Terms & Conditions

Katana AUTO – Automated Penetration Testing Service

1. Definitions

  • "Confidential Information": any information in any form that has been provided by one party (the "disclosing party") to the other party (the "receiving party") or that is otherwise shared in connection with this agreement and which was marked confidential or was stated to be confidential at the time of disclosure; concerns the customers, finances, sales, marketing, products, suppliers, employees, business operations, forecasts, management, or network or computer systems information of the disclosing party; or would ordinarily be deemed by a reasonable person to be confidential or proprietary. This includes any Personal Data where the Customer is a Controller and the Supplier is its Processor (as defined in clause 14). The provisions (but not the existence) of this agreement and the process of its negotiation are also Confidential Information.
  • "Customer": the person or organisation who creates an account on the Platform and submits a test.
  • "Charges": the price displayed on the Platform for the Services, as determined by the number of endpoints discovered during the crawl phase.
  • "Due Date": 14 days from the date on which the Supplier issues an invoice to the Customer.
  • "Intellectual Property Rights": any patents, copyright, database right, design right, trade mark, service mark, trade secret, logo, know-how and any other intellectual property rights (whether registered or unregistered or capable of registration) together with any current applications for any registrable items of the foregoing and all rights and forms of protection having equivalent or similar effect anywhere in the world.
  • "Material Breach": with respect to a given breach, that a reasonable person in the position of the non-breaching party would wish to terminate this agreement because of that breach.
  • "Platform": the Katana AUTO web application operated by the Supplier, through which the Customer submits tests and receives reports.
  • "Proposal": the automated quotation presented to the Customer on the Platform following the crawl phase, detailing the number of endpoints discovered, the Charges, test mode, and testing methodology.
  • "Services": the automated AI-powered penetration testing services provided by the Supplier to the Customer via the Platform, including the crawl, testing, human verification, and delivery of the report.
  • "Supplier": Samurai Digital Security Limited, a company registered in England and Wales with company number 10511079. The Supplier's registered office address is Unit 3, Hazel Court Midland Way, Barlborough, Chesterfield, England, S43 4FD.

2. The Agreement

2.1. This agreement comprises these terms, and the Proposal as presented on the Platform.

2.2. By clicking "Agree & Start Test" on the Platform, the Customer accepts this agreement in its entirety. This agreement applies to the exclusion of any other terms the Customer may supply.

2.3. This agreement supersedes all previous negotiations, understandings, and representations relating to the subject matter of this agreement.

2.4. This agreement, and any claim, dispute or matter arising out of or in connection with it (including non-contractual claims), is governed by English law.

3. Duration

3.1. This agreement starts when the Customer clicks "Agree & Start Test" on the Platform and continues until the Services are complete and all Charges have been paid, unless terminated earlier in accordance with this agreement.

4. Cancellation of Services

4.1. Due to the automated nature of the Services, once the Customer clicks "Agree & Start Test", the Services will commence immediately and cannot be cancelled.

4.2. The Customer is not eligible for a refund of the Charges once the Services have commenced.

4.3. If the Customer does not click "Agree & Start Test", no agreement is formed and no Charges are due. The Proposal will remain available on the Platform for 30 days, after which it will expire.

5. Supplier Obligations

5.1. The Supplier shall:

a) provide the Services using AI-powered testing tools, with findings verified by CREST-registered penetration testers;

b) provide the Services to the standard of a reasonable and prudent operator providing services similar to the Services in the ordinary course of business;

c) use reasonable endeavours to deliver the verified report within 2 working days of the automated testing phase completing; and

d) comply with all applicable laws.

5.2. The nature of the Services means that the Supplier cannot, and does not, guarantee:

a) it will find, identify, or attribute all indicators of compromise;

b) it will find, identify, or attribute all possible vectors of attack or vulnerabilities; or

c) the security of any system.

5.3. The Supplier retains editorial control over the scope and content of any reports, including classifications of risk. The final content of any report will be determined solely by the Supplier.

