Penetration Testing – Terms and Conditions
1. Engagement Scope
GRC Concierge (“Service Provider”) shall provide penetration testing services (“Services”) to the Client as outlined in the mutually agreed Statement of Work (SOW). The SOW will define the systems, applications, IP ranges, domains, timeframe, and type of testing (e.g., black-box, grey-box, white-box).
2. Client Responsibilities
The Client must provide written authorization for the penetration test prior to commencement. The Client agrees to notify relevant internal stakeholders and third-party service providers (e.g., hosting companies, ISPs) that testing will occur. The Client shall provide necessary access credentials, documentation, and contact information to support the engagement.
3. Payment Terms
All fees for the Services must be paid in full prior to the commencement of testing, unless otherwise agreed in writing. GRC Concierge reserves the right to delay or withhold testing and deliverables until payment is received. If additional work is required beyond the scope defined in the SOW, a change order and corresponding payment terms will be provided for Client approval.
4. Testing Limitations
The testing will be conducted in a controlled manner and is intended to identify and validate security vulnerabilities. GRC Concierge will take reasonable measures to avoid causing service disruption; however, some risk exists with all penetration testing. The Client agrees to accept this risk.
5. Confidentiality
All findings, data accessed, and reports generated during the penetration test are confidential. GRC Concierge agrees not to disclose or share any client data or findings with third parties without prior written consent, unless legally required.
6. Intellectual Property
All proprietary tools, scripts, and methodologies used during the engagement remain the intellectual property of GRC Concierge. The final report and test results shall become the property of the Client upon full payment.
7. Reporting and Remediation Support
A formal report will be provided within 10 business days of the test’s completion, unless otherwise agreed upon. GRC Concierge may offer follow-up consultation for remediation recommendations, verification testing, or clarification of findings upon request.
8. Use of Third-Party Tools and Services
GRC Concierge may utilize industry-standard third-party tools, platforms, or services to conduct certain aspects of the penetration testing engagement. The Client acknowledges and agrees that:
(a) These tools are selected for their effectiveness and widespread use in security testing.
(b) Any risks associated with the use of these tools, including false positives, performance impacts, or temporary service disruption, will be minimized to the best of GRC Concierge’s ability but cannot be fully eliminated.
(c) GRC Concierge does not warrant or guarantee the performance, availability, or results of any third-party tools.
(d) The Client consents to the use of such tools as part of the penetration test and acknowledges that some testing data may be temporarily processed or stored by these third-party providers as part of standard operation.
9. Limitation of Liability
GRC Concierge is not liable for any damages or losses resulting from system downtime, data loss, or business interruption unless due to gross negligence or intentional misconduct. Total liability shall not exceed the fees paid by the Client for the Services.
10. Legal Authorization
The Client warrants that it has full legal authority over the assets to be tested and indemnifies GRC Concierge from any claims arising from unauthorized testing.
11. Term and Termination
Either party may terminate this agreement with 5 business days’ written notice. If terminated prior to completion, the Client will be billed for work completed up to the termination date.
12. Governing Law
This agreement shall be governed by and construed in accordance with the laws of the Province of Ontario, Canada.