
Terms of Service

Last updated: May 3, 2026 · Version: 1.1
HACKERSEC INOVAÇÃO EM CIBERSEGURANÇA LTDA
Avenida Ipanema, 165, Dezoito do Forte Empresarial/Alphaville
Barueri, São Paulo, ZIP 06472-002, Brazil
CNPJ: 34.960.944/0001-22  |  IE: 126.809.011.117

These Terms of Service ("Terms") constitute the entire agreement between HACKERSEC INOVAÇÃO EM CIBERSEGURANÇA LTDA ("HackerSec", "we" or "us") and the legal entity or individual who accesses, uses or contracts the HackerSec platform and services ("Client" or "you"), governing all conditions of access, use and contracting of the HAS – HackerSec Advanced Security platform ("Platform") and the offensive cybersecurity operations facilitated through it.

By accessing, registering or using the Platform, the Client acknowledges having read, understood and fully accepted these Terms, as well as the Privacy Policy and the Acceptable Use Policy, which are an integral part of this instrument.

1. Definitions

For purposes of these Terms, the following terms shall have the meanings assigned to them:

  • "Assets": systems, applications, infrastructures, domains, APIs, endpoints, environments or any technological resources designated by the Client as the subject of offensive security testing. For commercial and contracting purposes, "Asset" also designates the Platform's unit of consumption, with each Asset corresponding to the right to submit 1 (one) technological resource to 1 (one) Offensive Cybersecurity Operation.
  • "Renewable Asset": an Asset unit made available under the continuous modalities (Monthly Plan and Annual Plan), automatically renewed each monthly cycle while the engagement remains in effect. The Renewable Asset allotment is non-cumulative: any amount not used within a cycle expires at its end and does not carry over to subsequent cycles.
  • "Single-Use Asset": an Asset unit acquired under the One-Time Test modality, which may be used only once, does not renew, and does not convert into a Renewable Asset. Single-Use Assets are valid for 12 (twelve) months from the date of purchase, expiring automatically at the end of such period if unused.
  • "Offensive Cybersecurity Operation": the set of technical activities performed through the Platform, including penetration testing (pentest), vulnerability analysis, attack surface reconnaissance and other offensive security technical procedures.
  • "Platform" or "HAS": the technology platform owned by HackerSec, accessible via the web, through which the results of offensive cybersecurity operations are delivered, managed and presented.
  • "Reports": technical documents generated in the context of the Operation, containing vulnerability descriptions, risk classification, evidence and recommendations, made available through the Platform.
  • "Vulnerability": a flaw, exposure or weakness identified in an Asset during the execution of the Offensive Cybersecurity Operation.
  • "One-Time Test": a pay-per-test engagement where the Client acquires one or more Single-Use Assets to perform specific Operations with defined scope and timeline, through a one-time payment.
  • "Monthly Plan": a month-to-month recurring engagement where the Client has a monthly allotment of Assets available for testing, without lock-in, with automatic monthly renewal and cancellation at any time subject to the notice period set forth in these Terms.
  • "Annual Plan": a recurring engagement with a minimum term of 12 (twelve) months, where the Client has a monthly allotment of Assets available for testing, with commercial conditions and pricing specific to the annual commitment.
  • "User": any natural person authorized by the Client to access and use the Platform through personal and non-transferable credentials.
  • "Confidential Information": all information, regardless of the medium or form of transmission, to which either Party has access by reason of these Terms, including technical, commercial, strategic, operational, financial, legal and security information.
  • "Commercial Proposal": a supplementary document specifying the scope, assets, modality, pricing and specific conditions of an engagement.

2. Purpose

2.1. These Terms govern the contracting of access to the HAS Platform and the execution of Offensive Cybersecurity Operations, focused on continuous or on-demand offensive security testing, according to the modality and scope selected by the Client.

2.2. The Client acknowledges that the engagement involves accessing and using a technology platform through which HackerSec delivers and presents the technical results of the Offensive Cybersecurity Operation, executed in accordance with the best technical practices and methodologies adopted by the market.

2.3. The engagement does not constitute an obligation of result, a security certification, a guarantee of the absence of vulnerabilities, or a compliance attestation. HackerSec does not guarantee the identification of each and every vulnerability, nor the absence of residual risks after execution of the Operation.

2.4. Activities performed under these Terms may involve automated, assisted or combined mechanisms, including proprietary tools, technical agents and artificial intelligence, within the limits of the contracted scope.

2.5. The Platform and Operations are instrumental and informational in nature, intended to support the identification of potential risks and exposures. The analysis, validation and adoption of any corrective or mitigating measures remain the exclusive responsibility of the Client.

2.6. The Platform and services are provided "as is", without guarantees that they will be uninterrupted, error-free, or that they will identify every existing vulnerability. HackerSec is committed to delivering services with diligence, technical competence, and in accordance with industry best practices for offensive cybersecurity, but does not offer implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

3. Acceptance and Registration

3.1. Access to and use of the Platform are conditional upon full acceptance of these Terms, the Privacy Policy and the Acceptable Use Policy. Acceptance occurs electronically, through clicking an acceptance button ("clickwrap"), registering on the Platform, or completing a payment, whichever occurs first.

3.2. The Client declares and warrants that: (a) they are at least 18 years of age; (b) they have full legal capacity to enter into this agreement; (c) if a legal entity, the User accepting these Terms has sufficient authority to bind such entity.

3.3. Registration on the Platform requires providing truthful, complete and up-to-date information. The Client is solely responsible for the accuracy of the information provided.

3.4. Access credentials (login and password) are personal and non-transferable. The Client is fully responsible for all activities performed through their account and must immediately notify HackerSec of any unauthorized use or suspected compromise.

3.5. Electronic acceptance of these Terms has the same validity, authenticity and effectiveness as a physically signed instrument, in accordance with applicable law.

4. Modalities and Scope

4.1. The Platform offers the following engagement modalities:

4.1.1. One-Time Test

A standalone engagement through a one-time payment, in which the Client acquires one or more Single-Use Assets to perform Offensive Cybersecurity Operations with defined scope and timeline. One-Time Tests may be performed at the following levels:

  • AI-Native: Pentest performed by Yaga (AI), with validation by HackerSec specialists;
  • AI-First: Pentest conducted by Yaga (AI), with manual validation and deepening by HackerSec specialists.

4.1.1.1. Each Single-Use Asset corresponds to the right to submit 1 (one) technological resource to 1 (one) Operation and may be used only once, with no renewal. Acquired Assets may be freely allocated by the Client, subject to the ratio of 1 (one) Asset per tested resource. By way of example, the acquisition of 5 (five) Assets allows the execution of 5 (five) Operations on 1 (one) resource each, or 1 (one) Operation covering up to 5 (five) resources, or any equivalent combination, until the acquired Assets are exhausted.

4.1.1.2. Single-Use Assets are valid for 12 (twelve) months from the date of purchase. Assets not used within this period expire automatically, with no right to refund, conversion into credits, or extension, except as expressly stated otherwise.

4.1.2. Monthly Plan

A month-to-month recurring engagement, with a monthly allotment of Renewable Assets available for testing, according to the selected plan (Starter, Essential or Business). The Monthly Plan has no lock-in period, auto-renews on a monthly basis, and may be cancelled by the Client at any time, subject to the notice period set forth in Section 9. No early termination penalty applies to the Monthly Plan. Assets are renewed each monthly cycle and are non-cumulative: any allotment not used within a cycle expires at its end and does not carry over to subsequent cycles.

4.1.3. Annual Plan

A recurring engagement with a minimum term of 12 (twelve) months, with a monthly allotment of Renewable Assets available for testing, according to the selected plan (Starter, Essential or Business). The Annual Plan offers preferential commercial conditions compared to the Monthly Plan in exchange for the annual commitment, and is subject to the early termination penalty set forth in Section 9. As with the Monthly Plan, Assets are made available and renewed each monthly cycle within the annual term and are non-cumulative: any allotment not used within a cycle expires at its end and does not carry over to subsequent cycles.

4.1.4. Enterprise Plan and Customized Plans

The Enterprise Plan and other customized plans, with customizable scope, Asset limits or commercial conditions different from the modalities above, may be negotiated on a case-by-case basis through a specific Commercial Proposal, which shall prevail in the event of any conflict.

4.1.5. Nature of the Asset-based engagement. The engagement's purpose is the provision of testing capacity on the Platform, measured in Assets. Each Asset is consumed at the moment the Client allocates it to an Operation and authorizes the start of its execution, with the corresponding service deemed progressively rendered from that moment.

4.2. The scope of each Operation is defined by the Client at the time of the test request, including: Assets to be tested, category (Application, Infrastructure, Specialized), test type (Black Box, Gray Box or White Box) and access credentials, when applicable.

4.3. Any activities not expressly included in the defined scope are considered extra activities, not included in the original engagement, and must be subject to separate negotiation and agreement.

4.4. HackerSec reserves the right to update, modify, enhance, add or remove Platform features, provided such modifications do not fundamentally alter the main contracted object.

5. HackerSec Obligations

HackerSec undertakes to:

  1. Execute the Offensive Cybersecurity Operation with excellence and professionalism, in accordance with the scope defined by the Client;
  2. Provide the Client with access to the Platform during the engagement term;
  3. Maintain the Platform operational in a reasonable manner, subject to interruptions due to scheduled or emergency maintenance, updates, technical adjustments, force majeure or events beyond its control;
  4. Deliver technical Reports through the Platform;
  5. Provide support related to Platform usage through available channels;
  6. Maintain the confidentiality of Client information per Section 11;
  7. Comply with applicable data protection legislation.

5.2. HackerSec is not obligated to: (i) guarantee the detection of all vulnerabilities; (ii) fix flaws or implement solutions in Client environments; (iii) directly operate Client environments; (iv) ensure any specific level of security; or (v) guarantee uninterrupted Platform availability.

6. Client Obligations

The Client undertakes to:

  1. Provide HackerSec with all information necessary for the proper execution of the Operation, including adequate scope definition, Assets, environments, permissions and applicable authorizations, assuming full responsibility for the accuracy and completeness of such information;
  2. Ensure full legitimacy and authorization to submit all Assets indicated in the scope to the Platform, holding HackerSec harmless from any claims arising from testing of unauthorized assets;
  3. Perform, under its exclusive responsibility, the evaluation, validation and implementation of any corrective or mitigating actions related to identified Vulnerabilities;
  4. Use the Platform in compliance with these Terms and the Acceptable Use Policy;
  5. Manage Platform access, maintaining credential confidentiality and security;
  6. Make timely payment of all amounts due;
  7. Cooperate with HackerSec as necessary for proper Operation execution;
  8. Perform a complete backup of environments to be tested before the Operation begins, and designate a technical contact for communication with HackerSec during test execution;
  9. Comply with the Acceptable Use Policy in its entirety.

6.2. The Client acknowledges that HackerSec shall not be liable for damages arising from: (i) improper Platform use; (ii) incorrect scope definition; (iii) failure to remediate Vulnerabilities; (iv) Client's technical or business decisions; or (v) security events occurring in Client environments.

7. Authorization for Security Testing

7.1. By requesting an Offensive Cybersecurity Operation through the Platform, the Client grants HackerSec express, specific and unequivocal authorization to perform offensive security testing on the Assets indicated in the scope, within the agreed limits.

7.2. The Client declares and warrants that: (a) they are the legitimate owner or have valid written authorization from the owner for security testing on all indicated Assets; (b) the tests will not violate any contracts, terms of service or obligations with third parties; (c) they have authorization from all necessary parties, including hosting providers when applicable; (d) they will indemnify and hold HackerSec harmless from any claims arising from testing on unauthorized Assets.

7.3. HackerSec will conduct tests exclusively within the defined scope. HackerSec shall not be liable for unavailability, degradation or incidents in Client environments that are inherent to the nature of offensive security testing performed within the authorized scope.

7.4. The Client acknowledges that offensive security testing involves, by its nature, the controlled simulation of attack scenarios on the Assets defined in scope. HackerSec will adopt reasonable technical precautions to minimize impact on tested environments, and the Client is responsible for ensuring the existence of adequate backups and recovery mechanisms.

8. Commercial Conditions and Payment

8.1. In consideration for access to and use of the Platform and the contracted Operation, the Client shall pay HackerSec the amounts corresponding to the selected modality and scope.

8.2. Payments may be made via: (i) credit card; (ii) PIX (Brazil); (iii) bank slip (boleto bancário, Brazil); or (iv) other payment methods available on the Platform.

8.3. For One-Time Tests, payment is due in full at the time of engagement. Operations begin only after payment confirmation.

8.4. For the Monthly Plan, payment is processed on a recurring monthly basis through automatic debit or charge to the payment method registered by the Client. The Monthly Plan has no cancellation penalty, and the Client may cancel auto-renewal at any time, subject to the notice period set forth in Section 9. Amounts corresponding to the current month are non-refundable after charge confirmation.

8.4.1. For the Annual Plan, payment may be made in full or in installments per the conditions of the selected plan, with payment obligations being non-cancelable during the 12 (twelve) month minimum term. Amounts paid are non-refundable.

8.5. Late payment shall be subject to: (i) a late penalty of 2% (two percent); (ii) interest of 1% (one percent) per month; and (iii) monetary adjustment, plus judicial or extrajudicial collection expenses.

8.6. In case of default, HackerSec may suspend Platform access until payment is current.

8.7. Contracted amounts include all applicable taxes. Where withholding or source collection of taxes is required, HackerSec will itemize such amounts on the invoice.

8.8. Non-refundable payments. The engagement corresponds to the acquisition of Assets for use on the Platform. Once payment is confirmed, amounts paid are non-refundable, and acquired Assets are not convertible into credits or transferable, except as required by mandatory law. Assets not used within their applicable validity period expire with no right to refund, whether the monthly allotment of the continuous plans at the end of each cycle or the Single-Use Asset at the end of the 12 (twelve)-month period. In the event of a failure exclusively attributable to HackerSec that prevents delivery, HackerSec will re-execute the operation, with no refund. Payment disputes (chargebacks) will be evaluated based on this policy and evidence of execution.

9. Term, Renewal and Cancellation

9.1. One-Time Test

One-Time Test engagements terminate automatically upon delivery of the final Reports. Platform access for Report consultation remains available while the Client maintains an active account.

9.2. Monthly Plan

The Monthly Plan has an initial term of 1 (one) month from payment confirmation and auto-renews for successive equal monthly periods, unless either Party provides written notice, subject to the following:

  1. The Client may cancel auto-renewal at any time, through the Platform or official communication channels, with at least 7 (seven) days' notice before the end of the current monthly cycle;
  2. Cancellation will take effect at the end of the monthly cycle already paid, with no penalty or additional charges;
  3. Any price adjustments will be communicated to the Client at least 30 (thirty) days before the next billing cycle.

9.3. Annual Plan

The Annual Plan has a 12-month term from payment confirmation and auto-renews for successive equal periods, unless either Party provides written notice:

  1. HackerSec will notify the Client of upcoming auto-renewal at least 90 days before term expiration;
  2. Upon renewal, then-current pricing will apply, communicated at least 90 days in advance;
  3. The Client must provide non-renewal notice at least 60 days before term expiration.

9.4. Termination

9.4.1. Early termination of the Annual Plan due to Client breach shall incur a compensatory penalty of 25% (twenty-five percent) of the remaining contract balance, without prejudice to collection of overdue amounts and any damages. This penalty does not apply to the Monthly Plan, which may be cancelled at any time without any charge, subject to the notice period set forth in item 9.2.

9.4.2. Termination does not release the Client from payment of invoiced or accrued amounts.

9.4.3. Upon termination, HackerSec may suspend or terminate Platform access without any right to compensation.

9.4.4. These Terms may be terminated immediately upon: (a) bankruptcy, judicial recovery or dissolution of either Party; (b) material breach not cured within 10 business days of written notice.

9.4.5. Obligations regarding confidentiality, intellectual property, liability limitations and data protection survive termination.

10. Intellectual Property

10.1. The Client acknowledges that the Platform and all its components, including software, source code, architecture, methodologies, workflows, automations, agents, models, algorithms, artificial intelligence, know-how, technical documentation and improvements, are and shall remain the exclusive property of HackerSec.

10.2. Reports and results generated in the context of the Operation belong to the Client, who may freely use, reproduce and share them for its own purposes, including for compliance, audits and demonstration of its security posture to customers, partners and authorities. The Client shall only refrain from commercializing the Reports as a standalone product or using them to suggest certification or endorsement by HackerSec beyond what is expressly stated therein.

10.3. This engagement does not imply any transfer or licensing of HackerSec's intellectual property rights beyond the use strictly necessary for the contracted purpose.

10.4. HackerSec may use anonymized and aggregated technical data, including Vulnerability patterns and operational metrics, for Platform improvement, development and AI model training, provided such use does not identify the Client or their Assets.

10.5. HackerSec undertakes not to infringe upon intellectual property rights of the Client or third parties accessed during service execution.

11. Confidentiality

11.1. The Parties undertake to keep strictly confidential all Confidential Information accessed by reason of these Terms.

11.2. All information identified as confidential or that by its nature should reasonably be treated as confidential shall be considered Confidential Information, including contracts, know-how, techniques, models, reports, processes, financial data, commercial and legal information, names, pricing, costs, research, and identified Vulnerabilities.

11.3. Confidential Information shall be used exclusively for the purposes of these Terms and shall not be disclosed to third parties without prior express authorization.

11.4. Each Party shall adopt reasonable security measures to protect Confidential Information and promptly notify the other Party of any incident that may compromise confidentiality.

11.5. The following are not considered confidential: (i) information that becomes public without breach of these Terms; (ii) information legitimately received from third parties without confidentiality obligations; (iii) information already known to the receiving Party; or (iv) information required to be disclosed by law or court order, provided prior notice is given when possible.

11.6. Confidentiality obligations survive termination for 5 (five) years or as required by applicable law, whichever is longer.

12. Limitation of Liability

12.1. In no event shall HackerSec's total liability arising out of or related to these Terms exceed the total amount actually paid by the Client in the 12 (twelve) months preceding the event giving rise to liability.

12.2. In no event shall HackerSec be liable for any indirect, incidental, special, consequential, punitive or exemplary damages, including lost profits, lost revenue, loss of data, loss of business, reputational damage or business interruption, even if advised of the possibility of such damages.

12.3. These limitations apply regardless of the theory of liability invoked (contractual, tort, negligence, strict liability or any other).

12.4. HackerSec shall not be liable for: (i) failures or unavailability in Client environments; (ii) undetected vulnerabilities; (iii) security incidents before, during or after the Operation; (iv) Client decisions based on Reports; or (v) acts or omissions of third parties.

13. Use of Artificial Intelligence and Automation

13.1. The Client acknowledges and agrees that HackerSec may use artificial intelligence ("AI") tools, autonomous agents, automations and other technological mechanisms in conducting Offensive Cybersecurity Operations, including reconnaissance, analysis, exploitation and report generation.

