Terms of Service
Last updated: March 2026
Apviso Terms of Service
Introductory Provisions and Definitions
These Terms of Service ("Terms") govern the rights and obligations of Penterep Security s.r.o., ID No.: 177 49 433, with its registered office at Ševčenkova 570/4, Bosonohy, 642 00 Brno, the Czech Republic, registered in the Commercial Register maintained by the Regional Court in Brno, file no. C 131321, as the operator of the Service on the one hand ("Operator"), and of natural or legal persons who use, intend to use, or otherwise access the Apviso online service on the other hand ("User").
The Apviso Service is a cloud-based software service provided exclusively in the form of software-as-a-service (SaaS), the purpose of which is, in particular, automated cybersecurity testing of web applications, API interfaces, selected domains, subdomains, IP addresses, and, where applicable, other digital systems or infrastructure components, to the extent permitted by the functional settings of the Platform at any given time. The Service is provided exclusively through a web interface available at https://apviso.com/ and related infrastructure, including automated scanning tools, reporting mechanisms, and, where applicable, analytical components utilizing elements of artificial intelligence, large language models, and similar technologies. The Service is not provided in the form of on-premises deployment, reselling, or through third-party distribution channels.
These Terms form an integral and binding part of every contract concluded between the Operator and the User in connection with the Service ("Contract") and apply to all legal relationships arising in connection with registration, activation of a User Account, ordering of paid Plans, initiating individual Scans, using prepaid usage allowances, accessing Reports, and using any additional functionalities of the Platform. Deviating provisions contained in an individual contract, enterprise offer, SLA, DPA, order, or other expressly agreed document shall prevail over these Terms to the extent of the deviation.
The Service is a standardized online product provided under the conditions set forth in these Terms, intended by its nature exclusively for the automated identification and prioritization of potential security risks. Unless expressly agreed otherwise in writing, the Operator does not, as part of the Service, provide individual manual penetration testing, personalized security consulting, legal analysis, expert opinions, compliance audits, certification, or any other professional service with an individually guaranteed result. The User expressly acknowledges and agrees that the Service is a technical tool operating on the basis of probabilistic, heuristic, signature-based, behavioral, and, where applicable, AI-supported methods, and that its outputs may therefore, in particular:
a. be incomplete, temporarily inaccurate, or subject to variation over time;
b. be conditional on the specific configuration of the tested system, the selected Preset, the scope of permissions granted, the availability of the Target System, or the AI model used; or
c. be affected by other circumstances that the Operator cannot fully control.
The Service does not constitute a guarantee of the security of the tested system or a warranty for the absence of vulnerabilities. A more detailed description of the nature of the outputs and the limitations of the Service is contained in Article 3 of these Terms.
For the purposes of these Terms, the following definitions apply:
a. "AI model" means any artificial intelligence model, large language model, or similar automated technology used in the provision of the Service, either directly by the Operator or through a Third-Party Provider;
b. "Civil Code" means Act No. 89/2012 Coll., the Civil Code, as amended from time to time;
c. "PAYG" or "Pay-as-you-go" means an on-demand usage mode in which the User pays for individual Scans, Retests, or other services separately, typically outside or in addition to the Subscription;
d. "Plan" means a specific pricing and functional mode of the Service, in particular Starter, Pro, Business, or Enterprise;
e. "Platform" means the online environment of the Apviso service accessible via the web interface at https://apviso.com/, including the user interface, administration sections, dashboards, reporting modules, the billing module, the interface for running Scans, the API, and related server systems;
f. "Preset" means the selected level of depth and scope of an individual Scan, in particular Low, Medium, High, or Ultra, which determines the intensity of testing, the scope of analysis, and the price of the Scan;
g. "Report" means any output of the Service, in particular a technical report, overview of findings, risk classification, AI summary, list of recommendations, dashboard output, or other results document or data output;
h. "Retest" means a repeated Test of the same or a similar Target System performed to verify that previously identified findings have been eliminated or mitigated;
i. "Scan" or "Test" means an individual automated security test initiated by the User and performed by the Service on the Target System to the extent and depth corresponding to the selected Preset;
j. "Service" means the totality of functionalities provided through the Platform, in particular registration, management of Target Systems, running of Scans, access to Reports, use of Plans, use of AI-supported features, and other related tools and components;
k. "Subscription" means recurring paid access to a specific Plan for an agreed period, with a specified volume or scope of the Service;
l. "Target System" means any website, web application, API, domain, subdomain, IP address, network or application component, infrastructure, or other digital system that the User designates for testing through the Service;
m. "Third-Party Provider" means a third party whose infrastructure, software, cloud service, payment solution, API, AI model, or other technological component is used in the provision of the Service;
n. "User Account" means an account created by the User for the purpose of accessing and using the Service;
o. "User Data" means all data, inputs, configurations, access information, metadata, logs, results, addresses, identifiers, and other content entered by the User into the Platform or created in connection with the use of the Service.
Terms used in the singular shall include the plural and vice versa, where the context so requires.
Conclusion of the Contract and User Account
The contractual relationship between the Operator and the User arises at the moment when the User duly completes registration through the Platform, creates a User Account, expresses unconditional consent to these Terms and, where applicable, other relevant documents, and the Operator makes the Service available to the User. By completing registration, the User confirms that they have fully acquainted themselves with these Terms, that they understand them, and that they accept them without reservation.
In the case of paid services, Plans, individual Scans, or other paid functionalities, the Contract in the relevant scope shall be deemed concluded no later than at the moment when the User completes the ordering process and submits a binding order through the relevant confirmation element in the Platform interface that clearly expresses the obligation to pay, in particular "Order with obligation to pay", "Upgrade", "Subscribe", "Pay", "Add Card", "Scan", or another similar confirmation. By submitting a binding order, the User expressly confirms their consent to the price, the scope of the ordered services, and these Terms.
