HackZero Terms of Service
Effective date: 2026-06-02
Last updated: 2026-06-02
Plain-language summary (not a substitute for the full Terms). These Terms are the contract between you and Agentic Security, Inc., a Delaware corporation, doing business as HackZero. They govern your use of our website (hackzero.ai), our dashboard (dashboard.hackzero.ai), and our self-serve subscription product (the Watchdog, Pentest, and Compliance tiers). The single most important thing to understand: HackZero runs AI-driven attacks against live systems. You may only point it at systems you own or are legally authorized to test. You promise us that you have that authority, and you agree to cover us if that promise turns out to be false. Our AI finds and validates vulnerabilities, but it cannot find every vulnerability and its output can include errors, so you must independently verify findings before you act on them. Subscriptions auto-renew; you can cancel online at any time, as easily as you signed up. Enterprise customers are governed by a separately negotiated Master Services Agreement (the “MSA”), not by these self-serve Terms. If any of this matters to your decision, read the full sections below, especially Section 6 (Authorization to Test), Section 8 (AI Disclaimers), Section 13 (Auto-Renewal and Cancellation), and Section 18 (Limitation of Liability).
1. Introduction and Acceptance
1.1 Who we are
These Terms of Service (“Terms”) are a binding agreement between Agentic Security, Inc., a Delaware corporation, doing business as “HackZero” (“HackZero”, “we”, “us”, or “our”), with its principal place of business at 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States, and the legal entity that accepts these Terms (“Customer”, “you”, or “your”).
1.2 What these Terms cover
These Terms govern:
(a) your access to and use of the HackZero website at hackzero.ai and any associated marketing pages (the “Site”); and
(b) your access to and use of the HackZero dashboard at dashboard.hackzero.ai and the self-serve subscription product offered through it, including the Watchdog, Pentest, and Compliance tiers and the Free tier (collectively, the “Services”).
1.3 What these Terms do not cover (Enterprise / MSA precedence)
The Enterprise tier and any engagement procured through HackZero’s sales team are governed by a separately negotiated Master Services Agreement (“MSA”) and its order forms, exhibits, and the Rules of Engagement incorporated into it, not by these Terms. If you are an Enterprise customer, the MSA controls, and where these Terms conflict with the MSA for your engagement, the MSA prevails for that engagement. Nothing in these Terms is intended to contradict, narrow, or expand the MSA. These Terms also do not displace any separate written agreement you have signed with us, including any Data Processing Addendum (see /legal/dpa) or Rules of Engagement (see Section 6).
1.4 Acceptance; electronic consent (clickwrap)
You accept these Terms by clicking a button or checking a box indicating acceptance, by signing an electronic order or Rules of Engagement, by creating an Account, or by accessing or using the Services. When you accept on behalf of an entity, you represent that you have authority to bind that entity, and “Customer” and “you” refer to that entity.
Electronic signature and records consent. You agree that your electronic acceptance constitutes your signature and creates a valid, binding, and enforceable agreement. You consent to transact with us electronically and to receive these Terms and related notices, disclosures, and records in electronic form. In the United States, this consent is given under the federal Electronic Signatures in Global and National Commerce Act (ESIGN), 15 U.S.C. sections 7001 through 7006, and applicable State enactments of the Uniform Electronic Transactions Act (UETA), and, where a New York record is involved, the New York Electronic Signatures and Records Act. For customers in Canada and Latin America, your electronic acceptance is valid as a “simple” electronic signature under: Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Part 2, and applicable provincial electronic-commerce statutes; Mexico’s Código de Comercio, Articles 89 Bis and following, and the Ley de Firma Electrónica Avanzada; Brazil’s Medida Provisória 2.200-2/2001 and Lei 14.063/2020; Argentina’s Ley 25.506 and Decreto 182/2019; Colombia’s Ley 527 de 1999 and Decreto 2364 de 2012; Chile’s Ley 19.799; and Peru’s Ley 27269 and DS 052-2008-PCM. You acknowledge that a simple electronic signature with a logged audit trail is sufficient and enforceable for these Terms.
Our assent records. We maintain records of the version of these Terms you accepted, the date and time of acceptance, and the IP address and user-agent associated with acceptance. You may withdraw your consent to transact electronically by closing your Account, though that will end your ability to use the Services.
1.5 Documents incorporated by reference
The following documents are part of these Terms and are presented to you with working links before you accept. By accepting these Terms you also accept:
- Privacy Policy (/legal/privacy)
- Cookie Policy (/legal/cookies)
- Acceptable Use Policy (/legal/acceptable-use) (the “AUP”)
- AI Transparency Notice (/legal/ai)
- Refund and Cancellation Policy (/legal/refunds)
- Data Processing Addendum (/legal/dpa), where applicable to your processing of personal data
- Subprocessor List (/legal/subprocessors)
- Vulnerability Disclosure Policy (/legal/security)
- the Rules of Engagement you sign before any scan (see Section 6)
If a conflict exists between these Terms and an incorporated document on the subject the incorporated document specifically addresses, the incorporated document controls for that subject, except that the MSA controls over all of the foregoing for Enterprise engagements.
2. Definitions
For these Terms:
- “Account” means the registered account through which you access the Services.
- “Authorized User” means an individual you permit to use the Services under your Account.
- “Customer Data” means data you submit to or make accessible through the Services, including source code accessed through the read-only GitHub App, target identifiers, scan configuration, and any personal data or confidential information of yours or of third parties that the Services process on your behalf.
- “Findings” means the vulnerability findings, exploit reproductions, captured request and response artifacts, compliance evidence, and reports the Services generate for you.
- “Input” means data, materials, and instructions you provide to the Services.
