Engagement Terms
Framework for professional security services engagements.
1. Purpose and Scope
These Engagement Terms supplement our Terms of Service and establish the framework governing professional services engagements between Alex Terrats Ciberseguretat SLU (DAB SecurePeak) ("SecurePeak") and our clients. Professional services include security assessments (penetration testing, red team operations, vulnerability assessments), security consulting (architecture review, compliance advisory, incident response), cryptographic infrastructure services (PKI design, HSM deployment, key ceremonies), and managed security services (SOC operations, threat monitoring, detection engineering).
Each engagement is governed by a specific Statement of Work (SOW) that references these Engagement Terms and defines the particular scope, deliverables, timeline, and pricing for that engagement. In the event of conflict, the SOW takes precedence over these general terms.
2. Engagement Types and Service Categories
Offensive Security Assessments
Offensive security engagements involve authorized simulated attacks against client systems to identify vulnerabilities and test defensive capabilities. These engagements require explicit written authorization and careful scope definition.
- External Penetration Testing: Assessment of internet-facing systems, applications, and infrastructure from an external attacker perspective.
- Internal Penetration Testing: Assessment from within the network perimeter simulating an insider threat or post-breach scenario.
- Web Application Assessment: Comprehensive testing of web applications including OWASP Top 10 vulnerabilities, business logic flaws, and authentication weaknesses.
- Mobile Application Assessment: Security analysis of iOS and Android applications including client-side and API security.
- Red Team Operations: Objective-based adversary simulation with full-scope tactics including physical, social engineering, and technical vectors.
- Purple Team Exercises: Collaborative engagements combining offensive techniques with defensive team participation for real-time detection improvement.
- Wireless Security Assessment: Evaluation of wireless network security including 802.11, Bluetooth, and other RF protocols.
- Social Engineering: Testing of human security controls through phishing, vishing, physical intrusion, and pretexting campaigns.
Cryptographic Infrastructure Services
Specialized services for design, deployment, and operation of cryptographic systems requiring rigorous process controls and ceremony procedures.
- PKI Architecture Design: Trust hierarchy design, certificate policy development, and CA operations planning.
- HSM Engineering: Hardware security module deployment, configuration, and integration services.
- Key Ceremony Services: Facilitation of cryptographic key generation ceremonies with witness procedures and audit documentation.
- Post-Quantum Migration: Cryptographic inventory, migration planning, and hybrid implementation for quantum-resistant security.
- Protocol Design and Analysis: Custom security protocol development and formal verification services.
- Secrets Management: Design and deployment of enterprise secrets management infrastructure.
Defensive Security Services
Services focused on improving detection, response, and overall security posture through proactive and reactive measures.
- Security Architecture Review: Assessment of security design, controls, and architecture against best practices and threats.
- Detection Engineering: Development and tuning of detection rules, alerts, and response playbooks.
- Incident Response: Emergency response to security incidents including containment, eradication, and recovery.
- Forensic Investigation: Digital forensics and evidence collection for security incidents or legal proceedings.
- Threat Hunting: Proactive search for threats within environments using hypothesis-driven investigation.
- Compliance Advisory: Gap assessments and remediation guidance for regulatory frameworks (PCI-DSS, HIPAA, SOC 2, etc.).
Managed Services
Ongoing operational services with defined service levels and continuous delivery.
- Managed Detection and Response (MDR): 24/7 security monitoring, threat detection, and response services.
- Virtual CISO: Fractional security leadership and strategic advisory services.
- Certificate Management: Ongoing management of certificate lifecycle through the Certificate Management Portal.
- Vulnerability Management: Continuous vulnerability scanning, prioritization, and remediation tracking.
3. Engagement Lifecycle
All professional services engagements follow a structured lifecycle designed to ensure clarity of expectations, proper authorization, and quality delivery.
1 Scoping and Proposal
Initial discussions to understand requirements, define objectives, and establish scope boundaries. SecurePeak provides a detailed proposal including scope description, methodology overview, timeline, deliverables, assumptions, and pricing. The proposal becomes binding upon client acceptance and execution of the Statement of Work.
2 Authorization and Planning
For offensive security engagements, this phase includes execution of authorization documentation, definition of rules of engagement, establishment of communication protocols, and identification of emergency contacts. Planning includes technical preparation, tool configuration, and coordination with client stakeholders.
3 Execution
Active service delivery according to the defined scope and methodology. Regular status communications maintain visibility throughout the engagement. Critical findings are communicated immediately through established escalation channels.
4 Reporting and Delivery
Comprehensive documentation of findings, evidence, and recommendations delivered in the agreed format. Reports include executive summary, technical details, risk ratings, and remediation guidance. Draft reports are provided for factual review before final delivery.
