Legal · Penetration Test Service

Pentest Terms of Service

Last updated: June 1, 2026

This page sets out the legal terms governing your use of the GetCodeAudit "Pentest Report" service ("the Service"). The Service performs active, automated penetration testing against a target web domain you specify.

READ THIS BEFORE PURCHASING. Penetration testing involves sending probing requests to a website, including TCP port scanning of the target host. In nearly every country, performing this testing — including port scanning — on a system you do not own or have authorization to test is a criminal offense. Examples include the Computer Fraud and Abuse Act (United States), the Computer Misuse Act 1990 (United Kingdom), the EU Directive 2013/40 on attacks against information systems and member-state laws implementing it, and Section 43 / 66 of the Information Technology Act, 2000 (India) — and equivalent laws apply almost everywhere else. By purchasing the Service, you accept full legal responsibility in every applicable jurisdiction.

1. Authorization Requirement

You may only purchase the Service to test a domain (or its subdomains) where one of the following is true:

You are the legal owner of the domain.
You are an employee or authorized agent of the domain owner, acting within the scope of your authorization.
You hold written, dated authorization from the domain owner permitting penetration testing.

When you submit a Pentest order, you check a consent box affirming this. We store your IP address, timestamp, and email at the moment of consent. This record may be provided to law enforcement upon valid legal request.

2. Prohibited Targets

You may not use the Service to test:

Domains you do not own and have not received written authorization to test.
Government, military, banking, healthcare, or critical infrastructure systems, even with apparent authorization, without prior coordination with us at pentest@getcodeaudit.com.
Third-party hosted services (Shopify storefronts, Wix sites, WordPress.com, etc.) — these belong to the platform vendor, not you.
Domains showing as parked, expired, or for sale.
Domains where the Pentest scan would violate any applicable law in your jurisdiction or the target's jurisdiction.

3. What the Service Does

The Pentest scan performs:

Reflected XSS probes (benign canary payloads, non-persistent).
SQL injection probes (error-based, time-based blind, and boolean-based detection) against GET parameters and POST form fields. Probes are non-destructive: no INSERT/UPDATE/DELETE/DROP payloads are sent.
Open redirect, path traversal, host header injection, and CORS misconfiguration probes.
Directory and subdomain enumeration (DNS lookups and HTTP HEAD requests).
HTTP method enumeration (OPTIONS).
TCP port scanning of the target host (the most common 1,000 ports) and service-version detection on any open ports, to identify network services exposed beyond the web application.
Login endpoint rate-limit testing (up to 8 wrong attempts with random credentials).
JavaScript file analysis for hardcoded secrets.
HTML comment harvesting.
All passive checks included in the Quick Scan tier (TLS, headers, DNS, exposed files).

Requests are rate-limited to no more than 5 per second. The scan identifies itself with the User-Agent string GetCodeAudit-Pentest/1.0 (authorized scan; pentest@getcodeaudit.com).

4. What the Service Does NOT Do

It does not attempt to access, modify, or delete data.
It does not attempt account takeover, privilege escalation, or to bypass authentication on protected resources.
It does not perform denial-of-service testing.
It does not test business logic, authorization, or chained vulnerabilities — these require manual testing by a qualified human pentester.
It does not constitute formal security certification or replace a manual penetration test for compliance purposes.

5. Disclaimer of Warranties

The Service is provided "as is" without warranty of any kind. We do not guarantee that the Service will identify all vulnerabilities present on the target. False positives and false negatives are possible. You agree to validate findings before acting on them.

6. Limitation of Liability

To the maximum extent permitted by law, GetCodeAudit and its operators shall not be liable for:

Any disruption, downtime, or instability caused to the target by the Service.
Any legal consequences you face arising from unauthorized testing.
Any indirect, consequential, or incidental damages.

Our maximum aggregate liability is limited to the amount you paid for the specific Pentest order in dispute.

7. Indemnification

You agree to indemnify and hold harmless GetCodeAudit, its operators, and its contractors from any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from:

Your unauthorized use of the Service against a domain you do not own.
Your violation of any law or third-party right in connection with your use of the Service.
Your breach of these Terms.

8. Data Handling

We store the following data for each Pentest order:

Your email address.
The target URL.
The IP address from which you placed the order.
Date and time of consent.
Razorpay payment identifiers (no card data — that stays with Razorpay).
The findings produced by the scan.
The generated report PDF.

The scan findings and report PDF are retained for 30 days after delivery; the order record (email, target, consent timestamp, payment reference) is retained for up to 12 months, after which it is deleted, except for any minimal record we are required by law to keep (such as a tax invoice). We will surrender data to law enforcement only upon valid legal process. For full detail on what we collect, how long we keep it, international data transfers, and your rights (including GDPR and CCPA rights), see our Privacy Policy.

9. Refunds

Refunds are available within 24 hours of order placement only if the scan has not yet begun. Once a scan has been dispatched, the engineering cost is incurred regardless of outcome, and we do not refund completed or in-progress scans.

10. Modifications & Termination

We reserve the right to refuse service or terminate scans in progress if we have reason to believe the testing is unauthorized, illegal, or in violation of these Terms. In such cases we may report relevant information to law enforcement.

11. Governing Law

These Terms are governed by the laws of India. Disputes will be subject to the exclusive jurisdiction of courts in the city where GetCodeAudit is registered (S.A.S Nagar / Mohali, Punjab, India). If you are a consumer resident in the EEA, the UK, or another jurisdiction with mandatory consumer-protection law, nothing here removes rights that cannot be waived under the law of your country of residence, and that law prevails to the extent of any conflict.

12. Contact

For questions about these Terms or to request authorized testing of sensitive targets: pentest@getcodeaudit.com

By checking the consent boxes on the Pentest order form, you confirm you have read, understood, and accept these Terms in full.

How can we help?

Find an answer or send us a message.

How long does a scan take?

Most scans complete within a few minutes. You'll get an email with your report as soon as it's ready.

Will the scan crash my site?

No. Testing is non-destructive and rate-limited; it's designed to observe, not to break anything.

What if I'm not authorized to test the target?

You must own the target or have written permission. Scanning without authorization may be illegal, and you confirm authorization at checkout.

Do you store my data?

Only what's needed to run the scan and deliver the report. Reports are auto-purged after 30 days, data is encrypted, and we never sell it. See our Privacy Policy for detail.

Can I re-run a scan?

Pentest orders include one free rescan within 7 days — open your report page and click "Request free rescan".

Is the PDF really password-protected?

Yes. The report PDF is encrypted; you verify your email to retrieve it.

Something else?

Use the "Submit a ticket" tab and our team will get back to you by email.

Prefer email? Reach us directly at
support@getcodeaudit.com

For anything about an existing order, include your order reference so we can find it faster.