Acceptance of Terms
By accessing or using PentestClaw Services, you ("Customer") agree to be bound by these Terms of Service ("Agreement"). If you do not agree to these terms, do not use the Services.
Authority Representation
If you are accepting this Agreement on behalf of a company or other legal entity ("Customer"), you represent and warrant that:
- You have full legal authority to bind Customer to this Agreement
- You have read and understand this Agreement
- You agree, on behalf of Customer, to be bound by this Agreement
Services Description
PentestClaw provides autonomous AI-powered penetration testing and red teaming services ("Services") designed to identify vulnerabilities in Customer's infrastructure through authorized security testing.
Scope — Services Include
- Automated vulnerability scanning and exploitation
- AI-driven payload generation and delivery
- Infrastructure reconnaissance and analysis
- Detailed reporting and remediation recommendations
Limitations — Services Do Not Include
- Testing of third-party infrastructure without written authorization
- Exfiltration or retention of personal data
- Disruption of business operations
- Testing outside agreed scope or timeframes
Customer Obligations & Authorization
Customer must have explicit written authorization before any testing begins. This is a legal requirement under Mexican law (LFTR) and cannot be waived.
3.1 Authorization Requirement
Customer represents and warrants that:
- (a) Legal Authority: Customer has full legal authority to authorize testing and has obtained all necessary internal approvals.
- (b) Ownership or Authorization: Customer owns or has explicit written authorization from the system owner to conduct security testing on all infrastructure targeted by the Services.
- (c) Compliance with Mexican Law (PRIMARY): Customer is responsible for ensuring that all testing complies with Mexican laws:
  - Federal Telecommunications Law (LFTR)
  - Federal Data Protection Law (LFPDPPP)
  - General Data Protection Law (LGPD)
  - Mexican Penal Code cybercrime provisions
  - Mexican Commercial Code
- (d) Other Jurisdictions (Secondary): If testing involves infrastructure in other jurisdictions, Customer ensures compliance with:
  - Computer Fraud and Abuse Act (CFAA) — United States
  - General Data Protection Regulation (GDPR) — European Union
  - California Consumer Privacy Act (CCPA) — United States
- (e) No Government Infrastructure: Testing will NOT target Mexican government infrastructure without explicit written authorization from the relevant government agency.
3.2 Domain Verification
Before conducting any testing, Customer must complete PentestClaw's automated Domain Verification process, which confirms administrative access to the target domain, authorization to conduct security testing, and Customer's acceptance of responsibility for all testing activities. This verification serves as documented proof of authorization.
3.3 Cooperation
Customer shall:
- Provide timely and accurate information about infrastructure
- Respond to inquiries from PentestClaw regarding testing scope
- Notify PentestClaw immediately of any changes to authorization
- Maintain confidentiality of testing findings until authorized release
Prohibited Uses
Customer shall NOT use PentestClaw Services to:
- (a) Unauthorized Access — Violates LFTR, Mexican Penal Code:
  - Access systems without authorization
  - Test infrastructure without written permission
  - Exceed scope of authorized testing
- (b) Government Infrastructure — Violates LFTR, Mexican law:
  - Test Mexican government infrastructure without explicit written authorization
  - Test critical national infrastructure without authorization
  - Test telecommunications infrastructure without COFETEL authorization
- (c) Third-Party Infrastructure — Violates Mexican law:
  - Test infrastructure owned by third parties without written consent
  - Test infrastructure without documented authorization
- (d) Data Misuse — Violates LFPDPPP, LGPD:
  - Exfiltrate, retain, or misuse personal data
  - Use personal data for purposes other than security testing
  - Share personal data with unauthorized parties
  - Retain personal data after testing completion
- (e) Operational Disruption: Disrupt critical infrastructure, conduct testing during production hours without approval, or cause service outages or data loss.
- (f) Legal Violations: Violate any applicable Mexican laws or laws of other jurisdictions where infrastructure is located.
- (g) Scope Violations: Conduct testing outside agreed scope, timeframes, or hours, or test additional systems not authorized.
- (h) Intellectual Property: Reverse engineer PentestClaw's proprietary algorithms, access source code, or copy/distribute PentestClaw's tools.
- (i) Unlawful Purposes: Use Services for any unlawful purpose, to facilitate cybercrime, or to harm individuals or organizations.
Data Protection & Privacy
5.1 Customer Data
PentestClaw will:
- Process Customer Data only as necessary to provide the Services
- Not use Customer Data for any purpose other than providing the Services
- Implement appropriate technical and organizational measures to protect Customer Data
- Notify Customer without undue delay of any unauthorized access to Customer Data
5.2 Personal Data — LFPDPPP & LGPD Compliance
If testing involves personal data of individuals:
- Customer must ensure compliance with Mexican data protection laws (LFPDPPP, LGPD)
- Customer must obtain informed consent from data subjects before testing
- PentestClaw will implement enhanced protections for personal data
- A Data Processing Addendum (DPA) is required for GDPR/CCPA compliance
5.3 Data Retention
PentestClaw will:
- Retain Customer Data only for the duration necessary to provide Services
- Delete Customer Data within 30 days of Service termination
- Provide Customer with copies of findings upon request
- Not retain personal data after testing completion
PentestClaw's servers are hosted on Hostinger (USA). PentestClaw maintains compliance with Mexican data protection laws (LFPDPPP, LGPD) as if data were stored in Mexico. Data is encrypted in transit and at rest.
