Terms of Service
Effective Date: May 4, 2026
Last Updated: May 4, 2026
These Terms of Service ("Terms") govern your access to and use of the Vendor Vulnerability Pulse API ("VVP" or the "Service") provided by Lyrastone ("we," "us," "our"). By accessing or using VVP, you agree to these Terms.
If you are using VVP through RapidAPI, these Terms supplement the RapidAPI Marketplace Terms of Use. Where these Terms conflict with RapidAPI's terms on matters specific to VVP's data handling, accuracy, and intellectual property, these Terms control.
1. What VVP Does
VVP aggregates publicly available vulnerability and risk intelligence from government and industry sources (including NIST NVD, CISA KEV, and EPSS) to generate vendor risk scores. VVP is an analytical tool. It does not perform security audits, penetration testing, or compliance certification.
2. Your Account and API Access
2.1. API Keys. You access VVP through an API key issued via RapidAPI. You are responsible for keeping your API key secure. Do not share your key or embed it in client-side code.
2.2. Account Responsibility. You are responsible for all activity under your API key. If you believe your key has been compromised, rotate it immediately through RapidAPI and notify us at hello@lyrastone.com.
2.3. Eligibility. You must be at least 18 years old and have the authority to enter into these Terms on behalf of yourself or your organization.
3. Acceptable Use
You may use VVP to:
- Query vendor risk scores for your own business risk assessment
- Integrate VVP data into your internal security and procurement workflows
- Build internal tools and dashboards that consume VVP data
You may not:
- Resell, redistribute, or sublicense raw VVP data or API responses to third parties as a standalone data product
- Use VVP to harass, defame, or unfairly damage the reputation of any vendor based solely on automated scores
- Attempt to reverse-engineer, decompile, or extract VVP's scoring algorithms, weighting models, or calibration logic
- Exceed your plan's rate limits or attempt to circumvent rate limiting
- Use automated means to scrape or bulk-download data beyond your plan's API call allowance
- Use VVP for any purpose that violates applicable law
4. Service Tiers and Rate Limits
| Tier | Monthly Calls | Rate Limit | Price |
|---|---|---|---|
| Free | 50 | 5/min | $0 |
| Basic | 500 | 20/min | $29/mo |
| Pro | 5,000 | 60/min | $99/mo |
| Enterprise | Custom | Custom | Contact us |
Rate limits are enforced per API key. Exceeding your rate limit returns HTTP 429. Tier pricing and limits may change with 30 days' notice.
5. Data Categories and Usage
This is the most important section of these Terms. We distinguish clearly between two categories of data:
5a. Customer Content
What it is: The vendor names you query, the feedback you submit on risk scores, your personalized weight profiles, and any context notes you provide.
Who owns it: You do. Customer Content is yours.
What we do with it: We use your Customer Content solely to deliver the Service to you — generating your risk scores, applying your personalized weights, and improving your individual scoring accuracy through the feedback loop.
What we never do with it:
- We never sell your Customer Content to third parties
- We never share your individual queries, feedback, or weight profiles with other customers
- We never use your identifiable Customer Content in marketing, case studies, or public filings without your separate, explicit written consent
- We never train machine learning models on the substance of your Customer Content
5b. System Performance Data (Telemetry)
What it is: Data about how VVP itself operates — not what you queried, but how the system responded. This includes:
- Calibration events (that a weight adjustment occurred, the magnitude of adjustment, the scoring component affected)
- Aggregate accuracy metrics (what percentage of scores were confirmed as accurate by feedback across all customers)
- System response times and error rates
- Feature usage patterns (which API endpoints are called, which scoring components are most used)
- Aggregate weight distributions across all customers (no individual profiles)
Who owns it: We do. System Performance Data belongs to Lyrastone.
What we do with it: We use System Performance Data to improve, develop, and optimize VVP; create aggregate benchmarks and analytics; validate system performance; support intellectual property filings using only anonymized and aggregated data; and conduct research into risk scoring methodologies.
The key distinction: System Performance Data records how VVP behaves, not what your proprietary data contains. Logging that "a calibration event adjusted the CVE severity weight by +0.15" demonstrates that our scoring algorithm learns and self-corrects. It does not reveal which vendors you assessed or what your security posture looks like.
6. Aggregated and De-Identified Data
Notwithstanding any other provision of these Terms, we may collect, compile, synthesize, and analyze aggregated and de-identified data derived from your use of VVP ("Aggregated Data"). Aggregated Data means information that (a) has been combined with data from other customers or sources, and (b) has been modified such that no individual customer or end user is identifiable or can be re-identified through reasonable means.
We own all right, title, and interest in Aggregated Data. We may use Aggregated Data for any lawful business purpose, including improving VVP, creating benchmarking and analytics, demonstrating system performance, and supporting intellectual property filings.
Aggregated Data is not Customer Content and is not subject to the data use restrictions applicable to Customer Content.
