
Terms & Conditions

Effective: 25 April 2026
Last updated: 25 April 2026
Jurisdiction: India

These Terms and Conditions ("Agreement") govern all penetration testing and offensive security services ("Services") provided by Vaassec ("we", "us", "our") to any client ("Client", "you"). By submitting an engagement request, signing a Statement of Work, or making payment, you agree to be bound by this Agreement in full.

01 Definitions

Throughout this Agreement the following terms carry the meanings defined below:

  • Engagement — a scoped penetration testing or security assessment project governed by a Statement of Work (SOW).
  • Scope — the specific targets, IP ranges, domains, systems, or assets explicitly authorized for testing, as defined in the SOW.
  • Statement of Work (SOW) — a written document signed by both parties defining the engagement scope, timeline, methodology, and deliverables.
  • Report — the written deliverable produced at engagement conclusion, containing findings, evidence, CVSS scores, and remediation guidance.
  • Confidential Information — any non-public data, findings, credentials, architecture details, or client materials exchanged during the engagement.
  • Authorized Systems — infrastructure, applications, and assets listed in the SOW that the Client has granted written permission to test.

02 Scope of Services

Vaassec provides offensive security services including but not limited to: web application penetration testing, API security assessments, network infrastructure testing, cloud configuration review, and vulnerability research. All services are conducted remotely unless otherwise agreed in writing.

The exact scope of each engagement is defined in the SOW signed prior to testing commencing. Testing will not begin until a fully executed SOW and written authorization are received. No verbal or implied authorizations are accepted.

Any assets, systems, or IP ranges not explicitly listed in the SOW are considered out of scope. Vaassec will not intentionally test out-of-scope targets, though interconnected systems may be identified incidentally during testing.

03 Authorization & Legality

The Client represents and warrants that:

  • They are the lawful owner or have express written authority from the lawful owner of all Authorized Systems.
  • All necessary third-party consents have been obtained — including from cloud providers (AWS, GCP, Azure), hosting companies, CDN providers, and co-location facilities whose terms may restrict security testing.
  • The engagement is lawful under all applicable laws in the Client's jurisdiction, including India's Information Technology Act 2000 and equivalent statutes in other jurisdictions.
  • The Client accepts responsibility for obtaining third-party consents for all assets hosted externally and listed in the SOW.

Vaassec reserves the right to immediately suspend testing if there is any doubt about authorization. Fees for work already performed remain due.

Providing false or incomplete authorization is a criminal offense in most jurisdictions. Vaassec will cooperate fully with law enforcement if misrepresentation is discovered.

04 Client Obligations

To enable a successful engagement the Client agrees to:

  • Provide accurate and complete information about all in-scope assets prior to testing, including IP ranges, domains, application credentials where required, and network topology.
  • Ensure a technically competent point of contact is reachable during all testing windows to handle critical findings, service disruptions, or scope clarifications.
  • Notify all relevant internal teams (SOC, NOC, incident response, legal) of the testing window to prevent false positive alerts being treated as real incidents.
  • Notify any third-party monitoring services of the engagement dates to prevent unnecessary escalation.
  • Maintain full backups of all in-scope systems prior to testing. Vaassec is not responsible for any data loss arising from testing activities.
  • Respond to critical (P0/P1) finding notifications within 4 business hours.

05 Confidentiality

Both parties agree to treat all information exchanged during the engagement as strictly confidential. This includes all vulnerability findings, exploit chains, proof-of-concept code, client infrastructure details, and report contents.

Vaassec will not disclose, sell, or use Client data for any purpose other than delivering the agreed services. All engagement data is deleted within 90 days of final Report delivery.

Vaassec operators handle all engagement data in encrypted environments and communicate over secure channels only. These confidentiality obligations survive the termination of this Agreement for five (5) years.

06 Deliverables & Intellectual Property

Upon full payment, Vaassec delivers a written Report containing: an executive summary, technical findings, CVSS scores, reproduction steps, supporting evidence, and step-by-step remediation guidance. Reports are delivered in PDF format; Markdown export is available on request.