The User consents to the use of means of distance communication in concluding the Contract and acknowledges that the costs associated with internet connection, terminal equipment, technical facilities, and other related expenses are borne exclusively by the User. The Service requires a stable internet connection; the User is obliged to ensure, prior to using the Service, that their connection is sufficient for the proper functioning of the Platform. The Operator shall not be liable for any limitations, reduction in quality, or unavailability of the Service caused by an insufficient or unstable internet connection on the part of the User.
The User is obliged to provide true, accurate, complete, and up-to-date information upon registration and throughout the term of the Contract, and to update such information without undue delay upon any change. The Operator is entitled to consider the information maintained in the User Account as correct and complete until the contrary is proven. The provision of false, incomplete, or misleading information constitutes a material breach of these Terms.
The Operator reserves the right to refuse registration, not to activate the Service, to block an order, or not to permit the conclusion of a Contract, including without stating any reasons, in particular if it has reasonable grounds to suspect that the User is acting or intends to act in violation of applicable law, these Terms, international sanctions regimes, or the rules for safe use of the Service, or if the registration, order, or use of the Service creates a disproportionate legal, security, commercial, or reputational risk for the Operator or third parties.
Access to the Service is conditional upon the existence of a valid and active User Account. The User Account is non-transferable and is intended exclusively for the User who created it, unless the applicable Plan or an individual enterprise agreement expressly provides otherwise, in particular with regard to the management of multiple users, teams, or roles within a single organizational account.
The User bears full responsibility for the security of their User Account and for all acts and activities carried out through their User Account, regardless of whether they were performed personally by the User or whether a third party gained access to the User Account for reasons attributable to the User. The User is, in particular, obliged to:
a. keep their login credentials confidential and adequately secure the email address associated with their User Account;
b. choose a sufficiently strong and unique password and protect access to the device from which they use the Service;
c. prevent unauthorized persons from accessing the User Account;
d. immediately notify the Operator of any suspected unauthorized access to the User Account, compromise of access credentials, or other security incident that may affect the Platform, Target Systems, or third parties; and
e. make reasonable use of two-factor authentication, role management, audit logs, and other additional security features, if enabled by the Platform, taking into account the sensitivity of the Target Systems and the data processed in connection with the Service.
Any deliberate failure to use available security features shall be exclusively at the User's own risk and responsibility, and the Operator shall bear no liability for any consequences arising therefrom.
The Operator is entitled at any time and without prior notice to temporarily restrict or suspend the User Account, to enforce a change of access credentials, or to take other reasonable security measures if it considers this necessary for the protection of the Platform, other users, Third-Party Providers, or third parties, in particular in the event of suspected compromise of the User Account, a breach of these Terms, suspected unauthorized testing, or a security incident.
Nature of the Service, Scope of Functionalities, and Nature of Outputs
The Service enables the User to enter Target Systems, configure testing parameters, initiate individual Scans, draw on prepaid or individually purchased capacities, view and export test results, and work with Reports and other outputs generated by the Platform, all within the scope corresponding to the selected Plan and these Terms. The scope and availability of individual functionalities depend, in particular, on:
a. the selected Plan, the status and type of the User Account;
b. the current availability of the relevant technologies;
c. the selected type of Scan, the AI model, or the Preset; and
d. whether it is standard self-service use or an individually negotiated enterprise mode.
The Operator reserves the right to adjust the scope of functionalities within individual Plans at any time in accordance with Article 8 of these Terms.
The Service is intended for automated testing of web applications, API interfaces, domains, subdomains, IP addresses, and related application components accessible through standard network protocols. Unless expressly stated otherwise in the relevant Plan, an individual enterprise agreement, or another expressly agreed written document, the Service is not intended for testing internal networks, operational technologies (OT), industrial control systems (ICS/SCADA), mobile applications, hardware devices, physical security elements, embedded systems, or other systems the testing of which may require specific technical, security, or regulatory procedures exceeding the standard functional scope of the Platform. The Operator shall not be liable for the consequences of using the Service to test systems that, by their nature, fall outside the functional scope defined above.
Within individual Plans or scanning modes, the Platform may offer varying levels of analysis depth, price tiers, numbers of Scans and Retests included, scheduled scanning, queue prioritization, various reporting formats, API access, integrations, automatic notifications (webhooks), single sign-on (SSO), team administration, or other functionalities. The precise scope of functionalities is always determined by the current price list, the product description in the Platform interface, an individual offer, or a separate contract.
The User expressly acknowledges and unconditionally agrees that the Service is an automated tool and that all of its outputs, including Reports, identification of findings, severity classifications, recommendations, AI summaries, and proposed mitigation measures, are of an exclusively supportive, indicative, and informative nature. Unless expressly agreed otherwise in writing, the Operator, in particular:
a. provides no express or implied warranty that the Service will detect all existing vulnerabilities, that findings will be complete, accurate, or optimally prioritized, or that proposed recommendations will be appropriate and applicable in all cases;
b. does not warrant that, following remediation of identified findings, the Target System will be secure, error-free, resistant to attack, or in compliance with any regulatory requirements; and
c. does not warrant that the Service replaces a formal security audit, manual penetration test, certification, compliance assessment, expert opinion, or any other professional evaluation of security status performed by a qualified professional.
The Service is provided "as is", without any express or implied warranties beyond those expressly set forth in these Terms. The outputs of the Service, including Reports, may not, without more, be used as evidence of compliance with ISO/IEC 27001, SOC 2, PCI DSS, or any other regulatory, certification, or industry standards, unless expressly agreed otherwise in writing. Any use of the outputs of the Service for the purposes of insurance claims, audits, certification, regulatory proceedings, or other formal assessments is exclusively at the User's own responsibility and risk. The User is obliged to independently and adequately verify all outputs of the Service before using them, in particular where they are to serve as a basis for technical, security, commercial, contractual, regulatory, insurance, investment, or other legally or economically significant decisions. The Operator shall not be liable for the consequences of decisions made on the basis of unverified outputs of the Service.
