Verification Labs, LLC. DBA Pentest Express
Terms of Service
Cybersecurity Testing Services
Last Updated: 2026-04-12
Welcome, and thank you for choosing Verification Labs, LLC. DBA Pentest Express ("Company," "we," "us," or "our") for your cybersecurity testing needs. These Terms of Service (these "Terms") form a legally binding agreement between you and Verification Labs, LLC. DBA Pentest Express. Please read them carefully before placing an order.
By clicking "I Agree," completing a purchase through our website, or otherwise engaging our services, you confirm that you have read, understood, and agree to be bound by these Terms in their entirety. If you are accepting on behalf of an organization, you represent that you have the authority to bind that organization. If you do not agree, do not complete your purchase.
§ 1 Definitions
"Approved Methods" means the testing techniques and tools described in the applicable Service Description or Statement of Work.
"Client," "you," or "your" means the individual or entity purchasing Services through our website or under a written agreement.
"Confidential Information" means any non-public information disclosed by either party to the other in connection with the Services, including but not limited to security findings, reports, business data, network configurations, and vulnerability details.
"Deliverables" means the written reports, executive summaries, and any other tangible work product we provide to you as part of the Services.
"Engagement" means a single, discrete purchase of Services, whether placed through our website or documented in a Statement of Work.
"Excluded Systems" means any systems, networks, applications, or environments expressly identified as out of scope for a given Engagement.
"Fees" means the total amount paid or payable by Client to Company for an Engagement.
"Provider IP" means all tools, scripts, methodologies, frameworks, proprietary techniques, and pre-existing intellectual property owned by Company.
"Services" means the cybersecurity testing, assessment, and related professional services we provide, including but not limited to external penetration testing, web application testing, vulnerability assessments, and related consulting.
"Target Systems" means the systems, networks, applications, and environments that Client has authorized Company to test during an Engagement.
"Testing Window" means the specific dates and times during which testing is authorized to occur.
§ 2 Services and Scope
Each Engagement is defined by the service package you select at checkout or by a separate Statement of Work agreed to in writing. The scope of testing—including Target Systems, Approved Methods, Testing Window, and any Excluded Systems—will be documented before testing begins.
We test only what you authorize. We will not access, test, or attempt to penetrate any system, network, or application that falls outside the agreed scope. If we discover during testing that a Target System includes components owned or operated by a third party (such as a cloud hosting provider), we will pause testing of that component until appropriate third-party authorization is obtained.
We reserve the right to decline or discontinue any Engagement if, in our professional judgment, the requested scope poses unacceptable legal, ethical, or technical risk.
§ 3 Authorization and Legal Safe Harbor
This is one of the most important sections of these Terms. Penetration testing, by its nature, involves accessing computer systems in ways that could implicate federal and state computer crime laws. Your authorization protects both of us.
3.1 Your Grant of Authorization
By purchasing an Engagement, you hereby authorize Company and its designated personnel to access, test, and attempt to penetrate the Target Systems using the Approved Methods during the Testing Window. This authorization constitutes your express consent to access the Target Systems within the meaning of 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act, or "CFAA") and any analogous state computer crime statutes.
3.2 Your Representation of Authority
You represent and warrant that you have full legal authority to grant this authorization with respect to every Target System included in the Engagement. This means you either own or lawfully operate every system we are asked to test, or you have obtained written permission from the system owner to authorize testing. If any Target System is hosted by, managed by, or owned by a third party, you must obtain and provide to us—before testing begins—written authorization from that third party in a form we find reasonably acceptable.
3.3 Consequences of Unauthorized Scope
We will not begin testing any system for which authorization is missing, incomplete, or questionable. If you provide inaccurate information about your authority over a Target System, you bear full legal and financial responsibility for any consequences, including third-party claims and regulatory actions. See Section 12 (Indemnification) for details.
