Standard terms governing Penteor Technology Limited security testing, vulnerability scanning, and consultancy services.
Penteor delivers all engagement services with reasonable skill and care. Manual penetration testing is conducted during standard business hours (09:00–18:00 EET/EEST (UTC+2/+3), business days only), while automated vulnerability scanning may operate around the clock. Retesting of identified findings is provided at no additional charge during the active testing round and throughout the seven-day post-delivery support period that follows delivery. Retest requests may be submitted within thirty (30) days of the original report. Any critical-severity vulnerability discovered during an engagement is reported to the client immediately upon confirmation. All client data is stored within facilities certified in accordance with ISO/IEC 27001 and encrypted. Penteor will not commence testing against any target without prior written authorization from the client, and will not intentionally cause denial-of-service conditions unless explicitly agreed in a separate scope addendum. Hour estimates provided in proposals are indicative guidance and do not constitute binding commitments.
Scan by Penteor encompasses asset discovery, vulnerability management, and continuous automated scanning, all of which are provided on an "as is" and "as available" basis. Scans execute against enabled targets continuously, twenty-four hours a day. The client bears sole responsibility for ensuring that all configured targets are accurate and that the client holds proper authorization to scan them. Any liability arising from the scanning of unauthorized or incorrectly specified targets rests entirely with the client.
Radar by Penteor is an open-source intelligence (OSINT) gathering and passive reconnaissance service provided on an "as-is" basis. The service queries publicly available third-party data sources to identify potential threats, where a "threat" is defined as any information that could enable harm to the client's assets or operations. Penteor does not control the accuracy or completeness of third-party data sources and makes no warranties in that regard. All recommendations generated through the Radar service are advisory in nature. The client is solely responsible for evaluating and implementing any recommended actions, and for all outcomes resulting from such implementation.
The client must grant and maintain all necessary authorizations for Penteor to perform the agreed services. Full cooperation is required, including providing credentials, access to systems, and relevant documentation in a timely manner. The client is responsible for its own network connectivity and infrastructure stability during engagements. The client must prevent unauthorized access to the services by third parties. The client must promptly notify Penteor of any compromised systems or third parties that may be affected by testing activities. All targets must be owned by the client or the client must hold written consent from the target owner. Service credentials must be secured using strong passwords, changed at least every ninety days. Failure by the client to provide timely notice of material issues constitutes a material breach of the agreement. Penteor reserves the right to suspend services in the event of a client breach.
Penteor may revise its standard service rates at any time upon at least thirty (30) days' prior written notice, though the rate applicable to a specific engagement is fixed at the time of booking. Invoices are issued according to the schedule set out in the client portal. Payment is due immediately upon receipt of the invoice for card and direct debit transactions, and within fourteen days for bank transfer. In the event of overdue payment, Penteor may suspend services and charge interest at a rate of four percent above the applicable base rate on unpaid amounts. All prices quoted are exclusive of applicable taxes, including VAT, which will be added where required. Any unused credit balance on the client account expires automatically twelve months after being credited.
Subscription fees for the Scan and Radar services are displayed within the client portal at the time of activation. Each subscription renews automatically at the end of its current term until terminated by the client via the portal or in writing. Penteor may adjust subscription rates with a minimum of thirty days' prior notice before the next renewal date. No refund will be issued for any remaining unused portion of a subscription period following cancellation.
Penteor offers an optional installment payment arrangement, typically structured over a twelve-month period. Upon activation, the client's account balance is credited immediately. Monthly amounts are collected via direct debit or card payment on a recurring basis. A one-time setup fee may apply at the discretion of Penteor. The installment arrangement renews automatically unless canceled by either party. Early cancellation triggers the full outstanding balance becoming immediately due and payable. If a scheduled payment is missed and not remedied within twenty-four hours, Penteor reserves the right to cancel the installment plan and suspend access to the portal and all associated services.
All intellectual property rights in the services, the portal, methodologies, tools, and deliverable frameworks belong to and remain the exclusive property of Penteor. Intellectual property inherent in client-supplied data remains with the client. The client grants Penteor a limited, revocable license to display the client's trademarks and branding solely for the purpose of delivering the agreed services. The client must not copy, decompile, reverse-engineer, or redistribute any part of the portal or service infrastructure. The development of products or services that compete with any Penteor offering using knowledge or access gained through the engagement is strictly prohibited.