Legitimacy of Testing, Restrictions on Use, and User Responsibility
The User is entitled to use the Service exclusively in relation to such Target Systems for which the User holds, throughout the entire duration of testing, a corresponding and valid legal title and sufficient authorization, in particular ownership rights, the status of an authorized operator, explicit contractual authorization, internal corporate authorization, or another demonstrable legal basis entitling the User to perform security tests on the Target System to the extent corresponding to the type of Scan actually selected, the Preset, the intensity of testing, and the techniques employed. The User expressly and irrevocably represents, warrants, and confirms that, prior to initiating each individual Scan, the User has independently and with due care assessed that:
a. they are duly authorized to test the relevant Target System on the basis of a valid legal title;
b. the testing does not exceed the scope of the authorization granted;
c. the performance of the Test does not conflict with applicable law, contractual obligations, internal rules of the system owner or operator, or the rights of third parties; and
d. all conditions necessary for the legal, legitimate, and secure performance of the testing have been met.
The Service is provided exclusively as a tool for legitimate security testing of Target Systems for which the User holds the appropriate authorization within the meaning of Article 4.1 of these Terms. The Service is not intended for carrying out unauthorized attacks, intrusions into third-party systems, data exfiltration, or other activities that could be classified as unauthorized access to computer systems or data within the meaning of the relevant criminal law provisions, or as any other form of cybercrime. Any use of the Service in violation of this provision is exclusively at the User's risk, and the Operator bears no liability for the consequences of such use.
The User acknowledges that the Operator may, but is not obliged to, require verification of the Target System through the Platform prior to initiating a Scan. Any such verification serves exclusively for the technical confirmation of the User's control over the Target System and does not constitute a legal assessment of the legitimacy of testing, verification of ownership, or any form of authorization on the part of the Operator. Responsibility for the proper assessment of the legitimacy of testing shall always lie exclusively and without exception with the User, regardless of whether the Platform requires verification or not.
Prior to initiating each Test, the User is obliged to independently and with professional care assess the suitability of testing from a technical standpoint, in particular whether the selected type of Scan, its intensity, frequency, the AI model used, or the application of certain testing techniques could unreasonably interfere with the availability, performance, stability, integrity, security, or contractual parameters of the Target System, or cause harm to third parties.
The User shall not use the Service for any unlawful, unethical, or abusive conduct. A detailed enumeration of prohibited uses is contained in Article 9 of these Terms.
If the Operator has reasonable grounds to suspect that the User is testing a Target System without proper authorization or otherwise in violation of these Terms or applicable law, the Operator is entitled, without prior notice and without any liability for the consequences of such measure, to refuse to perform, interrupt, or terminate the Scan, to restrict or block the User Account, to suspend access to the Service, to request proof of authorization, or to take any other reasonable measures to protect its legitimate interests and the interests of third parties.
At the Operator's request, the User is obliged, without undue delay but no later than within the period specified by the Operator, to credibly demonstrate a valid legal title to test the specific Target System. If the User fails to demonstrate authorization within the required period or in the required manner, the Operator is entitled to treat such testing as unauthorized and to take all measures pursuant to these Terms.
The User expressly acknowledges and unconditionally agrees that the Operator acts exclusively in the capacity of a provider of a generally available technological tool enabling automated security testing on the basis of inputs, instructions, and configurations entered by the User. The Operator does not determine which Target System will be tested, who is its owner or authorized operator, whether the testing is legally permissible, whether the necessary authorization has been obtained, or whether the selected scope and intensity of testing correspond to the User's authorization. All decisions relating, in particular, to:
a. the choice of Target System, testing parameters, and intensity;
b. the timing of the Test and the use of access credentials;
c. the selection of the Plan, AI model, and Preset configuration;
d. the manner of handling the outputs of the Service; and
e. the assessment of the legal admissibility and regulatory compliance of the use of the Service in relation to a particular Target System, jurisdiction, infrastructure, or data set,
are made exclusively by the User, solely at their own responsibility and risk.
The User acknowledges that the use of security testing tools may, in certain jurisdictions, contractual relationships, industry regulations, or regulatory contexts, constitute a sensitive, restricted, or regulated activity. For the purposes of interpretation of these Terms, it is expressly and irrevocably agreed that responsibility for the legality, legitimacy, proportionality, and appropriateness of testing shall always and under all circumstances be borne exclusively by the User, and that the Operator shall bear no liability for any unlawful, unauthorized, or otherwise impermissible use of the Service by the User, even where such use was technically enabled through the Platform or was not detected or blocked by the Operator.
The User undertakes to handle all vulnerabilities, security findings, and other sensitive information discovered through the Service responsibly and in accordance with the principles of coordinated vulnerability disclosure. The User is, in particular, obliged to (i) not exploit an identified vulnerability to gain unauthorized access, exfiltrate data, escalate privileges, or for any other purpose beyond the identification and documentation of the security weakness, (ii) not disclose an identified vulnerability or its details without prior coordination with the owner or authorized operator of the affected Target System, (iii) minimize the impact of testing on the availability, integrity, and confidentiality of the Target System and the data contained therein, and (iv) provide the owner or authorized operator of the Target System with a reasonable period to remediate the identified vulnerability prior to any disclosure, at least to the extent consistent with customary standards in the area of responsible disclosure. The User acknowledges that a breach of this provision may constitute a material breach of these Terms and may simultaneously give rise to the User's liability for harm caused to third parties.
Plans, Prices, and Payment Terms
The Operator offers the Service in various Plans and pricing schemes, the structure, content, and prices of which may change from time to time. Typically, these include Starter, Pro, Business, and Enterprise Plans, with individual Plans differing mainly in the number of Scans and Retests included, available Presets, depth and scope of analysis, dashboard availability, scheduled scanning, queue prioritization, scope of technical support, availability of integrations, team features, SSO, API, and other parameters. Individual Scans are run in the selected Preset, which determines the depth, scope, and price of the Scan. A current overview of Plans and their parameters is available in the Platform interface.
The Service is provided in the form of a Subscription, under which the User gains access to a specified scope of the Service for an agreed period, or in the form of PAYG, under which individual Scans or other services are paid for separately without any commitment to recurring performance. The concurrent use of both modes within a single User Account is not excluded, provided that the Platform so permits.
If a specific Plan or the purchase process indicates that, upon exhaustion of the included Scans, the User may continue in PAYG mode, the User acknowledges and agrees that each additional Scan shall be charged separately in accordance with the current price list or the price displayed in the Platform interface at the time of ordering. Users with an active Subscription may benefit from preferential PAYG pricing compared to Users without a Subscription; the specific amount of any such discount is determined exclusively by the current price list or the Platform interface, and the Operator reserves the right to change it at any time. The specific scope of services included in the price of an individual Scan, including any Retest included therein, is determined by the current price list or the Platform interface.
The volume of included Scans, Retests, or other capacities is tied to the relevant Subscription period, unless expressly stated otherwise in writing. Unless expressly agreed otherwise, unused capacities shall not carry over to the next period, shall not be refunded, may not be exchanged for monetary consideration, and may not be transferred to another User. The User has no entitlement to any compensation for unused capacities.
Plans or functionalities designated in the Platform interface as available only for higher Plans — in particular scheduled scanning, certain integrations, automatic notifications (webhooks), priority support, custom extensions (custom skills), API, administration panel, or dedicated infrastructure — shall not give rise to any legal entitlement on the part of the User unless they are expressly included in the relevant Plan or an individual enterprise agreement. The Operator reserves the right to change the allocation of individual functionalities among Plans at any time.
Enterprise mode may be provided on the basis of a separate offer or an individual agreement, which may contain terms and conditions differing from these Terms, in particular with regard to prices, support, SLA, scope of functionalities, integrations, security measures, deployment, billing, or liability.
The prices of the Service are stated in the Platform interface, in the current price list, or in an individual offer. Unless expressly stated otherwise, all prices are quoted exclusive of value added tax (VAT) and other similar indirect taxes. VAT at the statutory rate applicable on the date of the taxable supply shall be added to the price where required by applicable law. The User acknowledges that the final price may also be affected by applicable exchange rates, bank charges, or fees of payment intermediaries.
The User is obliged to pay the price of the Service duly and on time by a method enabled by the Platform, in particular by payment card or another accepted online payment method. The Operator is entitled to use the payment services of Third-Party Providers, and the User expressly acknowledges and agrees that the execution and processing of payments may be subject to separate terms and conditions of the relevant payment intermediary, which the User is obliged to independently accept and comply with.
If the Service is provided in the form of a Subscription, the User is obliged to maintain a valid and functional payment method for the entire duration of the Subscription. If the Platform enables automatic renewal of the Subscription, the User expressly agrees that, upon expiry of the agreed period, the price for the subsequent period shall be automatically charged to the User's payment method, unless automatic renewal has been duly deactivated before the expiry of the current period. The User is solely responsible for the timely deactivation of automatic renewal if the User does not wish to renew the Subscription.
If an automatic payment fails for any reason, the Operator is entitled, without further notice, to restrict access to paid functionalities, not to renew the Subscription, to downgrade the User Account to a lower tier, to suspend the ability to initiate further Scans, or to request the User to update their payment details. The Operator shall not be liable for the consequences of Service restrictions caused by payment failure attributable to the User or the User's payment provider.
In the case of PAYG mode, the price of an individual Scan, Retest, or other service is payable at the time of ordering or immediately thereafter, depending on the specific settings of the purchase process in the Platform. The User expressly acknowledges and agrees that by initiating such a service, the User incurs an immediate and unconditional obligation to pay the applicable price.
The Operator reserves the right to unilaterally change the prices of the Service on an ongoing basis. A price change shall not affect a Subscription period for which payment has already been made or any individual service that has already been duly ordered and paid for, unless the change is necessitated by a change in taxes, fees, customs duties, or similar public law payments, which the Operator is obliged to reflect in the price without undue delay. The User shall be informed of any significant price changes in advance via the Platform or by email.
If the User is in default with the payment of any amount due, the Operator is entitled to charge statutory default interest and simultaneously, without further notice, to restrict, suspend, or completely discontinue the provision of the Service until all outstanding amounts, including any accessories thereof, have been paid in full. This shall be without prejudice to the Operator's right to compensation for harm caused by the default.
Running Scans, Automated Outputs, and Third-Party Provider Services
The User initiates Scans through the Platform by entering or selecting the Target System, performing any verification of the Target System required by the Platform, and configuring the available parameters, in particular the Preset, the payment method, and, where applicable, the AI model, if the selection of an AI model is enabled in the relevant user flow. By initiating a Scan, the User confirms that they satisfy all conditions for the legitimacy of testing set out in Article 4 of these Terms.
The User acknowledges that different Presets or different AI models may have different prices, processing speeds, testing depths, scopes of analysis, and natures of outputs. The User is responsible for choosing settings that correspond to their needs, permissions, and the technical capabilities of the Target System.
The Operator is entitled at any time to unilaterally establish and adjust the technical, operational, and security limits for running Scans, the number of concurrently running tests, the frequency of testing, the speed of queries, the maximum run time, the use of the API, access to Reports, or other functionalities of the Platform. These limits may differ depending on the Plan, the current technical state of the Platform, or the current infrastructure load, and the User shall have no entitlement to the modification thereof. The User is obliged to use the Service reasonably and in accordance with the principles of fair use. For the purpose of protecting the stability, security, and performance of the Platform and the infrastructure of Third-Party Providers, the Operator is entitled to introduce and unilaterally modify technical restrictions at any time, in particular:
a. rate limiting of requests or connections;
b. limits on the number of concurrent operations (concurrency limits);
c. restrictions on the volume of data transferred and the frequency of crawling;
d. caps on the maximum number of requests per time unit (request caps);
e. throttling of connection speeds or processing capacity; or
f. other reasonable measures against excessive, automated, or abusive use of the Service's capacity.
