Security Assessment Authorization Agreement

1. Authorization and legal capacity

• You represent that you are the legal owner of the target domain or have explicit written authorization from the owner to commission third-party security testing.
• You represent that you have authority to bind the organization associated with the target domain to this Agreement.
• You represent that the requested assessment complies with applicable law, regulation, and contractual obligations.
• Domain ownership verification during onboarding (for example DNS, HTML meta tag, or a file-based verification method) is treated as authorization to begin assessment activity for the verified target.
• Misrepresentation of ownership or authorization may result in immediate suspension or termination of service and may be reported to applicable authorities.

2. Scope of assessment

Authorized scope

• The target domain and publicly resolvable subdomains tied to that target.
• Publicly accessible web application endpoints and APIs associated with the target.
• Resources responding directly to requests originating from the target domain.

Out of scope

• Third-party services not under the direct control of the Client.
• Internal or private networks not publicly accessible.
• Domains or subdomains not registered under the verified target.
• Systems and services not directly associated with the specified target.

3. Assessment methodology

Permitted activities

• Automated and AI-assisted vulnerability discovery and validation testing.
• Testing for common vulnerability classes in modern web applications and APIs.
• Evaluation of authentication, session handling, access controls, and business logic.
• Endpoint and parameter enumeration with response-behavior analysis.
• Public-information reconnaissance relevant to the target.
• Proof-of-concept exploit attempts where needed to validate exploitability of a finding.

Prohibited activities

• Denial-of-service or other availability-impacting attack traffic.
• Intentional permanent modification, deletion, or corruption of production data.
• Persistent backdoors, web shells, or malicious persistence mechanisms.
• Social engineering, phishing, or physical security testing.
• Testing outside the explicitly authorized target scope.
• Retention, sharing, or monetization of non-public data found during testing.

4. Confidentiality and data handling

• Findings and reports are provided only through authorized access paths in the DBAudit product.
• If sensitive data is encountered during authorized testing, interaction with that data should stop immediately and exposure should be documented only as needed for the finding.
• DBAudit may disclose information only when required by applicable law or with explicit written Client authorization.

5. Reporting and deliverables

• Findings are delivered through the DBAudit product experience and may include severity, technical detail, exploitability evidence, and remediation guidance.
• Available reporting depth and product capabilities may vary based on the active plan or purchase for the Client account.

6. Limitation of liability and disclaimer of damages

• THE DBAUDIT PLATFORM AND ALL ASSOCIATED TOOLS, SCRIPTS, AUTOMATED CHECKS, AND GENERATED OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
• Security assessment activities, including any scripts, payloads, or automated actions executed through or facilitated by the platform, interact with live systems. You acknowledge and accept all risk of operational impact, data alteration, service disruption, or unintended side-effects arising from such activities.
• TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DBAUDIT AND ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AND AFFILIATES SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION LOSS OF DATA, LOSS OF REVENUE, LOSS OF PROFITS, BUSINESS INTERRUPTION, SYSTEM DOWNTIME, THIRD-PARTY CLAIMS, OR REPUTATIONAL HARM, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE PLATFORM OR ANY ACTION YOU CHOOSE TO TAKE WITH IT — REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF DBAUDIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
• You expressly acknowledge that certain platform capabilities involve inherently dangerous or potentially destructive actions (including but not limited to active exploit validation, credential testing, and payload delivery). Any such action is executed solely at your discretion and under your direction. DBAudit bears no responsibility for the outcome of actions you choose to initiate through the platform.
• Where limitation of consequential or incidental damages is prohibited by law, DBAudit's aggregate liability shall not exceed the total fees paid by you in the twelve (12) months preceding the claim.

7. Abuse enforcement and legal action

• DBAudit actively monitors platform activity for signs of abuse, unauthorized use, or activity that exceeds the scope authorized under this Agreement.
• In the event of actual or suspected abuse — including but not limited to unauthorized testing of third-party targets, deliberate data exfiltration, use of the platform to facilitate attacks, or circumvention of platform controls — DBAudit reserves the right to immediately suspend or permanently terminate account access without prior notice.
• Where abuse is confirmed or credibly suspected, DBAudit will pursue all available legal remedies, including but not limited to civil claims for damages and reporting the activity to relevant law-enforcement authorities and regulatory bodies.
• In connection with any abuse investigation, enforcement action, or lawful request from authorities, DBAudit will collect, retain, and disclose the minimum personally identifiable information ("PII") necessary, which may include: account registration details (name, email address), billing and payment records, IP addresses and session metadata, audit target history, and any communications with DBAudit support. This information may be provided to law-enforcement agencies, courts, affected third parties, or their legal representatives where required or permitted by applicable law.
• You consent to the collection and disclosure of such PII for the purposes described above by accepting this Agreement. This consent is a condition of using the platform.

8. Term and revocation

• This Agreement becomes effective upon acceptance by the Client.
• The Client may revoke authorization by removing verification signals from the target and submitting written notice through official DBAudit support channels.
• DBAudit may suspend or terminate assessment activity on expiration, cancellation, or material breach of this Agreement.

9. Indemnification

The Client agrees to indemnify, defend, and hold harmless DBAudit and its personnel from claims, liabilities, damages, costs, and expenses (including reasonable legal fees) resulting from misrepresentation of authorization, breach of this Agreement, violation of applicable law, or third-party claims alleging unauthorized testing based on Client-provided authorization.

10. Governing law and dispute resolution

This Agreement is governed by applicable law as determined by the controlling terms between DBAudit and the Client. This Agreement is the full understanding between the parties regarding authorization for security assessment activity and supersedes prior representations on this subject.