5 Debrief and Closeout
Presentation of findings to technical and executive stakeholders. Q&A session to clarify findings and discuss remediation strategies. Formal engagement closure including destruction of testing data per agreed retention policies.
4. Authorization Requirements
4.1 Third-Party Systems
Testing of systems hosted by or belonging to third parties (cloud providers, SaaS vendors, managed service providers) requires additional authorization. Client is responsible for obtaining necessary permissions from third parties and ensuring testing complies with third-party terms of service. SecurePeak may require evidence of third-party authorization before including such systems in scope.
4.2 Cloud Environment Testing
Testing in major cloud environments (AWS, Azure, GCP) must comply with each provider's penetration testing policies. Client is responsible for submitting required notifications or obtaining approvals from cloud providers. SecurePeak will provide guidance on cloud provider requirements but client bears responsibility for compliance.
5. Rules of Engagement
5.1 Standard Rules
Unless otherwise specified in the SOW, the following standard rules apply to all offensive security engagements:
- Testing is limited to systems, networks, and applications explicitly identified as in-scope.
- Denial-of-service attacks are not performed unless explicitly authorized and coordinated.
- Data exfiltration is limited to proof-of-access; actual sensitive data is not extracted without explicit approval.
- Social engineering targets are limited to personnel within the client organization unless otherwise specified.
- Physical security testing requires separate authorization and coordination.
- All testing is conducted from SecurePeak infrastructure using documented source IP addresses.
- Testing pauses upon client request through established communication channels.
5.2 Restricted Actions
The following actions are prohibited unless explicitly authorized in writing:
- Modification or deletion of production data
- Installation of persistent backdoors or implants
- Actions that could cause system instability or outages
- Testing of systems during designated blackout periods
- Contact with end users or customers of the client
- Disclosure of findings to any party other than authorized contacts
5.3 Emergency Procedures
In the event of unexpected system impact, discovery of active compromise, or other emergency situations, SecurePeak will immediately cease related testing activities, notify designated emergency contacts, document the circumstances, and await client guidance before resuming. Client agrees to maintain accurate emergency contact information and respond promptly to emergency notifications.
Critical Finding Notification: Upon discovery of critical vulnerabilities that pose immediate risk to the organization (active exploitation, critical data exposure, imminent business impact), SecurePeak will immediately notify the designated security contact through the fastest available channel, regardless of scheduled reporting timelines.
6. Scope Management
6.1 Scope Definition
The Statement of Work defines the precise scope of each engagement. Scope includes target systems (IP ranges, domains, applications, physical locations), assessment type and depth, testing timeframe and any restrictions, specific objectives or compliance requirements, and excluded systems and actions.
6.2 Scope Changes
Changes to scope during an engagement require written approval from both parties. Scope expansions may result in additional fees and timeline adjustments. SecurePeak will provide a change order documenting the revised scope and associated costs before proceeding with expanded testing.
6.3 Discovered Systems
During testing, SecurePeak may discover systems or applications not explicitly included in scope that appear related to in-scope targets. SecurePeak will document such discoveries and seek client authorization before testing discovered systems. Testing of discovered systems without explicit approval is prohibited.
7. Deliverables
7.1 Standard Deliverables
Unless otherwise specified, offensive security assessments include the following deliverables:
| Deliverable | Description | Format |
|---|---|---|
| Executive Summary | High-level overview of findings, risk assessment, and strategic recommendations suitable for leadership | |
| Technical Report | Detailed findings with evidence, reproduction steps, impact analysis, and remediation guidance | |
| Findings Spreadsheet | Structured listing of all findings for tracking and remediation management | Excel/CSV |
| Evidence Package | Supporting evidence including screenshots, logs, and proof-of-concept files | Encrypted ZIP |
| Debrief Presentation | Presentation materials for findings review session | PDF/PPTX |
7.2 Remediation Verification
Remediation verification (retest) is available as an add-on service to validate that identified vulnerabilities have been effectively addressed. Retest scope is limited to previously identified findings and includes an updated report reflecting remediation status.
7.3 Report Confidentiality
All deliverables are classified as Confidential and are delivered only to authorized contacts specified in the SOW. Reports are encrypted in transit and at rest. Client is responsible for appropriate handling and distribution of reports within their organization.
8. Client Responsibilities
8.1 Pre-Engagement
Client agrees to provide accurate and complete scope information, execute required authorization documentation, identify and brief internal stakeholders, configure necessary access credentials and VPN connections, notify relevant third parties as required, and confirm testing windows and any blackout periods.
8.2 During Engagement
Client agrees to maintain availability of designated contacts during testing windows, respond promptly to questions and access requests, notify SecurePeak immediately of any planned maintenance or changes, refrain from modifying security controls in response to testing without coordination, and provide access to requested documentation and personnel as needed.