- “Output” means the results the Services generate from your Input, including Findings.
- “Rules of Engagement” or “RoE” means the engagement-scoping document you sign before any scan, which defines in-scope targets, permitted techniques, schedules, and operational guardrails.
- “Target” means any host, domain, IP address, network range, application, cloud account, repository, or other system you designate for testing.
- “Tier” means a subscription level (Free, Watchdog, Pentest, Compliance, or Enterprise).
3. Eligibility and Accounts
3.1 Eligibility (business use only)
Business use only. The Services are offered solely to businesses and organizations, and to individuals acting on behalf of a business or otherwise in a commercial or professional capacity. The Services are not directed to, and are not intended for, consumers acquiring them for personal, family, or household purposes. By registering for or using the Services, you represent that you are acting for a business or in a professional capacity. Where a mandatory consumer-protection law nonetheless applies to a particular customer, nothing in these Terms waives or limits a right that cannot be waived under that law.
You must be at least 18 years old to create an Account or use the Services. The Services are not directed to children. We do not knowingly collect personal information from children under 13 (or under the higher minimum age in your jurisdiction), and we will delete such information on discovery. See the Privacy Policy (/legal/privacy).
3.2 Registration and account security
You agree to provide accurate, current, and complete registration information and to keep it updated. You are responsible for safeguarding your credentials and for all activity under your Account. Authentication is session-based; we do not issue long-lived API tokens. Multi-factor authentication and single sign-on are available and we recommend you enable them. Notify us at [email protected] promptly if you suspect unauthorized access.
3.3 Authorized Users; responsibility
You are responsible for your Authorized Users’ compliance with these Terms and the AUP, and for any act or omission of an Authorized User that, if done by you, would breach these Terms.
3.4 Export control and sanctions
You represent that you are not located in, organized under the laws of, or ordinarily resident in any country or territory subject to comprehensive U.S. sanctions, and that you are not a person with whom U.S. persons are prohibited from transacting under applicable export-control or economic-sanctions laws. You will not use the Services in violation of those laws.
4. Description of the Services
4.1 What the Services do
HackZero provides an AI penetration-testing and AI red-team platform. Subject to a signed RoE, the Services: (a) read your source code through a read-only GitHub App; (b) run autonomous, large-language-model-driven attacks (using a real browser, scanners, and a library of exploitation skills) against your live web application within the scope you authorize; and (c) return exploit-validated Findings together with compliance evidence, including mappings to SOC 2, HIPAA, PCI-DSS 4.0, and ISO 27001 control frameworks. The Services are performed by autonomous AI agents with limited human direction. See the AI Transparency Notice (/legal/ai).
4.2 Tiers and limits
The Services are offered in Tiers with different scan limits, features, and prices, described at the point of purchase. The Free tier permits signup and configuration only and runs zero live scans. The Compliance and Enterprise Tiers can be operated inside your own virtual private cloud (“self-hosted mode”); when run in self-hosted mode, your Customer Data does not leave your perimeter, and the subprocessor exposure described in the Subprocessor List (/legal/subprocessors) is correspondingly reduced.
4.3 Changes to the Services
We may add, modify, or discontinue features. We will not make a change that materially degrades a core function of a paid Tier during your then-current paid term without giving you notice and, where the change materially and adversely affects you, the ability to cancel and receive a pro-rata refund of prepaid, unused fees as described in Section 14 and the Refund and Cancellation Policy (/legal/refunds).
4.4 Beta features
We may offer features identified as beta, preview, or experimental. Those features are provided “as is”, may be changed or withdrawn at any time, and are excluded from any service commitment.
5. Acceptable Use
Your use of the Services is subject to the Acceptable Use Policy (/legal/acceptable-use), which is part of these Terms. Among other things, the AUP prohibits using the Services against systems you are not authorized to test, against critical infrastructure or systems whose failure could endanger human life or safety, for extortion or the public release of unpatched findings, in a manner that exceeds your authorized scope, or to violate any applicable law or third-party right. We may suspend or terminate access immediately, with notice where practicable, on a reasonable suspicion of a violation of the AUP or of Section 6. A breach of the AUP is a material breach of these Terms.
6. Authorization to Test, Customer Warranties, and Customer Reverse-Indemnity
This is the most important section of these Terms. The Services launch real attacks against live systems. Directing those attacks at systems you do not own or are not authorized to test can be a serious crime in every jurisdiction we serve. By using the Services you make binding promises to us about your authority, and you agree to defend and indemnify us if those promises prove false. Read this section in full.
6.1 Rules of Engagement gate every scan
No scan runs until you sign a Rules of Engagement for the relevant engagement. The RoE is where you define, by IP address, network range (CIDR), autonomous-system number (ASN), domain, application, cloud-account identifier, or repository, the Targets that are in scope and the techniques that are permitted, and where you identify any assets that are out of scope. The scope you define in the RoE is a hard technical and contractual boundary, not advisory guidance. You are responsible for the accuracy and completeness of your scope. Where you maintain a recurring or scheduled scan, the schedule executes automatically at the configured times, and you are solely responsible for keeping your schedule and scope appropriate, including during release freezes, incident windows, and third-party maintenance.
6.2 Customer authorization-to-test warranty
You represent and warrant that, for every Target you submit, designate, or leave in an active schedule, you hold the legal authority to authorize testing of that Target by HackZero and its autonomous agents. That authority must arise from one or more of the following: (a) your ownership of the Target; (b) a lease, license, or hosting arrangement that grants you the right to authorize testing; (c) your employment relationship with, or control over, the entity that owns or operates the Target; or (d) another lawful arrangement, including prior written authorization from the owner or operator, that gives you the right to authorize access to and testing of the Target and to authorize access to all data reachable from the Target.
