1. Application
These Engagement Terms apply to every security analysis engagement between TrustEdge Labs ("we" / "TrustEdge") and a customer ("you" / "Client"), unless we have signed a separate engagement letter or master services agreement that explicitly modifies them. Where there is a conflict, the executed engagement letter controls.
2. The services we provide
TrustEdge offers hands-on, technically focused security analysis services, scoped deliberately around the kinds of systems we ourselves build:
- web application and SaaS security review;
- WordPress / CMS security review;
- desktop application and CAD-plugin security review;
- license and activation flow security review;
- basic mobile application review (scoped to selected MASVS controls);
- related advisory work — code review, threat modeling, hardening guidance.
TrustEdge does not offer internal-network engagements, red team / adversary-simulation operations, or any regulator-recognized testing under regimes such as TIBER-EU, CBEST, or DORA TLPT. Where an engagement would require those, we will say so up front and decline rather than overreach.
Each engagement is described in a written statement of work ("SoW") signed by both parties before work begins. The SoW specifies scope, schedule, fees, and any deviations from these Terms.
3. What we are not — formal audit clarification
TrustEdge is an independent software studio. We are not a CREST/OSCP-certified pentest firm; an ISO 27001, SOC 2, PCI-DSS, or HIPAA auditor; nor a regulator-approved provider for TIBER-EU, CBEST, DORA TLPT, or comparable regimes.
Our reports are technical hardening guides. They identify vulnerabilities, give reproduction steps, and recommend remediation. They cannot be used as official documents in regulatory (certification-purpose) audits required by frameworks such as ISO 27001, SOC 2, PCI-DSS, GDPR, HIPAA, or local regulators (e.g. KVKK, BDDK, TSE in Türkiye). Compliance certificates can only be issued by your accredited auditor, not by us. If you need a regulator-recognized certificate, we are not the right partner for that part of the work.
4. Authorization — your warranty
You warrant and represent that:
- you own the assets identified in the SoW, or you have full, documented authority from the asset owner(s) to commission security testing of those assets;
- you have obtained, or you will obtain before testing begins, all consents required by your contracts with hosting providers, cloud platforms, payment processors, and any other third party whose infrastructure is in scope;
- you have notified internal stakeholders to the extent required by your internal policies, and you will provide a kill-switch contact reachable 24/7 for the duration of any active testing window.
TrustEdge will not begin active testing without (i) a signed Letter of Authorization to Test on Client letterhead, signed by an authorized representative of the Client and stamped where company policy requires it, returned to TrustEdge as a scanned copy via the agreed channel, and (ii) a written engagement letter / statement of work and rules-of-engagement document executed by both parties. A web-form submission alone is not sufficient authorization. We may suspend or stop testing at any time if we reasonably believe the authorization is in doubt or has been revoked.
5. Conduct of the engagement
5.1 Reasonable skill and care
We will perform the services with reasonable skill and care consistent with prevailing industry practice for the type of work described in the SoW. Findings are hand-verified before delivery.
5.2 No guarantee of completeness
Security testing is, by its nature, time-boxed and probabilistic. We do not guarantee that every vulnerability in your systems will be discovered or that the systems will be free of security defects after the engagement. The absence of findings is not, on its own, evidence that no findings exist.
5.3 Production testing
Where testing runs against production systems, we will follow the rules-of-engagement document and proceed with care to avoid service disruption. You acknowledge, however, that security testing carries inherent risk, including the possibility of unintentional disruption, and you accept that risk to the extent we exercise reasonable skill and care.
Before any active testing window begins, you are responsible for: (a) maintaining current backups of in-scope systems and data, (b) ensuring monitoring and rollback plans are in place, (c) provisioning isolated test accounts where the engagement requires authenticated testing, and (d) designating an internal incident-response contact for the duration of the window. We will not begin active testing until these prerequisites are confirmed in writing.
5.4 Default rules of engagement
Unless the engagement letter or rules-of-engagement document explicitly varies these defaults in writing, the following are out of scope for every engagement:
- destructive testing, data tampering, or service disruption beyond what is unavoidable to demonstrate impact;
- persistence, backdoors, or any post-engagement access;
- malware deployment of any kind;
- volumetric / DoS / DDoS attacks;
- mass credential attacks (brute force, password spray) unless explicitly scoped;
- data exfiltration beyond the minimum required to demonstrate impact;
- social engineering or phishing of staff or third parties;
- testing of third-party systems, hosting providers, payment processors, or any infrastructure not owned by the Client.
These same defaults are mirrored in the Letter of Authorization to Test that the Client signs before testing begins.
5.5 Communications
Communication channels and response expectations are defined in the engagement letter / SoW (typically a private email thread, and optionally a shared chat channel). Critical findings are reported as soon as reasonably possible through the agreed emergency contact. We do not commit to specific real-time SLAs outside an explicitly priced retainer.
6. Deliverables
- a written executive summary suitable for leadership;
- a technical report with findings, severity, reproduction steps, and remediation guidance, mapped where useful to public technical references (OWASP ASVS/MASVS, NIST SP 800-115, CWE);
- an optional live readout call with your engineering team, when scoped in the SoW;
- re-testing is not included by default; if required, a limited verification pass on previously reported findings may be scoped separately in the SoW. Any re-test covers only the previously reported findings and does not include new features, architecture changes, or expanded scope.
