These Terms of Service (“Terms”) govern access to and use of the Varde service (“Varde” or the “Service”) provided by Sekyr AS, a company registered in Norway with registered office in Oslo (“Sekyr”, “we”, “us”, “our”). By creating an account, by prefixing a container registry URL with sekyr.com/, or by otherwise accessing or using Varde, the customer (“Customer”, “you”) agrees to be bound by these Terms. If you accept these Terms on behalf of an entity, you represent and warrant that you have authority to bind that entity, and “Customer” refers to that entity.
These Terms incorporate by reference the Sekyr Data Processing Terms (DPA) published at the Sekyr Trust Center. The DPA forms an integral part of these Terms and applies automatically to all Customers globally whenever Sekyr processes Customer Personal Data in providing the Service; no separate signature is required (see Section 6.2).
01 Definitions
For the purposes of these Terms:
- “Service” / “Varde”: The OCI pull-through proxy, container-image instrumentation, and runtime-reporting service described in Section 2, together with the dashboard, APIs, and Documentation.
- “Customer Images”: The container images that Customer routes through Varde for instrumentation.
- “Varde Binaries”: The patched copies of ELF binaries and the transient reporter that Sekyr adds as a single overlay layer.
- “Telemetry”: The execution-context data described in Section 3.
- “Execution Report”: A single event emitted on execution of an instrumented binary.
- “Security Event”: An Execution Report that contributes to a security alert.
- “Trust Center”: Sekyr’s published trust pages at sekyr.com/trust and the documents linked there, including the Information & Cyber Security Policy (sekyr.com/security-policy), the Incident Response Plan (sekyr.com/incident-response), the Sub-processor list (sekyr.com/sub-processors), and the Data Processing Terms.
- “Data Processing Terms” or “DPA”: The Sekyr Data Processing Terms published at the Trust Center and incorporated into these Terms by reference.
- GDPR terms: “Personal Data”, “controller”, “processor”, “processing”, “data subject”, “Personal Data Breach”, and “supervisory authority” have the meanings given in the GDPR, as further defined in the DPA.
02 The Service
2.1 General. Varde is an OCI (Open Container Initiative) Distribution-Spec pull-through proxy and container-image instrumentation and runtime-reporting service that provides execution-level security visibility within containerized environments. On first pull of a given digest, Varde analyzes a Customer Image, patches the ELF binaries it identifies, and serves the original image plus a single added layer containing the patched binaries and a transient reporter (collectively, the “Varde Binaries”). Original layers are served byte-for-byte unchanged; the entrypoint is not rewritten; image signatures and provenance are not modified. Instrumentation is performed at pull time via a content-addressed pull-through cache. Sekyr does not permanently store original Customer image layers; only the Sekyr-added layer is retained in the cache.
2.2 Operation. A patched binary’s observation code activates only upon execution of that binary inside an instrumented container. On activation it forks a transient reporter process that captures execution-context information, emits one Execution Report to the Sekyr analysis engine, and exits. The Service does not block, prevent, kill, signal, throttle, or otherwise interfere with command execution, and runs no host daemon, kernel module, or eBPF program.
2.3 Scope; detection-only. Varde provides reporting and visibility into binary executions and high-risk or anomalous command activity (e.g., command injection, suspicious exec chains, lateral movement, unexpected outbound connections, living-off-the-land patterns). Varde is detection-only and is not an enforcement, prevention, protection, EDR (Endpoint Detection & Response), or RASP (Runtime Application Self-Protection) mechanism, and is not a substitute for host- or kernel-level controls.
2.4 Early access. The Service is currently offered in early access and may be provided free of charge during that period. Features, performance characteristics (including pull overhead), coverage, and limits may change. Beta or early-access features are provided “as is” and may be modified or withdrawn.
03 Telemetry and Data Collection
3.1 Mandatory Telemetry. Upon execution of an instrumented binary, Varde collects and transmits:
- (a) command/binary name;
- (b) execution timestamp;
- (c) image identifier and digest;
- (d) detection type or rule identifier;
- (e) container username;
- (f) container hostname;
- (g) binary path;
- (h) environment variables present at the time of execution (subject to filtering as described in the Documentation; see Section 3.4);
- (i) stdout and stderr output;
- (j) network diagnostic information including IP addresses and ports;
- (k) process lineage / parent PID chain and execution context;
- (l) mounted volume information;
- (m) crash logs and error details.
These fields are collected by design and cannot be disabled individually.
3.2 No continuous monitoring. Telemetry is generated only when an instrumented binary executes. There is no persistent or background monitoring; a workload that executes no patched binary emits nothing.
3.3 Customer responsibility. Customer acknowledges that Telemetry content may include personal data, secrets/credentials, confidential information, or sensitive operational information depending on workload configuration, and is solely responsible for ensuring that its collection and use through Varde is lawful and that it has a valid legal basis for any personal data present in its workloads.
