TrustEdge Labs
All legal documents

Engagement Terms

Security Engagement Terms

The baseline terms that apply to every paid security analysis engagement we run. Specific engagement letters may modify or override these. Read alongside our Privacy Policy and Site Terms of Use.

Last updated 2026-05-04

Plain-language summary. We run hands-on security analysis. Our reports are technical hardening guidance — not formal audit certificates. You authorize the testing, we test in good faith, our liability is capped at the fees you pay us, and you protect us from claims that arise from unauthorized testing or your own actions. The full terms below are what you actually agree to.

1. Application

These Engagement Terms apply to every security analysis engagement between TrustEdge Labs ("we" / "TrustEdge") and a customer ("you" / "Client"), unless we have signed a separate engagement letter or master services agreement that explicitly modifies them. Where there is a conflict, the executed engagement letter controls.

2. The services we provide

TrustEdge offers hands-on, technically focused security analysis services, scoped deliberately around the kinds of systems we ourselves build:

  • web application and SaaS security review;
  • WordPress / CMS security review;
  • desktop application and CAD-plugin security review;
  • license and activation flow security review;
  • basic mobile application review (scoped to selected MASVS controls);
  • related advisory work — code review, threat modeling, hardening guidance.

TrustEdge does not offer internal-network engagements, red team / adversary-simulation operations, or any regulator-recognized testing under regimes such as TIBER-EU, CBEST, or DORA TLPT. Where an engagement would require those, we will say so up front and decline rather than overreach.

Each engagement is described in a written statement of work ("SoW") signed by both parties before work begins. The SoW specifies scope, schedule, fees, and any deviations from these Terms.

3. What we are not — formal audit clarification

TrustEdge is an independent software studio. We are not a CREST/OSCP-certified pentest firm; an ISO 27001, SOC 2, PCI-DSS, or HIPAA auditor; nor a regulator-approved provider for TIBER-EU, CBEST, DORA TLPT, or comparable regimes.

Our reports are technical hardening guides. They identify vulnerabilities, give reproduction steps, and recommend remediation. They cannot be used as official documents in regulatory (certification-purpose) audits required by frameworks such as ISO 27001, SOC 2, PCI-DSS, GDPR, HIPAA, or local regulators (e.g. KVKK, BDDK, TSE in Türkiye). Compliance certificates can only be issued by your accredited auditor, not by us. If you need a regulator-recognized certificate, we are not the right partner for that part of the work.

4. Authorization — your warranty

You warrant and represent that:

  • you own the assets identified in the SoW, or you have full, documented authority from the asset owner(s) to commission security testing of those assets;
  • you have obtained, or you will obtain before testing begins, all consents required by your contracts with hosting providers, cloud platforms, payment processors, and any other third party whose infrastructure is in scope;
  • you have notified internal stakeholders to the extent required by your internal policies, and you will provide a kill-switch contact reachable 24/7 for the duration of any active testing window.

TrustEdge will not begin active testing without (i) a signed Letter of Authorization to Test on Client letterhead, signed by an authorized representative of the Client and stamped where company policy requires it, returned to TrustEdge as a scanned copy via the agreed channel, and (ii) a written engagement letter / statement of work and rules-of-engagement document executed by both parties. A web-form submission alone is not sufficient authorization. We may suspend or stop testing at any time if we reasonably believe the authorization is in doubt or has been revoked.

5. Conduct of the engagement

5.1 Reasonable skill and care

We will perform the services with reasonable skill and care consistent with prevailing industry practice for the type of work described in the SoW. Findings are hand-verified before delivery.

5.2 No guarantee of completeness

Security testing is, by its nature, time-boxed and probabilistic. We do not guarantee that every vulnerability in your systems will be discovered or that the systems will be free of security defects after the engagement. The absence of findings is not, on its own, evidence that no findings exist.

5.3 Production testing

Where testing runs against production systems, we will follow the rules-of-engagement document and proceed with care to avoid service disruption. You acknowledge, however, that security testing carries inherent risk, including the possibility of unintentional disruption, and you accept that risk to the extent we exercise reasonable skill and care.

5.4 Communications

We provide a shared channel (Slack/Teams or equivalent) for the duration of the engagement. We escalate high-severity findings to your designated contact within one business hour of confirmation.

6. Deliverables

  • an executive summary suitable for leadership;
  • a technical report with findings, severity, reproduction steps, and remediation guidance, mapped where useful to public technical references (OWASP ASVS/MASVS, MITRE ATT&CK, NIST SP 800-115, CWE);
  • a 30–60 minute live readout call with your engineering team;
  • one round of re-testing of remediated findings within the re-test window stated in the SoW (typically 90 days, 120 days for desktop / network engagements), at no additional fee.