7. Confidentiality
Both parties undertake to keep confidential all non-public information disclosed by the other in connection with the engagement, including findings, source code, network topologies, commercial terms, and any data observed during testing. Each party will use the other's confidential information only for the purposes of the engagement and will protect it with at least the same care it uses for its own confidential information of similar sensitivity, and never less than reasonable care.
These confidentiality obligations survive the engagement for five (5) years, or longer if required by applicable law (e.g. trade secrets, personal data).
8. Intellectual property
8.1 Deliverables
Subject to payment of fees, we grant you a perpetual, worldwide, non-exclusive, non-transferable license to use the written deliverables (executive summary and technical report) for your internal business purposes, including sharing them with your auditors, regulators, customers, or insurers as needed.
8.2 What we don't hand over
We provide sufficient technical detail in the report for verification and remediation. We do not provide reusable exploit chains, internal tools, prompts, automation scripts, source code, runtime instrumentation, or proprietary methodology, unless explicitly agreed in writing in the SoW. This protects both parties: it keeps weaponizable artifacts from leaving controlled hands and keeps our methodology a methodology rather than a product.
8.3 Methodology and tooling ownership
We retain ownership of all methodology, internal templates, scripts, exploit primitives, and tools we developed before, or independently of, the engagement. Nothing in the engagement transfers ownership of these to you.
8.4 Anonymized learnings & case-study consent
We may use anonymized, non-identifying learnings from the engagement to improve our methodology and train our team. We will not publish a case study, your name, logo, domain, screenshots, unique architecture details, or any identifiable vulnerability narrative without your prior written approval — even in anonymized form, if a reasonable reader could attribute it to you.
9. Fees, expenses, and taxes
Fees are stated in the SoW and are exclusive of VAT (KDV) and any other taxes, which we will add where required by law. Reasonable, pre-approved expenses (e.g. travel) are charged at cost. Invoices are payable within thirty (30) days of issue. Overdue amounts accrue default interest at the rate set by the Central Bank of the Republic of Türkiye for commercial transactions.
10. Limitation of liability
Subject to applicable law, our aggregate liability arising out of or in connection with the engagement (whether in contract, tort, breach of statutory duty, or otherwise) shall not exceed the fees actually paid by you to TrustEdge under the relevant engagement letter or SoW in the twelve (12) months preceding the event giving rise to liability.
We are not liable for any indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, goodwill, anticipated savings, or data, even if advised of the possibility of such damages.
Nothing in this clause limits liability that cannot be excluded by law, including liability for fraud, gross negligence, or willful misconduct.
11. Indemnification by Client
You agree to indemnify, defend, and hold harmless TrustEdge from and against any claim, demand, damage, loss, fine, penalty, or cost (including reasonable attorneys' fees) brought by any third party arising from or related to:
- a breach of your authorization warranty in clause 4 (i.e. you did not in fact have authority to commission testing of one or more in-scope assets);
- your failure to obtain consents required from third-party providers (hosting, cloud, payment, etc.);
- your unauthorized disclosure of our deliverables, methodology, or tools;
- a regulator's or auditor's reliance on our reports as formal audit evidence in circumstances where we have disclaimed such use (see clause 3).
12. Data protection
Where we process personal data on your behalf during the engagement, the parties may sign a data processing addendum addressing applicable KVKK and GDPR requirements — including processor obligations, confidentiality, security measures, sub-processors, and cross-border transfers where relevant. Our default addendum is available on request. We do not engage new sub-processors for personal-data handling without giving you prior notice and a reasonable opportunity to object.
13. Term and termination
Either party may terminate the engagement for material breach not cured within fifteen (15) days of written notice, or immediately for insolvency events. On termination, you owe fees for work performed up to the termination date, plus any non-cancelable third-party costs we incurred in good faith for the engagement.
14. Force majeure
Neither party is liable for delay or failure to perform caused by events beyond its reasonable control (war, sanctions, natural disaster, large-scale internet/cloud outage, government action), provided the affected party gives prompt notice and uses reasonable efforts to mitigate.
15. Governing law and dispute resolution
These Terms and any engagement governed by them are subject to the laws of the Republic of Türkiye. The parties submit to the exclusive jurisdiction of the Istanbul Central (Çağlayan) Courts and Enforcement Offices of the Republic of Türkiye, except where mandatory law gives one party the right to sue or be sued elsewhere. The parties will attempt in good faith to resolve disputes amicably before initiating proceedings.
16. Notices
Formal notices must be sent by registered mail (or KEP, in Türkiye) to the addresses identified in the SoW. Operational communications may be sent by email — to legal@trustedgelabs.dev for TrustEdge, and to the email designated in the SoW for the Client.
17. Severability and assignment
If any provision is held unenforceable, the remainder remains in force. Neither party may assign these Terms or any engagement without the other's prior written consent, except that either party may assign to a successor in a merger or acquisition.
18. Entire agreement
The applicable engagement letter or SoW, together with these Engagement Terms, our Privacy Policy, and any signed DPA, constitute the entire agreement between the parties for the services and supersede prior representations or understandings on the same subject.
These Engagement Terms were prepared in good faith but are not legal advice. For meaningful engagements, both parties are encouraged to review them with their own counsel and to sign a tailored engagement letter.