3.4 Field-scope reconciliation. Sekyr’s Documentation describes environment-variable capture as limited to non-sensitive values (“env (filtered)”). To the extent of any conflict between Section 3.1 and the Documentation as to the scope of environment-variable or output capture, the narrower description controls, and Sekyr will align its published materials accordingly.
04 Data Retention
4.1 Standard. Execution Reports that do not contribute to a Security Event are deleted after thirty (30) days.
4.2 Security Events. Reports contributing to a Security Event are retained as evidence until deleted by Customer or until termination of the Service, whichever occurs first.
4.3 Anonymized analytics. Sekyr may retain and use data derived from Telemetry that has been aggregated and anonymized such that it no longer identifies, and cannot reasonably be used to identify, any Customer, individual, or Customer environment, for statistical analysis, security research, product development, and service improvement. Source Telemetry is deleted or anonymized within the windows in Sections 4.1–4.2.
05 Customer Responsibilities
5.1 Image rights. Customer represents it has all rights necessary to provide, instrument, cache, serve, and distribute Customer Images through Varde.
5.2 Lawful use. Customer is responsible for its compliance with applicable laws.
5.3 Account security. Customer is responsible for safeguarding its credentials and for all activity under its account. SAML 2.0 single sign-on is available on all customer plans.
5.4 Acceptable use. Customer shall not: (a) instrument or monitor images it is not authorized to instrument or monitor; (b) use the Service for unlawful or unauthorized offensive-security operations; (c) interfere with, disable, or circumvent the Varde Binaries or the reporting function; (d) access Sekyr systems beyond the permitted scope; (e) reverse engineer or attempt to derive Sekyr’s instrumentation method or detection logic; or (f) use the Service to build or benchmark a competing product.
06 Sekyr Responsibilities; Security; Data Processing
6.1 Service operation. Sekyr maintains appropriate technical and organizational measures for the secure operation of the Service, as described in the Trust Center and in the Annexes to the Data Processing Terms.
6.2 Data processing; automatic application of the DPA. Sekyr processes Customer data only to provide, secure, and improve the Service as set out in these Terms and the Data Processing Terms (DPA) published at the Trust Center. The DPA is incorporated into these Terms by reference and applies automatically to all Customers globally whenever Sekyr processes Customer Personal Data in providing the Service, regardless of which data protection laws apply to that processing, and without the need for any separately signed data processing agreement. Acceptance of these Terms constitutes the Customer’s documented processing instructions and the parties’ agreement to the DPA, including (where applicable) deemed execution of the Standard Contractual Clauses incorporated therein.
6.3 Security commitments. Sekyr operates an information-security program governed by its published Information & Cyber Security Policy and conducted in line with the requirements of ISO/IEC 27001, including encryption in transit and at rest, least-privilege role-based access, append-only logging, and a documented Incident Response Plan. Sekyr’s current published commitments and certification status are maintained in the Trust Center, which controls in the event of any inconsistency with marketing materials.
6.4 Non-guarantee. Varde is detection-only and does not guarantee detection of all malicious activity. In particular, it does not detect attacks that never execute a binary or open a socket (e.g., pure in-process memory corruption), statically-linked binaries it cannot identify, kernel-level exploits or rootkits, or build-time supply-chain compromise before an image reaches the registry.
07 Intellectual Property
7.1 Sekyr IP. All rights, title, and interest in Varde, the instrumentation method, the Varde Binaries, detection logic, filters, and infrastructure are and remain Sekyr’s exclusive property.
7.2 Customer IP. Customer retains ownership of its Customer Images. Sekyr does not store the original image layers.
7.3 License to Sekyr. Customer grants Sekyr a limited, non-exclusive, worldwide, royalty-free license to fetch, instrument, cache, serve, and process Customer Images and Telemetry solely to provide, secure, and improve the Service consistent with these Terms.
7.4 Feedback. Customer grants Sekyr a perpetual, irrevocable, royalty-free license to use feedback and suggestions without restriction.
08 Fees and Payment
The Service is currently provided free of charge during early access. If Sekyr introduces fees, it will provide advance notice together with the applicable plan terms. Fees are exclusive of taxes (including Norwegian VAT/merverdiavgift where applicable), and undisputed amounts are due in accordance with the applicable order or invoice.
09 Term, Suspension, and Termination
9.1 Term. These Terms apply from first use of the Service until terminated.
9.2 Termination for convenience. Either party may terminate at any time by ceasing use and/or closing the account, subject to surviving provisions.
9.3 Suspension. Sekyr may suspend the Service for misuse, violation of law, security threats, or non-payment, with notice where practicable and immediately where required to protect the Service or comply with law.
