Scope Disclaimer
This page describes the limits of the Vendor Risk Evidence Bundle product sold by Palavir LLC at palavir.co/vendor-risk-bundle. By purchasing a bundle the buyer agrees to the terms below.
1. The bundle is not a SOC 2 audit
The Vendor Risk Evidence Bundle is not, and is not represented to be, a SOC 2 Type I or Type II audit. SOC 2 audits are performed by independent licensed Certified Public Accountant firms under the AICPA SSAE 18 attestation standard. Palavir LLC is not a CPA firm and does not issue SOC 2 reports.
2. The bundle is not legal advice
Nothing in the bundle is legal advice, regulatory guidance, or a legal opinion. The buyer should retain qualified legal counsel for any decision that depends on legal interpretation, contracting, or regulatory compliance.
3. Point-in-time data
All findings reflect the state of public surfaces at the moment of the scrape. Vendor configurations change. The bundle is dated. The buyer is responsible for re-running the analysis if currency matters to the decision.
4. Public surfaces only
The engine fetches only public URLs at conventional paths and subdomains, performs standard DNS resolutions, and reads the public TLS handshake. The engine does not authenticate, does not bypass robots.txt-blocked paths, does not perform penetration testing, does not perform vulnerability scanning, and does not attempt any action that would violate the federal Computer Fraud and Abuse Act or analogous state law.
5. No opinion of fitness
Palavir LLC offers no opinion that the target vendor is or is not suitable for the buyer's purpose. The bundle is a fact-pattern. The buyer is solely responsible for any procurement, contracting, integration, or risk-treatment decision made on the basis of the bundle.
6. Absence is not evidence
A surface not found at a conventional URL is not evidence that the target does not have the corresponding control. The vendor may publish that information on a different path, behind authentication, or only on request. The buyer should request the missing information directly from the vendor before drawing conclusions.
7. Compliance check is fuzzy
The Compliance API check uses fuzzy name matching against the OFAC SDN list, the OIG LEIE list, and the SAM.gov exclusion list. An exact match against a federal exclusion list is a serious finding and the buyer should cross-check the official source directly. Lower-confidence matches are name collisions in the vast majority of cases.
8. WHOIS data may be redacted
Many TLDs and registrars redact registrant data under GDPR and ICANN policy. A blank WHOIS record is normal and not a finding.
9. Refund policy
If the engine cannot resolve the target domain at all, Palavir refunds the order in full. Otherwise the bundle is delivered as-is, including the case where most public surfaces are not found. The whole point of the deliverable is a defensible point-in-time record, including the absence of published surfaces. Palavir may at its discretion refund part of the price if the deliverable is materially incomplete.
10. Confidentiality
Palavir does not publish, share, or resell the contents of a bundle. The buyer's order metadata is retained for record-keeping and accounting purposes only. The target vendor is not notified of the order.
11. Independent verification
Palavir reuses its existing Compliance API for the exclusion screening step. That API is hosted at compliance-api-jet.vercel.app and exposed via RapidAPI as the Federal Exclusion and Sanctions Screener. Source data for the Compliance API is refreshed weekly from OIG, Treasury OFAC, and SAM.gov.
12. Limitation of liability
To the maximum extent permitted by law, Palavir LLC's total aggregate liability arising out of or relating to the Vendor Risk Evidence Bundle is limited to the amount the buyer paid for the bundle ($499 per order). Palavir shall not be liable for indirect, incidental, consequential, special, or punitive damages.
13. Customer authorization responsibility
The customer is responsible for ensuring they have authorization to scan the target domain. Palavir does not verify domain ownership or organizational affiliation. By placing an order the customer represents that they have a legitimate purpose for reviewing the target domain's public trust surfaces and that their use is consistent with applicable law.
Contact
Questions or refund requests: josh@palavir.co.
Pending attorney review. Palavir LLC, 22515 Pontchartrain Drive, Southfield, MI 48034.