If the User exceeds the established limits or uses the Service in a manner that the Operator reasonably considers excessive, disproportionate, involving automated access outside the permitted API, or otherwise abusive, the Operator is entitled, without prior notice, to limit, slow down, reject, or suspend the User's access to the Service, without any liability for the consequences of such measure.
The Operator is entitled not to perform a Scan, to interrupt or terminate it, or to reject its results, if its performance could jeopardize the security or stability of the Platform, the infrastructure of Third-Party Providers, other users, or third parties, if it gives rise to reasonable suspicion of unauthorized testing, if it is contrary to applicable law, or if it is necessary for technical, security, regulatory, or operational reasons. If a Scan or other activity of the User through the Service causes or may cause a security incident, outage, disruption of availability, integrity, or confidentiality of the Target System or a third-party system, a complaint from the owner or operator of the affected system, or another serious operational impact, the Operator is entitled, without prior notice and without any liability for the consequences of such measure, in particular to:
a. immediately stop, interrupt, or terminate the ongoing Scan or other User activity;
b. suspend or restrict the User Account;
c. contact the owner or operator of the affected system to coordinate the resolution of the incident; and
d. forward relevant information to the competent public authorities if required by law or if necessary to protect the legitimate interests of the Operator, affected third parties, or the public interest.
The User is obliged to provide the Operator with all necessary cooperation in resolving such an incident without undue delay.
The User expressly acknowledges and agrees that certain test modes and Presets may cause increased load on the Target System, trigger detection by defense tools, temporarily affect the availability, performance, or stability of the tested system, or cause other operational effects, including the potential for data loss. The assessment of the adequacy of such risk and the adoption of appropriate preventive measures are always the sole responsibility of the User.
The Service may, in providing certain functionalities, utilize artificial intelligence systems, large language models, automated classification mechanisms, summarization tools, or other similar technologies, whether directly through the Operator's own infrastructure or through Third-Party Providers. The User expressly acknowledges and unconditionally agrees that:
a. these technologies are inherently probabilistic and non-deterministic in nature, and their outputs may be inaccurate, incomplete, outdated, biased, subject to hallucination, or otherwise objectively limited;
b. any Report, text summary, mitigation proposal, severity classification, prioritization, explanation, recommendation, or other output created in whole or in part using the AI model does not constitute a legal warranty, technical guarantee, binding expert opinion, certification, or any other authoritative opinion;
c. the Operator expressly does not warrant that the AI model will always correctly, completely, and reliably evaluate the significance, severity, priority, or context of a particular finding; and
d. if the Platform allows the User to select a specific AI model or level of processing, this choice may have a significant impact on the price, speed, scope, depth, and quality of the outputs provided, and the Operator shall not be liable for ensuring that the specific AI model selected will be optimal, sufficient, or suitable for the User's intended purpose.
The User is obliged to independently, adequately, and with professional care verify and validate all AI-supported outputs before making any significant technical, operational, contractual, compliance, investment, insurance, regulatory, or other decision with legal or economic consequences on the basis thereof. The Operator shall not be liable for any harm arising from the User's acceptance of an AI output as the sole, decisive, or predominant basis for a decision without proper independent verification.
The Service may be wholly or partially dependent on infrastructure, APIs, cloud services, payment gateways, AI models, or other tools and components provided by Third-Party Providers. The Operator does not warrant their availability, compatibility, accuracy, continuity, or security, nor shall it be liable for any changes to their documentation, prices, terms, functionality, or discontinuation of support. Any change, restriction, or outage of a Third-Party Provider's service may have a direct impact on the scope, quality, availability, or price of the Service, without this in itself giving rise to any liability on the part of the Operator towards the User.
If technically necessary for the proper provision of the Service, certain User Data, technical inputs, metadata, parts of Reports, or other relevant information may be processed, transferred, or stored via the infrastructure of Third-Party Providers, including outside the European Economic Area, provided that this is in accordance with applicable law. The scope and conditions of such processing are governed by the relevant personal data protection documents, any personal data processing agreements, and standard contractual clauses, where applicable.
Personal Data, Data in Target Systems, and Confidential Information
The User expressly acknowledges and agrees that in the course of using the Service, not only may personal data related to the registration and administration of the User Account be processed, but also that during automated testing, data residing in the Target System — including personal data, special categories of personal data, operational data, trade secrets, health data, customer data, authentication data, financial data, or other sensitive or regulated information — may be technically affected, accessed, captured, or otherwise processed.
The User is solely responsible for ensuring that they hold all requisite legal authorizations and consents and have fulfilled all statutory obligations necessary to enter the Target System into the Service, to initiate testing against it, and, where applicable, to permit the processing of any data accessed in the course of such testing. This responsibility applies in particular where the Target System is used to process third-party personal data, special categories of personal data, sensitive data, internal corporate data, or otherwise regulated content. The Operator shall bear no liability for any breach of the User's obligations in the area of personal data protection.
If the User uses the Service in an environment where personal data may be processed within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), or other applicable personal data protection legislation, the User is obliged to independently assess, at their own expense, whether the use of the Service requires the conclusion of a separate personal data processing agreement, the adoption of additional technical and organizational measures, the performance of a data protection impact assessment (DPIA), the provision of information to the data subjects concerned, the obtaining of relevant consents, or the fulfillment of other regulatory obligations.
The Operator processes personal data to the extent and under the conditions set out in the separate Privacy Policy, or in a separate personal data processing agreement, if such an agreement is concluded.