7. Opt-Out of Aggregate Data Inclusion
By default, your de-identified System Performance Data and Aggregated Data contribute to VVP's aggregate datasets as described above.
You may opt out. Contact us at hello@lyrastone.com or use the opt-out endpoint in the API (when available). Opting out means:
- Your feedback and weight profiles are used only for your own personalization
- Your data is excluded from any aggregate analysis, benchmarking, or IP validation dataset
- The core VVP service continues to work normally for you — opting out does not degrade functionality
8. Accuracy and Disclaimers
8.1. Data Sources. VVP aggregates data from publicly available government and industry sources. We do not generate vulnerability data ourselves. The accuracy, completeness, and timeliness of upstream sources are outside our control.
8.2. Not a Substitute for Professional Judgment. VVP scores are one input into your risk assessment process. They are not a substitute for professional security audits, compliance certifications, or expert judgment.
8.3. No Warranty. VVP is provided "as is" and "as available." To the maximum extent permitted by applicable law, we disclaim all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, accuracy, and non-infringement. We do not warrant that VVP will be uninterrupted, error-free, or that scores will be accurate or complete.
9. Limitation of Liability
To the maximum extent permitted by applicable law, in no event will Lyrastone be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, data, use, or goodwill, arising out of or in connection with these Terms or your use of VVP.
Our total aggregate liability for all claims arising out of or relating to these Terms or VVP will not exceed the greater of (a) the amounts you paid us in the 12 months preceding the claim, or (b) one hundred U.S. dollars ($100).
10. Intellectual Property
10.1. Our IP. VVP, including its scoring algorithms, weighting models, calibration logic, user interface, documentation, and all related intellectual property, is owned by Lyrastone. These Terms do not grant you any rights to our intellectual property except the limited right to use VVP as described here.
10.2. Your IP. You retain all rights in your Customer Content. We claim no ownership over the data you submit to VVP.
10.3. Feedback. If you provide us with suggestions, ideas, or feedback about VVP, we may use that feedback without restriction or obligation to you.
11. Termination
11.1. By You. You may stop using VVP at any time by discontinuing API calls and canceling your subscription through RapidAPI.
11.2. By Us. We may suspend or terminate your access if you violate these Terms, if required by law, or if we discontinue VVP. We will make reasonable efforts to provide notice before termination except in cases of abuse or legal requirement.
11.3. Effect of Termination. On termination, your right to access VVP ends. We will delete your Customer Content (personalized weight profiles, feedback history) within 90 days of termination unless required by law to retain it. Aggregated Data that has already been de-identified is not subject to deletion.
12. Changes to These Terms
We may update these Terms from time to time. We will notify you of material changes by posting the updated Terms here and updating the "Last Updated" date. For material changes affecting data handling or pricing, we will provide at least 30 days' notice. Continued use of VVP after the effective date constitutes acceptance.
13. Governing Law and Disputes
These Terms are governed by the laws of Spain, without regard to conflict of law principles. Any disputes arising from these Terms will be resolved in the courts of Barcelona, Spain. For EU consumers, this does not affect your rights under mandatory consumer protection laws of your country of residence.
14. Contact
Questions about these Terms?
Lyrastone
Email: hello@lyrastone.com
Web: lyrastone.com
Privacy Policy
Effective Date: May 4, 2026
Last Updated: May 4, 2026
This Privacy Policy explains what data Vendor Vulnerability Pulse ("VVP") collects, how we use it, how long we keep it, and what rights you have. We keep this plain and specific.
1. Who We Are
VVP is operated by Lyrastone, based in Barcelona, Spain. For GDPR purposes, Lyrastone is the data controller.
Contact: hello@lyrastone.com
2. What Data We Collect
We collect exactly the following. No more.
