Terms of Service

Last Updated: March 3, 2026

Please read these Terms of Service carefully before using the Mirage platform. By accessing or using our services, you agree to be bound by these terms.

1. Acceptance of Terms

By accessing or using the Mirage platform ("Platform"), operated by Pentesys Ltd ("Company", "we", "us", or "our"), you ("Customer", "you", or "your") agree to be bound by these Terms of Service ("Terms"). If you are entering into these Terms on behalf of an organisation, you represent that you have the authority to bind that organisation to these Terms.

If you do not agree to these Terms, you must not access or use the Platform.

2. Definitions

  • "Platform" means the Mirage cybersecurity platform, including all associated services, APIs, and documentation.
  • "Services" means the cybersecurity services provided through the Platform, including Mirage Surface, Mirage Validate, and Mirage Adversary.
  • "Subscription" means a recurring agreement to access specific Services for a defined period.
  • "Credits" means the prepaid units used to purchase penetration testing services under Mirage Validate.
  • "Organisation" means your company, team, or entity account on the Platform.
  • "Authorised User" means any individual authorised by you to access the Platform under your Organisation.
  • "Target" means any system, application, network, or asset that you submit for security testing.

3. Description of Services

The Mirage platform provides the following cybersecurity services:

3.1 Mirage Surface (External Attack Surface Management)

A subscription-based service providing continuous monitoring of your external attack surface, including:

  • Domain and subdomain discovery
  • Asset inventory and classification
  • Automated vulnerability scanning
  • Change detection and alerting
  • Technology fingerprinting

Domain limits are determined by your subscription tier (Starter: 1 domain, Professional: 5 domains, Enterprise: unlimited).

3.2 Mirage Validate (Penetration Testing as a Service)

A credit-based service providing human-led penetration testing and vulnerability validation, including:

  • Web application penetration testing
  • API security testing
  • Mobile application testing
  • Infrastructure penetration testing
  • Vulnerability validation and exploitation

Automated scanning features are provided at no additional cost. Human validation services consume credits.

3.3 Mirage Adversary (Red Team as a Service)

A contract-based service providing adversary simulation and red team exercises, including:

  • Realistic attack simulations
  • Social engineering campaigns
  • Physical security assessments
  • Purple team exercises
  • Assumed breach scenarios

Adversary services are provided under separate campaign contracts and require advance scheduling.

4. Account Registration & Security

4.1 Account Creation

To access the Platform, you must create an Organisation account. You agree to:

  • Provide accurate, current, and complete registration information
  • Use a valid corporate email address (personal email providers such as Gmail, Yahoo, Hotmail, and similar services are not permitted)
  • Maintain and promptly update your account information
  • Keep your login credentials confidential and secure
  • Notify us immediately of any unauthorised access to your account

4.2 Single Account Policy

Important: Each organisation is permitted only ONE account per tenant. Creating multiple accounts to circumvent service limitations, abuse trial periods, or obtain additional free resources is strictly prohibited.

Specifically, you agree NOT to:

  • Create multiple accounts using email aliases (e.g., [email protected])
  • Register additional accounts using different email addresses from the same organisation
  • Create accounts on behalf of others to exploit trial offers
  • Use temporary, disposable, or anonymised email addresses
  • Share account credentials with individuals outside your Organisation
  • Transfer or sell your account to third parties

We reserve the right to:

  • Merge or terminate duplicate accounts without notice
  • Revoke trial benefits obtained through multiple account abuse
  • Permanently ban individuals or organisations engaged in such practices
  • Pursue legal remedies for fraudulent account creation

4.3 Account Responsibility

You are responsible for all activities that occur under your account. You accept full liability for any actions taken by Authorised Users within your Organisation.

5. Prohibited Conduct

You agree not to engage in any of the following prohibited activities:

  • Submitting Targets for testing that you do not own or have explicit written authorisation to test
  • Using the Platform to conduct attacks against systems without proper authorisation
  • Attempting to gain unauthorised access to the Platform or other users' accounts
  • Interfering with or disrupting the Platform's infrastructure or other users' access
  • Uploading malicious code, viruses, or harmful content
  • Using the Platform for any illegal purpose or in violation of applicable laws
  • Reselling, sublicensing, or providing access to the Platform to third parties
  • Circumventing any access controls, rate limits, or security measures
  • Scraping, data mining, or automated collection of Platform data
  • Impersonating any person or entity, or falsely representing your affiliation

6. Subscription Terms & Billing

6.1 Subscription Plans

Mirage Surface is offered on a subscription basis with the following tiers:

Plan | Domains | Price (Monthly)
Starter | 1 domain | £750
Professional | 5 domains | £1,750
Enterprise | Unlimited | From £4,000 (custom pricing)

6.2 Billing Cycle

Subscriptions are billed in advance on a monthly or annual basis, as selected at the time of purchase. All fees are non-refundable except as expressly stated in these Terms or required by applicable law.