All non-public information that one contracting party discloses to the other in connection with the Contract or in the course of its performance, and which is confidential by its nature, is expressly designated as confidential, or the confidentiality of which can reasonably be assumed, shall be deemed confidential information. The recipient of such information is entitled to use it exclusively to the extent necessary for the performance of the Contract, is obliged to protect it with at least the same degree of care as it devotes to the protection of its own confidential information, and may not disclose it to third parties without a legal basis or prior written consent.
The confidentiality obligation does not apply to information that was demonstrably publicly known, was known to the recipient prior to its disclosure, was duly disclosed to the recipient by a third party without breach of confidentiality, or whose disclosure is required by law or a binding decision of a public authority.
The User expressly acknowledges and agrees that the Operator is entitled to retain technical logs, audit records, metadata, telemetry data, access records, records of initiated Scans, configuration records, IP addresses, device identifiers, and other operational and security records related to the use of the Service for a reasonable period necessary to ensure the security of the Platform, detect and prevent misuse, investigate security incidents, comply with legal and regulatory obligations, resolve disputes, conduct forensic analysis, perform technical diagnostics, and improve the Service. The Operator is entitled to disclose such records to the competent public authorities on the basis of a binding decision or a statutory requirement. The retention period for individual categories of records is governed by applicable law, the Operator's internal policies, and the principles of personal data processing.
Complaints, Defects, Service Availability, and Operational Changes
The User expressly acknowledges and unconditionally agrees that, given the inherent nature of cybersecurity testing and automated processing, a uniform, complete, exhaustive, or unchanging Test result cannot be guaranteed. Differing results may objectively arise depending on the time of the Test, the current system configuration, the state of defense mechanisms, the scope of access granted, the selected Preset, the AI model used, the availability of Third-Party Provider services, network conditions, or other technical circumstances beyond the Operator's control. In particular, the following shall expressly not be considered a defect of the Service:
a. a particular Scan did not identify a specific vulnerability or security risk;
b. the User expected a different scope, depth, or number of findings;
c. the prioritization or classification of the severity of findings does not correspond to the User's subjective assessment or expectations;
d. the output does not contain all the information that the User would prefer or consider necessary;
e. the Service did not lead to a specific security, commercial, regulatory, or compliance outcome; or
f. the Target System was attacked, compromised, or otherwise affected by a security incident even after the Scan was performed and the recommendations contained in the outputs of the Service were implemented.
The User is entitled to report an actual technical defect of the Service without undue delay after discovering it or after the User should have discovered it with the exercise of professional care, via the contact e-mail [email protected] or another communication channel expressly designated by the Operator. In the notification, the User is obliged to sufficiently specify the nature of the reported defect, its manifestations, and the relevant circumstances, and to provide all cooperation necessary for the Operator to review and assess the reported defect.
The Operator shall assess the reported defect within a reasonable period, having regard to its nature, complexity, and impact. If the complaint is found to be justified, the Operator is entitled, at its sole discretion, to remedy the defect, to provide a reasonable discount on the price, to offer an alternative remedy, or to provide another reasonable solution corresponding to the nature and severity of the defect. Unless the User is a consumer, the right to withdraw from the Contract on the grounds of a minor breach of obligation and the right to compensation for harm exceeding the limitations set out in Article 11 of these Terms are expressly excluded.
If the User is a consumer, their rights arising from defective performance shall apply to the extent that they cannot be excluded under mandatory legal provisions. No provision of these Terms shall be construed as depriving the consumer of statutory rights that cannot be contractually limited.
The Operator expressly does not guarantee continuous, uninterrupted, error-free, or secure availability of the Service. The User acknowledges and agrees that the Service may be temporarily unavailable or restricted, in particular due to planned or unplanned maintenance, security intervention, technical failure, outage or restriction of cloud infrastructure, outage or change of Third-Party Provider services, system overload, cyber-attacks, force majeure, or other circumstances beyond the reasonable control of the Operator.
The Operator reserves the right to modify, update, expand, restrict, technically adjust, optimize, or restructure the Service at any time and without the User's prior consent, including changes to the user interface, reporting methods, vulnerability categorization, pricing logic, workflows, AI models used, supported integrations, and types of Scans and Presets, provided that this does not violate mandatory legal provisions or individually agreed obligations expressly agreed in writing. The Operator is further entitled, for security, technical, regulatory, licensing, or commercial reasons, to temporarily or permanently restrict, suspend, or entirely disable a specific functionality, Preset, AI model, integration, scanning technique, or an entire Plan, if it considers this necessary or justified. In such a case, the Operator shall endeavor to ensure that the impact on existing Users is proportionate; however, the User expressly acknowledges that in the dynamically evolving field of cybersecurity and artificial intelligence, rapid product changes may be objectively justified, necessary, and unavoidable.
Unless expressly stated otherwise in a separate SLA or individual enterprise agreement, the User shall have no entitlement to any compensation, discount, damages, or other performance for the temporary unavailability, limitation, modification, or discontinuation of any functionality of the Service, except where such entitlement arises from mandatory legal provisions or from individual obligations of the Operator expressly agreed in writing.
Prohibited Use, Suspension, and Termination of the User Account
The User is obliged to use the Service exclusively in accordance with these Terms, applicable laws and regulations, the rights of third parties, accepted standards of ethical conduct, the legitimate interests of the Operator, and the fundamental principles of safe, responsible, and ethical cybersecurity testing. Any use of the Service in violation of these requirements is prohibited.