Both parties undertake to comply with all applicable data protection legislation, including the General Data Protection Regulation (GDPR). Where Penteor processes personal data on behalf of the client in the capacity of a data processor (person acting on behalf of the controller) pursuant to Article 28 GDPR, a separate Data Processing Agreement (DPA) will be executed between the parties prior to any such processing. Both Penteor and the client commit to implementing appropriate technical and organizational measures in accordance with Article 32 of the GDPR to safeguard personal data. In the event of a personal data breach, the affected party must notify the other within twenty-four hours of becoming aware of the incident.
Neither party shall disclose the other party's confidential information to any third party without prior written consent. All details of the services provided, including methodologies, pricing, and engagement structure, constitute Penteor's confidential information. Client data, including vulnerability reports and assessment findings, constitutes the client's confidential information. Disclosure is permitted solely to employees or contractors who have a legitimate need to access the information for the purposes of the engagement, provided they are bound by equivalent confidentiality obligations. Disclosure may also be made where required by law or regulation. A breach of confidentiality obligations entitles the non-breaching party to seek injunctive or other equitable relief.
The client agrees to indemnify, defend, and hold harmless Penteor, its directors, officers, and employees from and against all claims, damages, losses, liabilities, and expenses (including reasonable legal fees and costs) arising out of or relating to the client's use of the services, any breach of the agreement by the client, or any infringement of intellectual property rights caused by client-supplied materials or instructions. This indemnification obligation is conditional upon Penteor providing prompt written notice of the claim, reasonable cooperation in the defense, and granting the client sole authority and control over the conduct of the defense and settlement.
All services are provided on an "as is" and "as available" basis. To the maximum extent permitted by applicable law, Penteor shall not be liable for any indirect, incidental, special, or consequential damages, including but not limited to lost profits, lost revenue, loss of data, or business interruption, regardless of the legal basis of liability. Penteor's total aggregate liability under or in connection with the agreement shall in no event exceed the total fees actually paid by the client during the twelve-month period immediately preceding the event giving rise to the claim. Nothing in these terms limits or excludes liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot lawfully be excluded or limited under applicable law.
Neither party shall be liable for delays or failures in performance resulting from events beyond the reasonable control of the affected party, including natural disasters, acts of government, or widespread network failures (force majeure). The parties are independent contractors; nothing in the agreement creates a partnership, joint venture, or employment relationship. No third party has any right to enforce any term of the agreement. The client may not assign or transfer the agreement without Penteor's prior written consent. The agreement, together with all referenced documents, constitutes the entire understanding between the parties and supersedes all prior negotiations and representations. If any provision is found to be unenforceable, the remaining provisions continue in full effect. No waiver of any breach shall constitute a waiver of any subsequent breach. Either party may terminate the agreement by giving thirty days' written notice of a material breach that remains uncured. Either party may also terminate immediately upon the other party's insolvency. The agreement is governed by the laws of the applicable jurisdiction.
Key terms used throughout this agreement have the meanings set out below. "Agreement" refers to the contract formed by these terms and any applicable order or Statement of Work (SOW). The "Post-Delivery Support Period" (Aftercare Period) is the seven calendar days immediately following delivery of the final report. "Business Day" means any day other than a Saturday, Sunday, or public holiday. "Confidential Information" encompasses all non-public information disclosed by either party. "Client Data" means data provided by the client or generated through the services. "Data Protection Laws" include the GDPR and the ePrivacy Directive as applicable. "Fees" are the charges set out in the portal or statement of work. A "Finding Retest" is the re-examination of a previously reported vulnerability. "Normal Testing Hours" are 09:00 to 18:00 EET/EEST (UTC+2/+3) on business days. "Penetration Testing" is the authorized simulation of attacks against a target. A "Personal Data Breach" has the meaning defined in the GDPR. "Portal" means the Penteor client platform. "Services" covers all offerings provided under the agreement. "Target" is any system, application, or network authorized for testing. "User" is any individual granted access to the portal by the client.