Legal · Penetration Test Service

Pentest Terms of Service

Last updated: May 11, 2026

This page sets out the legal terms governing your use of the GetCodeAudit "Pentest Report" service ("the Service"). The Service performs active, automated penetration testing against a target web domain you specify.

READ THIS BEFORE PURCHASING. Penetration testing involves sending probing requests to a website. In most jurisdictions, performing this testing on a website you do not own or have authorization to test is a criminal offense (Computer Fraud and Abuse Act in the United States; Section 66 of the Information Technology Act, 2000 in India; similar laws elsewhere). By purchasing the Service, you accept full legal responsibility.

1. Authorization Requirement

You may only purchase the Service to test a domain (or its subdomains) where one of the following is true:

You are the legal owner of the domain.
You are an employee or authorized agent of the domain owner, acting within the scope of your authorization.
You hold written, dated authorization from the domain owner permitting penetration testing.

When you submit a Pentest order, you check a consent box affirming this. We store your IP address, timestamp, and email at the moment of consent. This record may be provided to law enforcement upon valid legal request.

2. Prohibited Targets

You may not use the Service to test:

Domains you do not own and have not received written authorization to test.
Government, military, banking, healthcare, or critical infrastructure systems, even with apparent authorization, without prior coordination with us at pentest@getcodeaudit.com.
Third-party hosted services (Shopify storefronts, Wix sites, WordPress.com, etc.) — these belong to the platform vendor, not you.
Domains showing as parked, expired, or for sale.
Domains where the Pentest scan would violate any applicable law in your jurisdiction or the target's jurisdiction.

3. What the Service Does

The Pentest scan performs:

Reflected XSS probes (benign canary payloads, non-persistent).
SQL injection probes (error-based detection only).
Open redirect, path traversal, host header injection, and CORS misconfiguration probes.
Directory and subdomain enumeration (DNS lookups and HTTP HEAD requests).
HTTP method enumeration (OPTIONS).
Login endpoint rate-limit testing (up to 8 wrong attempts with random credentials).
JavaScript file analysis for hardcoded secrets.
HTML comment harvesting.
All passive checks included in the Quick Scan tier (TLS, headers, DNS, exposed files).

Requests are rate-limited to no more than 5 per second. The scan identifies itself with the User-Agent string GetCodeAudit-Pentest/1.0 (authorized scan; pentest@getcodeaudit.com).

4. What the Service Does NOT Do

It does not attempt to access, modify, or delete data.
It does not attempt account takeover, privilege escalation, or to bypass authentication on protected resources.
It does not perform denial-of-service testing.
It does not test business logic, authorization, or chained vulnerabilities — these require manual testing by a qualified human pentester.
It does not constitute formal security certification or replace a manual penetration test for compliance purposes.

5. Disclaimer of Warranties

The Service is provided "as is" without warranty of any kind. We do not guarantee that the Service will identify all vulnerabilities present on the target. False positives and false negatives are possible. You agree to validate findings before acting on them.

6. Limitation of Liability

To the maximum extent permitted by law, GetCodeAudit and its operators shall not be liable for:

Any disruption, downtime, or instability caused to the target by the Service.
Any legal consequences you face arising from unauthorized testing.
Any indirect, consequential, or incidental damages.

Our maximum aggregate liability is limited to the amount you paid for the specific Pentest order in dispute.

7. Indemnification

You agree to indemnify and hold harmless GetCodeAudit, its operators, and its contractors from any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from:

Your unauthorized use of the Service against a domain you do not own.
Your violation of any law or third-party right in connection with your use of the Service.
Your breach of these Terms.

8. Data Handling

We store the following data for each Pentest order:

Your email address.
The target URL.
The IP address from which you placed the order.
Date and time of consent.
Razorpay payment identifiers (no card data — that stays with Razorpay).
The findings produced by the scan.
The generated report PDF.

We retain this data for 12 months after the scan, then permanently delete it. We will surrender this data to law enforcement only upon valid legal process.

9. Refunds

Refunds are available within 24 hours of order placement only if the scan has not yet begun. Once a scan has been dispatched, the engineering cost is incurred regardless of outcome, and we do not refund completed or in-progress scans.

10. Modifications & Termination

We reserve the right to refuse service or terminate scans in progress if we have reason to believe the testing is unauthorized, illegal, or in violation of these Terms. In such cases we may report relevant information to law enforcement.

11. Governing Law

These Terms are governed by the laws of India. Disputes will be subject to the exclusive jurisdiction of courts in the city where GetCodeAudit is registered.

12. Contact

For questions about these Terms or to request authorized testing of sensitive targets: pentest@getcodeaudit.com

By checking the consent boxes on the Pentest order form, you confirm you have read, understood, and accept these Terms in full.