13.2. AI usage aims to enhance the effectiveness, coverage and speed of Operations, complementing HackerSec's technical team expertise. AI-generated results undergo review and validation processes.

13.3. HackerSec does not guarantee that AI-generated results are free from errors, omissions or inaccuracies. Final responsibility for analysis and corrective action remains with the Client per Section 6.

13.4. No training on Client data. HackerSec does not use identifiable Client data, including personal data, credentials and technical information about Client Assets, to train, fine-tune or directly feed foundational or commercial AI models, except upon explicit and specific Client consent in optional programs formally communicated.

13.5. Isolated execution and retention controls. Testing operations run in isolated environments, with minimal data retention upon completion. HackerSec selects AI sub-processors that offer restricted retention controls, including Zero Data Retention (ZDR) modes where available in the contracted plan.

13.6. Aggregated learning. HackerSec may use (i) anonymized vulnerability class patterns and (ii) aggregated operational metrics, to improve the Platform, without such use identifying the Client, their Assets or their data.

13.7. The Client acknowledges that artificial intelligence agents operate in an automated manner and complement the work of HackerSec's technical team. HackerSec adopts control and review mechanisms over actions performed by these agents. The limitations of liability set forth in Section 12 apply to Operations conducted with the use of AI.

14. Platform Availability

14.1. HackerSec will use commercially reasonable efforts to keep the Platform available and operational. The Client acknowledges that no system can guarantee absolute, uninterrupted availability.

14.2. The Platform may be unavailable due to: (i) scheduled or emergency maintenance; (ii) security or technology updates; (iii) third-party infrastructure failures; (iv) force majeure; or (v) events beyond HackerSec's reasonable control.

14.3. HackerSec will endeavor to provide reasonable advance notice of scheduled maintenance when possible.

14.4. Temporary unavailability does not constitute a breach, does not give rise to refunds, credits or compensation, and does not authorize unilateral termination by the Client.

15. Legal Compliance, Ethics and Anti-Corruption

15.1. The Parties declare compliance with all applicable legislation, including labor, environmental, tax, anti-corruption and integrity laws, undertaking not to practice any illicit, fraudulent or illegal acts.

15.2. The Parties undertake to observe applicable anti-corruption laws, including Brazil's Anti-Corruption Law (Law No. 12,846/2013), the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act, as applicable.

16. Communications

16.1. Any communication between the Parties must be in writing to be valid.

16.2. Communications to HackerSec may be made through the Platform or sent to [email protected], both considered official channels.

16.3. Communications to the Client may be made through the Platform or to the registered email address.

16.4. Each Party shall maintain up-to-date contact information. Communications sent to provided addresses are considered valid regardless of express acknowledgment of receipt.

17. General Provisions

17.1. HackerSec may modify these Terms upon reasonable notice via the Platform or email. Continued use constitutes acceptance of modifications.

17.2. Tolerance of any breach shall not constitute waiver or precedent.

17.3. These Terms, together with the Privacy Policy and Acceptable Use Policy, constitute the entire agreement between the Parties, superseding all prior understandings.

17.4. If any provision is found invalid, the remaining provisions shall remain in full force and effect.

17.5. Nothing in these Terms creates an employment, partnership or agency relationship between the Parties.

17.6. The Client may not assign rights or obligations without HackerSec's prior written consent. HackerSec may freely assign to any affiliate.

18. Governing Law and Jurisdiction

18.1. These Terms shall be governed by and construed in accordance with the laws of the Federative Republic of Brazil.

18.2. The courts of São Paulo, State of São Paulo, Brazil, shall have exclusive jurisdiction over any disputes arising from these Terms, with express waiver of any other forum.

© 2026 HackerSec Inovação em Cibersegurança Ltda.
