforceable, the remaining provisions remain in full force.
- Waiver: Failure to enforce any provision is not a waiver of future enforcement.
- Assignment: You may not assign these Terms without Breachday's prior written consent. Breachday may assign in connection with a merger, acquisition, or asset sale.
- Force Majeure: Neither party is liable for delays caused by circumstances beyond their reasonable control, including infrastructure outages at third-party providers.
- Notices: Legal notices to Breachday must be sent to compliance@breachday.io.
22. Contact
For questions about these Terms: