Terms of Service
================

Last updated: May 2026

Apviso Terms of Service

Introductory Provisions and Definitions
=======================================

These Terms of Service ("**Terms**") govern the rights and obligations of Mikuláš Třos (Apviso), ID No.: 88767221, with its registered office at Krásné Loučky 34/34, 794 01, Krnov, the Czech Republic, as the operator of the Service on the one hand ("**Operator**"), and of natural or legal persons who use, intend to use, or otherwise access the Apviso online service on the other hand ("**User**").

The Apviso Service is a cloud-based control plane and related software for coordinating automated cybersecurity testing performed from self-hosted environments operated by or on behalf of the User. The Service is provided through the web interface available at [https://apviso.com/](/), related APIs, runner enrollment and licensing mechanisms, reporting mechanisms, integrations, and, where applicable, analytical components utilizing artificial intelligence, large language models, and similar technologies. Unless expressly agreed otherwise in a separate written agreement, the Operator does not provide APVISO-managed penetration testing infrastructure, does not operate hosted pentester capacity for the User, does not originate Pentests from infrastructure controlled by the Operator, and does not provide model-provider accounts or model API usage for the User.

The Service is intended to coordinate and document security testing performed by User-operated Runners. The User is solely responsible for deploying, operating, securing, monitoring, and maintaining each Runner and for supplying all model credentials, target credentials, cloud accounts, network access, compute resources, storage, container runtime, logs, secrets management, and other infrastructure required for the Runner to execute Pentests.

These Terms form an integral and binding part of every contract concluded between the Operator and the User in connection with the Service ("**Contract**") and apply to all legal relationships arising in connection with registration, activation of a User Account, ordering of paid Plans, registering or operating Runners, initiating Pentest jobs, accessing Reports, using integrations, and using any additional functionalities of the Platform. Deviating provisions contained in an individual contract, enterprise offer, SLA, DPA, order, or other expressly agreed document shall prevail over these Terms to the extent of the deviation.

The Service is a standardized online product provided under the conditions set forth in these Terms, intended by its nature exclusively for the automated identification and prioritization of potential security risks. Unless expressly agreed otherwise in writing, the Operator does not, as part of the Service, provide individual manual penetration testing, managed security operations, personalized security consulting, legal analysis, expert opinions, compliance audits, certification, or any other professional service with an individually guaranteed result. The User expressly acknowledges and agrees that the Service is a technical tool operating on the basis of probabilistic, heuristic, signature-based, behavioral, and, where applicable, AI-supported methods, and that its outputs may therefore, in particular:

a. be incomplete, temporarily inaccurate, or subject to variation over time;

b. be conditional on the specific configuration of the Target System, the Runner, the selected Preset, the scope of permissions granted, the network visibility available to the Runner, the availability of the Target System, or the AI model used; or

c. be affected by circumstances that the Operator cannot fully control, including User infrastructure, Third-Party Provider terms and availability, model rate limits, model safety filters, and the User's BYOK configuration.

The Service does not constitute a guarantee of the security of the tested system or a warranty for the absence of vulnerabilities. A more detailed description of the nature of the outputs and the limitations of the Service is contained in Article 3 of these Terms.

For the purposes of these Terms, the following definitions apply:

a. "**AI model**" means any artificial intelligence model, large language model, or similar automated technology used in connection with the Service, including a model accessed through BYOK Credentials or through a Third-Party Provider selected or configured by the User;

b. "**BYOK Credentials**" means API keys, access tokens, credentials, account identifiers, configuration values, or similar secrets supplied, controlled, or paid for by the User for the purpose of connecting a Runner, workflow, or integration to an AI model, cloud service, or other Third-Party Provider;

c. "**Civil Code**" means Act No. 89/2012 Coll., the Civil Code, as amended from time to time;

d. "**Control Plane**" means the cloud-hosted portion of the Service operated by the Operator for registration, licensing, dashboards, runner enrollment, job coordination, result ingestion, reporting, integrations, billing, administration, and related API functions;

e. "**Plan**" means a specific pricing and functional mode of the Service, in particular Solo, Launch, Team, Partner, or Enterprise;

f. "**Platform**" means the online environment of the Apviso service accessible via the web interface at [https://apviso.com/](/), including the Control Plane, user interface, administration sections, dashboards, reporting modules, billing module, APIs, runner enrollment, job coordination, integrations, and related server systems operated by the Operator;

g. "**Preset**" means the selected level of depth and scope of an individual Pentest, such as Quick Check, Launch Review, Full Pentest, or Compliance Evidence, which determines the intensity of testing and the scope of analysis;

h. "**Report**" means any output of the Service, in particular a technical report, overview of findings, risk classification, AI summary, list of recommendations, dashboard output, or other results document or data output generated from data submitted to the Platform by a Runner or by the User;

i. "**Retest**" means a repeated Test of the same or a similar Target System performed to verify that previously identified findings have been eliminated or mitigated;

j. "**Runner**" means software, container images, agents, command-line tools, workers, or other components installed, configured, or operated by or on behalf of the User in a self-hosted environment to claim Pentest jobs from the Control Plane and execute testing from the User's infrastructure, account, network, or other environment selected by the User;

k. "**Pentest**" or "**Test**" means an individual automated security test initiated by the User through the Platform and executed by a Runner against the Target System to the extent and depth corresponding to the selected Preset;

l. "**Service**" means the totality of functionalities provided through the Platform and related Runner software, in particular registration, management of Target Systems, runner enrollment, licensing, job coordination, access to Reports, use of Plans, use of AI-supported features, integrations, and other related tools and components;

m. "**Subscription**" means recurring paid access to a specific Plan for an agreed period, with a specified scope of licensed access, runner capacity, concurrency, target limits, features, support, or other entitlements;

n. "**Target System**" means any website, web application, API, domain, subdomain, IP address, network or application component, infrastructure, local environment, staging environment, private system, or other digital system that the User designates for testing through the Service;

o. "**Third-Party Provider**" means a third party whose infrastructure, software, cloud service, payment solution, API, AI model, data-processing service, hosting environment, or other technological component is used in connection with the Service, whether contracted by the Operator or selected, configured, or paid for by the User;

p. "**User Account**" means an account created by the User for the purpose of accessing and using the Service;

q. "**User Data**" means all data, inputs, configurations, access information, metadata, logs, runner telemetry, results, addresses, identifiers, and other content entered by the User into the Platform, submitted by a Runner to the Platform, or created in connection with the use of the Service.

Terms used in the singular shall include the plural and vice versa, where the context so requires.

Conclusion of the Contract and User Account
===========================================

The contractual relationship between the Operator and the User arises at the moment when the User duly completes registration through the Platform, creates a User Account, expresses unconditional consent to these Terms and, where applicable, other relevant documents, and the Operator makes the Service available to the User. By completing registration, the User confirms that they have fully acquainted themselves with these Terms, that they understand them, and that they accept them without reservation.

In the case of paid services, Plans, runner licenses, add-ons, or other paid functionalities, the Contract in the relevant scope shall be deemed concluded no later than at the moment when the User completes the ordering process and submits a binding order through the relevant confirmation element in the Platform interface that clearly expresses the obligation to pay, in particular "Order with obligation to pay", "Upgrade", "Subscribe", "Pay", "Add Card", "Activate", or another similar confirmation. By submitting a binding order, the User expressly confirms their consent to the price, the scope of the ordered services, and these Terms.

The User consents to the use of means of distance communication in concluding the Contract and acknowledges that the costs associated with internet connection, terminal equipment, Runner infrastructure, container runtime, network connectivity, cloud resources, model-provider accounts, BYOK Credentials, and other related expenses are borne exclusively by the User. The Service requires a stable internet connection between the Platform and each Runner. The Operator shall not be liable for any limitations, reduction in quality, failed Pentest, or unavailability caused by an insufficient, unstable, blocked, rate-limited, misconfigured, or insecure environment on the part of the User or a User-selected Third-Party Provider.

The User is obliged to provide true, accurate, complete, and up-to-date information upon registration and throughout the term of the Contract, and to update such information without undue delay upon any change. The Operator is entitled to consider the information maintained in the User Account as correct and complete until the contrary is proven. The provision of false, incomplete, or misleading information constitutes a material breach of these Terms.

The Operator reserves the right to refuse registration, not to activate the Service, to block an order, or not to permit the conclusion of a Contract, including without stating any reasons, in particular if it has reasonable grounds to suspect that the User is acting or intends to act in violation of applicable law, these Terms, international sanctions regimes, export-control rules, model-provider restrictions, or the rules for safe use of the Service, or if the registration, order, or use of the Service creates a disproportionate legal, security, commercial, or reputational risk for the Operator or third parties.

Access to the Service is conditional upon the existence of a valid and active User Account. The User Account is non-transferable and is intended exclusively for the User who created it, unless the applicable Plan or an individual enterprise agreement expressly provides otherwise, in particular with regard to the management of multiple users, teams, roles, organizations, partners, or client workspaces within a single organizational account.

The User bears full responsibility for the security of their User Account, API keys, runner enrollment tokens, runner authentication tokens, BYOK Credentials, integration credentials, and for all acts and activities carried out through their User Account or Runners, regardless of whether they were performed personally by the User or whether a third party gained access for reasons attributable to the User. The User is, in particular, obliged to:

a. keep login credentials, runner tokens, API keys, BYOK Credentials, integration credentials, and target credentials confidential and adequately secured;

b. choose sufficiently strong and unique passwords and protect access to devices, servers, CI/CD systems, secret stores, and other systems from which they use the Service or operate Runners;

c. prevent unauthorized persons from accessing the User Account, Runners, logs, Reports, secrets, and Target Systems;

d. immediately notify the Operator of any suspected unauthorized access to the User Account, compromise of runner tokens, compromise of BYOK Credentials, compromise of target credentials, or other security incident that may affect the Platform, Runners, Target Systems, or third parties; and

e. make reasonable use of two-factor authentication, role management, audit logs, approval gates, token rotation, network segmentation, least-privilege access, and other additional security features, if enabled by the Platform or reasonably available in the User's environment.

Any deliberate failure to use available security features shall be exclusively at the User's own risk and responsibility, and the Operator shall bear no liability for any consequences arising therefrom.

The Operator is entitled at any time and without prior notice to temporarily restrict or suspend the User Account, revoke or rotate runner tokens, refuse runner enrollment, enforce a change of access credentials, or take other reasonable security measures if it considers this necessary for the protection of the Platform, other users, Third-Party Providers, or third parties, in particular in the event of suspected compromise, a breach of these Terms, suspected unauthorized testing, abnormal runner behavior, or a security incident.

Nature of the Service, Scope of Functionalities, and Nature of Outputs
======================================================================

The Service enables the User to enter Target Systems, register and manage Runners, configure testing parameters, initiate Pentest jobs, coordinate Pentest status through the Control Plane, receive results submitted by Runners, view and export Reports, use integrations, and work with other outputs generated by the Platform, all within the scope corresponding to the selected Plan and these Terms. The scope and availability of individual functionalities depend, in particular, on:

a. the selected Plan, the status and type of the User Account, and the applicable license state;

b. the current availability of the Platform, the Runner, and relevant Third-Party Provider technologies;

c. the selected type of Pentest, the AI model, the Preset, and the Runner configuration;

d. the network visibility, permissions, secrets, and resources made available by the User to the Runner; and

e. whether it is standard self-service use or an individually negotiated enterprise, partner, or embedded mode.

The Operator reserves the right to adjust the scope of functionalities within individual Plans at any time in accordance with Article 8 of these Terms.

The Operator operates the Control Plane. The User operates the Runner. Unless expressly agreed otherwise in writing, the Operator does not host, administer, supervise, or control the runtime environment from which Pentests are executed, and does not control the source IP address, network path, firewall rules, egress permissions, local resource limits, local storage, local logs, local secrets, target credentials, model credentials, or target reachability available to the Runner. The User acknowledges that a Pentest may fail, produce incomplete results, or cause operational effects if the Runner, Target System, network, model provider, or other User-controlled dependency is unavailable, misconfigured, under-resourced, blocked, rate-limited, or otherwise unsuitable.

The Service is intended for automated testing of web applications, API interfaces, domains, subdomains, IP addresses, local, staging, private, and related application components that are reachable from the Runner and are within the User's authorization. Unless expressly stated otherwise in the relevant Plan, an individual enterprise agreement, or another expressly agreed written document, the Service is not intended for testing operational technologies (OT), industrial control systems (ICS/SCADA), safety-critical systems, medical devices, hardware devices, physical security elements, embedded systems, or other systems the testing of which may require specific technical, security, safety, or regulatory procedures exceeding the standard functional scope of the Platform. The Operator shall not be liable for the consequences of using the Service to test systems that, by their nature, fall outside the functional scope defined above.

Within individual Plans or pentesting modes, the Platform may offer varying levels of analysis depth, runner limits, concurrent job limits, active target limits, allowed target visibility, approval gates, scheduled pentesting, various reporting formats, API access, integrations, automatic notifications (webhooks), single sign-on (SSO), team administration, audit logs, governance controls, or other functionalities. The precise scope of functionalities is always determined by the current price list, the product description in the Platform interface, an individual offer, or a separate contract.

The User expressly acknowledges and unconditionally agrees that the Service is an automated tool and that all of its outputs, including Reports, identification of findings, severity classifications, recommendations, AI summaries, and proposed mitigation measures, are of an exclusively supportive, indicative, and informative nature. Unless expressly agreed otherwise in writing, the Operator, in particular:

a. provides no express or implied warranty that the Service will detect all existing vulnerabilities, that findings will be complete, accurate, or optimally prioritized, or that proposed recommendations will be appropriate and applicable in all cases;

b. does not warrant that, following remediation of identified findings, the Target System will be secure, error-free, resistant to attack, or in compliance with any regulatory requirements; and

c. does not warrant that the Service replaces a formal security audit, manual penetration test, certification, compliance assessment, expert opinion, or any other professional evaluation of security status performed by a qualified professional.

The Service is provided "as is", without any express or implied warranties beyond those expressly set forth in these Terms. The outputs of the Service, including Reports, may not, without more, be used as evidence of compliance with ISO/IEC 27001, SOC 2, PCI DSS, DORA, NIS2, or any other regulatory, certification, or industry standards, unless expressly agreed otherwise in writing. Any use of the outputs of the Service for the purposes of insurance claims, audits, certification, regulatory proceedings, or other formal assessments is exclusively at the User's own responsibility and risk. The User is obliged to independently and adequately verify all outputs of the Service before using them, in particular where they are to serve as a basis for technical, security, commercial, contractual, regulatory, insurance, investment, or other legally or economically significant decisions. The Operator shall not be liable for the consequences of decisions made on the basis of unverified outputs of the Service.

Legitimacy of Testing, Restrictions on Use, and User Responsibility
===================================================================

The User is entitled to use the Service exclusively in relation to such Target Systems for which the User holds, throughout the entire duration of testing, a corresponding and valid legal title and sufficient authorization, in particular ownership rights, the status of an authorized operator, explicit contractual authorization, internal corporate authorization, client authorization, or another demonstrable legal basis entitling the User to perform security tests on the Target System to the extent corresponding to the type of Pentest actually selected, the Preset, the intensity of testing, the network location of the Runner, and the techniques employed. The User expressly and irrevocably represents, warrants, and confirms that, prior to initiating each individual Pentest, the User has independently and with due care assessed that:

a. they are duly authorized to test the relevant Target System on the basis of a valid legal title;

b. the testing does not exceed the scope of the authorization granted;

c. the performance of the Test does not conflict with applicable law, contractual obligations, acceptable use policies, model-provider terms, hosting-provider terms, internal rules of the system owner or operator, or the rights of third parties; and

d. all conditions necessary for the legal, legitimate, proportionate, and secure performance of the testing have been met.

The Service is provided exclusively as a tool for legitimate security testing of Target Systems for which the User holds the appropriate authorization within the meaning of Article 4.1 of these Terms. The Service is not intended for carrying out unauthorized attacks, intrusions into third-party systems, data exfiltration, denial-of-service activities, credential theft, malware deployment, or other activities that could be classified as unauthorized access to computer systems or data within the meaning of the relevant criminal law provisions, or as any other form of cybercrime. Any use of the Service in violation of this provision is exclusively at the User's risk, and the Operator bears no liability for the consequences of such use.

The User acknowledges that, in self-hosted mode, the Platform may rely on runner readiness, license status, target visibility, job metadata, and similar technical checks instead of domain-ownership verification methods such as DNS TXT records, hosted files, or meta tags. Any such technical check serves exclusively for operational routing, license enforcement, and basic safety gating, and does not constitute a legal assessment of the legitimacy of testing, verification of ownership, or authorization on the part of the Operator. Responsibility for the proper assessment of the legitimacy of testing shall always lie exclusively and without exception with the User, regardless of whether the Platform permits the User to initiate a Pentest.

Prior to initiating each Test, the User is obliged to independently and with professional care assess the suitability of testing from a technical standpoint, in particular whether the selected type of Pentest, its intensity, frequency, the network position of the Runner, the BYOK configuration, the AI model used, or the application of certain testing techniques could unreasonably interfere with the availability, performance, stability, integrity, security, contractual parameters, provider terms, or regulatory obligations applicable to the Target System, the User's infrastructure, or third parties.

The User is responsible for configuring the Runner so that it can reach only the systems the User is authorized to test, for adopting reasonable network segmentation and egress controls, for removing unnecessary privileges and secrets from the Runner environment, and for preventing accidental testing of systems outside the approved scope. The User is also responsible for all notices, abuse reports, IP blocks, provider complaints, security alerts, or other consequences arising from the fact that Pentests originate from infrastructure, networks, IP addresses, accounts, or providers selected by or attributable to the User.

The User shall not use the Service for any unlawful, unethical, or abusive conduct. A detailed enumeration of prohibited uses is contained in Article 9 of these Terms.

If the Operator has reasonable grounds to suspect that the User is testing a Target System without proper authorization or otherwise in violation of these Terms or applicable law, the Operator is entitled, without prior notice and without any liability for the consequences of such measure, to refuse to coordinate a Pentest, cancel a pending job, request cancellation of an ongoing job, revoke or suspend a Runner, restrict or block the User Account, suspend access to the Service, request proof of authorization, or take any other reasonable measures to protect its legitimate interests and the interests of third parties. Because Runners operate outside the Operator's infrastructure, the User remains responsible for promptly stopping any Runner or Pentest when required.

At the Operator's request, the User is obliged, without undue delay but no later than within the period specified by the Operator, to credibly demonstrate a valid legal title to test the specific Target System. If the User fails to demonstrate authorization within the required period or in the required manner, the Operator is entitled to treat such testing as unauthorized and to take all measures pursuant to these Terms.

The User expressly acknowledges and unconditionally agrees that the Operator acts exclusively in the capacity of a provider of a generally available technological control plane enabling automated security testing on the basis of inputs, instructions, configurations, Runners, and infrastructure selected or operated by the User. The Operator does not determine which Target System will be tested, who is its owner or authorized operator, whether the testing is legally permissible, whether the necessary authorization has been obtained, whether the selected scope and intensity of testing correspond to the User's authorization, or whether the User's Runner environment is appropriate. All decisions relating, in particular, to:

a. the choice of Target System, testing parameters, and intensity;

b. the timing of the Test and the use of access credentials;

c. the selection, deployment, location, configuration, and operation of the Runner;

d. the selection of the Plan, AI model, Preset, BYOK Credentials, and Third-Party Providers;

e. the manner of handling the outputs of the Service; and

f. the assessment of the legal admissibility and regulatory compliance of the use of the Service in relation to a particular Target System, jurisdiction, infrastructure, provider, or data set,

are made exclusively by the User, solely at their own responsibility and risk.

The User acknowledges that the use of security testing tools may, in certain jurisdictions, contractual relationships, industry regulations, model-provider terms, cloud-provider terms, or regulatory contexts, constitute a sensitive, restricted, or regulated activity. For the purposes of interpretation of these Terms, it is expressly and irrevocably agreed that responsibility for the legality, legitimacy, proportionality, and appropriateness of testing shall always and under all circumstances be borne exclusively by the User, and that the Operator shall bear no liability for any unlawful, unauthorized, or otherwise impermissible use of the Service by the User, even where such use was technically enabled through the Platform or was not detected or blocked by the Operator.

The User undertakes to handle all vulnerabilities, security findings, and other sensitive information discovered through the Service responsibly and in accordance with the principles of coordinated vulnerability disclosure. The User is, in particular, obliged to (i) not exploit an identified vulnerability to gain unauthorized access, exfiltrate data, escalate privileges, or for any other purpose beyond the identification and documentation of the security weakness, (ii) not disclose an identified vulnerability or its details without prior coordination with the owner or authorized operator of the affected Target System, (iii) minimize the impact of testing on the availability, integrity, and confidentiality of the Target System and the data contained therein, and (iv) provide the owner or authorized operator of the Target System with a reasonable period to remediate the identified vulnerability prior to any disclosure, at least to the extent consistent with customary standards in the area of responsible disclosure. The User acknowledges that a breach of this provision may constitute a material breach of these Terms and may simultaneously give rise to the User's liability for harm caused to third parties.

Plans, Prices, and Payment Terms
================================

The Operator offers the Service in various Plans and pricing schemes, the structure, content, and prices of which may change from time to time. Typically, these include Solo, Launch, Team, Partner, and Enterprise Plans, with individual Plans differing mainly in self-hosted runner capacity, active target limits, concurrency, allowed target visibility, available Presets, dashboard availability, scheduled pentesting, governance controls, scope of technical support, availability of integrations, team features, SSO, API, partner or embedded use, and other parameters. A current overview of Plans and their parameters is available in the Platform interface.

Unless expressly stated otherwise in an individual written agreement, the Service is licensed as a self-hosted control plane and runner-coordination service. Fees paid to the Operator purchase access to the Platform and the applicable Plan entitlements. Such fees do not include, and the Operator does not sell, APVISO-hosted pentester capacity, hosted penetration testing infrastructure, cloud compute for Pentests, model-provider usage, model-provider subscriptions, model-provider tokens, bandwidth, storage, target hosting, security tooling outside the Service, or any costs incurred by the User with Third-Party Providers.

The User acknowledges and agrees that all costs of BYOK Credentials, AI model usage, cloud accounts, infrastructure, container runtime, network traffic, CI/CD systems, secret stores, logging systems, observability systems, and other User-controlled or User-selected dependencies are borne exclusively by the User and may be charged directly by the relevant Third-Party Provider under separate terms. The Operator is not responsible for such charges, quotas, rate limits, taxes, provider suspensions, provider policy enforcement, data retention settings, or provider billing disputes.

The Service is provided primarily in the form of a Subscription, under which the User gains access to a specified scope of licensed access for an agreed period. The applicable scope may include runner licenses, concurrent job limits, active target limits, user seats, workspaces, integrations, governance features, support level, partner or embedded use, or other entitlements. Unless expressly agreed otherwise, unused capacity, unused runner slots, unused target slots, unused concurrency, or unused functionality shall not carry over to the next period, shall not be refunded, may not be exchanged for monetary consideration, and may not be transferred to another User.

Plans or functionalities designated in the Platform interface as available only for higher Plans, in particular scheduled pentesting, certain integrations, automatic notifications (webhooks), priority support, custom extensions, API, administration panel, SSO, advanced governance, approval gates, partner capacity, enterprise support, or custom contractual terms, shall not give rise to any legal entitlement on the part of the User unless they are expressly included in the relevant Plan or an individual enterprise agreement. The Operator reserves the right to change the allocation of individual functionalities among Plans at any time.

Enterprise, Partner, or embedded modes may be provided on the basis of a separate offer or an individual agreement, which may contain terms and conditions differing from these Terms, in particular with regard to prices, support, SLA, scope of functionalities, integrations, security measures, deployment, billing, use by client organizations, resale, white-labeling, or liability.

The prices of the Service are stated in the Platform interface, in the current price list, or in an individual offer. Unless expressly stated otherwise, all prices are quoted exclusive of value added tax (VAT) and other similar indirect taxes. VAT at the statutory rate applicable on the date of the taxable supply shall be added to the price where required by applicable law. The User acknowledges that the final price may also be affected by applicable exchange rates, bank charges, or fees of payment intermediaries.

The User is obliged to pay the price of the Service duly and on time by a method enabled by the Platform, in particular by payment card or another accepted online payment method. The Operator is entitled to use the payment services of Third-Party Providers, and the User expressly acknowledges and agrees that the execution and processing of payments may be subject to separate terms and conditions of the relevant payment intermediary, which the User is obliged to independently accept and comply with.

If the Service is provided in the form of a Subscription, the User is obliged to maintain a valid and functional payment method for the entire duration of the Subscription. If the Platform enables automatic renewal of the Subscription, the User expressly agrees that, upon expiry of the agreed period, the price for the subsequent period shall be automatically charged to the User's payment method, unless automatic renewal has been duly deactivated before the expiry of the current period. The User is solely responsible for the timely deactivation of automatic renewal if the User does not wish to renew the Subscription.

If an automatic payment fails for any reason, the Operator is entitled, without further notice, to restrict access to paid functionalities, not to renew the Subscription, to downgrade the User Account to a lower tier, to suspend the ability to initiate further Pentest jobs, to revoke or restrict runner licenses, or to request the User to update their payment details. The Operator shall not be liable for the consequences of Service restrictions caused by payment failure attributable to the User or the User's payment provider.

The Operator reserves the right to unilaterally change the prices of the Service on an ongoing basis. A price change shall not affect a Subscription period for which payment has already been made, unless the change is necessitated by a change in taxes, fees, customs duties, or similar public law payments, which the Operator is obliged to reflect in the price without undue delay. The User shall be informed of any significant price changes in advance via the Platform or by email.

If the User is in default with the payment of any amount due, the Operator is entitled to charge statutory default interest and simultaneously, without further notice, to restrict, suspend, or completely discontinue the provision of the Service until all outstanding amounts, including any accessories thereof, have been paid in full. This shall be without prejudice to the Operator's right to compensation for harm caused by the default.

Running Pentests, Automated Outputs, and Third-Party Provider Services
======================================================================

The User initiates Pentests through the Platform by entering or selecting the Target System, configuring the available parameters, selecting the Preset, ensuring runner readiness, and, where applicable, selecting or configuring the AI model or BYOK settings. The Runner claims the job from the Control Plane and executes the Pentest from the User's environment. By initiating a Pentest, the User confirms that they satisfy all conditions for the legitimacy of testing set out in Article 4 of these Terms.

The User acknowledges that different Presets, AI models, Runners, BYOK configurations, infrastructure types, and network locations may have different prices, processing speeds, testing depths, scopes of analysis, provider restrictions, and natures of outputs. The User is responsible for choosing settings and dependencies that correspond to their needs, permissions, legal obligations, provider terms, and the technical capabilities of the Target System.

The User is solely responsible for installing, configuring, updating, hardening, monitoring, and decommissioning each Runner. This includes, in particular, maintaining a supported operating environment, container runtime, network rules, egress controls, secret storage, BYOK Credentials, target credentials, logging, alerting, backup and deletion policies, local storage, resource limits, and any third-party tools required by the Runner. The Operator may provide installation materials, update channels, container images, checksums, version notices, or health checks, but this does not transfer operational responsibility for the Runner to the Operator.

The Operator is entitled to require minimum supported Runner versions, revoke stale or compromised runner tokens, refuse job assignment to unhealthy, outdated, revoked, or non-compliant Runners, and enforce license, target, concurrency, API, and fair-use limits in the Control Plane. The User has no entitlement to run unsupported Runner versions or to bypass runner readiness, license, or safety checks.

The Operator is entitled at any time to unilaterally establish and adjust the technical, operational, and security limits for the Control Plane, including the number of registered Runners, the number of concurrently coordinated jobs, the frequency of job creation, the maximum job lease duration, the use of the API, access to Reports, result ingestion, or other functionalities of the Platform. These limits may differ depending on the Plan, the current technical state of the Platform, or the current infrastructure load of the Control Plane, and the User shall have no entitlement to the modification thereof. The User is obliged to use the Service reasonably and in accordance with the principles of fair use. For the purpose of protecting the stability, security, and performance of the Platform and the infrastructure of Third-Party Providers, the Operator is entitled to introduce and unilaterally modify technical restrictions at any time, in particular:

a. rate limiting of requests or connections to the Platform;

b. limits on the number of registered Runners or concurrent jobs;

c. restrictions on result ingestion, report exports, or API use;

d. caps on the maximum number of requests to the Control Plane per time unit;

e. throttling of control-plane processing capacity; or

f. other reasonable measures against excessive, automated, or abusive use of the Service's capacity.

If the User exceeds the established limits or uses the Service in a manner that the Operator reasonably considers excessive, disproportionate, involving automated access outside the permitted API, or otherwise abusive, the Operator is entitled, without prior notice, to limit, slow down, reject, or suspend the User's access to the Service, without any liability for the consequences of such measure.

The Operator is entitled not to coordinate a Pentest, to cancel a pending job, to request interruption or termination of an ongoing job, to revoke runner tokens, or to reject results, if the Pentest could jeopardize the security or stability of the Platform, other users, Third-Party Providers, the Target System, or third parties, if it gives rise to reasonable suspicion of unauthorized testing, if it is contrary to applicable law, or if it is necessary for technical, security, regulatory, or operational reasons. If a Pentest or other activity of the User through the Service causes or may cause a security incident, outage, disruption of availability, integrity, or confidentiality of the Target System or a third-party system, a complaint from the owner or operator of the affected system, or another serious operational impact, the Operator is entitled, without prior notice and without any liability for the consequences of such measure, in particular to:

a. cancel pending jobs or request cancellation of ongoing jobs;

b. suspend or restrict the User Account;

c. revoke or restrict Runner enrollment and runner tokens;

d. contact the owner or operator of the affected system to coordinate the resolution of the incident; and

e. forward relevant information to the competent public authorities if required by law or if necessary to protect the legitimate interests of the Operator, affected third parties, or the public interest.

The User is obliged to provide the Operator with all necessary cooperation in resolving such an incident without undue delay, including by stopping or isolating any Runner, preserving relevant logs, rotating compromised credentials, notifying affected parties where required, and cooperating with the relevant provider, owner, operator, or authority.

The User expressly acknowledges and agrees that certain test modes and Presets may cause increased load on the Target System, trigger detection by defense tools, temporarily affect the availability, performance, or stability of the tested system, result in blocks or abuse reports against the User's IP addresses or accounts, or cause other operational effects, including the potential for data loss. The assessment of the adequacy of such risk and the adoption of appropriate preventive measures are always the sole responsibility of the User.

The Service may, in providing certain functionalities, utilize artificial intelligence systems, large language models, automated classification mechanisms, summarization tools, or other similar technologies. In self-hosted BYOK mode, such technologies are typically accessed through accounts, credentials, endpoints, and provider settings supplied or selected by the User. The User expressly acknowledges and unconditionally agrees that:

a. these technologies are inherently probabilistic and non-deterministic in nature, and their outputs may be inaccurate, incomplete, outdated, biased, subject to hallucination, blocked by provider policy, or otherwise objectively limited;

b. any Report, text summary, mitigation proposal, severity classification, prioritization, explanation, recommendation, or other output created in whole or in part using the AI model does not constitute a legal warranty, technical guarantee, binding expert opinion, certification, or any other authoritative opinion;

c. the Operator expressly does not warrant that the AI model will always correctly, completely, and reliably evaluate the significance, severity, priority, or context of a particular finding;

d. the Operator is not responsible for the availability, accuracy, pricing, content policies, rate limits, data retention, training settings, security, confidentiality, legal compliance, or contractual terms of any AI model or model-provider account selected, configured, or paid for by the User; and

e. if the Platform allows the User to select a specific AI model or level of processing, this choice may have a significant impact on the price, speed, scope, depth, and quality of the outputs provided, and the Operator shall not be liable for ensuring that the specific AI model selected will be optimal, sufficient, or suitable for the User's intended purpose.

The User is obliged to independently, adequately, and with professional care verify and validate all AI-supported outputs before making any significant technical, operational, contractual, compliance, investment, insurance, regulatory, or other decision with legal or economic consequences on the basis thereof. The Operator shall not be liable for any harm arising from the User's acceptance of an AI output as the sole, decisive, or predominant basis for a decision without proper independent verification.

The Service may be wholly or partially dependent on infrastructure, APIs, cloud services, payment gateways, AI models, container registries, package repositories, or other tools and components provided by Third-Party Providers. The Operator does not warrant their availability, compatibility, accuracy, continuity, or security, nor shall it be liable for any changes to their documentation, prices, terms, functionality, or discontinuation of support. Any change, restriction, or outage of a Third-Party Provider's service may have a direct impact on the scope, quality, availability, or price of the Service, without this in itself giving rise to any liability on the part of the Operator towards the User.

If technically necessary for the proper provision of the Service, certain User Data, technical inputs, metadata, parts of Reports, or other relevant information may be processed, transferred, or stored via the infrastructure of Third-Party Providers used by the Operator, including outside the European Economic Area, provided that this is in accordance with applicable law. Where the User independently configures a Runner, integration, AI model, or Third-Party Provider to receive Target System data, credentials, findings, logs, prompts, outputs, or other content, the User is solely responsible for the legality and contractual basis of that processing and transfer. The scope and conditions of processing by the Operator are governed by the relevant personal data protection documents, any personal data processing agreements, and standard contractual clauses, where applicable.

Personal Data, Data in Target Systems, and Confidential Information
===================================================================

The User expressly acknowledges and agrees that in the course of using the Service, not only may personal data related to the registration and administration of the User Account be processed, but also that during automated testing, data residing in the Target System - including personal data, special categories of personal data, operational data, trade secrets, health data, customer data, authentication data, financial data, or other sensitive or regulated information - may be technically affected, accessed, captured, or otherwise processed by the Runner, by User-controlled infrastructure, by User-selected Third-Party Providers, or, to the extent submitted to the Platform, by the Operator.

The User is solely responsible for ensuring that they hold all requisite legal authorizations and consents and have fulfilled all statutory obligations necessary to enter the Target System into the Service, to initiate testing against it, to operate the Runner, to provide BYOK Credentials, and, where applicable, to permit the processing of any data accessed in the course of such testing. This responsibility applies in particular where the Target System is used to process third-party personal data, special categories of personal data, sensitive data, internal corporate data, or otherwise regulated content. The Operator shall bear no liability for any breach of the User's obligations in the area of personal data protection.

If the User uses the Service in an environment where personal data may be processed within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), or other applicable personal data protection legislation, the User is obliged to independently assess, at their own expense, whether the use of the Service, the operation of a Runner, the selected AI model, the selected Third-Party Providers, the submission of data to the Platform, or the use of Reports requires the conclusion of a separate personal data processing agreement, the adoption of additional technical and organizational measures, the performance of a data protection impact assessment (DPIA), the provision of information to the data subjects concerned, the obtaining of relevant consents, or the fulfillment of other regulatory obligations.

The Operator processes personal data to the extent and under the conditions set out in the separate [Privacy Policy](/legal/privacy), or in a separate personal data processing agreement, if such an agreement is concluded. Unless expressly agreed otherwise in a DPA or another written agreement, the Operator's personal-data processing role is limited to the Platform, User Account, billing, support, security, diagnostics, result ingestion, reporting, integrations, and other data actually submitted to or generated by the Control Plane. The Operator does not assume responsibility for personal data processed solely within the User's Runner, local environment, model-provider account, cloud account, or other User-selected Third-Party Provider.

The User shall not submit to the Platform any personal data, special-category data, secrets, access credentials, production data, confidential customer data, or regulated data that is not reasonably necessary for use of the Service. The User remains responsible for configuring Runners and integrations to minimize unnecessary collection, prompt content, logs, screenshots, request/response bodies, evidence snippets, and other sensitive material.

All non-public information that one contracting party discloses to the other in connection with the Contract or in the course of its performance, and which is confidential by its nature, is expressly designated as confidential, or the confidentiality of which can reasonably be assumed, shall be deemed confidential information. The recipient of such information is entitled to use it exclusively to the extent necessary for the performance of the Contract, is obliged to protect it with at least the same degree of care as it devotes to the protection of its own confidential information, and may not disclose it to third parties without a legal basis or prior written consent.

The confidentiality obligation does not apply to information that was demonstrably publicly known, was known to the recipient prior to its disclosure, was duly disclosed to the recipient by a third party without breach of confidentiality, or whose disclosure is required by law or a binding decision of a public authority.

The User expressly acknowledges and agrees that the Operator is entitled to retain technical logs, audit records, metadata, telemetry data, access records, records of initiated Pentests, runner status records, configuration records, IP addresses, device identifiers, and other operational and security records related to the use of the Service for a reasonable period necessary to ensure the security of the Platform, detect and prevent misuse, investigate security incidents, comply with legal and regulatory obligations, resolve disputes, conduct forensic analysis, perform technical diagnostics, and improve the Service. The Operator is entitled to disclose such records to the competent public authorities on the basis of a binding decision or a statutory requirement. The retention period for individual categories of records is governed by applicable law, the Operator's internal policies, and the principles of personal data processing.

Complaints, Defects, Service Availability, and Operational Changes
==================================================================

The User expressly acknowledges and unconditionally agrees that, given the inherent nature of cybersecurity testing, self-hosted execution, third-party model usage, and automated processing, a uniform, complete, exhaustive, or unchanging Test result cannot be guaranteed. Differing results may objectively arise depending on the time of the Test, the current system configuration, the state of defense mechanisms, the Runner environment, the network position of the Runner, the scope of access granted, the selected Preset, the AI model used, the BYOK configuration, the availability of Third-Party Provider services, network conditions, or other technical circumstances beyond the Operator's control. In particular, the following shall expressly not be considered a defect of the Service:

a. a particular Pentest did not identify a specific vulnerability or security risk;

b. the User expected a different scope, depth, runtime, model behavior, or number of findings;

c. the prioritization or classification of the severity of findings does not correspond to the User's subjective assessment or expectations;

d. the output does not contain all the information that the User would prefer or consider necessary;

e. the Service did not lead to a specific security, commercial, regulatory, or compliance outcome;

f. the Target System was attacked, compromised, or otherwise affected by a security incident even after the Pentest was performed and the recommendations contained in the outputs of the Service were implemented;

g. a Pentest failed, was incomplete, or produced different results because of the Runner, User infrastructure, insufficient resources, network reachability, provider blocks, rate limits, BYOK Credentials, model-provider behavior, target credentials, local configuration, or unsupported Runner versions; or

h. the User incurred costs, throttling, account review, suspension, or policy enforcement by a Third-Party Provider as a result of the User's BYOK configuration, infrastructure, or use of the Service.

The User is entitled to report an actual technical defect of the Platform without undue delay after discovering it or after the User should have discovered it with the exercise of professional care, via the contact e-mail  or another communication channel expressly designated by the Operator. In the notification, the User is obliged to sufficiently specify the nature of the reported defect, its manifestations, and the relevant circumstances, and to provide all cooperation necessary for the Operator to review and assess the reported defect, including relevant runner version information, job identifiers, logs that the User is legally permitted to disclose, and reproduction steps.

The Operator shall assess the reported defect within a reasonable period, having regard to its nature, complexity, and impact. If the complaint is found to be justified, the Operator is entitled, at its sole discretion, to remedy the defect, to provide a reasonable discount on the price, to offer an alternative remedy, or to provide another reasonable solution corresponding to the nature and severity of the defect. Unless the User is a consumer, the right to withdraw from the Contract on the grounds of a minor breach of obligation and the right to compensation for harm exceeding the limitations set out in Article 11 of these Terms are expressly excluded.

If the User is a consumer, their rights arising from defective performance shall apply to the extent that they cannot be excluded under mandatory legal provisions. No provision of these Terms shall be construed as depriving the consumer of statutory rights that cannot be contractually limited.

The Operator expressly does not guarantee continuous, uninterrupted, error-free, or secure availability of the Service. The User acknowledges and agrees that the Platform may be temporarily unavailable or restricted, in particular due to planned or unplanned maintenance, security intervention, technical failure, outage or restriction of cloud infrastructure, outage or change of Third-Party Provider services, system overload, cyber-attacks, force majeure, or other circumstances beyond the reasonable control of the Operator. The Operator does not guarantee the availability, continuity, security, or performance of User-operated Runners, User infrastructure, Target Systems, User-selected model providers, cloud providers, networks, or other User-controlled dependencies.

The Operator reserves the right to modify, update, expand, restrict, technically adjust, optimize, or restructure the Service at any time and without the User's prior consent, including changes to the user interface, runner enrollment, runner version requirements, reporting methods, vulnerability categorization, pricing logic, workflows, AI model support, supported integrations, and types of Pentests and Presets, provided that this does not violate mandatory legal provisions or individually agreed obligations expressly agreed in writing. The Operator is further entitled, for security, technical, regulatory, licensing, provider, or commercial reasons, to temporarily or permanently restrict, suspend, or entirely disable a specific functionality, Preset, AI model integration, pentesting technique, Runner version, or an entire Plan, if it considers this necessary or justified. In such a case, the Operator shall endeavor to ensure that the impact on existing Users is proportionate; however, the User expressly acknowledges that in the dynamically evolving field of cybersecurity and artificial intelligence, rapid product changes may be objectively justified, necessary, and unavoidable.

Unless expressly stated otherwise in a separate SLA or individual enterprise agreement, the User shall have no entitlement to any compensation, discount, damages, or other performance for the temporary unavailability, limitation, modification, or discontinuation of any functionality of the Service, except where such entitlement arises from mandatory legal provisions or from individual obligations of the Operator expressly agreed in writing.

Prohibited Use, Suspension, and Termination of the User Account
===============================================================

The User is obliged to use the Service exclusively in accordance with these Terms, applicable laws and regulations, the rights of third parties, accepted standards of ethical conduct, the legitimate interests of the Operator, the terms of relevant Third-Party Providers, and the fundamental principles of safe, responsible, and ethical cybersecurity testing. Any use of the Service in violation of these requirements is prohibited.

Prohibited use includes, but is not limited to:

a. unauthorized testing of third-party systems or testing exceeding the scope of the authorization granted;

b. obtaining unauthorized access to data or systems, exfiltration, copying, or unauthorized processing of data;

c. use of the Service for the purpose of exploiting identified vulnerabilities, or any active exploitation of identified vulnerabilities for purposes beyond their identification and documentation;

d. lateral movement within systems, attempts to escalate privileges, or attempts to gain unauthorized privileged access;

e. creating attack scenarios without proper authorization, or using the Service as a tool for reconnaissance of Target Systems for the purpose of preparing or facilitating an attack;

f. denial-of-service activity, destructive testing, malware deployment, credential theft, persistence, cryptomining, botnet operation, phishing, spam, social engineering, or other offensive activity exceeding legitimate testing;

g. attempting to compromise the availability, integrity, or security of the Platform, Runners not controlled by the User, other users, Third-Party Providers, or any third-party system;

h. circumventing technical restrictions, license checks, runner limits, safety gates, authentication mechanisms, metering, or security mechanisms of the Platform;

i. unauthorized sharing of access to a User Account, runner token, API key, BYOK Credential, target credential, or payment mechanism;

j. systematically obtaining non-public information about the functioning of the Platform, reverse engineering, decompiling, modifying, or bypassing the Runner or Platform outside the rights expressly granted by these Terms or mandatory law;

k. uploading malicious code to the Platform, submitting unlawful content, or accessing the Platform by automated means outside of the permitted API;

l. using the Service, Runner, Reports, methodology, prompts, workflows, or outputs to build, train, benchmark, improve, operate, or commercialize a competing product or service without the Operator's prior express written consent;

m. reselling, sublicensing, white-labeling, embedding, or providing the Service as a managed service to third parties unless expressly permitted by the applicable Partner, Enterprise, or other written agreement; or

n. any other action that may cause harm to the Operator, other users, Third-Party Providers, or third parties.

The Service is intended exclusively for the identification and prioritization of potential security weaknesses and must not be used to carry out any offensive activities exceeding this purpose.

If the User breaches these Terms, the Operator is entitled, depending on the severity and nature of the breach, and on a cumulative basis, in particular to:

a. notify the User of the breach and request rectification;

b. temporarily restrict some or all functionalities;

c. suspend the User Account;

d. block a specific Target System;

e. cancel pending Pentest jobs or request termination of ongoing Pentest jobs;

f. revoke, rotate, or restrict runner tokens, runner enrollment, API keys, or integration access;

g. cancel the Subscription without entitlement to a refund of the price paid; or

h. terminate the Contract with immediate effect.

The selection of the specific measure shall be at the sole discretion of the Operator.

The Operator is also entitled to terminate the User Account or the Contract without compensation if the User is in default with payment, if the User Account has not been actively used for an extended period and the Operator decides to deactivate it, or if the further provision of the Service has ceased to be possible or reasonable from a legal, technical, provider, licensing, or security standpoint.

Prices paid shall not be refunded upon termination of the User Account or the Contract for reasons attributable to the User, and the User shall have no entitlement to any compensation for unused capacities, unless mandatory legal provisions expressly provide otherwise.

Intellectual Property, Licenses, and Rights to Outputs
======================================================

All intellectual property rights in the Platform, the Service, the Runner software, source and object codes, container images, databases, algorithms, technical solutions, workflows, architecture, Report structures, texts, design, graphic elements, documentation, trademarks, trade names, trade secrets (know-how), and all other components of the Service belong exclusively to the Operator or its licensing partners. The User is not entitled to challenge, contest, register, or otherwise interfere with these rights in any way.

For the duration of the Contract, the Operator grants the User a limited, non-exclusive, non-transferable, non-sublicensable, and revocable authorization to access the Platform and to install and operate the Runner solely to the extent necessary for proper utilization of the Service in accordance with these Terms and the selected Plan. This authorization expressly does not include the right to further license, sublicense, reproduce, transfer, modify, decompile, reverse engineer, rent, sell, make available to third parties, provide as a service to third parties, remove license or telemetry controls, circumvent technical restrictions, or otherwise commercially exploit the Service outside the expressly agreed purpose.

Without the prior express written consent of the Operator, the User may not conduct, publish, or make available to third parties any comparative evaluations (benchmarks), comparative tests, performance analyses, evaluations of detection accuracy or completeness, comparisons with competing products or services, or other systematic evaluations of the Service or its outputs. The User further may not use the Service, its outputs, Reports, methodology, architecture, workflows, prompts, Runner behavior, or any knowledge gained through the use of the Service for the purpose of developing, improving, training, or operating a competing product or service, competitive analysis, or other commercial exploitation for the benefit of a direct or indirect competitor of the Operator. A breach of this provision constitutes a material breach of these Terms.

The User remains the sole holder of rights to the User Data uploaded to or submitted through the Platform, but grants the Operator a non-exclusive, worldwide, royalty-free, and revocable authorization to use, process, transfer, store, analyze, and otherwise handle such data to the extent necessary for the provision of the Service, ensuring security, performing diagnostics and providing technical support, preventing misuse, fulfilling legal obligations, and improving the operational characteristics of the Service. The Operator is further entitled to use such data in aggregated, statistical, pseudonymized, or anonymized form, where technically and legally permissible. The Operator expressly and bindingly declares that User Data submitted to the Platform, including data accessed in the course of testing Target Systems and submitted by a Runner, shall not be used by the Operator for training, fine-tuning, reinforcement learning, or other machine learning of AI models, unless the User grants express, informed, and separate consent for such specific use. This declaration does not govern independent processing by a model provider or other Third-Party Provider selected, configured, or paid for by the User.

Reports and other outputs of the Service may be used by the User for their internal security, operational, remediation, customer assurance, audit-support, and compliance purposes. Unless expressly agreed otherwise in writing, the User may not present, publish, or make the outputs of the Service available to third parties in a manner that would create the impression that the Operator has provided an individual audit, expert, certification, compliance, or legal opinion where this is not the case. The User may share Reports with its employees, contractors, advisors, auditors, insurers, investors, customers, or regulators to the extent reasonably necessary for legitimate security, contractual, compliance, or remediation purposes, provided that the User remains responsible for confidentiality, context, accuracy, and non-misleading presentation. A breach of this provision constitutes a material breach of these Terms.

Liability, Indemnification, and Exclusion of Certain Claims
===========================================================

To the maximum extent permitted by applicable law, the Operator's liability shall be limited exclusively to harm caused by a demonstrable and culpable breach of its obligations under these Terms or the Contract, which constitutes a typical, direct, and reasonably foreseeable consequence of such breach at the time of conclusion of the Contract. The Operator is expressly not liable for:

a. indirect harm, consequential harm, lost profits, loss of business opportunities, loss of data, loss of goodwill or reputation, business interruption, costs of replacement solutions, or other similar pecuniary or non-pecuniary harm that is not a direct and typical consequence of a breach of the Operator's obligations;

b. harm resulting from unauthorized, unlawful, or otherwise impermissible use of the Service, incorrect configuration of the Pentest, incorrect interpretation or application of the Report, inappropriate choice of AI model or Preset, or absence of testing authorization;

c. harm resulting from the operation, misconfiguration, compromise, unavailability, insufficient resources, insecure deployment, or failure of a Runner, User infrastructure, Target System, network, cloud account, CI/CD system, secret store, BYOK Credentials, target credentials, or User-selected Third-Party Provider;

d. harm resulting from the failure, change, terms, policy enforcement, pricing, rate limits, model behavior, or outage of Third-Party Provider services, force majeure, intervention by public authorities, cyber-attacks, or security incidents on the part of the User or a third party;

e. provider charges, model charges, cloud charges, bandwidth charges, incident-response costs, abuse-handling costs, IP reputation harm, account suspension, or other consequences arising from Pentests originating from infrastructure, accounts, or providers selected by or attributable to the User; or

f. harm caused by the User's failure to ensure adequate independent verification and validation of the outputs of the Service.