7. Confidentiality

Both parties undertake to keep confidential all non-public information disclosed by the other in connection with the engagement, including findings, source code, network topologies, commercial terms, and any data observed during testing. Each party will use the other's confidential information only for the purposes of the engagement and will protect it with at least the same care it uses for its own confidential information of similar sensitivity, and never less than reasonable care.

These confidentiality obligations survive the engagement for five (5) years, or longer if required by applicable law (e.g. trade secrets, personal data).

8. Intellectual property

8.1 Deliverables

Subject to payment of fees, we grant you a perpetual, worldwide, non-exclusive, non-transferable license to use the deliverables (reports, scripts, instrumentation files) for your internal business purposes, including sharing them with your auditors, regulators, customers, or insurers as needed.

8.2 Methodology and tooling

We retain ownership of all methodology, internal templates, scripts, exploit primitives, and tools we developed before, or independently of, the engagement. Nothing in the engagement transfers ownership of these to you.

8.3 Anonymized learnings

We may use anonymized, non-identifying learnings from the engagement to improve our methodology, train our team, and publish public technical content — provided that no fact, finding, artifact, or wording specific to you is disclosed.

9. Fees, expenses, and taxes

Fees are stated in the SoW and are exclusive of VAT (KDV) and any other taxes, which we will add where required by law. Reasonable, pre-approved expenses (e.g. travel) are charged at cost. Invoices are payable within thirty (30) days of issue. Overdue amounts accrue default interest at the rate set by the Central Bank of the Republic of Türkiye for commercial transactions.

10. Limitation of liability

Subject to applicable law, our aggregate liability arising out of or in connection with the engagement (whether in contract, tort, breach of statutory duty, or otherwise) shall not exceed the fees actually paid by you to TrustEdge under the relevant engagement letter or SoW in the twelve (12) months preceding the event giving rise to liability.

We are not liable for any indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, goodwill, anticipated savings, or data, even if advised of the possibility of such damages.

Nothing in this clause limits liability that cannot be excluded by law, including liability for fraud, gross negligence, or willful misconduct.

11. Indemnification by Client

You agree to indemnify, defend, and hold harmless TrustEdge and Cihan Karabalta from and against any claim, demand, damage, loss, fine, penalty, or cost (including reasonable attorneys' fees) brought by any third party arising from or related to:

  • a breach of your authorization warranty in clause 4 (i.e. you did not in fact have authority to commission testing of one or more in-scope assets);
  • your failure to obtain consents required from third-party providers (hosting, cloud, payment, etc.);
  • your unauthorized disclosure of our deliverables, methodology, or tools;
  • a regulator's or auditor's reliance on our reports as formal audit evidence in circumstances where we have disclaimed such use (see clause 3).

12. Data protection

Where we process personal data on your behalf during the engagement, the parties will sign a data processing agreement ("DPA") consistent with KVKK Article 8 and, where applicable, GDPR Article 28. Our default DPA is available on request. We do not subcontract personal-data processing to third parties without your prior written consent.

13. Term and termination

Either party may terminate the engagement for material breach not cured within fifteen (15) days of written notice, or immediately for insolvency events. On termination, you owe fees for work performed up to the termination date, plus any non-cancelable third-party costs we incurred in good faith for the engagement.

14. Force majeure

Neither party is liable for delay or failure to perform caused by events beyond its reasonable control (war, sanctions, natural disaster, large-scale internet/cloud outage, government action), provided the affected party gives prompt notice and uses reasonable efforts to mitigate.

15. Governing law and dispute resolution

These Terms and any engagement governed by them are subject to the laws of the Republic of Türkiye. The parties submit to the exclusive jurisdiction of the Istanbul Central (Çağlayan) Courts and Enforcement Offices of the Republic of Türkiye, except where mandatory law gives one party the right to sue or be sued elsewhere. The parties will attempt in good faith to resolve disputes amicably before initiating proceedings.

16. Notices

Formal notices must be sent by registered mail (or KEP, in Türkiye) to the addresses identified in the SoW. Operational communications may be sent by email — to legal@trustedgelabs.dev for TrustEdge, and to the email designated in the SoW for the Client.

17. Severability and assignment

If any provision is held unenforceable, the remainder remains in force. Neither party may assign these Terms or any engagement without the other's prior written consent, except that either party may assign to a successor in a merger or acquisition.

18. Entire agreement

The applicable engagement letter or SoW, together with these Engagement Terms, our Privacy Policy, and any signed DPA, constitute the entire agreement between the parties for the services and supersede prior representations or understandings on the same subject.

These Engagement Terms were prepared in good faith but are not legal advice. For meaningful engagements, both parties are encouraged to review them with their own counsel and to sign a tailored engagement letter.