Terms of Service | Koh Cyber

1. Cloud Service

The Cloud Service is the Koh email security platform, which analyses Google Workspace inbound email metadata in real time to detect phishing, business email compromise (BEC), spoofing, and spam. The service is delivered via app.kohcyber.com and the associated Google Workspace Marketplace add-on. No email body text or attachments are stored; only metadata and cryptographic hashes are persisted.

2. Plans and fees

Koh subscription plans and pricing
Plan	Fee	Mailboxes	Notes
Starter	$3.00 / seat / month	Up to 25	Billed monthly
Business	$5.00 / seat / month	Unlimited	Billed monthly
Enterprise	Custom	Unlimited	Invoice billing available

Seat counting. A “seat” is one Google Workspace mailbox actively protected by Koh at any point during the billing period. Shared mailboxes (aliases that deliver to an already-counted protected inbox) do not count as additional seats. Administrators may mark designated service accounts and break-glass accounts as billing-excluded in Settings → Users; excluded accounts are not counted toward the monthly seat total.

Fees are billed in advance on a monthly cycle. All fees are in US dollars and exclusive of applicable taxes. If a payment fails, we will retry per our dunning schedule before suspending the service.

3. Free trial

Koh offers two trial tracks, selected during the onboarding wizard:

No-credit-card trial (15 days). No payment information is required. If no credit card is entered before Day 15, the organisation is automatically cancelled and email scanning is suspended. No charge is ever made.
Credit-card trial (30 days). A credit card is required at the plan-selection step. If the subscription is not cancelled before Day 30, the stored payment method is automatically charged at the applicable plan rate. A reminder email is sent on Day 27. You may cancel at any time before Day 30 via Settings → Billing with no charge.

Reminder emails are sent three days before each relevant deadline. It is your responsibility to ensure the admin email address on the account is monitored.

4. Cancellation and data retention

You may cancel your subscription at any time via Settings → Billing. Cancellation takes effect immediately: email scanning is suspended and no further charges are made for the following billing period.

Following cancellation or trial expiry, customer data is retained for 30 days to allow data export, then permanently deleted. “Customer data” means EmailMessage records, ThreatEvent records, AdminAuditLog records, and allow/block-list entries for your organisation. The Org record itself is retained in anonymised form for legal-hold purposes.

To request early deletion before the 30-day window, email legal@kohcyber.com.

5. Acceptable use

In addition to the restrictions in the Standard Terms, you may not:

Use the service to generate, relay, or amplify unsolicited bulk email (spam).
Reverse-engineer, decompile, or attempt to extract the detection models, rule logic, or scoring algorithms used by the service.
Submit synthetic or adversarially crafted messages for the purpose of mapping or evading the detection engine.
Share API keys or session credentials with parties outside your organisation.

6. Support access to customer data

Your explicit consent is required

Koh Cyber staff will never access your organisation’s threat feed, quarantine, or audit log data without (a) an open support ticket that you have submitted, and (b) your explicit in-app consent granted for that specific ticket. This section documents exactly what that access entails.

To assist with a support request, a Koh Cyber support engineer may request read-only access to your organisation’s threat feed, quarantine records, and admin audit log. The following conditions apply:

Consent required. Access is only permitted after you grant explicit per-ticket consent via the in-app consent prompt in Settings → Support Access. Pre-ticked consent or blanket standing authorisation is not used.
Revocable at any time. You may revoke support-access consent at any time in Settings → Support Access. Revocation terminates any active read-only session immediately.
Read-only. Support access is strictly read-only. Koh Cyber staff cannot modify, delete, quarantine, release, or export your data during a support session.
Audit-logged. Every support-access event is recorded in your organisation’s Admin Audit Log with the timestamp, the identity of the Koh Cyber staff member, the support ticket reference, and the data categories accessed. You can review this log at any time in Settings → Audit Log.
Scoped to the open ticket. Consent is scoped to a specific support ticket. When the ticket is resolved or you close the consent window, access is automatically revoked.
No email content accessed. Because Koh does not store email body text or attachments, support engineers cannot access email content under any circumstances.

If you are an EU-based customer, this section satisfies the requirement under GDPR Article 28(3)(b) that sub-processors (including staff operating as processors) only act on the controller’s documented instructions. Your in-app consent serves as that documented instruction for each support event.

7. Sub-processors

We engage the following sub-processors in the delivery of the service. We will provide at least 30 days’ notice (via legal@kohcyber.com or a notice on this page) before adding a new sub-processor that processes customer data.

Koh Cyber sub-processors
Sub-processor	Purpose	Location
Google Cloud Platform	Compute, Cloud SQL, Cloud Storage, Cloud Run	US (us-central1)
Stripe	Payment processing and subscription management	US / EU
Twilio SendGrid	Transactional email (alerts, billing notices)	US
Spamhaus Technology	Domain and IP reputation lookups (no customer PII transferred)	CH / US

8. Uptime and service levels

We target 99.5% monthly uptime for the Starter and Business plans, measured as the percentage of minutes in a calendar month during which the threat detection API is available and responding. Scheduled maintenance windows announced at least 24 hours in advance are excluded from uptime calculations.

Enterprise customers receive a negotiated SLA as part of their order. Support response times are:

Starter / Business: best-effort, typically within 1 business day.
Enterprise: priority SLA as specified in the order.

9. Limitation of liability

To the maximum extent permitted by applicable law, and in addition to any limitations in the Standard Terms:

Aggregate liability cap. Koh Cyber’s total aggregate liability for all claims under or related to these terms (whether in contract, tort, or otherwise) shall not exceed the total fees paid by you in the 12 months immediately preceding the event giving rise to the claim.
Security product carve-out. The service is a threat-detection aid and does not guarantee detection of every threat. Missed detections do not constitute a breach of these terms provided the service has operated materially in accordance with its documentation. Koh Cyber is not liable for losses arising from threats that were not detected.
Consequential damages exclusion. Neither party shall be liable for indirect, incidental, special, exemplary, or consequential damages (including lost profits, data loss, or business interruption) even if advised of the possibility of such damages.

10. Governing law

These Provider-Specific Terms and the Standard Terms are governed by the laws of the State of Arizona, United States, without regard to conflict of law principles. Any disputes shall be resolved in the state or federal courts located in Arizona.

11. Contact

Support: support@kohcyber.com
Legal notices: legal@kohcyber.com
Mailing address: Koh Cyber — address on file with registered agent (see Contact).

These Provider-Specific Terms incorporate by reference the Bonterms Online Cloud Terms v1.0 (“Standard Terms”), © Bonterms, Inc., licensed under CC BY-ND 4.0. The Standard Terms have not been modified. Bonterms is not a law firm; these terms do not constitute legal advice.