6. Customer Obligations

6.1. The Customer warrants and represents that:

a) the Customer owns, or has obtained written authorisation from the owner of, the target application and all systems, networks, and infrastructure within the scope of the Services;

b) the Customer has legal authority to authorise security testing on behalf of their organisation;

c) all information provided to the Supplier via the Platform is complete, accurate, and up to date; and

d) the Customer will comply with all applicable laws.

6.2. The Customer shall not attempt to influence or pressurise the Supplier as to its investigation or the content of any report.

6.3. If, directly or indirectly because of a breach by the Customer of this agreement, the Supplier is unable to perform the Services in full or to the expected standard:

a) the Supplier shall use reasonable efforts to perform the Services, but will not be liable for any defective or inadequate performance; and

b) the Customer remains liable to pay the Charges in full.

7. Domain Verification

7.1. Before the Services commence, the Customer must verify ownership of or authority over the target domain, either by:

a) using an account registered with an email address on the target domain; or

b) verifying a code sent to an email address on the target domain.

7.2. The Customer indemnifies the Supplier against all losses, costs, claims, expenses and liabilities whatsoever arising out of or in connection with the Customer submitting a target which the Customer does not own or have authority to test.

8. Credentials and Authenticated Testing

8.1. Where the Customer opts for authenticated testing, the Customer may provide up to 5 sets of credentials via the Platform.

8.2. Credentials are transmitted securely via encrypted connection and are used solely for the purpose of performing the Services.

8.3. The Supplier will delete credentials from its systems promptly after the testing phase is complete.

8.4. The Customer is responsible for ensuring that any credentials provided are test credentials or that the Customer has authority to use them for the purpose of security testing.

9. Test Modes

9.1. The Customer selects one of the following test modes before the Services commence:

a) Standard: read-focused testing with minimal impact to the target application. Recommended for live/production environments.

b) Aggressive: comprehensive testing which may create test accounts, form submissions, and database entries. For development and staging environments only.

9.2. The Customer acknowledges that even in Standard mode, testing may have an impact on the target application, and the Supplier is not liable for any such impact.

9.3. The Customer accepts responsibility for any test data created during the assessment.

10. Pricing and Payment

10.1. The Charges are determined by the number of endpoints discovered during the automated crawl phase and are presented to the Customer in the Proposal on the Platform before the Customer agrees to proceed.

10.2. Unless stated otherwise, prices exclude VAT. The Supplier will add VAT at the prevailing rate.

10.3. The Supplier will issue an invoice to the Customer's billing email address upon delivery of the verified report.

10.4. The Customer shall pay each invoice by the Due Date (14 days from invoice date).

10.5. If the Supplier does not receive payment by the Due Date, the Supplier may:

a) send reminders and charge an admin fee for each reminder, by way of liquidated damages;

b) charge penalties and interest as specified in the Late Payment of Commercial Debts (Interest) Act 1998; and

c) charge reasonable costs and expenses (including legal costs) for seeking payment.

10.6. If the Supplier does not receive payment 30 days after the Due Date, the Supplier may suspend the Customer's access to the Platform and any reports.

11. Intellectual Property

11.1. The Supplier or its licensors remains the owner of any Intellectual Property Rights subsisting in any reports, tools, software, documentation, and any other materials or deliverables made available to the Customer.

11.2. The Customer is granted a non-exclusive, non-transferable licence to use the report for the Customer's own internal purposes only.

12. Termination

12.1. Either party may terminate this agreement in the event of Material Breach by the other party, by giving notice to the other party.

12.2. Termination will not affect any rights, obligations or liabilities that have accrued before termination or that are intended to continue beyond termination.

12.3. The Customer is not entitled to a refund of any payments in the event of termination.

13. Limits on Liability

13.1. All conditions, warranties or terms which might have effect between the Customer and the Supplier, or be implied or incorporated into this agreement (whether by statute, common law or otherwise) are excluded to the extent permitted by law.

