Terms of Service
Effective date: [FILL: YYYY-MM-DD when this is published]
DRAFT — pending legal review. Have a lawyer review the liability cap, indemnification, dispute-resolution venue, and any state-specific consumer protection provisions before publishing at pentestai.xyz/terms. Particularly important: confirm the arbitration clause is enforceable in your jurisdiction, and whether you need a separate Master Services Agreement for Enterprise contracts.
These Terms of Service ("Terms") form a binding agreement between you and [FILL: legal entity name, e.g. "pentest-ai, Inc., a Delaware corporation" or "pentest-ai LLC, a [state] limited liability company"] ("we", "us", "our") and govern your use of:
- the pentest-ai CLI (open source, MIT licensed) when used in conjunction with our cloud services;
- the pentest-ai SaaS dashboard at app.pentestai.xyz and any subdomain;
- the MCP server when it connects to our cloud APIs;
- the pentestai.xyz marketing site and supporting domains.
These Terms incorporate by reference the Privacy Policy, the Acceptable Use Policy, and the Cookie Policy. By using any of the Service, you agree to all of them.
1. Authorization to test (CRITICAL)
The Service is offensive security tooling. You are solely responsible for ensuring you have explicit, written authorization to test every target. The detailed rules are in the Acceptable Use Policy. A violation of the AUP is a violation of these Terms and may result in immediate account termination and referral to law enforcement.
We do not authorize you to test anything. We provide a tool. Misuse is your liability.
2. Account terms (paid tiers)
To use the dashboard you must:
- Provide accurate registration information and keep it current
- Be at least 18 years of age and legally capable of entering this contract in your jurisdiction
- Not share your login credentials with anyone outside your organization
- Use one account per natural person; for shared use, purchase Team seats
- Promptly notify us at [email protected] if you believe your account has been compromised
We may suspend or terminate accounts that:
- Are in non-payment status (past due > 14 days)
- Violate the AUP (Section 1 of these Terms)
- Abuse the dashboard infrastructure (automated scraping, scope-bypass attempts, mass-create workspaces, etc.)
- Are used for or in connection with illegal activity
- Are flagged by a credible abuse report (see AUP Section 6)
3. Pricing and billing
| Tier | Price | Bills via |
|---|---|---|
| Open Source CLI | Free | (MIT licensed) |
| Pro | $39/mo or $32/mo on annual | Stripe (monthly or yearly) |
| Team | $59/seat/mo or $47/seat/mo on annual | Stripe |
| Enterprise | $2,500/mo+ | Invoice (Net 30) |
| Engagement-as-a-Service | $15,000+ per engagement | Invoice (project SOW) |
Pricing is in USD. Annual plans are billed up-front and are non-refundable mid-cycle except as required by law (see Section 4). Monthly plans cancel at the end of the current billing period. Price changes get 30 days' notice via email; existing annual plans honor the original price until renewal.
Taxes are the customer's responsibility unless we are legally required to collect (e.g., EU VAT, US sales tax in jurisdictions where we have nexus).
4. Refunds
- Monthly plans, first 14 days: full refund, no questions asked. Email [email protected] within 14 days of your first paid invoice.
- Annual plans, first 30 days: pro-rated refund. After 30 days, no refunds.
- Engagement-as-a-Service: governed by the project SOW.
- Disputes: if Stripe initiates a chargeback, we may suspend the account pending resolution.
We are not required to refund where the account was terminated for AUP violations.
5. Open source license
The CLI portion of the Service (the public GitHub repository at 0xSteph/pentest-ai) is licensed under the MIT License. You may use, modify, and redistribute the OSS portion under the MIT terms. The MIT License governs the OSS code; these Terms govern the cloud features, the dashboard, the website, and any optional cloud sync the CLI performs against our servers.
The dashboard server-side code is closed-source and is not covered by the MIT License.
6. Intellectual property
We retain ownership of:
- The pentest-ai trademark, logo, and brand assets
- The dashboard application code (closed-source server side)
- The marketing content at pentestai.xyz
- Aggregate, anonymized analytics derived from Service usage
You retain ownership of:
- Your engagement data, findings, and reports generated by the tool
- Any custom playbooks, configurations, or branding you upload
- Source code you scan with the tool (we don't store source; we store findings)
You grant us a limited, worldwide, royalty-free license to host, process, transmit, and display your content solely for the purpose of operating the Service for you. We do not use your engagement data, findings, or scanned target content to train AI models. We do not sell your data.
7. Service availability and SLAs
We aim for 99.9% monthly uptime on the dashboard. Status is published at status.pentestai.xyz.
- Pro tier: best-effort uptime; no service credits
- Team tier: best-effort uptime; no service credits
- Enterprise tier: 99.9% monthly uptime SLA; service credits per the Enterprise MSA
We are not liable for downtime caused by:
- Force majeure events (natural disasters, war, civil unrest, government action)
- Third-party dependencies outside our control (Cloudflare, Stripe, Anthropic, OpenAI, AWS, GCP)
- Scheduled maintenance announced ≥48 hours in advance on the status page
- Customer-side issues (network, browser, misconfiguration)
8. Disclaimers
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, TO THE FULLEST EXTENT PERMITTED BY LAW.