6.3 Further customer warranties
You further represent and warrant that:
(a) No AUP or law breach by authorizing. Your authorization to test each Target does not breach any cloud-provider, hosting-provider, or other third-party acceptable-use policy or terms of service, does not violate any applicable law, and does not infringe or misappropriate any third-party right.
(b) Consents obtained. You have obtained all consents, approvals, and internal coordination required for the testing, including any consent required from employees, end users, or partners whose systems, accounts, or communications may be reached, and including consent required under laws protecting stored communications and the interception of communications (for example, in the United States, the Stored Communications Act, 18 U.S.C. section 2701, and the Wiretap Act, 18 U.S.C. section 2511). Your authorization to us does not waive the rights of any third party.
(c) Accuracy of scope. The scope and Target identifiers you provide are accurate and complete, and you will promptly correct them if they change. Any use of the Services outside your authorized scope is a breach of these Terms and is unauthorized.
(d) No prohibited Targets. You will not designate as a Target any system whose testing or failure could lead to death, personal injury, or damage to physical or environmental safety, including life-support systems, emergency services, industrial control systems for critical infrastructure, nuclear facilities, autonomous vehicles, or air-traffic-control systems.
6.4 Statutory authorization recital
Your authorization under a signed RoE is intended to constitute “authorization” or its equivalent, and to supply the lawful basis or “colour of right” that negates the relevant offense, under the computer-access and computer-crime laws of the jurisdictions in which the Services operate, including:
- United States: the Computer Fraud and Abuse Act, 18 U.S.C. section 1030, and State computer-crime statutes including California Penal Code section 502, New York Penal Law Article 156, Texas Penal Code section 33.02, Florida Statutes section 815.06, the Illinois Computer Crime law (720 ILCS 5/17-50 and following), Massachusetts General Laws chapter 266 section 120F, the Virginia Computer Crimes Act (Virginia Code section 18.2-152.1 and following), and Washington RCW 9A.90.040 and following;
- Canada: the Criminal Code, R.S.C. 1985, c. C-46, sections 342.1 (unauthorized use of a computer), 342.2 (possession of a device), and 430(1.1) (mischief to computer data), where written authorization from the person lawfully entitled to grant access negates the “without colour of right”, “fraudulently”, or “wilfully” element;
- Mexico: the Código Penal Federal, Article 211 bis 1 and following (acceso ilícito a sistemas y equipos de informática);
- Brazil: the Código Penal, Article 154-A (invasão de dispositivo informático);
- Argentina: the Código Penal, Article 153 bis (acceso ilegítimo a un sistema informático);
- Colombia: Ley 1273 de 2009 (delitos informáticos);
- Chile: Ley 21.459 (delitos informáticos); and
- Peru: Ley 30096 (Ley de Delitos Informáticos).
You acknowledge that authorization must precede the activity (retroactive consent is not a defense in these jurisdictions), that the authorizer must be entitled to authorize, and that authorization must match the actual scope. You may revoke your authorization at any time by a signed writing delivered to [email protected]; revocation takes effect prospectively and does not retroactively render prior authorized activity unauthorized.
6.5 Allocation of agent behavior
You acknowledge that the Services are powered by autonomous AI agents whose behavior is non-deterministic. As between you and HackZero:
(a) where an agent deviates from scope because of an agent reasoning failure (for example, target drift or recursive expansion beyond scope), HackZero bears responsibility for that deviation, regardless of how you scoped the engagement; HackZero owns its AI failure modes; and
(b) where an agent acts against an asset that you represented was in scope but that you did not in fact own or have authority to authorize, or where a deviation is otherwise traceable to your misrepresentation or misconfiguration of scope, you bear the resulting risk under your warranties in this Section 6 and your indemnity in Section 6.7.
This allocation is consistent with, and for Enterprise engagements is governed by, the corresponding provisions of the MSA and the RoE.
6.6 Provider commitments
HackZero will use commercially reasonable technical containment to keep its agents within the scope you authorize, will hard-stop at RoE-listed boundaries, will require an explicit approval before pivoting to a newly discovered asset, will extract only the minimum data necessary to evidence a Finding rather than perform raw exfiltration, and will maintain an immutable engagement and authorization audit trail. We will honor a published kill-switch protocol with a named, verifiable contact and will pause testing on a detected scope deviation. We retain authorization and engagement logs for a period intended to support a later authorization defense (see Section 9).
6.7 Customer reverse-indemnity (testing authority)
You will defend, indemnify, and hold harmless HackZero and its officers, directors, employees, contractors, and authorized software agents (the “HackZero Indemnitees”) from and against any claim, action, or proceeding (whether civil, criminal, administrative, or regulatory), and any resulting damages, fines, penalties, settlement amounts, and reasonable attorneys’ fees, arising from or related to: (a) any breach of your warranties in this Section 6; (b) any activity by HackZero or its agents against any asset that you (or an Authorized User acting for you) designated, targeted on demand, or left in an active schedule but that you did not in fact own or have authority to authorize for testing; (c) any allegation that testing of a Target was unauthorized or that your authorization was inaccurate or misrepresented; and (d) your use of the Services in violation of these Terms, the AUP, applicable law, or a third party’s acceptable-use policy or terms of service.
This indemnity is the core risk allocation of these Terms. It is carved out of, and is not subject to, the limitation of liability in Section 18. The procedure in Section 19.3 applies to this indemnity.
7. Vulnerability Disclosure
Our own vulnerability disclosure program for HackZero’s platform, including good-faith-security-research safe-harbor terms for researchers who test HackZero in scope, is published separately at /legal/security. Nothing in these Terms authorizes you to test HackZero’s own infrastructure except as that Vulnerability Disclosure Policy permits.
8. AI Disclaimers
Read this section together with the AI Transparency Notice (/legal/ai).
8.1 Autonomous, non-deterministic testing
The Services use autonomous AI agents that plan, execute, and report on tests with limited human direction. These agents are non-deterministic: identical Inputs may produce different test paths and different Findings across engagements. We do not warrant that the Services will reproduce, on a later engagement, a Finding produced earlier, or that any specific class of vulnerability will be detected in any engagement.
8.2 No guarantee of completeness
The Services do not, and cannot, find every vulnerability. Testing is point-in-time and bounded by the methodology and the scope you authorize. We warrant our methodology (which follows recognized standards such as the Penetration Testing Execution Standard and the OWASP Web Security Testing Guide); we do not warrant the Output. The absence of a Finding is not a representation that a Target is free of vulnerabilities or secure.
8.3 False positives, false negatives, and hallucinations
AI-generated Findings may contain inaccuracies, including misclassification, an incorrect weakness classification, exaggerated or understated severity, fabricated evidence (a “hallucination”), a reported issue that does not in fact exist (a “false positive”), or a real issue not reported at all (a “false negative”). Before you remediate, publicly disclose, or make any regulatory report based on a Finding, you must independently verify it by reproducing the documented test steps and reviewing the captured request and response artifacts we provide. AI-based testing supplements but does not replace human security review, defense-in-depth controls, a secure development lifecycle, and continuous monitoring.
8.4 No-detection-no-charge commitment is a billing term, not a warranty
If we offer a commitment that you are not charged for an engagement in which our agent finds no valid exploit in your in-scope assets, that commitment is a pricing and billing term, not a representation or warranty about the security of your systems. It is not a representation that your assets are free of vulnerabilities, and it must not be read to override Sections 8.1 through 8.3. A Finding counts toward any such commitment only if it meets our reproducibility-evidence standard.
8.5 Foundation models and the no-AI-training commitment
HackZero uses one or more enterprise-grade foundation models, provided by reputable third parties and/or operated by HackZero, to power its autonomous testing agents and to generate report narratives. HackZero selects, configures, and maintains these models, and the specific models and configurations may evolve over time as the technology matures. Whichever model is used, the data-protection and confidentiality commitments stated here apply.
No training on your data. We do not use your Customer Data, source code, or findings to train or fine-tune foundation models, and we require any third-party model provider we engage to apply the same restriction. You retain ownership of your Inputs and of the findings and reports the Services generate for you.
Service quality and evaluation. We may process de-identified and aggregated information derived from use of the Services to operate, secure, evaluate, benchmark, and improve the quality, accuracy, and reliability of the Services, including our detection capabilities and our internal model and system evaluations. De-identified and aggregated information does not identify you, your organization, or any individual, and is not used to train third-party foundation models on your identifiable data.
This commitment is restated as a material term in Section 16.4.
9. Logging and Audit Trail
We record engagement, authorization, and signing events (including the typed legal name, IP address, user-agent, timestamp, and hash-chained, tamper-evident audit events) as the record of your authorization and of what the Services did. We retain these authorization and signing audit records for seven (7) years, consistent with the MSA, for evidentiary and authorization-defense purposes. This retention may continue notwithstanding a deletion request, to the extent permitted by applicable law (see the Privacy Policy at /legal/privacy and Section 16.3).
10. Fees, Billing, Taxes, and Overage
10.1 Tiers and prices
The self-serve subscription Tiers are Watchdog, Pentest, and Compliance. You pay the fees for the plan you select, as described on our pricing page at https://hackzero.ai/pricing and shown to you at checkout, which we may update from time to time. The Free tier permits signup only and runs zero live scans. Enterprise is custom-priced, sold by our team, and governed by the MSA. Prices are stated and charged in U.S. dollars unless we specify otherwise at the point of purchase.
10.2 Annual billing
If you choose annual billing for a paid Tier, you pay for ten (10) months and receive twelve (12) months of service (that is, two months free), billed in advance for the annual term.
10.3 Payment processor (Stripe)
Self-serve payments are processed by Stripe, Inc., our payment processor and a subprocessor (see /legal/subprocessors). By providing a payment method, you authorize us and Stripe to charge that method for all fees due. We do not store full payment-card numbers; Stripe handles card data under its PCI-DSS Level 1 program. Enterprise customers may pay by invoice and wire transfer where their MSA or order form so provides. You are responsible for keeping your payment method current; failed or reversed payments may result in suspension under Section 14.
10.4 Overage
If your use exceeds the scan limit of your Tier, we charge per-scan overage at the rate disclosed for your Tier at the point of purchase or in your dashboard. Overage is billed in arrears with your next invoice.
10.5 Taxes
Fees are exclusive of taxes. You are responsible for all sales, use, value-added, goods-and-services, withholding, and similar taxes and duties associated with your purchase, other than taxes on our net income. Where we are required to collect a tax, it will be added to your invoice. If you are exempt, you will provide a valid exemption certificate.
10.6 Disputes and late amounts
If you believe an invoice is incorrect, contact [email protected] within thirty (30) days of the invoice date; we will not treat a good-faith, timely disputed amount as overdue while we investigate. Undisputed past-due amounts may accrue interest at the lower of 1.0 percent per month or the maximum rate permitted by law.
11. Founding-Cohort Price Lock
11.1 The lock
Founding-cohort customers keep the rate in effect for their selected plan at the time they first subscribed, for as long as their subscription stays active and continuously paid. As long as your subscription remains active and continuously paid, we will not raise the per-period rate for that subscription above the rate you locked, even if we raise public prices.
11.2 What ends the lock
The price lock is personal to the active, continuously paid subscription. Cancelling your subscription ends the lock and the locked rate; re-subscribing is at the then-current published rate, and you do not regain the founding-cohort rate. A lapse in payment that results in termination of the subscription under Section 14 also ends the lock. Changing your Tier applies the lock, if still in effect, to the rate then current for the new Tier, as disclosed at the time of the change.
11.3 Relationship to the Refund and Cancellation Policy
The mechanics of the price lock are also stated in the Refund and Cancellation Policy (/legal/refunds), which controls in case of any conflict on the subject of refunds and cancellation.
12. Refunds
Refunds, including any pro-rata refund on a termination for our uncured material breach and the treatment of the founding-cohort lock on cancellation, are governed by the Refund and Cancellation Policy (/legal/refunds), which is part of these Terms. Where a mandatory consumer-protection law nonetheless applies to a particular customer, nothing in these Terms or that Policy limits a non-waivable statutory refund, restitution, or right-of-withdrawal right that cannot be waived under that law (see Section 21).
13. Auto-Renewal and Cancellation
This section is designed to comply with the California Automatic Renewal Law and the federal Restore Online Shoppers’ Confidence Act. We present the auto-renewal terms to you clearly and in proximity to your purchase, obtain your express consent to them, send you a confirmation, and let you cancel online at any time.
13.1 Automatic renewal
Paid subscriptions renew automatically at the end of each billing period (monthly for monthly plans; annually for annual plans) for a further period of the same length, at the then-applicable rate for your subscription (which, for founding-cohort Customers, is the locked rate under Section 11), until you cancel. By subscribing, you give your express affirmative consent to this automatic renewal on these terms, which are presented to you clearly and conspicuously and in visual proximity to the acceptance control before you are charged.
13.2 Acknowledgment
After you subscribe, we send you an acknowledgment that states the auto-renewal terms, the recurring charge and frequency, and how to cancel, in a form you can retain.
13.3 How to cancel
You can cancel at any time, through your dashboard at dashboard.hackzero.ai, using a cancellation path that is at least as easy to use as the path by which you subscribed, and in the same medium in which you subscribed. You do not need to call us, send postal mail, or speak to a representative. If you also wish to confirm by email, you may write to [email protected]. Cancellation stops the next renewal. Unless the Refund and Cancellation Policy (/legal/refunds) or a non-waivable consumer right provides otherwise, cancellation takes effect at the end of your current paid period, and you retain access until then.
13.4 Reminders for longer terms
For any subscription term longer than one year, and for any conversion from a free trial to paid where one is offered, we will provide the reminder and conversion notices required by applicable law.
13.5 Effect of cancellation on the price lock
If you are a founding-cohort Customer, cancelling ends your price lock as described in Section 11.2.
14. Suspension
We may suspend your access to the Services, in whole or in part, where: (a) you fail to pay undisputed fees when due and do not cure within ten (10) days of notice; (b) we reasonably suspect a violation of Section 6 or the AUP, or activity that threatens the security or integrity of the Services or of any third party; or (c) we are required to do so by law. We will give notice where practicable and will limit the scope and duration of a suspension to what is reasonable. Suspension does not relieve you of fees accrued before the suspension. We will restore access promptly once the cause is resolved.
15. Confidentiality
Each party may receive the other’s confidential information. The receiving party will use it only to perform under these Terms, will protect it with at least reasonable care, and will not disclose it except to its personnel and advisors who need it and are bound by confidentiality. Confidential information does not include information that is or becomes public without breach, was rightfully known before disclosure, is rightfully received from a third party without restriction, or is independently developed. The receiving party may disclose confidential information if required by law, giving reasonable advance notice where permitted. Your Customer Data and our non-public platform and methodology are each confidential information of the disclosing party. Your obligations regarding Findings are addressed in Section 16. Your processing of personal data is also governed by the Privacy Policy (/legal/privacy) and, where applicable, the Data Processing Addendum (/legal/dpa).
16. Intellectual Property
16.1 HackZero ownership
We and our licensors own all right, title, and interest in the Services, including the platform, software, autonomous-agent technology, methodology, exploitation skills, models we develop, documentation, and all related intellectual-property rights. Except for the limited right to use the Services under these Terms, we grant you no rights in the foregoing. The HackZero name and logo are our trademarks; you may not use them without our prior written consent.
16.2 License to you
Subject to these Terms and your payment of fees, we grant you a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during your subscription for your internal business purposes.
16.3 Customer ownership of Input and Findings
As between the parties, you own your Input and your Customer Data, and you own the Findings and report deliverables generated for you. You grant us a limited, non-exclusive license to host, process, and use your Input and Customer Data solely to provide, secure, and support the Services for you, and to generate aggregated, anonymized statistics and vulnerability patterns that do not identify you or your assets. We may retain authorization, signing, and audit records as described in Section 9.
16.4 No-AI-training (material term)
As stated in Section 8.5, we do not use your Customer Data, source code, or findings to train or fine-tune foundation models, and we require any third-party model provider we engage to apply the same restriction. You retain ownership of your Inputs and of the findings and reports the Services generate for you. This is a material term. Breach of this Section 16.4 is not subject to the limitation of liability in Section 18, consistent with the MSA’s treatment of the AI-training prohibition. You may, no more than once per year, request a SOC 2 or ISO 27001 report or an equivalent third-party attestation evidencing this posture, subject to confidentiality.
16.5 Feedback
If you give us suggestions or feedback about the Services, you grant us a perpetual, irrevocable, royalty-free license to use it without restriction. Feedback is given voluntarily and does not include your Customer Data.
17. Warranties and Disclaimers
17.1 Mutual warranties
Each party represents that it has the authority to enter into these Terms and that its acceptance is duly authorized.
17.2 Our limited warranty
We warrant that we will perform the Services using the recognized methodologies described in Section 8.2 and with reasonable skill and care.
17.3 Disclaimer
EXCEPT AS EXPRESSLY STATED IN THESE TERMS, THE SERVICES, INCLUDING ALL OUTPUT AND FINDINGS, ARE PROVIDED “AS IS” AND “AS AVAILABLE”, AND TO THE MAXIMUM EXTENT PERMITTED BY LAW WE DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WITHOUT LIMITING SECTION 8, WE DO NOT WARRANT THAT THE SERVICES WILL FIND ALL VULNERABILITIES, WILL BE ERROR-FREE, WILL OPERATE WITHOUT INTERRUPTION, OR THAT FINDINGS WILL BE ACCURATE, COMPLETE, OR FREE OF FALSE POSITIVES OR FALSE NEGATIVES. WE DO NOT WARRANT THAT TESTING WILL NOT AFFECT THE AVAILABILITY OR PERFORMANCE OF A TARGET. This Section 17.3 does not limit a non-waivable warranty or right that applies to a particular customer under a mandatory law of its jurisdiction (see Section 21).
18. Limitation of Liability
This section allocates risk between us. The fees for the self-serve Services reflect this allocation; without it, we could not offer the Services at these prices.
18.1 Exclusion of indirect damages
TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, LOST DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF THE THEORY OF LIABILITY.
18.2 Aggregate cap
SUBJECT TO SECTION 18.3, EACH PARTY’S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS AND THE SERVICES WILL NOT EXCEED THE TOTAL FEES YOU PAID TO US FOR THE SERVICES IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM. For Enterprise engagements, the liability cap in the MSA controls.
18.3 Carve-outs
The exclusions and cap in Sections 18.1 and 18.2 do not apply to: (a) your payment obligations under Section 10; (b) your indemnification obligations under Section 6.7; (c) either party’s indemnification obligations under Section 19; (d) our breach of the no-AI-training commitment in Sections 8.5 and 16.4; (e) a party’s breach of its confidentiality obligations in Section 15; and (f) a party’s fraud, gross negligence, or willful misconduct. Where prompt action is needed to address a third-party prompt-injection or model-jailbreak attack that causes our agent to exfiltrate Customer Data, we treat the resulting loss as our responsibility outside the cap, consistent with the AI Transparency Notice (/legal/ai).
18.4 Mandatory-law savings clause
Nothing in this Section limits or excludes any liability that cannot be limited or excluded under applicable law, including any liability that cannot be waived under a mandatory law that applies to a particular customer. Where a jurisdiction does not permit the exclusion or limitation of certain damages, the exclusions and limitations in this Section apply only to the extent permitted there (see Section 21).
19. Indemnification
19.1 By HackZero (IP defense for Customers)
We will defend you, and your officers, directors, and employees, against any third-party claim alleging that the Services as delivered by us infringe or misappropriate a third party’s intellectual-property right, and we will indemnify you for damages and reasonable attorneys’ fees finally awarded against you or agreed in settlement, provided you meet the conditions in Section 19.3. If a claim is made or we reasonably believe one is likely, we may, at our option, modify or replace the Services to be non-infringing, procure the right for you to continue using them, or terminate the affected subscription and refund prepaid, unused fees. We have no obligation for a claim arising from your Input or Customer Data, your combination of the Services with anything we did not provide, or your use of the Services in breach of these Terms.
19.2 By Customer
In addition to your reverse-indemnity in Section 6.7, you will defend and indemnify the HackZero Indemnitees against any third-party claim arising from your Input or Customer Data, your breach of Section 5 (Acceptable Use) or Section 6, or your violation of any data-protection, privacy, sectoral, securities-disclosure, or export-control law to the extent attributable to your instructions or representations.
19.3 Procedure
The party seeking indemnity will (a) promptly notify the indemnifying party of the claim (a delay reduces the indemnity only to the extent it prejudices the defense), (b) give the indemnifying party sole control of the defense and settlement (except that a settlement imposing a non-monetary obligation or an admission on the indemnified party requires that party’s prior written consent, not to be unreasonably withheld), and (c) provide reasonable cooperation. The indemnified party may participate with its own counsel at its own expense.
20. Term, Termination, and Governing Law
20.1 Term
These Terms apply from your acceptance and continue while you have an Account or use the Services. Your paid subscription runs for the billing period you select and renews under Section 13 until cancelled.
20.2 Termination for convenience by you
You may stop using the Services and cancel a paid subscription at any time under Section 13. Cancellation is governed by Section 13 and the Refund and Cancellation Policy (/legal/refunds).
20.3 Termination for material breach (30-day cure)
Either party may terminate these Terms (or, for HackZero, the affected subscription) on written notice if the other party materially breaches and fails to cure the breach within thirty (30) days after receiving written notice describing it. This 30-day cure right is in addition to, and does not limit, our suspension rights under Section 14 or our immediate suspension or termination rights for a violation of Section 6 or the AUP, which by their nature may not be curable and which protect HackZero and third parties from unauthorized testing. Either party may also terminate immediately if the other becomes insolvent, files for bankruptcy, or makes an assignment for the benefit of creditors.
20.4 Effect of termination
On termination: (a) your right to use the Services ends; (b) you must pay all fees accrued through the termination date; (c) each party returns or destroys the other’s confidential information, except records each party may retain by law or under Section 9; and (d) Sections 1.3, 6, 8, 9, 15, 16, 17, 18, 19, 20.4, 21, and 22 survive. Our handling and destruction of Customer Data on termination follow the Privacy Policy (/legal/privacy) and, where applicable, the Data Processing Addendum (/legal/dpa); consistent with our MSA practice, source code is permanently destroyed within thirty (30) days of termination on request, with non-editable backups purged within sixty (60) days thereafter, and authorization and signing audit records are retained for seven (7) years.
20.5 Governing law
These Terms, and any dispute arising out of or relating to them or the Services, are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws rules. The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply. This Section does not override a non-waivable right of a business customer under the mandatory law of its jurisdiction (see Section 21).
20.6 Dispute resolution; binding arbitration
Pre-dispute negotiation. Before commencing arbitration, the parties will attempt in good faith to resolve any dispute through informal negotiation for at least thirty (30) days after written notice of the dispute to [email protected].
Binding arbitration. Any dispute arising out of or relating to these Terms or the Services that is not resolved in the negotiation period is resolved by final and binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, before one arbitrator, seated in Wilmington, Delaware, and conducted in English. Judgment on the award may be entered in any court of competent jurisdiction. For cross-border customers, awards are enforceable under the Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the 1958 New York Convention).
Class-action and class-arbitration waiver. Disputes are brought only in an individual capacity, and not as a plaintiff or class member in any purported class or representative proceeding. Class, collective, and class-arbitration proceedings are waived to the extent permitted by law.
Court carve-out. Either party may seek injunctive or other equitable relief in the state or federal courts located in New Castle County, Delaware to protect its intellectual property or Confidential Information, or to address unauthorized access or a breach of the no-AI-training or authorization-to-test obligations, without waiving arbitration for the remainder of the dispute.
Mandatory-law preservation. Nothing in this Section overrides a non-waivable right of a business customer under the mandatory law of its jurisdiction (relevant for certain Canada and Latin America business customers); to that limited extent, the local mandatory forum and venue controls (see Section 21).
21. Jurisdiction-Specific Mandatory Protections (Canada / Quebec and Latin America)
This Section preserves rights that, in many of our markets, cannot be waived by contract. Where it applies, it overrides any conflicting provision in these Terms. The Services are sold to businesses only (see Section 3.1); this Section addresses the limited cases in which a mandatory protection nonetheless attaches to a particular business customer under the law of its jurisdiction.
21.1 General savings rule
To the extent a mandatory consumer-protection or data-protection law of your country, province, or state applies to you notwithstanding the business-only nature of the Services, nothing in these Terms waives, limits, or shortens any right that cannot be waived under that law, including any non-waivable right to bring a claim in your local courts or before your local consumer or data-protection authority, any non-waivable warranty, and any non-waivable right of withdrawal, restitution, or refund. To the extent a provision of these Terms (including the governing-law, venue, arbitration, warranty-disclaimer, or liability provisions) conflicts with such a mandatory right, that provision does not apply to you to the extent of the conflict, and the mandatory right controls.
21.2 Canada (federal and provincial)
For Customers in Canada, the data-protection rights described in our Privacy Policy (/legal/privacy) are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and substantially similar provincial laws including Alberta’s Personal Information Protection Act, S.A. 2003, c. P-6.5, and British Columbia’s Personal Information Protection Act, S.B.C. 2003, c. 63. You retain the right to complain to the Office of the Privacy Commissioner of Canada or your provincial commissioner. Provincial consumer-protection statutes that apply to you, and that you cannot waive, continue to apply notwithstanding the governing-law and venue provisions of these Terms.
21.3 Quebec
For Customers resident in Quebec: your personal information is also protected by the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended (“Law 25”), enforced by the Commission d’accès à l’information du Québec. Under the Civil Code of Québec and, where it applies to you, Quebec’s Consumer Protection Act, certain clauses in an adhesion or consumer contract (including external clauses, illegible or incomprehensible clauses, and certain abusive clauses) may be unenforceable against you, and you retain access to the courts of Quebec. Under the Charter of the French Language, CQLR c. C-11, as amended by S.Q. 2022, c. 14 (“Bill 96”), you have the right to be served these Terms and our customer-facing documents in French. We present a French-language version of these Terms to Quebec customers by default, and an English version is provided where the customer expressly requests it after the French version is presented.
21.4 Latin America (Mexico, Brazil, Argentina, Colombia, Chile, Peru)
Where a customer resident in the countries below is entitled to the following mandatory protections under the law of its jurisdiction, those protections apply and override any conflicting provision of these Terms:
- Constitutional habeas data and data-protection rights of access, rectification, and deletion (or their local equivalents) cannot be disclaimed, shortened, or arbitrated away. These rights are exercised as described in our Privacy Policy (/legal/privacy) and under: Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP); Brazil’s Lei Geral de Proteção de Dados, Lei 13.709/2018 (LGPD); Argentina’s Ley 25.326; Colombia’s Ley 1581 de 2012; Chile’s Ley 19.628 (and, from 1 December 2026, Ley 21.719); and Peru’s Ley 29733 and DS 016-2024-JUS.
- Mandatory forum and home law. A mandatory pre-dispute arbitration clause, a foreign-forum-selection clause, or a foreign-governing-law clause that would strip a customer of a non-waivable right of access to its local courts or authorities is not enforceable against that customer to that extent. Such a customer retains access to its domestic consumer-protection forum, including PROFECO (Mexico), the PROCON system and consumer courts (Brazil), the Dirección Nacional de Defensa del Consumidor and COPREC (Argentina), the Superintendencia de Industria y Comercio (Colombia), SERNAC (Chile), and INDECOPI (Peru). The arbitration provision in Section 20.6 and the venue provision in Section 20.5 do not apply to such a customer to that extent.
