Penetration Testing Terms of Service
Effective Date: April 4, 2025
Last Updated: April 4, 2025
1. DEFINITIONS
1.1 "Assessment" refers to the security testing and evaluation services provided by Provider as detailed in the Statement of Work.
1.2 "Confidential Information" means any non-public information disclosed by either party to the other party, either directly or indirectly, in writing, orally, or by inspection of tangible items, including but not limited to technical data, trade secrets, know-how, research, product plans, products, services, customers, markets, software, developments, inventions, processes, formulas, technology, designs, drawings, engineering, hardware configuration information, marketing or finance documents, and other business information.
1.3 "Deliverables" means the reports, analyses, and other materials to be provided to Client as specified in the Statement of Work.
1.4 "Services" means the penetration testing and security assessment services to be performed by Provider as described in the Statement of Work.
1.5 "Statement of Work" or "SOW" means the document detailing the specific Services to be performed by Provider, including the scope, timeline, targets, and limitations of the Assessment.
1.6 "Target Systems" means the specific computer systems, networks, applications, devices, or other assets that will be subject to the Assessment as specified in the Statement of Work.
2. SERVICES
2.1 Scope of Services. Provider shall perform the Services in accordance with the Statement of Work attached hereto and incorporated by reference. Any changes to the scope of Services must be agreed upon in writing by both parties.
2.2 Performance Standard. Provider shall perform the Services in a professional manner consistent with industry standards for security testing. Provider shall assign qualified personnel with appropriate skills and experience to perform the Services.
2.3 Client Responsibilities. Client shall:
a) Provide Provider with all necessary access, information, and assistance required to perform the Services;
b) Ensure that it has the right to authorize Provider to perform the Services on the Target Systems;
c) Designate a primary point of contact for coordination with Provider; and
d) Notify relevant third parties, including hosting providers and managed service providers, as necessary, about the planned Assessment.
3. AUTHORIZATION AND COMPLIANCE
3.1 Testing Authorization. Client represents and warrants that it has full authority to authorize Provider to perform the Services on the Target Systems. If any Target System is owned, operated, or hosted by a third party, Client warrants that it has obtained explicit permission from such third party for Provider to perform the Services on those systems.
3.2 Legal Compliance. Both parties shall comply with all applicable local, state, national, and international laws and regulations in connection with the performance and receipt of the Services. Provider reserves the right to refuse to perform any requested activities that it reasonably believes would violate any applicable law or regulation.
3.3 Acceptable Use. Provider shall follow any applicable acceptable use policies identified by Client in the Statement of Work when performing the Services.
4. RISK ACKNOWLEDGMENT AND LIMITATION OF LIABILITY
4.1 Inherent Risks. Client acknowledges that security testing by its nature involves inherent risks, including but not limited to:
a) Temporary degradation of system performance;
b) Temporary system unavailability;
c) Unexpected system crashes or failures;
d) Data corruption or loss; and
e) Exposure of security vulnerabilities that could potentially be exploited by malicious actors if not promptly addressed.
4.2 Limitation of Liability. To the maximum extent permitted by law:
a) Provider's total cumulative liability for any and all claims arising out of or related to this Agreement shall not exceed the total fees paid by Client to Provider under the applicable Statement of Work.
b) In no event shall Provider be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, including but not limited to lost profits, lost data, business interruption, or other economic loss, whether based in contract, tort, strict liability, or otherwise, even if Provider has been advised of the possibility of such damages.
c) Provider shall not be liable for any damages or issues arising from pre-existing vulnerabilities in Client's systems, except to the extent that Provider's actions directly and proximately cause such vulnerabilities to be exploited, resulting in data breach or system compromise.
4.3 Exclusions. The limitations of liability in Section 4.2 shall not apply to:
a) Either party's indemnification obligations under Section 9;
b) Damages arising from either party's gross negligence, willful misconduct, or fraud; or
c) Provider's breach of its confidentiality obligations under Section 6.
4.4 Force Majeure. Neither party shall be liable for any failure or delay in performing its obligations under this Agreement if such failure or delay is caused by circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, terrorism, riots, war, epidemics, pandemics, power failures, or Internet or telecommunications failures.