We do not warrant that the Service will identify all vulnerabilities in your targets, that scan results are accurate, that exploit proofs-of-concept are safe in every environment, or that the Service is suitable for any compliance attestation (PCI, HIPAA, SOC2 audit) without additional human review.
The Service is a tool, not a substitute for a qualified security engineer's judgment.
9. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
- Neither party is liable for any consequential, incidental, indirect, special, or punitive damages, lost profits, or loss of business opportunity arising from these Terms or the Service, even if advised of the possibility of such damages.
- Our total cumulative liability to you for any and all claims arising out of or relating to these Terms or the Service is capped at the greater of (a) $100 USD or (b) the fees you paid us in the 12 months preceding the event giving rise to the claim.
- This cap applies regardless of the cause of action (contract, tort, strict liability, statute, or otherwise) and survives termination.
- We are not liable for any damages arising from your testing of any target, including but not limited to outages, data loss, corruption, or third-party claims by the target's owner.
Some jurisdictions do not allow limitations of liability or exclusion of certain damages; in those jurisdictions, the limits above apply to the maximum extent permitted by law.
10. Indemnification
You will defend, indemnify, and hold us, our subprocessors, and our employees harmless from and against any claim, demand, loss, liability, damage, settlement, judgment, or expense (including reasonable attorneys' fees) arising out of or related to:
- Your use of the Service against a target without authorization, or in violation of the AUP
- Your violation of any law in connection with the Service
- Your violation of these Terms or the Privacy Policy
- Any dispute, claim, or action by a target system owner relating to your testing
- Any third-party claim that your content infringes intellectual property or violates privacy rights
We will give you prompt notice of the claim, control of the defense (with cooperation from you), and the right to settle (provided the settlement does not impose any obligation on you other than payment of money you are obligated to indemnify).
This obligation survives termination.
11. Termination
By you: cancel any time via dashboard settings. Cancellation takes effect at the end of the current billing period.
By us: for cause (non-payment, AUP violation, illegal activity), immediately and without refund. For convenience (we shut down the Service), with 90 days' notice and pro-rated refund of pre-paid annual fees.
On termination:
- Your access to the dashboard ends
- Your data is retained per the Privacy Policy (default 12 months, deletable on request, audit logs retained 7 years)
- Pre-paid annual fees: refundable per Section 4 if you cancel within 30 days, otherwise non-refundable
- Sections 6, 8, 9, 10, 12, and any others that by their nature should survive, will survive
12. Disputes and governing law
These Terms are governed by the laws of [FILL: governing jurisdiction, e.g. "the State of Delaware, USA, without regard to conflict-of-laws principles"].
[FILL: pick ONE — get legal advice — defaulting to Option A is common for SaaS]
Option A. Binding arbitration with class waiver: Any dispute arising out of or relating to these Terms or the Service that cannot be resolved through informal negotiation within 60 days will be resolved by binding arbitration administered by [FILL: AAA / JAMS] under its [FILL: Commercial / Consumer] Rules. The seat of arbitration is [FILL: city, state]. Class actions, class arbitrations, and consolidated arbitrations are waived. Either party may seek injunctive relief in court for IP infringement.
Option B. Court venue: Any dispute arising out of or relating to these Terms or the Service will be resolved exclusively in the state and federal courts of [FILL: county, state]. Each party consents to personal jurisdiction and venue there.
If any provision of this Section is unenforceable, the remainder remains in force.
13. International users and export controls
If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with local law. You may not use the Service if you are located in, are a national of, or are working on behalf of a country subject to comprehensive US sanctions (currently Cuba, Iran, North Korea, Syria, the Crimea / Donetsk / Luhansk regions of Ukraine, and any other jurisdiction added during the term).
You may not use the Service to develop or deliver weapons of mass destruction, nuclear, chemical, or biological weapons capability, or to violate US export-control laws (EAR, ITAR).
14. Beta features
We may from time to time make features available marked "Beta", "Preview", or "Experimental". Beta features are provided as-is, may break or be removed at any time, and are not covered by any SLA. Feedback you provide on Beta features may be used by us without restriction.
15. Changes to these Terms
We may update these Terms from time to time. Material changes will be posted at pentestai.xyz/terms with at least 30 days' notice via email. Continued use after the effective date is acceptance. If you do not agree to the new Terms, your remedy is to stop using the Service before the effective date.
16. Notices
To us: [email protected] and a copy by mail to [FILL: physical mailing address. Required for legal effect; a PO box is acceptable].
To you: the email on file with your account, or in-app banners on the dashboard.
17. Miscellaneous
- Severability. If any provision is held unenforceable, the remainder of the Terms remains in force.
- No waiver. Failure to enforce a provision is not a waiver of that provision.
- Assignment. You may not assign these Terms without our written consent. We may assign in connection with a merger, acquisition, or sale of assets, on notice to you.
- Entire agreement. These Terms (with the AUP, Privacy Policy, Cookie Policy, and any Order Form or MSA) are the entire agreement between us and you.
- Independent contractors. Nothing in these Terms creates an employment, partnership, joint venture, or agency relationship.
- Force majeure. Neither party is liable for delays caused by events outside its reasonable control.
18. Contact
- Legal: [email protected]
- Privacy: [email protected]
- Abuse: [email protected]
- Security: [email protected] (also see SECURITY.md)
- Sales: [email protected]
- Support: [email protected]
[FILL: physical mailing address]