The total cumulative liability of the Operator for all claims of the User arising from or in connection with the Contract, regardless of the legal basis (contractual, tortious, unjust enrichment, or other), is, to the maximum extent permitted by law, limited to an amount corresponding to the aggregate of payments actually made by the User to the Operator for the Service during the twelve (12) months immediately preceding the first event giving rise to the claim. This limitation shall apply even if the Operator was advised of the possibility of such harm arising.

The User irrevocably undertakes to indemnify and hold harmless the Operator, its shareholders, members of statutory bodies, employees, associates, hosting providers, Third-Party Providers, contractual partners, representatives, and their respective legal successors, and to compensate them for all harm, damage, costs, penalties, fines, reasonable costs of legal representation, litigation costs, and other expenses incurred by them as a result of or in connection with (i) the User's breach of these Terms, (ii) unauthorized or unjustified testing, (iii) violation of applicable law, (iv) infringement of the rights of third parties, (v) the falsity, incompleteness, or misleading nature of the User's representations and warranties contained in these Terms, (vi) the User's operation, configuration, or use of Runners, BYOK Credentials, AI models, Third-Party Providers, target credentials, or infrastructure, or (vii) claims of third parties raised in connection with the User's use of the Service.

Term of the Contract, Termination, and Consumer Rights
======================================================

The Contract is concluded for an indefinite period, unless expressly stated otherwise for a specific Plan, order, or individual agreement. Individual Subscriptions are agreed for the period specified in the relevant offer or in the Platform interface and are automatically renewed in accordance with the payment provisions of these Terms, unless the User expressly agrees otherwise or duly deactivates automatic renewal.

The User is entitled to cancel their User Account at any time and to cease using the Service in accordance with the procedure set out in the Platform interface. Cancellation of the User Account shall not affect any accrued and due obligations to pay the price, obligations arising from indemnification commitments, obligations to stop or decommission Runners where necessary, or any other claims of the Operator that arose prior to the effective date of termination of the Contract.

The Operator is entitled to withdraw from or terminate the Contract, or to suspend the User Account, with immediate effect and without prior notice, in particular if the User breaches these Terms, notably the provisions on the legitimacy of testing, prohibited use, runner operation, BYOK Credentials, or the User's obligations, if the User is in default with the payment of any amount due, if the User uses the Service in a manner that threatens the Platform, other users, Third-Party Providers, or third parties, or if the further provision of the Service is not possible or reasonable for legal, technical, security, licensing, provider, or regulatory reasons.

If the User is a consumer, the Operator provides them with the pre-contractual information required by law through these Terms, the Platform interface, and the relevant ordering process.

The User-consumer expressly acknowledges that the Service constitutes the provision of services and the delivery of digital content not supplied on a tangible medium within the meaning of Section 1837(a) and (l) of the Civil Code. The User-consumer expressly agrees that the Service shall be provided immediately after the conclusion of the Contract, i.e. before the expiry of the withdrawal period, and acknowledges that by the provision of the Service, or the commencement of performance, their right to withdraw from the Contract shall expire to the extent permitted by mandatory law.

Governing Law, Dispute Resolution, and Final Provisions
=======================================================

The Contract and all legal relationships arising therefrom or related thereto, including questions of its formation, validity, effectiveness, interpretation, and termination, shall be governed by the laws of the Czech Republic, in particular the Civil Code. If the User is a consumer, this shall not affect the mandatory provisions of the law of the country of their habitual residence that afford them a higher level of protection.

The contracting parties undertake to resolve all disputes arising from or in connection with the Contract primarily by amicable negotiation, in good faith and with reasonable efforts to reach a mutually acceptable solution. If the dispute is not resolved amicably within thirty (30) days of written notification of the dispute to the other party, the courts of the Czech Republic having subject-matter and territorial jurisdiction shall have jurisdiction to decide the dispute; in the case of entrepreneurs, the parties agree that local jurisdiction shall lie with the court having jurisdiction over the Operator's registered office, unless mandatory legal provisions provide otherwise.

If the User is a consumer, they have the right to out-of-court resolution of any disputes arising from or in connection with the Contract through the Czech Trade Inspection Authority ([www.coi.cz](https://www.coi.cz/) or [www.adr.coi.cz](https://www.adr.coi.cz/)), Central Inspectorate, with its registered office at Gorazdova 1969/24, 120 00 Prague 2, Czech Republic, e-mail: . Out-of-court resolution of a consumer dispute is initiated upon the application of the User-consumer, which may be submitted in particular in writing, by oral statement recorded in a protocol, or electronically via an online form available on the website of the Czech Trade Inspection Authority.

The Operator reserves the right to unilaterally amend, supplement, or replace these Terms with a new version, in particular in the event of a change to the Service, a change in applicable legal regulations, a change in the business or technical model, a change in the terms of Third-Party Providers, a change in market conditions, or for another similarly serious and objectively justified reason. The User shall be informed of the change within a reasonable period prior to its effective date, in an appropriate manner, in particular through the Platform or by notification sent to the e-mail address specified in the User Account.

The amendment to the Terms shall take effect on the date specified by the Operator, but no earlier than upon the expiry of a reasonable period from its notification to the User, unless earlier implementation is necessary to fulfill legal obligations, security measures, regulatory requirements, provider requirements, or to address other urgent reasons. If the User continues to use the Service after the amendment takes effect, such continued use shall be deemed consent to the amended version of the Terms. If the User does not agree with the amendment, the User is entitled to terminate the Contract before the amendment takes effect in accordance with the procedure set out in these Terms.

If any provision of these Terms is found to be invalid, illegal, unenforceable, or ineffective, this shall not affect the validity, effectiveness, and enforceability of the remaining provisions. The contracting parties undertake to replace such provision with a valid and enforceable provision whose economic and legal meaning is as close as possible to that of the original provision.

The Operator is entitled to transfer, assign, or otherwise dispose of its rights and obligations under the Contract or related thereto to a third party, in particular in connection with the transfer of the business or a part thereof, transformation, merger, division, restructuring, sale of a product, or another similar corporate transaction, without the prior consent of the User. The User is not entitled to transfer, assign, or otherwise dispose of the Contract or the rights and obligations arising therefrom without the prior express written consent of the Operator.

The User expressly agrees that all communication between the Operator and the User may take place electronically, in particular via e-mail, the Platform interface, or the User Account. The User acknowledges and agrees that all notifications, confirmations, and other communications made in electronic form meet the requirement of written form within the meaning of the relevant legal regulations.

Operator's contact details:

a. mailing address: Mikuláš Třos, Krásné Loučky 34/34, Czech Republic;

b. e-mail address: .