Compliance with Laws
| Framework | Jurisdiction | Level | Applies To |
|---|---|---|---|
| LFTR | México | Primary | Both PentestClaw & Customer |
| LFPDPPP | México | Primary | Both PentestClaw & Customer |
| LGPD | México | Primary | Both PentestClaw & Customer |
| Código Penal Federal | México | Primary | Both PentestClaw & Customer |
| CFAA | USA | Secondary | PentestClaw (server compliance) |
| CCPA | USA / California | Secondary | If applicable to Customer data |
| GDPR | European Union | Tertiary | If Customer processes EU data |
| OWASP / NIST | International | Tertiary | Industry standards |
6.1 PentestClaw Compliance — Mexico Primary
- Federal Telecommunications Law (LFTR)
- Federal Data Protection Law (LFPDPPP)
- General Data Protection Law (LGPD)
- Mexican Penal Code cybercrime provisions
- Mexican Commercial Code
- Industry best practices (OWASP, NIST)
6.2 PentestClaw Secondary Compliance — USA Server
- Computer Fraud and Abuse Act (CFAA)
- Data protection standards for US-hosted services (Hostinger)
- US export control regulations
6.3 Customer Compliance — Mexico Primary
- Compliance with LFTR, LFPDPPP, LGPD
- Compliance with Mexican Penal Code cybercrime provisions
- Obtaining necessary governmental authorizations for testing
- Industry-specific regulations if applicable
6.4 Customer Compliance — Other Jurisdictions
If testing involves infrastructure in other jurisdictions, Customer is responsible for compliance with applicable local laws, must obtain necessary authorizations, and must inform PentestClaw of multi-jurisdiction testing.
Limitation of Liability
7.2 Limitation
7.3 Liability Cap
PentestClaw's total liability shall not exceed the fees paid by Customer in the 12 months preceding the claim.
7.4 Exceptions
The above limitations do not apply to:
- Claims arising from PentestClaw's gross negligence or willful misconduct
- Indemnification obligations
- Confidentiality obligations
- Breach of data protection obligations
Indemnification
8.1 Customer Indemnification
Customer shall indemnify, defend, and hold harmless PentestClaw from any claims, damages, or costs arising from:
- Customer's use of Services in violation of this Agreement
- Customer's violation of Mexican laws or other applicable laws
- Customer's lack of authorization to conduct testing
- Customer's unauthorized access to third-party systems
- Customer's misuse of testing findings
8.2 PentestClaw Indemnification
PentestClaw shall indemnify Customer from claims that the Services infringe third-party intellectual property rights, provided Customer has complied with this Agreement.
Confidentiality
9.1 Confidential Information
Each party shall:
- Maintain confidentiality of the other party's Confidential Information
- Not disclose Confidential Information to third parties without prior written consent
- Protect Confidential Information with the same care as its own
9.2 Exceptions
Confidential Information does not include information that:
- Is publicly available through no breach of this Agreement
- Is independently developed without use of Confidential Information
- Is required to be disclosed by law (with prior notice to disclosing party)
Term & Termination
10.1 Term
This Agreement is effective upon acceptance and continues for the duration of the Services engagement.
10.2 Termination
Either party may terminate this Agreement:
- For convenience with 30 days' written notice
- Immediately if the other party materially breaches and fails to cure within 15 days
- Immediately if required by law
10.3 Effect of Termination
- All Services cease immediately
- Customer Data will be deleted within 30 days
- Confidentiality obligations survive termination
- Indemnification obligations survive termination
Jurisdiction & Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the United Mexican States (México), specifically: LFPDPPP, LGPD, LFTR, Código de Comercio, and Mexican Penal Code provisions on cybercrime.
11.2 Exclusive Jurisdiction
All disputes arising from this Agreement shall be resolved in the competent courts of Mexico City (Ciudad de México), in accordance with Mexican law and procedure. Both parties consent to the exclusive jurisdiction and venue of these courts.
11.4 Dispute Resolution Process
- Good Faith Negotiation: Parties attempt to resolve disputes through direct negotiation for a period of 30 days.
- Mediation: If negotiation fails, parties proceed to formal mediation before a neutral third party.
- Arbitration or Litigation: Final resolution through arbitration or litigation in competent courts of Mexico City, in accordance with the Mexican Code of Civil Procedure (Código de Procedimientos Civiles).
PentestClaw Representation
- Company Location: PentestClaw is a company operating in Mexico, providing cybersecurity services to Mexican customers.
- Server Location: While PentestClaw's servers are hosted on Hostinger (USA), PentestClaw operates as a Mexican company providing services to Mexican customers.
- Compliance Responsibility: PentestClaw is responsible for compliance with Mexican laws as the primary service provider. Compliance with US laws is secondary and relates only to data processing on US-hosted servers.
- Data Handling: All customer data is processed on Hostinger servers in the USA, but PentestClaw maintains compliance with Mexican data protection laws (LFPDPPP, LGPD) as if data were stored in Mexico.
- Regulatory Compliance: PentestClaw maintains compliance with Mexican regulatory requirements for cybersecurity service providers.
General Provisions
- Entire Agreement: This Agreement constitutes the entire agreement between the parties and supersedes all prior agreements.
- Amendments: PentestClaw may amend this Agreement with 30 days' written notice. Continued use of Services constitutes acceptance of amendments.
- Severability: If any provision is found invalid, the remaining provisions shall continue in effect.
- Waiver: No waiver of any provision shall be effective unless in writing.