The Client owns all rights to the Report produced for their specific engagement. Vaassec retains ownership of all testing methodologies, tooling, scripts, and techniques. Nothing in this Agreement transfers ownership of Vaassec's underlying intellectual property to the Client.

Vaassec may reference engagements in aggregate anonymized statistics without disclosing Client identity or specific findings, unless the Client explicitly prohibits this in writing.

07 Payment Terms

Payment terms are as specified in the SOW. Standard terms are:

  • 50% deposit required before testing commences.
  • Remaining 50% due within 14 days of Report delivery.
  • Enterprise engagements follow custom payment schedules agreed in the SOW.
  • Free surface scans carry no payment obligation but are subject to all other terms in this Agreement.

Late payments are subject to interest at 1.5% per month or the maximum permitted by applicable law. Final Report delivery may be withheld until full payment is received. Deposits are non-refundable once scoping and preparation work has begun.

08 Limitation of Liability

To the maximum extent permitted by applicable law, Vaassec's total cumulative liability arising out of or relating to any engagement shall not exceed the total fees paid by the Client for that specific engagement.

Vaassec shall not be liable for any indirect, incidental, consequential, special, or punitive damages — including loss of revenue, data loss, reputational harm, or business interruption — even if advised of the possibility of such damages.

Penetration testing inherently carries risk to live systems. The Client acknowledges this risk and agrees that Vaassec acts in good faith within the agreed scope. System disruptions caused by legitimate in-scope testing activities do not constitute grounds for claims against Vaassec.

09 Risk Acknowledgment

The Client explicitly acknowledges and accepts that:

  • Penetration testing simulates a real attack. Services, servers, or applications may become temporarily unavailable or behave unexpectedly during testing.
  • Exploit attempts may trigger application crashes, log anomalies, or temporary performance degradation. This is inherent to realistic security testing.
  • Testing against live production systems carries higher disruption risk than staging environments. The Client accepts this risk where production systems are in scope.
  • Automated tools used during reconnaissance may trigger rate limiting or WAF rules. The Client is responsible for whitelisting testing IP ranges if continuity is required.
  • Vulnerabilities identified during testing may indicate pre-existing compromises. Vaassec is not responsible for attacker activity that predates the engagement.

10 Termination

Either party may terminate an engagement by providing written notice. Upon termination:

  • Vaassec will immediately cease all testing activities on the Client's systems.
  • The Client is responsible for fees covering all work completed up to the termination date.
  • Vaassec will deliver a partial report covering findings discovered prior to termination, where feasible.
  • All confidentiality obligations remain in full force after termination.

Vaassec may terminate immediately without notice if the Client misrepresents authorization, requests testing of unauthorized systems, or engages in conduct that could expose Vaassec to legal liability.

11 Data Handling

Any personal data or sensitive information encountered during testing is handled with strict discretion. Vaassec operators will not exfiltrate, read, or retain personal data beyond what is necessary to demonstrate proof of access for reporting purposes.

Engagement data is stored encrypted and accessible only to operators assigned to the engagement. Data is not shared with third parties under any circumstances except where required by law. Vaassec does not use engagement data for commercial purposes, research, or training datasets.

12 Governing Law & Disputes

This Agreement is governed by and construed in accordance with the laws of India. Any dispute arising out of or in connection with this Agreement that cannot be resolved amicably shall be subject to the exclusive jurisdiction of the courts of India.

Before initiating formal legal proceedings, both parties agree to attempt good-faith negotiation for a period of 30 days from written notice of the dispute.

13 Amendments

Vaassec reserves the right to update these Terms and Conditions at any time. Material changes will be communicated via the website with at least 14 days' notice before taking effect. Engagements already in progress continue under the terms in effect at SOW signing.

14 Contact

For any questions, concerns, or disputes regarding these Terms and Conditions:

  • Email: contact@vaassec.com
  • Response time: within 24 hours on business days
  • PGP key available on request for secure communication