Terms of Service

Effective date: Draft — not yet in effect

Draft pending legal review. These Terms are a good-faith draft and will be reviewed by qualified healthcare counsel before they take effect. The scanning boundaries in section 3 and the plain-language version on the trust & legal page describe how the Service already operates today.

1. The agreement

These Terms of Service (the “Terms”) govern your access to and use of the Sift Health website, scanning service, dashboard, API, and reports (together, the “Service”). By requesting a scan, creating an account, or otherwise using the Service, you agree to these Terms. If you use the Service on behalf of an organization, you represent that you have authority to bind that organization, and “you” refers to it.

If you do not agree to these Terms, do not use the Service.

2. What the Service is (and is not)

Sift Health is an automated scanner that identifies publicly observable risk indicators on healthcare websites: third-party tracking technologies, transport security configuration, security headers, form handling, privacy-policy disclosures, and basic infrastructure hygiene.

The Service is not a HIPAA compliance audit, a certification, a penetration test, or a legal determination of any kind. Regulatory obligations depend on administrative, physical, and technical safeguards that no external scan can observe. Reports, scores, and grades are informational risk indicators only. Every report carries a structured disclaimer to this effect, and that disclaimer is part of the report: it may not be removed, including on white-labeled exports.

3. Scanning boundaries

Scans operate within hard boundaries that are part of the Service’s design, not configurable options:

  • Passive and read-only. Scans issue standard crawler-equivalent GET and HEAD requests. They never submit forms, post data, test credentials, attempt authentication bypass, or perform any intrusion or exploitation technique.
  • Public pages only. Scans evaluate only publicly accessible pages: the same content any visitor or search-engine crawler can reach. Nothing behind a login is requested, ever.
  • Bounded. A scan reads robots.txt and the sitemap, visits a small bounded set of pages (roughly 15–20), and stops.
  • Not an audit. Scan output does not constitute a formal compliance audit, assessment, or certification of the scanned website.

4. Acceptable use

You agree that you will:

  • only configure recurring, automated monitoring for domains you own or are authorized to assess, and complete domain verification before doing so;
  • not present a Sift Health report, score, or grade as a compliance certification, audit result, or legal opinion, to a client, a regulator, or anyone else;
  • not attempt to evade rate limits, automate unverified on-demand scans at scale, resell raw scan capacity, or use the Service to harass or harm the operator of any website;
  • not submit protected health information (PHI) or other sensitive personal data through the Service, including the contact form;
  • not reverse engineer, disrupt, or probe the Service itself beyond use through its documented interfaces.

We may suspend or terminate access for violations of this section.

5. Accounts and organizations

Some features require an account and an organization workspace. You are responsible for safeguarding your credentials and API keys and for activity under your account. Keep your contact email accurate: it is how we deliver alerts and service notices. Seats, sites, and scan volumes are governed by your plan.

6. Plans, billing, and cancellation

Paid plans are billed in advance on a recurring basis through our payment processor (Stripe). Pricing shown during our early-access period is draft pricing and may change with notice before your next renewal. Taxes may apply.

You can cancel at any time from the billing portal; cancellation takes effect at the end of the current billing period. Except where required by law, fees are non-refundable. After cancellation, your scan history remains exportable for a limited window (currently 90 days, draft) on our retention schedule.

7. Reports, scores, and findings

Reports reflect observations of publicly accessible pages at scan time. Websites change; findings can become stale, and automated detection can produce false positives and false negatives. Review findings with your own counsel or security advisor before acting on them.

Public report pages are excluded from search-engine indexing by design. You are responsible for how you share report links and exports.

8. Intellectual property

We retain all rights in the Service, including its software, signature catalogs, scoring methodology, and documentation. You retain all rights in your website and its content; you grant us a limited license to fetch and analyze its publicly accessible pages and to store the resulting observations in order to provide the Service. Reports generated for you may be used by you for your internal purposes and, on agency plans, shared with the relevant client.

9. Disclaimer of warranties

THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WITHOUT LIMITING THE FOREGOING, WE DO NOT WARRANT THAT SCAN RESULTS ARE COMPLETE OR ERROR-FREE, THAT THE SERVICE WILL IDENTIFY EVERY RISK INDICATOR PRESENT ON A WEBSITE, OR THAT A FAVORABLE SCORE MEANS A WEBSITE OR ITS OPERATOR SATISFIES ANY LEGAL OR REGULATORY OBLIGATION.

10. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER SIFT HEALTH NOR ITS SUPPLIERS WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, DATA, OR GOODWILL, ARISING FROM OR RELATED TO THE SERVICE, INCLUDING RELIANCE ON ANY REPORT, SCORE, OR FINDING. OUR AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THE SERVICE IS LIMITED TO THE GREATER OF (A) THE AMOUNTS YOU PAID US IN THE TWELVE MONTHS BEFORE THE CLAIM AROSE AND (B) ONE HUNDRED US DOLLARS.

11. Indemnification

You will defend and indemnify Sift Health against claims arising from your misuse of the Service, including configuring monitoring for domains you were not authorized to assess or presenting reports as compliance certifications.

12. Changes to the Service or these Terms

We may update the Service and these Terms. For material changes to the Terms we will give notice (for example by email or an in-product notice) before they take effect. Continued use of the Service after the effective date constitutes acceptance.

13. Governing law

Governing law and venue will be specified here once confirmed with counsel. Until then, this section is an acknowledged placeholder in the draft.

14. Contact

Questions about these Terms? Reach us through the contact form. Please do not include PHI.

See also the Privacy Policy and the plain-language trust & legal notes.