§ 4 Your Responsibilities
A successful engagement depends on your cooperation. By purchasing Services, you agree to the following:
4.1 Accurate Information
You will provide accurate, complete, and current information about your systems, network environment, and the scope of testing. This includes identifying all Target Systems, Excluded Systems, and any systems that are owned or managed by third parties.
4.2 Points of Contact
You will designate at least one authorized point of contact and one emergency contact who can be reached during the Testing Window. These contacts must have sufficient authority to make real-time decisions about the Engagement, including pausing or stopping testing if needed.
4.3 Internal Notification
You are responsible for notifying your own internal teams—including IT, security, and any relevant third-party service providers—about the Engagement to the extent you deem appropriate. We are not responsible for internal disruptions caused by your failure to notify relevant stakeholders.
4.4 Backups and Business Continuity
While we take every reasonable precaution to avoid disrupting your operations, penetration testing carries inherent risk. You are responsible for maintaining current backups of your data and systems and for having business continuity measures in place before testing begins.
4.5 Third-Party Authorizations
If any Target Systems are hosted on, managed by, or interconnected with third-party infrastructure (including cloud service providers such as AWS, Azure, or Google Cloud), you are responsible for obtaining any required authorizations or policy approvals from those third parties before the Testing Window opens. We will not commence testing until you confirm that all necessary third-party approvals are in place.
4.6 Timely Cooperation
You will respond to our reasonable requests for information, access, or clarification in a timely manner. Delays caused by your failure to cooperate may result in rescheduling, and we are not responsible for timeline slippage attributable to Client delays.
§ 5 Payment, Refunds, and Cancellation
5.1 Prepayment Required
All Fees are due in full at the time of purchase. Payment is processed through our third-party payment processor (currently Stripe). By submitting payment, you authorize the charge and agree to the payment processor's own terms of service.
5.2 No Refunds After Testing Begins
All sales are final once testing has commenced. If you cancel an Engagement before any testing has occurred, you may be eligible for a refund minus a 10% administrative fee, at our sole discretion. Once our team has begun work—including pre-engagement reconnaissance, scoping, or active testing—no refund will be issued.
5.3 Rescheduling
You may reschedule an Engagement up to 30 business days before the scheduled Testing Window at no additional charge. Rescheduling requests made fewer than 2 business days before the Testing Window may be subject to a rescheduling fee of up to 10% of the Engagement Fees. We reserve the right to decline rescheduling requests that fall outside a reasonable timeframe.
5.4 Non-Payment and Suspension
If you have an outstanding balance on any related agreement or invoice, we reserve the right to withhold Deliverables or suspend Services until all amounts are paid in full.
5.5 Taxes
Fees do not include applicable taxes. You are responsible for all sales, use, VAT, or other taxes imposed by any governmental authority in connection with your purchase, excluding taxes based on our net income.
§ 6 Scheduling and Testing Windows
After your purchase is confirmed, we will work with you to establish a mutually agreeable Testing Window. Testing will occur only during the agreed Testing Window unless you provide prior written approval for testing outside that window.
If an emergency arises during testing—for example, if we discover a condition that poses an imminent threat to the confidentiality, integrity, or availability of your systems—we will immediately notify your designated emergency contact and pause the relevant testing activity until you authorize us to proceed.
We make reasonable efforts to adhere to agreed timelines, but testing schedules are estimates, not guarantees. Factors such as scope complexity, system responsiveness, and Client cooperation may affect timing.
§ 7 Rules of Engagement
Unless a separate Statement of Work specifies otherwise, the following rules apply to every Engagement:
7.1 No Unauthorized Destruction
We will not intentionally modify, delete, or destroy your data. Where data samples are necessary to demonstrate a finding, we will use synthetic or redacted examples whenever possible.
7.2 No Denial-of-Service Attacks
We will not conduct denial-of-service or stress-testing attacks against production systems unless you have expressly authorized such testing in writing.
7.3 No Physical Intrusion
Our Services are limited to remote, network-based testing unless physical penetration testing or social engineering has been explicitly included in your Engagement scope.
