This Security Assessment Authorization Agreement ("Agreement") is entered into between DBAudit ("DBAudit", "we", "us") and the individual or entity accepting these terms ("Client", "you") in connection with the security assessment services provided through the DBAudit platform.
By accepting this Agreement, you confirm that you have read, understood, and agree to be bound by the terms set out below.
1. Authorization and legal capacity
- You represent that you are the legal owner of the target domain or have explicit written authorization from the owner to commission third-party security testing.
- You represent that you have authority to bind the organization associated with the target domain to this Agreement.
- You represent that the requested assessment complies with applicable law, regulation, and contractual obligations.
- Domain ownership verification during onboarding (for example a DNS record, an HTML meta tag, or a file-based verification method) is treated as authorization to begin assessment activity for the verified target.
- Misrepresentation of ownership or authorization may result in immediate suspension or termination of service and may be reported to applicable authorities.
2. Scope of assessment
Authorized scope
- The target domain and publicly resolvable subdomains tied to that target.
- Publicly accessible web application endpoints and APIs associated with the target.
- Resources responding directly to requests originating from the target domain.
Out of scope
- Third-party services not under the direct control of the Client.
- Internal or private networks not publicly accessible.
- Domains or subdomains not registered under the verified target.
- Systems and services not directly associated with the specified target.
3. Assessment methodology
Permitted activities
- Automated and AI-assisted vulnerability discovery and validation testing.
- Testing for common vulnerability classes in modern web applications and APIs.
- Evaluation of authentication, session handling, access controls, and business logic.
- Endpoint and parameter enumeration with response-behavior analysis.
- Public-information reconnaissance relevant to the target.
- Proof-of-concept exploit attempts where needed to validate exploitability of a finding.
Prohibited activities
- Denial-of-service or other availability-impacting attack traffic.
- Intentional permanent modification, deletion, or corruption of production data.
- Persistent backdoors, web shells, or malicious persistence mechanisms.
- Social engineering, phishing, or physical security testing.
- Testing outside the explicitly authorized target scope.
- Retention, sharing, or monetization of non-public data found during testing.
4. Confidentiality and data handling
- Findings and reports are provided only through authorized access paths in the DBAudit product.
- If sensitive data is encountered during authorized testing, interaction with that data should stop immediately and exposure should be documented only as needed for the finding.
- DBAudit may disclose information only when required by applicable law or with explicit written Client authorization.
5. Reporting and deliverables
- Findings are delivered through the DBAudit product experience and may include severity, technical detail, exploitability evidence, and remediation guidance.
- Available reporting depth and product capabilities may vary based on the active plan or purchase for the Client account.
6. Limitation of liability
- Security testing involves controlled interaction with live systems and may introduce temporary performance variation.
- To the extent permitted by law, DBAudit is not liable for direct operational impact arising from testing conducted within authorized scope.
- Nothing here limits liability for fraud, willful misconduct, or gross negligence where such limitations are prohibited by law.
7. Term and revocation
- This Agreement becomes effective upon acceptance by the Client.
- The Client may revoke authorization by removing verification signals from the target and submitting written notice through official DBAudit support channels.
- DBAudit may suspend or terminate assessment activity on expiration, cancellation, or material breach of this Agreement.
8. Indemnification
The Client agrees to indemnify, defend, and hold harmless DBAudit and its personnel from claims, liabilities, damages, costs, and expenses (including reasonable legal fees) resulting from misrepresentation of authorization, breach of this Agreement, violation of applicable law, or third-party claims alleging unauthorized testing based on Client-provided authorization.
9. Governing law and dispute resolution
This Agreement is governed by applicable law as determined by the controlling terms between DBAudit and the Client. This Agreement is the full understanding between the parties regarding authorization for security assessment activity and supersedes prior representations on this subject.