Service Terms & Conditions
These terms apply to all CagsTech security testing and consulting engagements.
1. Authorization & Scope
- Security testing will not begin until a signed authorization document is in place
- Client must confirm they own or have explicit permission to test all in-scope systems
- Scope boundaries will be documented and agreed upon in writing before testing begins
- Any additions or modifications to scope require written approval and may affect pricing and timeline
- Out-of-scope testing is prohibited and will not be performed
2. Client Responsibilities
- Provide accurate scope details, credentials, and test windows before testing begins
- Ensure a stable staging environment and timely access for verification activities
- Notify CagsTech immediately of any observed service impact during testing
- Provide a 24/7 escalation contact during active testing windows
3. Service Window & Availability
- Testing occurs only during approved windows agreed in writing
- CagsTech does not provide uptime or availability guarantees for client systems
- Client is responsible for monitoring and maintaining system stability during testing
4. Emergency Stop & Escalation
- CagsTech may pause testing immediately if material risk to system stability is observed
- Testing resumes only after client confirmation and written approval
5. Confidentiality
All findings, source code access, and client information are treated as strictly confidential. CagsTech will:
- Not disclose findings to any third party without written consent
- Securely delete all client data within 30 days of engagement completion (unless retention is requested)
- Not use client systems, code, or findings for any purpose other than the contracted assessment
Exceptions:
- Disclosure may be required by law, regulation, or court order
- CagsTech will provide notice before disclosure when legally permitted
- Limited disclosure to legal or financial advisors is permitted under confidentiality obligations
6. Data Handling & Retention
- Testing artifacts (scan outputs, notes, evidence) are stored securely and encrypted at rest
- Client data is retained for 30 days after final report delivery unless a longer retention window is requested in writing
- Upon request, CagsTech will provide written confirmation of data deletion
7. Reporting & Deliverables
- Deliverables include a PDF report and a summary of findings by severity
- Evidence provided may include screenshots, request/response samples, and proof-of-concept notes
- Severity ratings follow a standard scale (Critical, High, Medium, Low, Informational)
- Deliverables are deemed accepted if no written issues are raised within 10 business days of delivery
- Non-material revisions (formatting or clarifications) are included at no additional cost
8. Safe Harbor
CagsTech agrees to conduct testing only within the documented scope and to avoid intentional disruption. Client agrees not to pursue legal action against CagsTech for testing activities performed in good faith within the agreed scope, provided all authorization requirements are met.
9. Payment Terms
- 50% due upon signed agreement, before testing begins
- 50% due upon delivery of final report
- Payment processed securely via Stripe (credit/debit cards accepted)
- Custom quotes for larger projects require separate payment terms
10. Cancellation & Rescheduling
- Rescheduling requires at least 3 business days' notice
- Work already performed is billable and non-refundable
- Late cancellations may incur a scheduling fee
11. Intellectual Property
- Client retains ownership of all code, systems, and data
- CagsTech retains ownership of its methodologies, templates, and tooling
- Reports and findings are provided for the client's internal use only unless otherwise agreed in writing
12. Third-Party Tools
Testing may use reputable third-party tools (e.g., Semgrep, OWASP ZAP). Client acknowledges that some testing artifacts may be generated by these tools. CagsTech does not share client data with third parties beyond what is required to operate these tools.
13. Indemnification
- Client represents they own or have explicit permission to test all in-scope systems
- Client will indemnify and hold CagsTech harmless from claims arising from unauthorized scope, access, or misrepresented ownership
14. Limitations of Liability
Security testing is inherently limited by time, scope, and methodology. This assessment:
- Does not guarantee the discovery of all vulnerabilities
- Represents a point-in-time assessment — new vulnerabilities may emerge after testing
- Does not constitute a warranty or guarantee of application security
- Is not a compliance certification or audit report; findings may be used as supporting evidence within a formal compliance audit, but this engagement does not assert compliance
- CagsTech's liability is limited to the total amount paid for the engagement
Neither party is liable for indirect, incidental, or consequential damages arising from this engagement.
15. Force Majeure
Neither party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, outages, war, labor disputes, or government actions.
16. Governing Law & Venue
This agreement is governed by the laws of the State of New York, without regard to conflict of law principles. Venue for any disputes shall be the state or federal courts located in New York County, New York.
17. Dispute Resolution
The parties will first attempt to resolve disputes through good-faith negotiations. If unresolved, either party may pursue claims in the courts identified above.
Last updated: February 5, 2026