7.4 No Social Engineering by Default
We will not target your employees by name with social engineering tactics (phishing, pretexting, etc.) unless social engineering testing is expressly included in your Engagement scope and you have provided a list of approved targets.
7.5 Data Handling
Any Client confidential data we incidentally obtain during testing will be handled in accordance with Section 9 (Confidentiality) and securely destroyed within 30 business days after delivery of the final Deliverables.
§ 8 Deliverables and Reports
Upon completion of testing, we will provide you with a written report detailing our findings, including identified vulnerabilities, risk ratings, and remediation recommendations. The specific format, level of detail, and delivery timeline will depend on the service package you purchased.
Deliverables reflect a point-in-time assessment. Our findings represent the security posture of the Target Systems as observed during the Testing Window only. We do not represent or guarantee that our testing will identify every vulnerability, and we do not warrant that your systems will be secure after the Engagement.
Deliverables are provided for your internal business use only. You may not publish, distribute, or share our reports with third parties without our prior written consent, except as required by law or regulation, or as reasonably necessary to share with your legal counsel, auditors, or insurance carriers under obligations of confidentiality.
§ 9 Confidentiality
9.1 Mutual Obligations
Each party (as a "Receiving Party") agrees to hold in confidence all Confidential Information disclosed by the other party (as a "Disclosing Party") and to use at least the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care. Neither party will use the other's Confidential Information for any purpose other than performing its obligations or exercising its rights under these Terms.
9.2 Exceptions
Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was rightfully in the Receiving Party's possession before disclosure; (c) is independently developed by the Receiving Party without reference to the Confidential Information; or (d) is rightfully received from a third party without restriction.
9.3 Required Disclosures
Either party may disclose Confidential Information to the extent required by law, regulation, or legal process, provided that the Receiving Party gives the Disclosing Party prompt notice (where legally permitted) and reasonable cooperation in seeking a protective order or other appropriate remedy.
9.4 Duration
The obligations under this Section survive termination of these Terms for a period of three (3) years. Obligations relating to trade secrets continue for as long as the information remains a trade secret under applicable law.
§ 10 Intellectual Property
10.1 Our Tools and Methods
All Provider IP—including our tools, scripts, scanning infrastructure, methodologies, frameworks, and proprietary techniques—remains our sole property. Nothing in these Terms transfers any ownership interest in Provider IP to you.
10.2 Your License to Deliverables
Upon full payment of all Fees for an Engagement, we grant you a non-exclusive, non-transferable, royalty-free license to use the Deliverables for your internal business purposes only. This license does not include the right to resell, sublicense, or publicly distribute the Deliverables.
10.3 Our Retained Knowledge
We retain an irrevocable, royalty-free right to use any general knowledge, skills, techniques, concepts, and know-how developed or refined during the course of an Engagement. This does not include your Confidential Information—it simply means we remain free to use our own expertise on future engagements.
§ 11 Warranty Disclaimer
EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE SERVICES AND DELIVERABLES ARE PROVIDED "AS IS" AND "AS AVAILABLE." WE MAKE NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NON-INFRINGEMENT.
WE DO NOT WARRANT THAT OUR SERVICES WILL IDENTIFY EVERY VULNERABILITY IN YOUR SYSTEMS, NOR DO WE WARRANT THAT YOUR SYSTEMS WILL BE SECURE FOLLOWING AN ENGAGEMENT. CYBERSECURITY TESTING IS INHERENTLY LIMITED IN SCOPE AND REFLECTS CONDITIONS OBSERVED DURING THE TESTING WINDOW ONLY. THREATS EVOLVE CONTINUOUSLY, AND NO TEST CAN GUARANTEE FUTURE SECURITY.
We will perform our Services with reasonable care and skill consistent with generally accepted industry practices. That is our sole performance commitment, and it is not a guarantee of any particular outcome.
