Terms of Service

Last updated: 2026-06-13 · Operator: pentes.io (Adnan Bassem, sole proprietor) · Contact: legal@pentes.io

These terms govern your use of pentes.io. The core rule is simple: you may only scan assets you have cryptographically proven you own, the platform enforces that rule at the worker, and every scan is backed by an immutable authorization record. Everything else in these terms exists to make that promise legally durable.

1. Parties and acceptance

These terms are between you (or the legal entity you represent) and pentes.io ("we", "us"). By creating an account or running a scan you accept these terms. If you are entering into them on behalf of an organization, you confirm you have authority to bind that organization.

2. The service

pentes.io is an attack-surface monitoring service. We run non-destructive security checks (currently nuclei, OWASP ZAP in baseline mode, and testssl.sh) against assets you've cryptographically proven you own, structure the findings as SARIF 2.1.0, triage them with an LLM, and render an interactive report. We are explicitly not an exploitation tool or pentesting agency; we do not run intrusive templates, auth brute-forcing, or active exploitation modules.

3. Authorization and scope

  1. Verification gate. Before a scan runs, you must prove ownership of the target via a DNS TXT record, file path, or HTTP response header. Our worker re-verifies that proof at the moment of scan start.
  2. Per-scan authorization agreement. Each scan you start records a contractual statement — a click-through agreement — confirming you are authorized to test the asset and accept the scope of the checks. We store this immutably in our audit log.
  3. Scope enforcement is architectural. The worker, not policy, restricts targets to verified assets. UI checks are advisory only.
  4. Indirect targets. If your verified asset includes third-party endpoints (CDN edge nodes, OAuth providers, hosting infrastructure), scanning those is your responsibility under any contracts and laws that govern them. We will pause or terminate scans against asset configurations that appear to violate this section.

4. Acceptable use

You agree not to:

Violations may result in immediate suspension, termination, forfeiture of prepaid fees, and referral to law enforcement where warranted.

5. Your account

You are responsible for safeguarding your credentials and for all activity under your account. Notify us at security@pentes.io as soon as you suspect unauthorized use. We may suspend accounts that show signs of compromise in order to protect the integrity of the audit log.

6. Fees and billing

7. Findings, reports, and your data

Findings, SARIF blobs, and rendered reports about your assets are your data. We process them as your processor (see DPA). You grant us a limited, non-exclusive licence to store, process, and display them in order to operate the service for you. We do not use your data to train any third-party AI model.

8. Intellectual property

The pentes.io platform, brand, design system, and source code are ours (or our licensors'). The open-source scanners we orchestrate (nuclei, ZAP, testssl.sh) are governed by their respective licences. Nothing in these terms transfers our IP to you beyond the licence to use the service.

9. Warranty disclaimer

The service is provided "as is" and "as available". We disclaim all warranties to the maximum extent permitted by law, including any implied warranties of merchantability, fitness for a particular purpose, non-infringement, and accuracy of findings. Security scanning cannot enumerate every vulnerability; absence of a finding is not a guarantee of absence of a vulnerability.

10. Limitation of liability

To the maximum extent permitted by law, neither party is liable for indirect, consequential, incidental, special, or punitive damages, or for lost profits, lost revenue, or loss of data. Our aggregate liability to you under these terms is capped at the greater of (a) the fees you paid us in the 12 months preceding the claim or (b) US$100.

Nothing in this section limits liability for gross negligence, fraud, or anything else that cannot be limited under applicable law.

11. Indemnity

You will defend and indemnify us against any third-party claim arising from (a) your submission of an asset you did not own or were not authorized to test, (b) your breach of section 4 (Acceptable Use), or (c) your use of a finding or report to take action against a third party.

12. Term and termination

These terms apply for as long as you have an account. Either of us may terminate for any reason on 30 days' notice; we may terminate immediately for material breach of section 3 or section 4. Termination does not affect (a) accrued payment obligations or (b) our retention of the audit log under section 5 of the Privacy Policy.

13. Governing law and disputes

These terms are governed by the laws of the operator's jurisdiction (to be finalized as part of company formation pre-GA). Pending finalization we'll resolve disputes in good faith via email first, mediation second, and litigation only as a last resort. This section will be updated before GA launch with concrete jurisdiction and dispute-resolution mechanics; if you need that detail now, email legal@pentes.io.

14. Changes to these terms

Material changes will bump the version stamp at the top of this page and be announced to account holders by email at least 14 days before they take effect. Continued use after the effective date is acceptance of the new terms.

15. Contact