Prohibited use includes, but is not limited to:
a. unauthorized testing of third-party systems or testing exceeding the scope of the authorization granted;
b. obtaining unauthorized access to data or systems, exfiltration, copying, or unauthorized processing of data;
c. use of the Service for the purpose of exploiting identified vulnerabilities, or any active exploitation of identified vulnerabilities for purposes beyond their identification and documentation;
d. lateral movement within systems, attempts to escalate privileges, or attempts to gain unauthorized privileged access;
e. creating attack scenarios without proper authorization, or using the Service as a tool for reconnaissance of Target Systems for the purpose of preparing or facilitating an attack;
f. attempting to compromise the availability, integrity, or security of the Platform, or circumventing technical restrictions or security mechanisms of the Platform;
g. unauthorized sharing of access to a User Account, or misuse of the payment mechanism;
h. systematically obtaining non-public information about the functioning of the Platform, reverse engineering, uploading malicious code to the Platform, or accessing the Platform by automated means outside of the permitted API; or
i. any other action that may cause harm to the Operator, other users, Third-Party Providers, or third parties.
The Service is intended exclusively for the identification and prioritization of potential security weaknesses and must not be used to carry out any offensive activities exceeding this purpose.
If the User breaches these Terms, the Operator is entitled, depending on the severity and nature of the breach, and on a cumulative basis, in particular to:
a. notify the User of the breach and request rectification;
b. temporarily restrict some or all functionalities;
c. suspend the User Account;
d. block a specific Target System;
e. terminate a running Scan;
f. cancel the Subscription without entitlement to a refund of the price paid; or
g. terminate the Contract with immediate effect.
The selection of the specific measure shall be at the sole discretion of the Operator.
The Operator is also entitled to terminate the User Account or the Contract without compensation if the User is in default with payment, if the User Account has not been actively used for an extended period and the Operator decides to deactivate it, or if the further provision of the Service has ceased to be possible or reasonable from a legal, technical, or security standpoint.
Prices paid shall not be refunded upon termination of the User Account or the Contract for reasons attributable to the User, and the User shall have no entitlement to any compensation for unused capacities, unless mandatory legal provisions expressly provide otherwise.
Intellectual Property, Licenses, and Rights to Outputs
All intellectual property rights in the Platform, the Service, the software, their source and object codes, databases, algorithms, technical solutions, workflows, architecture, Report structures, texts, design, graphic elements, documentation, trademarks, trade names, trade secrets (know-how), and all other components of the Service belong exclusively to the Operator or its licensing partners. The User is not entitled to challenge, contest, register, or otherwise interfere with these rights in any way.
For the duration of the Contract, the Operator grants the User a limited, non-exclusive, non-transferable, non-sublicensable, and revocable authorization to use the Service exclusively to the extent necessary for its proper utilization in accordance with these Terms and the selected Plan. This authorization expressly does not include the right to further license, sublicense, reproduce, transfer, modify, decompile, reverse engineer, rent, sell, make available to third parties, provide as a service to third parties (reselling), or otherwise commercially exploit the Service outside the expressly agreed purpose.
Without the prior express written consent of the Operator, the User may not conduct, publish, or make available to third parties any comparative evaluations (benchmarks), comparative tests, performance analyses, evaluations of detection accuracy or completeness, comparisons with competing products or services, or other systematic evaluations of the Service or its outputs. The User further may not use the Service, its outputs, Reports, methodology, architecture, workflows, or any knowledge gained through the use of the Service for the purpose of developing, improving, training, or operating a competing product or service, competitive analysis, or other commercial exploitation for the benefit of a direct or indirect competitor of the Operator. A breach of this provision constitutes a material breach of these Terms.
The User remains the sole holder of rights to the User Data uploaded to the Platform, but grants the Operator a non-exclusive, worldwide, royalty-free, and revocable authorization to use, process, transfer, store, analyze, and otherwise handle such data to the extent necessary for the provision of the Service, ensuring security, performing diagnostics and providing technical support, preventing misuse, fulfilling legal obligations, and improving the operational characteristics of the Service. The Operator is further entitled to use such data in aggregated, statistical, pseudonymized, or anonymized form, where technically and legally permissible. The Operator expressly and bindingly declares that User Data, including data accessed in the course of testing Target Systems, shall not be used for training, fine-tuning, reinforcement learning, or other machine learning of AI models, whether by the Operator or by Third-Party Providers, unless the User grants express, informed, and separate consent for such specific use.
Reports and other outputs of the Service may be used by the User exclusively for their internal security, operational, and compliance purposes. Unless expressly agreed otherwise in writing, the User may not present, publish, or make the outputs of the Service available to third parties in a manner that would create the impression that the Operator has provided an individual audit, expert, certification, compliance, or legal opinion where this is not the case. A breach of this provision constitutes a material breach of these Terms.
Liability, Indemnification, and Exclusion of Certain Claims
To the maximum extent permitted by applicable law, the Operator's liability shall be limited exclusively to harm caused by a demonstrable and culpable breach of its obligations under these Terms or the Contract, which constitutes a typical, direct, and reasonably foreseeable consequence of such breach at the time of conclusion of the Contract. The Operator is expressly not liable for:
a. indirect harm, consequential harm, lost profits, loss of business opportunities, loss of data, loss of goodwill or reputation, business interruption, costs of replacement solutions, or other similar pecuniary or non-pecuniary harm that is not a direct and typical consequence of a breach of the Operator's obligations;
b. harm resulting from unauthorized, unlawful, or otherwise impermissible use of the Service, incorrect configuration of the Scan, incorrect interpretation or application of the Report, inappropriate choice of AI model or Preset, or absence of testing authorization;
c. harm resulting from the failure or change of Third-Party Provider services, force majeure, intervention by public authorities, cyber-attacks, or security incidents on the part of the User or a third party; or
d. harm caused by the User's failure to ensure adequate independent verification and validation of the outputs of the Service.
The total cumulative liability of the Operator for all claims of the User arising from or in connection with the Contract, regardless of the legal basis (contractual, tortious, unjust enrichment, or other), is, to the maximum extent permitted by law, limited to an amount corresponding to the aggregate of payments actually made by the User to the Operator for the Service during the twelve (12) months immediately preceding the first event giving rise to the claim. This limitation shall apply even if the Operator was advised of the possibility of such harm arising.