5. TESTING PROTOCOLS AND SAFEGUARDS
5.1 Testing Methodology. Provider shall conduct the Assessment using industry-standard methodologies and tools as described in the Statement of Work. Provider shall take reasonable precautions to minimize the risk of damage or disruption to the Target Systems.
5.2 Testing Hours. Unless otherwise specified in the Statement of Work, Provider shall conduct testing during mutually agreed upon times, which may include off-peak hours to minimize potential business disruption.
5.3 Emergency Stop Procedure. Provider shall implement an emergency stop procedure whereby Client may request immediate suspension of testing activities in the event of unexpected system issues. Client shall designate emergency contacts in the Statement of Work who are authorized to invoke this procedure.
5.4 Backup Requirement. Client acknowledges that it is solely responsible for ensuring that all Target Systems and associated data are properly backed up before the Assessment begins.
6. CONFIDENTIALITY
6.1 Mutual Confidentiality. Each party shall maintain the confidentiality of the other party's Confidential Information and shall not disclose such Confidential Information to any third party without the prior written consent of the disclosing party. Each party shall use the same degree of care to protect the other party's Confidential Information as it uses to protect its own Confidential Information of similar nature, but in no case less than reasonable care.
6.2 Vulnerability Information. All information regarding security vulnerabilities discovered during the Assessment shall be treated as Confidential Information of the Client.
6.3 Permitted Disclosures. Notwithstanding the foregoing, either party may disclose Confidential Information:
a) To its employees, contractors, and advisors who have a need to know such information, provided that such persons are bound by confidentiality obligations no less protective than those contained herein;
b) As required by law or regulation, or in response to a valid order of a court or other governmental authority, provided that the disclosing party gives the other party prior written notice of such disclosure to allow the other party to seek a protective order or other appropriate remedy; or
c) With the prior written consent of the disclosing party.
6.4 Return of Confidential Information. Upon termination of this Agreement or upon the disclosing party's request, the receiving party shall promptly return or destroy all Confidential Information of the disclosing party in its possession or control.
6.5 Survival. The confidentiality obligations set forth in this Section 6 shall survive the termination or expiration of this Agreement for a period of five (5) years.
7. INTELLECTUAL PROPERTY
7.1 Pre-existing Materials. Each party shall retain all rights, title, and interest in and to its pre-existing intellectual property, including but not limited to methodologies, tools, techniques, software, and know-how used in performing or receiving the Services.
7.2 Deliverables. Subject to payment in full of all fees due under this Agreement, Provider grants to Client a perpetual, non-exclusive, non-transferable license to use the Deliverables for Client's internal business purposes.
7.3 Restrictions. Client shall not:
a) Modify, adapt, alter, translate, or create derivative works from the Deliverables without Provider's prior written consent;
b) Distribute, sublicense, lease, rent, loan, or otherwise transfer the Deliverables to any third party without Provider's prior written consent;
c) Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code or underlying ideas or algorithms of any tools or software provided by Provider; or
d) Remove, alter, or obscure any proprietary notices on the Deliverables.
8. TERM AND TERMINATION
8.1 Term. This Agreement shall commence on the Effective Date and continue until completion of the Services as specified in the Statement of Work, unless earlier terminated in accordance with this Section 8.
8.2 Termination for Convenience. Client may terminate this Agreement or any Statement of Work for convenience upon thirty (30) days' prior written notice to Provider. In the event of such termination, Client shall pay Provider for all Services performed and expenses incurred up to the effective date of termination.
8.3 Termination for Cause. Either party may terminate this Agreement for cause upon written notice if the other party materially breaches this Agreement and fails to cure such breach within fifteen (15) days after receiving written notice of the breach.
8.4 Effect of Termination. Upon termination of this Agreement:
a) Provider shall immediately cease performing the Services;
b) Client shall pay Provider for all Services performed and expenses incurred up to the effective date of termination;
c) Each party shall return or destroy all Confidential Information of the other party in accordance with Section 6.4; and
d) The provisions of Sections 4, 6, 7, 9, 10, and 11 shall survive termination.
