Additional Third-Party Terms
Effective May 14, 2026
(for Integrated Services)
1. Purpose
This Third-Party Software and Open Source Components Policy (this “Policy”) describes the third-party software components, including open source software, that may be included in or accessed through Cleanstart, Inc. (“Cleanstart”, the “Company”) products and services. This Policy supplements the Master Service and License Agreement (the “MSA”) and the Service Level Agreement (the “SLA”) between Cleanstart and the customer (the “Customer”), and is intended to provide transparency regarding the composition, licensing, and provenance of Cleanstart products and to clarify the respective rights and responsibilities of Cleanstart and Customer with respect to such components. Capitalised terms used but not defined in this Policy have the meanings given in the MSA.
In the event of any conflict between this Policy and the MSA, the MSA shall control with respect to the subject matter hereof.
2. Composition of Cleanstart Products
Each Cleanstart product, including without limitation Cleanstart Containers (formerly known as Hardened Images or Cleanstart Images), Cleanstart FIPS-validated images, and any successor or derivative product offerings (each, a “Product”), is composed of the following:
- Cleanstart-authored materials: hardening configurations, build recipes, build pipelines, signing attestations, security advisories, documentation, the SBOM (as defined below), the Provenance Attestation (as defined below), and other materials authored by Cleanstart.
- Third-Party Software: software components that are not authored by Cleanstart, including (i) open source software (“OSS”) and (ii) where applicable, commercial third-party software and integrated services made available pursuant to additional licence terms.
The composition of each Product is documented in the SBOM made available with that Product.
3. Open Source Software
3.1 Definition. “OSS” means software licensed under an open source licence meeting the definition promulgated by the Open Source Initiative (located at https://opensource.org/), or identified as an open source licence by the SPDX License List (located at https://spdx.org/licenses/).
3.2 Upstream Licensing. All OSS components included in Cleanstart Products are licensed to Customer by their respective upstream maintainers or licensors under the applicable open source licence terms identified in the SBOM made available with each Product. Cleanstart does not relicense, sublicense, or modify the licence terms of any OSS component included in the Products. Nothing in this Policy, the MSA, the SLA, or any related Order Form is intended to limit Customer's rights under, or grant Customer rights that supersede, the terms of any OSS licence. Customer's rights to use, modify, or redistribute any OSS component included in a Product are governed solely by the applicable OSS licence and not by the MSA.
3.3 Scope of Cleanstart's Licence Grant. The licence granted by Cleanstart to Customer under the MSA, and the ownership and intellectual property rights asserted by Cleanstart, extend only to the Cleanstart-authored materials identified in Section 2 of this Policy. Such licence and rights do not extend to any underlying OSS or other Third-Party Software contained within or accessed through the Products.
4. Software Bill of Materials
4.1 SBOM Disclosure. For each Product made generally available, Cleanstart publishes a Software Bill of Materials (“SBOM”) in industry-standard formats, including:
- Standard SBOM: SPDX 2.3 format, generated using widely recognised tooling (including syft).
- Cleanstart Enhanced SBOM: SPDX 3.0 format, generated by the Cleanstart Enhanced SBOM Generator, providing additional enriched metadata for each component.
- CycloneDX: where applicable and as required for specific compliance use cases.
4.2 SBOM Contents. The SBOM identifies, for each component contained in the Product, the following information where available:
- Component name and version;
- Package manager type (for example, apk, deb, rpm, npm, pypi, go);
- Declared licence, using SPDX licence identifiers where available;
- Upstream supplier, maintainer, or originator;
- Upstream source location (repository URL);
- Cryptographic hashes; and
- Other relevant component metadata.
4.3 SBOM as Authoritative Disclosure. The SBOM constitutes Cleanstart's complete and authoritative disclosure of the Third-Party Software components contained in the applicable Product. Cleanstart's disclosure obligations with respect to such components are satisfied upon making the SBOM available to Customer through the Cleanstart Delivery Portal or such other delivery mechanism as Cleanstart may designate from time to time.
4.4 SBOM Licensing. Cleanstart releases each SBOM under the Creative Commons CC0 1.0 Universal (Public Domain Dedication) licence, enabling Customer to freely use, share, and rely on SBOM data for compliance, security, and operational purposes.