§ 12 Limitation of Liability
12.1 Cap on Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, COMPANY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO ANY ENGAGEMENT—WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY—SHALL NOT EXCEED THE TOTAL FEES ACTUALLY PAID BY CLIENT TO COMPANY FOR THE SPECIFIC ENGAGEMENT GIVING RISE TO THE CLAIM.
12.2 Exclusion of Consequential Damages
IN NO EVENT SHALL COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOST PROFITS, LOST REVENUE, LOST DATA, BUSINESS INTERRUPTION, REPUTATIONAL HARM, OR COST OF SUBSTITUTE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12.3 Exceptions
Nothing in this Section limits liability for: (a) death or personal injury caused by our negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited under applicable law.
12.4 Acknowledgment
You acknowledge that the Fees reflect the allocation of risk set forth in these Terms, including the limitations in this Section. We would not offer our Services at the stated Fees without these limitations.
§ 13 Indemnification
13.1 Your Indemnification of Us
You agree to defend, indemnify, and hold harmless Company and its officers, directors, employees, contractors, and agents from and against any third-party claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) your failure to obtain required authorizations under Section 3; (b) your breach of any representation, warranty, or obligation in these Terms; (c) your negligence or willful misconduct; or (d) any inaccurate or misleading information you provide regarding the Target Systems or your authority over them.
13.2 Our Indemnification of You
We will defend, indemnify, and hold harmless Client from and against third-party claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of our gross negligence or willful misconduct in performing the Services, subject to the limitations set forth in Section 12.
13.3 Indemnification Procedures
The indemnified party must: (a) notify the indemnifying party promptly in writing of any claim; (b) give the indemnifying party sole control of the defense and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying party's expense. Failure to provide prompt notice does not relieve the indemnifying party of its obligations except to the extent it is materially prejudiced.
§ 14 Data Handling and Destruction
We take your data seriously. During an Engagement, we may incidentally come into contact with your data in the course of testing. We handle that data as follows:
14.1 Minimization
We do not exfiltrate live Client data from Target Systems. Where data samples are needed to substantiate a finding, we use redacted or synthetic examples.
14.2 Secure Storage
Any Client data we incidentally acquire during testing is stored in encrypted form on systems under our control, accessible only to authorized personnel working on your Engagement.
14.3 Destruction
We will securely destroy all Client data (other than Deliverables and our internal work files that do not contain your raw data) within 60 business days after delivery of the final Deliverables. Upon your written request, we will provide written confirmation of destruction.
14.4 Retention of Deliverables
We may retain copies of Deliverables for our own records, compliance, and quality assurance purposes, subject to the confidentiality obligations in Section 9.
§ 15 Term and Termination
15.1 Effective Date
These Terms become effective when you complete your purchase (or, if earlier, when you click "I Agree" or otherwise indicate acceptance) and remain in effect until the Engagement is complete and all obligations have been fulfilled.
15.2 Termination by Either Party
Either party may terminate an Engagement immediately upon written notice if the other party materially breaches these Terms and fails to cure the breach within fifteen (15) days after receiving written notice of the breach.
15.3 Termination by Us
We may also terminate or suspend an Engagement immediately, without a cure period, if: (a) we reasonably believe that continuing the Engagement would violate any law or regulation; (b) we discover that your authorization over the Target Systems is inadequate or invalid; or (c) you fail to cooperate in a manner that prevents us from performing the Services safely and effectively.
15.4 Effect of Termination
Upon termination: (a) we will stop all testing activities; (b) you will pay for all Services performed up to the date of termination (no refund for completed work); (c) each party will return or destroy the other's Confidential Information in accordance with Section 9; and (d) Sections 1, 3.2, 9 through 14, 16, 17, and 18 will survive termination.
§ 16 Dispute Resolution
16.1 Informal Resolution First
Before initiating formal proceedings, you agree to contact us at trey@verificationlabs.com and attempt to resolve any dispute informally for at least thirty (30) days. Most concerns can be resolved quickly and amicably through direct communication.