8.3 Post-Engagement
Client agrees to participate in debrief sessions, review draft reports for factual accuracy, confirm receipt of final deliverables, and address identified vulnerabilities according to risk prioritization.
9. SecurePeak Responsibilities
9.1 Professional Standards
SecurePeak commits to conducting all engagements with professionalism, integrity, and adherence to industry standards. Our team members maintain relevant certifications (OSCP, OSCE, GPEN, GXPN, CISSP, etc.) and participate in ongoing professional development.
9.2 Methodology
Our assessment methodologies align with industry frameworks including OWASP Testing Guide, PTES (Penetration Testing Execution Standard), NIST SP 800-115, MITRE ATT&CK Framework, and OSSTMM (Open Source Security Testing Methodology Manual). Specific methodologies are detailed in engagement proposals.
9.3 Communication
SecurePeak will maintain regular communication throughout the engagement, notify client immediately of critical findings, provide status updates at agreed intervals, and respond to client inquiries within one business day.
9.4 Data Handling
SecurePeak handles all client data in accordance with our Privacy Policy and applicable data protection regulations. Testing data is encrypted at rest and in transit. Client data is retained only for the duration necessary to complete the engagement and deliver reports, after which it is securely destroyed unless retention is required for legal or contractual reasons.
10. Compliance and Legal Considerations
10.1 Legal Compliance
All engagements are conducted in compliance with applicable laws including the Computer Fraud and Abuse Act (CFAA) in the United States, Computer Misuse Act 1990 in the United Kingdom, relevant EU member state implementations of the Network and Information Security Directive, and Andorran criminal law regarding computer systems. Client authorization ensures that testing activities are lawful. Testing without proper authorization is illegal and SecurePeak will not proceed without appropriate documentation.
10.2 Regulatory Requirements
For clients in regulated industries, engagements can be structured to satisfy regulatory requirements including PCI-DSS penetration testing requirements (Requirement 11.3), HIPAA security risk assessment requirements, SOC 2 penetration testing for Trust Services Criteria, GLBA safeguards rule assessment requirements, and DORA ICT risk management testing for financial entities. Specific regulatory scope and reporting requirements should be identified during engagement planning.
10.3 Export Controls
Certain cryptographic services may be subject to export control regulations. Client is responsible for ensuring that engagement activities comply with applicable export control laws in their jurisdiction.
11. Confidentiality and Non-Disclosure
11.1 Mutual Confidentiality
Both parties agree to maintain strict confidentiality regarding all information exchanged during the engagement. This includes client business information, technical architecture, vulnerabilities discovered, assessment methodologies, and report contents.
11.2 Vulnerability Non-Disclosure
SecurePeak will not publicly disclose any vulnerabilities discovered during client engagements without explicit written consent. If vulnerabilities are discovered in third-party products, SecurePeak may, with client consent, pursue responsible disclosure to the vendor following industry-standard timelines.
11.3 Confidentiality Period
Confidentiality obligations survive engagement completion and remain in effect indefinitely for vulnerability information and for five (5) years for other confidential information.
12. Limitation of Liability for Engagements
The limitation of liability provisions in our Terms of Service apply to all engagements. Additionally, Client acknowledges that security testing inherently involves risk of unintended system impact. While SecurePeak exercises professional care to minimize such risks, Client agrees that SecurePeak is not liable for unavoidable consequences of authorized testing activities conducted within the defined scope and rules of engagement. Neither party shall be liable for indirect, consequential, or punitive damages arising from the engagement.
13. Insurance
SecurePeak maintains professional liability insurance (Errors & Omissions) and cyber liability insurance appropriate for our service offerings. Certificates of insurance are available upon request. Specific insurance requirements can be addressed in individual engagement agreements.
14. Dispute Resolution
Disputes arising from engagements shall be resolved according to the dispute resolution provisions in our Terms of Service. The parties agree to attempt good faith resolution before initiating formal proceedings.
15. Contact Information
For questions regarding these Engagement Terms or to discuss a potential engagement:
Engagement Coordination
Alex Terrats Ciberseguretat SLU (DAB SecurePeak)
Registration: L-717869-S
Carrer Ventiga 4, AD200 Encamp
Principat d'Andorra
SecurePeak Ltd (Americas)
1309 Coffeen Ave Ste 1200
Sheridan, WY 82801-5777
United States
Email: engagements@securepeak.com
PGP Key: 0xABCD1234
Purple Team Operations
Maite Urrea, Engagement Coordinator & Purple Team Lead
Email: purpleteam@securepeak.com
Emergency Contact (Active Engagements Only)
24/7 Hotline for engagement emergencies
Provided in Statement of Work