5. Provenance Attestation
5.1 Provenance Disclosure. For each Product made generally available, Cleanstart publishes a build provenance attestation (the “Provenance Attestation”) conformant with the Supply-chain Levels for Software Artifacts (SLSA) framework and the in-toto attestation specification.
5.2 Provenance Contents. The Provenance Attestation identifies, for each Product:
- The build source repository and the cryptographic commit reference from which the Product was built;
- The build platform and builder identity;
- The build invocation identifier;
- The cryptographic digest of the resulting Product image; and
- Such additional metadata as required to enable independent verification of build integrity and origin.
5.3 Cryptographic Signing. Cleanstart Products are cryptographically signed using industry-standard tooling (including Sigstore Cosign), and Provenance Attestations are recorded in tamper-evident transparency logs where applicable, enabling Customer to verify the integrity and origin of each Product they deploy.
6. Commercial Third-Party Components
Certain Products may include commercial third-party software components, or rely on integrated third-party services, that are subject to licence terms, service agreements, and policies imposed by their respective owners or licensors (“Commercial Third-Party Terms”). Where applicable, such components and the associated Commercial Third-Party Terms are identified in the documentation accompanying the affected Product or, where applicable, in an addendum to this Policy.
Customer must comply with all Commercial Third-Party Terms applicable to the components contained in the Products Customer uses, including without limitation licensing restrictions, usage limits, data handling requirements, and acceptable use obligations. In some cases, Customer may be required to hold a separate, valid licence directly from the third-party licensor before Customer is entitled to use the affected Product. Where Cleanstart's or Customer's licence to any such commercial component expires or is terminated for any reason, Cleanstart may suspend or terminate Customer's access to the affected Product, and Cleanstart will use commercially reasonable efforts to provide a substantially equivalent Product for the remainder of the then-applicable subscription term, where feasible.
Cleanstart does not assume liability for a Customer's failure to comply with any Commercial Third-Party Terms.
7. Customer Responsibilities
Customer is responsible for:
- Reviewing the SBOM and the applicable Third-Party Software licence terms for each Product that Customer uses;
- Complying with the obligations imposed by such licences, including any attribution, notice, or redistribution requirements;
- Ensuring that Customer's use, modification, layering, or redistribution of any Cleanstart Product does not violate any applicable Third-Party Software licence;
- Complying with any Commercial Third-Party Terms applicable to the components within the Products Customer uses, including obtaining any separate third-party licences required for Customer's use; and
- Verifying the Provenance Attestation for any Product where Customer requires cryptographic assurance of Product origin or integrity prior to deployment.
8. Cleanstart's Role
Cleanstart curates, hardens, and packages Third-Party Software and Cleanstart-authored materials into the Products, signs each Product release, and publishes the accompanying SBOM and Provenance Attestation. Cleanstart does not modify upstream source code in ways that change the licence terms of any OSS component.
9. Limitation of Liability and Disclaimer
Cleanstart disclaims responsibility for interruptions, failures, vulnerabilities, defects, or deficiencies originating solely from Third-Party Software or from integrated third-party services beyond Cleanstart's reasonable control. Remedies and service credits provided under the SLA do not extend to outages or defects caused by such Third-Party Software or services, except as expressly stated in the SLA. Cleanstart's obligations and liabilities under this Policy are further limited by, and subject to, the warranty disclaimers, exclusions of damages, and Limitations of Liability set forth in the MSA, all of which apply in full to any claim arising under or in connection with this Policy. Cleanstart makes no warranty, representation, or guarantee regarding the accuracy, completeness, or fitness for any particular purpose of any Third-Party Software, OSS, or commercial third-party component included in or accessed through the Products, except to the extent expressly set forth in the MSA.
10. Updates to this Policy
Cleanstart may update this Policy from time to time, provided that no such update shall materially and adversely diminish Customer's rights under the then-current Order Form for the remainder of its subscription term. The current version of this Policy is published at https://www.cleanstart.com/legal. Customer is encouraged to review this Policy periodically to remain familiar with its current terms.
11. Contact
Questions regarding this Policy, the SBOM, or the Provenance Attestation may be directed to Cleanstart's security and legal teams through the Cleanstart Delivery Portal or via the contact mechanisms published at https://www.cleanstart.com/contact-us.