16.2 Binding Arbitration
If we cannot resolve a dispute informally, you and Company agree that any claim, dispute, or controversy arising out of or relating to these Terms or the Services—including the validity, enforceability, or scope of this arbitration provision—shall be resolved exclusively through binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules then in effect. The arbitration will be conducted by a single arbitrator with experience in cybersecurity or technology services disputes.
16.3 Arbitration Details
The arbitration will be held in Seattle, Washington, or, if mutually agreed, conducted remotely via videoconference. The arbitrator's award will be final and binding, and judgment on the award may be entered in any court of competent jurisdiction. Each party shall bear its own attorneys' fees and costs, unless the arbitrator determines that a party's claims or defenses were frivolous, in which case the arbitrator may award reasonable attorneys' fees to the prevailing party.
16.4 Class Action Waiver
YOU AGREE THAT ANY DISPUTE RESOLUTION PROCEEDING WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. YOU WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION AGAINST COMPANY.
16.5 Injunctive Relief
Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent irreparable harm pending arbitration. A request for injunctive relief does not waive the right to arbitrate.
16.6 Governing Law
These Terms are governed by and construed in accordance with the laws of the State of Washington, without regard to its conflict-of-laws principles.
§ 17 Changes to These Terms
We may update these Terms from time to time. When we make material changes, we will post the updated Terms on our website and update the "Last Updated" date at the top of this document. Changes take effect upon posting unless otherwise stated.
For any Engagement already purchased at the time of a change, the Terms in effect at the time of your purchase will govern that Engagement. Your continued purchase of new Engagements after a change constitutes acceptance of the updated Terms.
§ 18 General Provisions
18.1 Entire Agreement
These Terms, together with any applicable Statement of Work or service description referenced at checkout, constitute the entire agreement between you and Company with respect to the Services and supersede all prior or contemporaneous agreements, representations, and understandings, whether written or oral.
18.2 Severability
If any provision of these Terms is found to be invalid, illegal, or unenforceable, the remaining provisions will continue in full force and effect. The invalid provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.
18.3 No Waiver
Our failure to enforce any provision of these Terms does not constitute a waiver of that provision or any other provision. A waiver of any breach is not a waiver of any subsequent breach.
18.4 Assignment
You may not assign or transfer your rights or obligations under these Terms without our prior written consent. We may assign our rights and obligations in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets. Subject to the foregoing, these Terms bind and benefit each party's successors and permitted assigns.
18.5 Force Majeure
Neither party is liable for delays or failures in performance caused by events beyond its reasonable control, including natural disasters, pandemics, government actions, cyberattacks on Company's own infrastructure, internet outages, or acts of terrorism. The affected party must provide prompt notice and use reasonable efforts to mitigate the impact.
18.6 Independent Contractors
The relationship between you and Company is that of independent contracting parties. Nothing in these Terms creates a partnership, joint venture, employment, or agency relationship.
18.7 Notices
All notices under these Terms must be in writing and will be deemed given when delivered by email with confirmed receipt, or when sent by recognized overnight courier to the addresses specified in the applicable Engagement or account profile. Notices to Company should be directed to trey@verificationlabs.com.
18.8 Export Compliance
You agree to comply with all applicable export and import laws and regulations. You represent that you are not located in, and will not use the Services from, any country subject to a U.S. government embargo, and that you are not listed on any U.S. government list of prohibited or restricted parties.
18.9 Headings
Section headings are for convenience only and have no legal effect.
18.10 Contact Us
If you have questions about these Terms, please contact us at trey@verificationlabs.com or Verification Labs, LLC. 3518 Fremont Avenue North, Unit 186, Seattle, WA 98103.
By completing your purchase, you acknowledge that you have read, understood, and agree to these Terms of Service.
© 2026 Verification Labs, LLC. DBA Pentest Express. All rights reserved.