2a. Data You Provide Directly
| Data Point | What It Is | Why We Collect It |
|---|---|---|
| API key hash | A one-way hash of your RapidAPI API key | Identify your account without storing your actual key |
| Customer ID hash | A one-way hash derived from your API key | Link your feedback and preferences to your account |
| Vendor queries | The vendor names or identifiers you submit for risk scoring | Generate your risk scores |
| Feedback verdicts | Your assessment of score accuracy (too_high / too_low / accurate) | Improve your personalized scoring through the Bayesian calibration loop |
| Component feedback | Which specific scoring components you flag as over- or under-weighted | Fine-tune your personalized weight profile |
| Context notes | Optional text you attach to feedback submissions | Additional context for calibration (stored only for your account) |
| Subscription tier | Your RapidAPI plan level | Apply correct rate limits and feature access |
2b. Data Generated Automatically
| Data Point | What It Is | Why We Collect It |
|---|---|---|
| Bayesian weight profiles | Your personalized scoring weights, adjusted over time by your feedback | Deliver personalized risk scores that improve with use |
| Calibration events | Records that a weight adjustment occurred: which component, direction, magnitude | System performance monitoring and product improvement |
| API request metadata | Timestamp, endpoint called, response time, HTTP status code | Service reliability, debugging, rate limiting |
| IP address | Your IP address at time of API call | Rate limiting (in-memory only, not persisted to database) |
2c. Data We Do NOT Collect
- We do not collect your name, email, phone number, or physical address through VVP itself (RapidAPI handles account registration separately under their privacy policy)
- We do not collect your company name unless you voluntarily include it in context notes
- We do not track your browsing activity, use cookies, or deploy tracking pixels on the VVP API
- We do not access any of your internal systems, networks, or security infrastructure
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Deliver the Service | Vendor queries, API key hash | Contract performance (Art. 6(1)(b)) |
| Personalize your scoring | Feedback verdicts, component feedback, Bayesian weights | Contract performance (Art. 6(1)(b)) |
| Product improvement | Aggregated and de-identified System Performance Data | Legitimate interest (Art. 6(1)(f)) |
| System validation | Aggregated and de-identified calibration metrics | Legitimate interest (Art. 6(1)(f)) |
| Intellectual property | Aggregated Data only (no individual customer identifiable) | Legitimate interest (Art. 6(1)(f)) |
| Security and abuse prevention | API request metadata, IP address (in-memory) | Legitimate interest (Art. 6(1)(f)) |
4. What We NEVER Do With Your Data
We commit to the following, without exception:
- We never sell your data to third parties. Not your queries, not your feedback, not your usage patterns. Never.
- We never share your individual data with other customers. Your weight profiles, feedback history, and query patterns are yours alone.
- We never use identifiable Customer Content in public filings. Any data used in patent applications, research publications, or marketing materials is anonymized and aggregated.
- We never train machine learning models on the substance of your queries. Your vendor queries are used to generate your scores, not to train our algorithms.
- We never use your data for advertising, profiling, or behavioral targeting.
5. Data Retention
| Data Type | Retention | What Happens After |
|---|---|---|
| API request metadata (logs) | 90 days | Automatically deleted |
| Feedback records | 1 year | Automatically deleted; aggregate statistics retained |
| Bayesian weight profiles | Account lifetime | Deleted within 90 days of account closure |
| Calibration events (individual) | 1 year | Deleted; aggregate metrics retained |
| Aggregated and de-identified data | Indefinite | Contains no individual customer information |
| IP addresses | Not persisted | Held in memory during rate-limit window only |
6. Your Rights
Depending on your location, you may have the following rights. We honor all of them regardless of where you are:
Access. Request a copy of the data we hold about your account. Email hello@lyrastone.com with "Data Access Request" in the subject line.
Deletion. Request deletion of your Customer Content. Email hello@lyrastone.com with "Data Deletion Request." We will delete your data within 30 days. Aggregated Data already de-identified is not subject to deletion.
Correction. If any data we hold about you is inaccurate, you can request correction.
Portability. Request your data in a structured, machine-readable format (JSON).
Opt-Out of Aggregate Analysis. See Section 7 below.
Object. Under GDPR Article 21, you have the right to object to processing based on legitimate interest.
Complaint. You may file a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority.
7. Opt-Out of Aggregate Data Inclusion
By default, your de-identified System Performance Data contributes to VVP's aggregate datasets.
To opt out: Email hello@lyrastone.com with "Aggregate Data Opt-Out" in the subject line, or use the opt-out API endpoint (when available).
What opting out means:
- Your feedback and calibration events are used only to personalize your scoring
- Your data is excluded from aggregate analysis, benchmarking reports, and IP validation datasets
- VVP continues to work normally — no functionality is degraded
What opting out does not affect:
- We still process your queries to generate your scores
- We still apply your feedback to your personalized weight profile
- API request metadata is still logged for 90 days for security and debugging
8. Data Security
We protect your data with:
- Hashing: Your API key and customer ID are stored as one-way hashes. We cannot reverse them.
- Separation: Customer Content and System Performance Data are stored in separate database tables with different access controls.
- Encryption: Data in transit is encrypted via TLS. Data at rest uses standard cloud provider encryption.
- Access control: Only authorized Lyrastone systems access customer databases. No human reads individual customer data in the normal course of operations.
- Minimization: We collect only what is listed in Section 2. No more.
9. International Data Transfers
VVP is hosted on Google Cloud Platform in the United States. If you are located outside the United States, your data is transferred to and processed in the US. We rely on Google Cloud's Standard Contractual Clauses (SCCs) for EU-to-US transfers, as required by GDPR Chapter V.
10. Children
VVP is a B2B security intelligence API. It is not directed at individuals under 18. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy here and update the "Last Updated" date. For material changes, we will provide at least 30 days' notice.
12. Contact Us
For any privacy-related questions, data requests, or concerns:
Lyrastone
Email: hello@lyrastone.com
Web: lyrastone.com
For GDPR-specific inquiries, include "GDPR" in your subject line for priority routing.