9. INDEMNIFICATION
9.1 Provider Indemnification. Provider shall defend, indemnify, and hold harmless Client and its officers, directors, employees, and agents from and against any and all third-party claims, actions, suits, proceedings, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) to the extent arising out of or resulting from:
a) Provider's gross negligence or willful misconduct in performing the Services; or
b) Provider's material breach of this Agreement.
9.2 Client Indemnification. Client shall defend, indemnify, and hold harmless Provider and its officers, directors, employees, and agents from and against any and all third-party claims, actions, suits, proceedings, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) to the extent arising out of or resulting from:
a) Client's failure to obtain proper authorization for Provider to perform the Services on the Target Systems;
b) Client's material breach of this Agreement; or
c) Client's use of the Deliverables in a manner not authorized by this Agreement.
9.3 Indemnification Procedure. The indemnified party shall: (a) promptly notify the indemnifying party in writing of any claim, suit, or proceeding for which indemnity is claimed; (b) allow the indemnifying party to control the defense and settlement of such claim; and (c) reasonably cooperate with the indemnifying party in the defense and settlement of such claim at the indemnifying party's expense. The indemnifying party shall not settle any claim in a manner that adversely affects the indemnified party's rights without the indemnified party's prior written consent, which shall not be unreasonably withheld.
10. REPRESENTATIONS AND WARRANTIES
10.1 Mutual Representations. Each party represents and warrants that:
a) It has the full power and authority to enter into this Agreement and perform its obligations hereunder;
b) The execution and delivery of this Agreement does not violate any agreement, obligation, or law to which it is subject; and
c) It shall comply with all applicable laws and regulations in performing its obligations under this Agreement.
10.2 Provider Warranties. Provider warrants that:
a) The Services will be performed in a professional and workmanlike manner consistent with industry standards; and
b) To Provider's knowledge, the Deliverables will not infringe any third-party intellectual property rights.
10.3 Client Warranties. Client warrants that:
a) It has obtained all necessary permissions and authorizations to allow Provider to perform the Services on the Target Systems;
b) It has implemented reasonable backup procedures for the Target Systems; and
c) It will not use the Deliverables for any illegal purpose.
10.4 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, PROVIDER MAKES NO OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT THE SERVICES OR DELIVERABLES WILL IDENTIFY ALL SECURITY VULNERABILITIES IN THE TARGET SYSTEMS, OR THAT THE TARGET SYSTEMS WILL BE SECURE FROM ALL SECURITY THREATS AFTER COMPLETION OF THE SERVICES.
11. GENERAL PROVISIONS
11.1 Independent Contractors. The relationship between the parties is that of independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or employment relationship between the parties.
11.2 Non-Solicitation. During the term of this Agreement and for one (1) year thereafter, neither party shall, directly or indirectly, solicit or attempt to solicit for employment any employees or contractors of the other party who were involved in the provision or receipt of the Services, without the prior written consent of the other party.
11.3 Assignment. Neither party may assign this Agreement or any of its rights or obligations hereunder without the prior written consent of the other party, except that either party may assign this Agreement to a successor in connection with a merger, acquisition, or sale of all or substantially all of its assets.
11.4 Notices. All notices required or permitted under this Agreement shall be in writing and shall be deemed delivered when delivered in person, by email (with confirmation of receipt), or by registered or certified mail, return receipt requested, to the addresses specified in the Statement of Work.
11.5 No Waiver. The failure of either party to enforce any provision of this Agreement shall not be construed as a waiver of such provision or the right of such party to enforce such provision or any other provision.
11.6 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
11.7 Entire Agreement. This Agreement, together with the Statement of Work, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral.
11.8 Amendment. This Agreement may be amended only by a written instrument signed by both parties.
11.9 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of California, USA, without regard to its conflict of laws principles.
11.10 Dispute Resolution. Any dispute arising out of or relating to this Agreement shall be resolved through binding arbitration conducted in accordance with the rules of the American Arbitration Association. The arbitration shall take place in San Francisco, California, USA. The decision of the arbitrator shall be final and binding on the parties.
11.11 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.