13.2. Neither party limits or excludes its liability to the other for personal injury or death caused by its negligence, for fraud or fraudulent misrepresentation, or for any matter for which, at law, a party cannot limit or exclude its liability.

13.3. Subject to clauses 13.1 and 13.2, neither party shall be liable to the other for special, indirect, or consequential losses, including loss of profits, earnings, business, goodwill, business interruption, expected savings, sales, or loss of or corruption to data.

13.4. Subject to clauses 13.1 to 13.3, the Supplier's total liability to the Customer for claims arising out of or in connection with this agreement shall not exceed the Charges paid by the Customer for the Services to which the claim relates.

13.5. Any liability owed under this agreement to the Customer is owed solely by the Supplier, and the Customer shall not attempt to enforce any personal responsibility or liability on any individual.

14. Data Protection

14.1. References in this clause to a "Regulation" are to the Applied GDPR (EC regulation 2016/679 as amended by the UK's Data Protection Act 2018). Capitalised terms have the meaning defined by the Regulation unless otherwise defined in this agreement.

14.2. The Customer shall ensure that any instructions given to the Supplier with respect to the Processing of Personal Data are lawful and that the Customer has complied with all applicable data protection laws.

14.3. The Customer shall not transfer any Personal Data to the Supplier unless that transfer is necessary to enable the Supplier to provide the Services.

14.4. Where the Customer is a Controller and the Supplier is the Customer's Processor, the Supplier shall:

a) process Personal Data in accordance with all applicable law and only on the Customer's documented instructions;

b) ensure that persons authorised to process Personal Data are committed to confidentiality;

c) take all measures required pursuant to Article 32 of the Regulation;

d) assist the Customer in responding to Data Subject rights requests;

e) at the Customer's choice, delete or return all Personal Data after the Services are complete; and

f) notify the Customer without undue delay of any Personal Data Breach.

15. Confidentiality

15.1. Each party shall treat the other party's Confidential Information as strictly confidential, shall not disclose it to any person except on a need-to-know basis, and shall keep it in a safe and secure place.

15.2. The results of the Services, including any reports, are the Confidential Information of the Customer.

15.3. These obligations do not apply where disclosure is required by law or where the information is already in the public domain through no fault of the receiving party.

15.4. The obligations in this clause survive for two years from the termination or expiration of this agreement.

16. Penetration Testing – No Liability for Outages

16.1. The Supplier is not liable for degraded system or network performance, loss of or corruption to any data, system or network outages, or any other adverse effects arising out of or in connection with the Services, irrespective of the system, network, data, or nature or scope of the effect.

16.2. The Customer shall maintain such backups, disaster recovery, and resiliency plans as are appropriate to its situation.

17. Events Outside Reasonable Control

17.1. Neither party will be liable for any delay or failure in performance caused by events outside that party's reasonable control, provided that party promptly notifies the other. This does not apply to the Customer's obligation to pay any sums due.

18. Dispute Resolution

18.1. In the event of any disputes, the parties will first attempt to resolve the matter informally. If unresolved, either party may bring a claim before the courts of England.

18.2. Each party agrees to the exclusive jurisdiction of the courts of England.

18.3. To bring any claim, a party must serve the other party with particulars of claim within 12 months of the date on which the cause of action accrued.

19. Miscellaneous

19.1. A person who is not a party to this agreement has no rights under this agreement.

19.2. If any part of this agreement is found to be invalid or unenforceable, this will not affect the remaining provisions.

19.3. The Supplier may amend this agreement at any time by notice to the Customer, provided that the amendment does not impose an additional cost or material burden upon the Customer.

19.4. The Supplier may assign, transfer, or sub-contract any of its rights or obligations. The Customer may not do so without the Supplier's prior written consent.

19.5. Nothing in this agreement establishes any partnership, joint venture, or agency.

Samurai Digital Security Limited. Registered in England and Wales, company number 10511079.

Registered office: Unit 3, Hazel Court Midland Way, Barlborough, Chesterfield, England, S43 4FD.

Last updated: February 2026