- Right of withdrawal and refund. Where a non-waivable statutory right of withdrawal or restitution applies to a customer that contracts for paid Services at a distance, that right survives any “all sales final” language, including: Mexico, five (5) business days (LFPC Article 56); Brazil, seven (7) days (CDC, Lei 8.078/1990, Article 49); Argentina, ten (10) business days, with the required “botón de arrepentimiento” cancellation control (Ley 24.240, Article 34); Colombia, five (5) business days, with refund within fifteen (15) calendar days (Ley 1480 de 2011, Article 47); and Chile, ten (10) days (Ley 19.496, Article 3 bis). Peru does not set a single general cooling-off period for ordinary e-commerce, but we honor restitution on notice and maintain an operative returns and complaints channel. These rights, and how to exercise them, are described in the Refund and Cancellation Policy (/legal/refunds).
- Language. Our customer-facing documents are provided in the local official language (Spanish for Mexico, Argentina, Colombia, Chile, and Peru; Portuguese for Brazil); where a translated version is offered, the local-language version controls for consumer-protection and data-protection purposes.
22. DMCA and Copyright Notices
We respect intellectual-property rights and respond to notices of alleged copyright infringement concerning material on the Site or in the Services, under the U.S. Digital Millennium Copyright Act, 17 U.S.C. section 512.
22.1 Notice of infringement
If you believe material accessible through the Services infringes your copyright, send a written notice to our designated agent that includes: (a) your physical or electronic signature; (b) identification of the copyrighted work claimed to be infringed; (c) identification of the allegedly infringing material and information reasonably sufficient to locate it; (d) your contact information; (e) a statement that you have a good-faith belief that the use is not authorized by the copyright owner, its agent, or the law; and (f) a statement, under penalty of perjury, that the information in the notice is accurate and that you are the copyright owner or authorized to act on its behalf.
22.2 Designated agent
Notices must be sent to our designated copyright agent: Copyright Agent, Agentic Security, Inc., 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States. Email: [email protected]
22.3 Counter-notice
If your material was removed and you believe the removal was in error, you may send a counter-notice to the designated agent that includes: (a) your signature; (b) identification of the removed material and its prior location; (c) a statement, under penalty of perjury, that you have a good-faith belief the material was removed by mistake or misidentification; and (d) your contact information and consent to the jurisdiction of the federal court for your district (or, if outside the United States, for any district in which we may be found), and that you will accept service from the person who gave the original notice. We may restore the material as permitted by 17 U.S.C. section 512(g).
22.4 Repeat infringers
We may terminate, in appropriate circumstances, the Accounts of users who are repeat infringers.
23. Modifications to these Terms
We may update these Terms from time to time. For changes that are material, we will give you advance notice by email and through an in-product notice, with a stated effective date that is not less than thirty (30) days after the notice unless a shorter period is required by law or to address a security or legal risk. For material changes, your continued use of the Services after the effective date, or your re-acceptance where we ask for it, constitutes acceptance; if you do not agree, you may cancel under Section 13 before the effective date. Non-material changes (for example, clarifications or corrections) take effect when posted. We will keep prior versions available on request and will update the “Last updated” date above. We will not rely on a “we may change these Terms at any time without notice” approach.
24. Miscellaneous
24.1 Assignment
You may not assign or transfer these Terms without our prior written consent, except to a successor in a merger or sale of all or substantially all of your assets that is not a competitor of ours, with notice to us. We may assign these Terms to an affiliate or in connection with a merger, acquisition, or sale of assets. Any prohibited assignment is void.
24.2 Force majeure
Neither party is liable for a delay or failure to perform (other than a payment obligation) caused by events beyond its reasonable control, including natural disasters, acts of government, war or terrorism, labor disputes, internet or cloud-provider outages, and material disruption to our upstream foundation-model providers.
24.3 Severability
If a provision of these Terms is held unenforceable, it will be modified to the minimum extent necessary to make it enforceable, or if it cannot be, severed, and the remaining provisions remain in effect.
24.4 No waiver
A party’s failure to enforce a provision is not a waiver of its right to do so later. A waiver is effective only if in writing.
24.5 Relationship of the parties
The parties are independent contractors. These Terms create no agency, partnership, joint venture, or employment relationship.
24.6 Entire agreement; order of precedence
These Terms, together with the documents incorporated in Section 1.5, are the entire agreement between you and us about the Services and supersede all prior or contemporaneous understandings on the subject. For Enterprise engagements, the MSA and its order forms and exhibits prevail. For self-serve Customers, in case of conflict the order of precedence is: (1) a Rules of Engagement you have signed, as to operational scope only; (2) an incorporated policy on the specific subject it addresses; and (3) the body of these Terms.
24.7 Notices
Legal notices to us must be sent to [email protected] and, where a physical address is requested, to Agentic Security, Inc. (d/b/a HackZero), Attn: Legal, 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States. We may give you notice through the email associated with your Account or through an in-product notice. General inquiries: [email protected]. Support: [email protected]. Privacy: [email protected]. Security: [email protected].
24.8 U.S. government end users
The Services are “commercial products” and “commercial computer software” as defined in applicable U.S. Federal Acquisition Regulations; any use, reproduction, or disclosure by the U.S. government is subject only to the rights in these Terms.
24.9 Survival
Provisions that by their nature should survive termination do so, as also stated in Section 20.4.
These Terms are published by Agentic Security, Inc. (d/b/a HackZero) · 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States · Questions about these Terms may be sent to [email protected].