9.4 Effect of termination. On termination, Customer must cease use of instrumented images and delete all copies. Sekyr handles Customer Personal Data in accordance with the Data Processing Terms (deletion or return on termination). Sections 3.3, 4, 7, 10, 11, 12, 14, and the Data Processing Terms survive termination to the extent stated therein.
10 Disclaimers
The Service is provided “as is” and “as available.” To the maximum extent permitted by applicable law, Sekyr disclaims all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement, and does not warrant that the Service will be uninterrupted, secure, or error-free. Customer assumes all risk arising from its deployment and use of the Service.
11 Limitation of Liability
11.1 Cap. To the maximum extent permitted by applicable law, each party’s aggregate liability arising out of or relating to the Service is capped at the total fees paid by Customer in the twelve (12) months preceding the event giving rise to the claim. Where the Service is provided free of charge, the parties intend the aggregate cap to be a nominal amount of NOK 10,000, subject to mandatory law.
11.2 Exclusions. Neither party is liable for indirect, incidental, consequential, special, or punitive damages, or for lost profits, revenue, goodwill, or data.
11.3 Carve-outs. Nothing in these Terms limits liability that cannot be limited under Norwegian mandatory law, including liability for gross negligence (grov uaktsomhet), willful misconduct, or personal injury. The interaction of this cap with liability under the Data Processing Terms and any incorporated Standard Contractual Clauses is addressed in the Data Processing Terms.
12 Confidentiality
Each party will protect the other’s confidential information using at least reasonable care and will use it only to perform under these Terms. Sekyr’s security documentation made available under NDA (e.g., penetration-test reports, certification materials) is Sekyr confidential information.
13 Changes to the Service and Terms
Sekyr may revise detection logic, telemetry formats, filtering, and infrastructure in its discretion and may introduce customer-defined rules without amendment to these Terms. Sekyr may update these Terms; for material changes Sekyr will provide reasonable advance notice (e.g., by email and/or in-product or Trust Center notice). Continued use after the effective date of an update constitutes acceptance. The current version is always posted in the Trust Center.
14 General
14.1 Governing law. These Terms are governed by Norwegian law, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods.
14.2 Venue. The exclusive venue for disputes is Oslo District Court (Oslo tingrett), subject to any mandatory protections available to consumers or to a controller/data subject under data protection law.
14.3 Force majeure. Neither party is liable for any delay or failure to perform (other than payment obligations) due to events beyond its reasonable control, including natural disasters, war, terrorism, civil unrest, labor disputes, internet/telecommunications/power outages, third-party infrastructure or Sub-processor outages, cyber-attacks, and governmental actions or changes in law.
14.4 Assignment. Customer may not assign these Terms without Sekyr’s prior written consent. Sekyr may assign to an affiliate or in connection with a merger, acquisition, reorganization, or sale of substantially all assets.
14.5 Export control and sanctions. Each party will comply with applicable export-control and economic-sanctions laws. Customer represents that it is not subject to, and will not use the Service in violation of, such restrictions.
14.6 Entire agreement; order of precedence. These Terms (including the Annexes and documents incorporated by reference, including the Data Processing Terms) constitute the entire agreement between the parties regarding the Service and supersede prior agreements on the subject matter. In the event of conflict, the following order of precedence applies: (1) any incorporated Standard Contractual Clauses or UK Addendum, where and to the extent they apply; (2) the Data Processing Terms; (3) the body of these Terms; (4) Annex 1 to these Terms and the Annexes to the Data Processing Terms; (5) the Documentation and Trust Center.
14.7 Severability; waiver; notices. If any provision is held unenforceable, the remainder remains in effect and the provision is reformed to the minimum extent necessary. No waiver is implied by failure to enforce. Notices to Sekyr may be sent to the contact addresses published in the Trust Center; notices to Customer may be sent to its account email.
14.8 Subcontractors and beta features. Sekyr may engage Sub-processors in accordance with the Data Processing Terms. Beta and early-access features are provided “as is” and may be changed or withdrawn at any time.
A1 Annex 1: Service-Specific Operational Terms
- Compatibility: The current, authoritative compatibility matrix (supported and tested container registries, orchestrators, and CPU architectures) is published and maintained in the Documentation at sekyr.com/product. Sekyr may extend or adjust the compatibility matrix without amendment to these Terms.
- Pull-path only: Pushes continue to go to Customer’s own upstream registry; Sekyr operates on the pull path only and does not accept pushes.
- Availability / continuity: Images are cached locally by Customer’s runtime once pulled, so an outage of the Sekyr cache does not affect workloads already running; on a cache miss for a new digest the Service must be reachable to instrument and serve the image. Service status is published.
The Sekyr Data Processing Terms (DPA) are published at the Sekyr Trust Center and form an integral part of these Terms. No separate signature is required.