Penetration Testing Service Agreement

This Penetration Testing Service Agreement ("Agreement") is a legal contract between the Service Provider ("Vendor") and the user or entity accessing the Service ("User"). By accessing the SaaS platform, initiating a scan, or viewing results, the User agrees to be bound by these terms.

1. Nature of the Service

The Service provides automated security assessments designed to identify common vulnerabilities.

  • Intrusive Testing: These tests are, by their nature, intrusive. While the Service is designed to identify flaws without intent to cause harm, the process involves interacting with systems in ways that may mimic a malicious attack.
  • Identification Only: The tests are intended solely to identify vulnerabilities, not to disrupt operations. However, the User acknowledges that identifying certain vulnerabilities requires payloads that may impact target system stability.

2. Disclaimer of Warranties & Accuracy

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE".

  • No Guarantee of Accuracy: The Vendor does not warrant the accuracy, completeness, or reliability of the test results; automated findings may include false positives (reported issues that are not exploitable) and false negatives (real vulnerabilities that are not detected).
  • Guidance Only: Results are provided as guidance to assist in correcting common vulnerabilities and do not constitute an exhaustive security audit.
  • No Certification: The Vendor offers no certification, "seal of approval," or formal compliance validation (e.g., SOC 2, PCI DSS) based on these results.
  • Disclaimer of Implied Warranties: The Vendor disclaims all implied warranties, including Merchantability and Fitness for a Particular Purpose.

3. Mandatory Professional Verification

The output of this Service consists of automated findings.

  • Expert Review Required: All results must be verified by a qualified cybersecurity professional before any remediation actions are taken.
  • Independent Consultation: Users should consult with independent security experts to interpret findings and assess their specific infrastructure impact.

4. Limitation of Liability

IN NO EVENT SHALL THE VENDOR, ITS AFFILIATES, OR EMPLOYEES BE LIABLE FOR ANY INCIDENTAL, SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, INCLUDING:

  • Service Disruptions: The Vendor is not responsible if tests performed by the Service trigger system crashes, downtime, or service interruptions on the target, including where a test exercises a vulnerability in the target system.
  • Data Loss: The Vendor is not liable for corruption or loss of data resulting from intrusive testing.
  • Financial Loss: The Vendor is not liable for loss of profits, business interruption, or third-party claims.
  • Liability Cap: In no event shall the Vendor's total liability exceed the amount paid by the User for the Service in the twelve (12) months preceding the claim.

5. Indemnification

The User agrees to indemnify, defend, and hold harmless the Vendor from and against any third-party claims, damages, or legal fees (including reasonable attorneys' fees) arising from:

  • Unauthorized Testing: Testing performed on systems for which the User does not have explicit, written authorization.
  • Third-Party Disruptions: Any impact or downtime caused to a third party's infrastructure (e.g., hosting providers or downstream clients).
  • Regulatory Fines: Any penalties under data-protection or sector-specific regulations (e.g., GDPR, HIPAA) resulting from the intrusive nature of tests initiated by the User.

6. User Representations and Warranties

By using the Service, the User represents and warrants that:

  1. Authorization: They possess the legal authority to conduct intrusive testing on the target systems.
  2. Backups: They have performed a full and verifiable backup of all data and system configurations on the target system immediately prior to testing.
  3. Environment: They understand that testing in production is at their sole risk and that testing in a staging or development environment is strongly recommended.

7. Pre-Scan Authorization (Click-to-Accept)

Each time a scan is initiated, the User reaffirms the following:

  • I have the legal authority to test this target.
  • I have backed up all target data.
  • I assume all risk for system instability or downtime.
  • I acknowledge that results are not certified and must be verified by a professional.

8. Report Disclaimer

The following notice is incorporated into every report generated by the Service:

NOTICE: This report is for informational purposes only. The findings contained herein are generated via automated intrusive testing. The Vendor makes no warranty regarding the accuracy of these results. This report does NOT constitute a security certification. All findings MUST be verified by a qualified cybersecurity professional before remediation. The User assumes all liability for system impacts resulting from these tests.