The User irrevocably undertakes to indemnify and hold harmless the Operator, its shareholders, members of statutory bodies, employees, associates, hosting providers, Third-Party Providers, contractual partners, representatives, and their respective legal successors, and to compensate them for all harm, damage, costs, penalties, fines, reasonable costs of legal representation, litigation costs, and other expenses incurred by them as a result of or in connection with (i) the User's breach of these Terms, (ii) unauthorized or unjustified testing, (iii) violation of applicable law, (iv) infringement of the rights of third parties, (v) the falsity, incompleteness, or misleading nature of the User's representations and warranties contained in these Terms, or (vi) claims of third parties raised in connection with the User's use of the Service.
Term of the Contract, Termination, and Consumer Rights
The Contract is concluded for an indefinite period, unless expressly stated otherwise for a specific Plan, order, or individual agreement. Individual Subscriptions are agreed for the period specified in the relevant offer or in the Platform interface and are automatically renewed in accordance with Article 5.9 of these Terms, unless the User expressly agrees otherwise or duly deactivates automatic renewal.
The User is entitled to cancel their User Account at any time and to cease using the Service in accordance with the procedure set out in the Platform interface. Cancellation of the User Account shall not affect any accrued and due obligations to pay the price, obligations arising from indemnification commitments, or any other claims of the Operator that arose prior to the effective date of termination of the Contract.
The Operator is entitled to withdraw from or terminate the Contract, or to suspend the User Account, with immediate effect and without prior notice, in particular if the User breaches these Terms, notably the provisions on the legitimacy of testing, prohibited use, or the User's obligations, if the User is in default with the payment of any amount due, if the User uses the Service in a manner that threatens the Platform, other users, Third-Party Providers, or third parties, or if the further provision of the Service is not possible or reasonable for legal, technical, security, licensing, or regulatory reasons.
If the User is a consumer, the Operator provides them with the pre-contractual information required by law through these Terms, the Platform interface, and the relevant ordering process.
The User-consumer expressly acknowledges that the Service constitutes the provision of services and the delivery of digital content not supplied on a tangible medium within the meaning of Section 1837(a) and (l) of the Civil Code. The User-consumer expressly agrees that the Service shall be provided immediately after the conclusion of the Contract, i.e., before the expiry of the withdrawal period, and acknowledges that by the provision of the Service, or the commencement of performance, their right to withdraw from the Contract shall expire.
Governing Law, Dispute Resolution, and Final Provisions
The Contract and all legal relationships arising therefrom or related thereto, including questions of its formation, validity, effectiveness, interpretation, and termination, shall be governed by the laws of the Czech Republic, in particular the Civil Code. If the User is a consumer, this shall not affect the mandatory provisions of the law of the country of their habitual residence that afford them a higher level of protection.
The contracting parties undertake to resolve all disputes arising from or in connection with the Contract primarily by amicable negotiation, in good faith and with reasonable efforts to reach a mutually acceptable solution. If the dispute is not resolved amicably within thirty (30) days of written notification of the dispute to the other party, the courts of the Czech Republic having subject-matter and territorial jurisdiction shall have jurisdiction to decide the dispute; in the case of entrepreneurs, the parties agree that local jurisdiction shall lie with the court having jurisdiction over the Operator's registered office, unless mandatory legal provisions provide otherwise.
If the User is a consumer, they have the right to out-of-court resolution of any disputes arising from or in connection with the Contract through the Czech Trade Inspection Authority (www.coi.cz or www.adr.coi.cz), Central Inspectorate -- ADR Department, with its registered office at Gorazdova 1969/24, 120 00 Prague 2, Czech Republic, e-mail: [email protected]. Out-of-court resolution of a consumer dispute is initiated upon the application of the User-consumer, which may be submitted in particular in writing, by oral statement recorded in a protocol, or electronically via an online form available on the website of the Czech Trade Inspection Authority.
The Operator reserves the right to unilaterally amend, supplement, or replace these Terms with a new version, in particular in the event of a change to the Service, a change in applicable legal regulations, a change in the business or technical model, a change in the terms of Third-Party Providers, a change in market conditions, or for another similarly serious and objectively justified reason. The User shall be informed of the change within a reasonable period prior to its effective date, in an appropriate manner, in particular through the Platform or by notification sent to the e-mail address specified in the User Account.
The amendment to the Terms shall take effect on the date specified by the Operator, but no earlier than upon the expiry of a reasonable period from its notification to the User, unless earlier implementation is necessary to fulfill legal obligations, security measures, regulatory requirements, or to address other urgent reasons. If the User continues to use the Service after the amendment takes effect, such continued use shall be deemed consent to the amended version of the Terms. If the User does not agree with the amendment, the User is entitled to terminate the Contract before the amendment takes effect in accordance with the procedure set out in these Terms.
If any provision of these Terms is found to be invalid, illegal, unenforceable, or ineffective, this shall not affect the validity, effectiveness, and enforceability of the remaining provisions. The contracting parties undertake to replace such provision with a valid and enforceable provision whose economic and legal meaning is as close as possible to that of the original provision.
The Operator is entitled to transfer, assign, or otherwise dispose of its rights and obligations under the Contract or related thereto to a third party, in particular in connection with the transfer of the business or a part thereof, transformation, merger, division, restructuring, sale of a product, or another similar corporate transaction, without the prior consent of the User. The User is not entitled to transfer, assign, or otherwise dispose of the Contract or the rights and obligations arising therefrom without the prior express written consent of the Operator.
The User expressly agrees that all communication between the Operator and the User may take place electronically, in particular via e-mail, the Platform interface, or the User Account. The User acknowledges and agrees that all notifications, confirmations, and other communications made in electronic form meet the requirement of written form within the meaning of the relevant legal regulations.
Operator's contact details:
a. mailing address: Penterep Security s.r.o., Ševčenkova 570/4, Bosonohy, 642 00 Brno, Czech Republic;
b. telephone number: +420 778 709 707;
c. e-mail address: [email protected].