6.3 Automatic Renewal

Subscriptions automatically renew at the end of each billing period unless cancelled prior to the renewal date. You may cancel your subscription at any time through the Platform's billing settings.

6.4 Price Changes

We may change subscription prices upon 30 days' written notice. Price changes take effect at the start of the next billing cycle following the notice period.

6.5 Failed Payments

If payment fails, we will attempt to collect payment for up to 14 days. If payment remains unsuccessful, your subscription will be suspended. Access will be restored upon successful payment of all outstanding amounts.

6.6 Taxes

All prices are exclusive of VAT and other applicable taxes, which will be added where required by law.

7. Credit System (Mirage Validate)

7.1 Credit Valuation

1 Credit = £500
1 Penetration Test Day = 2 Credits (£1,000)

7.2 Credit Validity

Credits are valid for twelve (12) months from the date of purchase.

After the expiry period:

  • Unused credits will expire and be forfeited without refund
  • Credits cannot be extended, transferred, or converted to cash
  • You will receive email notifications at 30 days and 7 days before expiry
  • It is your responsibility to utilise credits before expiration

7.3 Credit Consumption

Credits are consumed when:

  • A penetration test is scheduled and confirmed
  • Human validation of vulnerabilities is requested
  • Expert consultation hours are utilised

Credits are NOT consumed for:

  • Automated vulnerability scanning
  • Report generation
  • Platform access and dashboard usage

7.4 Credit Refunds

Purchased credits are non-refundable except:

  • Where required by applicable consumer protection laws
  • If we are unable to deliver the agreed services
  • At our sole discretion in exceptional circumstances

7.5 Credit Abuse

Attempting to fraudulently obtain, duplicate, or manipulate credits will result in immediate account termination and potential legal action.

8. Service Level Agreements

8.1 Platform Availability (Mirage Surface)

Metric | Target
Platform Uptime | 99.5% monthly
Scheduled Maintenance Window | Sundays 02:00-06:00 UTC
Emergency Maintenance Notice | Minimum 4 hours (where possible)
Data Retention | 12 months from scan date

8.2 Support Response Times

Priority | Description | Response Time | Resolution Target
Critical | Platform unavailable, data breach | 1 hour | 4 hours
High | Major feature unavailable | 4 hours | 24 hours
Medium | Feature degraded, workaround exists | 8 hours | 72 hours
Low | General enquiries, feature requests | 24 hours | Best effort

Response times apply during business hours (Monday-Friday, 09:00-18:00 UTC, excluding UK public holidays).

8.3 Penetration Testing SLA (Mirage Validate)

Metric | Target
Test Scheduling | Within 5 business days of request (subject to availability)
Draft Report Delivery | Within 5 business days of test completion
Final Report Delivery | Within 2 business days of feedback
Critical Finding Notification | Within 24 hours of discovery
Re-test (post-remediation) | Within 10 business days of request

8.4 Red Team SLA (Mirage Adversary)

Metric | Target
Campaign Scheduling | Minimum 4 weeks advance notice
Scoping Document | Within 5 business days of kick-off
Campaign Report | Within 10 business days of campaign end
Executive Debrief | Within 15 business days of campaign end

8.5 SLA Credits

If we fail to meet the Platform Uptime SLA, you may be eligible for service credits:

Monthly Uptime | Service Credit
99.0% - 99.5% | 10% of monthly fee
95.0% - 99.0% | 25% of monthly fee
Below 95.0% | 50% of monthly fee

Service credits must be requested within 30 days of the incident and are issued as account credit, not refunds.

8.6 SLA Exclusions

SLAs do not apply to outages caused by:

  • Scheduled maintenance during announced windows
  • Force majeure events (natural disasters, war, etc.)
  • Your actions, systems, or third-party services
  • Internet connectivity issues outside our control
  • Abuse or violation of these Terms

9. Acceptable Use Policy

9.1 Authorised Testing Only

You warrant that you have obtained all necessary authorisations, consents, and legal rights to conduct security testing on any Target submitted to the Platform. You must:

  • Own the Target systems or have explicit written permission from the owner
  • Ensure testing complies with all applicable laws and regulations
  • Notify relevant third parties (cloud providers, hosting companies) as required
  • Maintain documentation of authorisation for audit purposes

9.2 Scope Restrictions

You agree that testing will remain within agreed-upon scope boundaries. Testing must not:

  • Impact systems outside the defined Target scope
  • Cause denial of service to production systems (unless explicitly agreed)
  • Exfiltrate, modify, or destroy production data
  • Compromise systems belonging to third parties

9.3 Compliance

You are responsible for ensuring that your use of the Platform complies with:

  • The Computer Misuse Act 1990 (UK)
  • General Data Protection Regulation (GDPR)
  • Industry-specific regulations (PCI-DSS, HIPAA, etc.)
  • Any other applicable laws in your jurisdiction

10. Intellectual Property

10.1 Our Intellectual Property

The Platform, including its software, design, documentation, methodologies, tools, techniques, and all related intellectual property, is owned exclusively by Pentesys Ltd. Nothing in these Terms grants you any rights to our intellectual property except the limited licence to use the Platform as described herein.

10.2 Your Content

You retain ownership of all data, content, and materials you upload to the Platform. You grant us a limited licence to process your content solely for the purpose of providing the Services.

10.3 Feedback

Any feedback, suggestions, or ideas you provide regarding the Platform may be used by us without restriction or compensation.

11. Reverse Engineering Prohibition

Strictly Prohibited: Any attempt to reverse engineer, decompile, or analyse the Platform's source code, algorithms, or security measures is strictly prohibited and may result in legal action.

You expressly agree NOT to:

  • Reverse engineer: Attempt to derive source code, algorithms, data structures, or ideas from the Platform
  • Decompile or disassemble: Convert any part of the Platform from object code to source code
  • Analyse security measures: Probe, scan, or test the vulnerability of the Platform itself (the Platform is NOT an authorised Target)
  • Bypass access controls: Circumvent any technical measures designed to protect the Platform
  • Extract methodologies: Systematically extract our testing methodologies, detection signatures, or vulnerability databases
  • Create derivative works: Develop competing products based on our Platform's functionality
  • Monitor or intercept: Capture, intercept, or analyse network traffic between you and the Platform for reverse engineering purposes
  • Automated extraction: Use bots, scrapers, or automated tools to extract Platform data or functionality

11.1 Permitted Security Research

If you discover a security vulnerability in the Platform, you must report it through our responsible disclosure programme. Unauthorised security testing of the Platform is prohibited.

11.2 Consequences

Violation of this section will result in:

  • Immediate termination of your account without refund
  • Permanent ban from the Platform
  • Legal action for damages and injunctive relief
  • Reporting to relevant law enforcement authorities

12. Security & Vulnerability Disclosure

12.1 Our Security Measures

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-tenancy isolation and access controls
  • Regular security assessments and penetration testing
  • Employee security training and background checks
  • Incident response and disaster recovery procedures

12.2 Responsible Disclosure

If you discover a security vulnerability in the Platform, please report it to [email protected]. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing regular updates on remediation progress
  • Not pursuing legal action against good-faith researchers
  • Crediting researchers (with permission) in our security advisories

13. Limitation of Liability

13.1 Service Limitations

You acknowledge that:

  • No security testing service can guarantee the discovery of all vulnerabilities
  • The Platform provides tools and information but cannot prevent all security incidents
  • Security testing may cause disruption to Target systems despite best efforts
  • Remediation of identified vulnerabilities is your responsibility

13.2 Liability Cap

To the maximum extent permitted by law:

  • Our total liability for any claims arising from these Terms shall not exceed the fees paid by you in the twelve (12) months preceding the claim
  • We are not liable for indirect, incidental, special, consequential, or punitive damages
  • We are not liable for loss of profits, data, business opportunity, or goodwill

13.3 Exceptions

Nothing in these Terms excludes or limits liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any liability that cannot be excluded by applicable law

14. Indemnification

You agree to indemnify, defend, and hold harmless Pentesys Ltd, its officers, directors, employees, and agents from any claims, liabilities, damages, costs, and expenses (including legal fees) arising from:

  • Your use of the Platform
  • Your violation of these Terms
  • Your violation of any third-party rights
  • Unauthorised security testing conducted using the Platform
  • Any claims by third parties related to Targets you submitted for testing

15. Termination

15.1 Termination by You

You may terminate your account at any time by:

  • Cancelling your subscription through the Platform's billing settings
  • Contacting support to request account deletion

15.2 Termination by Us

We may terminate or suspend your account immediately if:

  • You breach any provision of these Terms
  • You engage in fraudulent or illegal activities
  • You fail to pay fees when due
  • Continued service would violate applicable law
  • We discontinue the Platform (with 90 days' notice)

15.3 Effect of Termination

Upon termination:

  • Your access to the Platform will be revoked
  • Unused credits and subscription time are forfeited (except where prohibited by law)
  • You may request export of your data within 30 days
  • We will delete your data within 90 days (unless legally required to retain)
  • Sections regarding liability, indemnification, and intellectual property survive termination

16. Governing Law

These Terms are governed by the laws of England and Wales. Any disputes arising from these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales.

If you are a consumer, you may also have rights under the laws of your country of residence that cannot be waived by contract.

17. Changes to Terms

We may update these Terms from time to time. We will notify you of material changes by:

  • Posting the updated Terms on the Platform
  • Sending an email to your registered address
  • Displaying a prominent notice when you log in

Continued use of the Platform after changes take effect constitutes acceptance of the updated Terms. If you do not agree to the changes, you must stop using the Platform and terminate your account.

18. Contact Information

For questions about these Terms, please contact:

Pentesys Ltd
Legal Department
Email: [email protected]

By using the Mirage platform, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service.