
Terms of Service

Last updated: March 2026

Table of Contents
1. Agreement to Terms
2. Service Description
3. Authorization and Scope
4. Limitation of Liability
5. No Guarantee of Complete Coverage
6. Confidentiality
7. Data Retention
8. Payment and Refunds
9. Dispute Resolution
10. Errata and Corrections
11. Responsible Disclosure
12. Modifications

1. Agreement to Terms

By purchasing any Pilum.io service you agree to these Terms. Tier 1 consent is via the Polar.sh checkout ToS checkbox. Tier 2+ consent is via signed authorization document plus these Terms.

2. Service Description

Pilum.io offers the following service tiers:

Tier 1 — Snapshot ($299)

Passive-only scan. Zero active API calls. URL only. Covers: HTTP headers, publicly served JS analysis, DNS, SSL/TLS, dependency CVE matching, infrastructure signals. Does NOT cover: authenticated testing, active API probing, repo analysis, database queries, form submissions.

Tier 2 — Deep Audit ($1,499)

Active testing with signed authorization. Covers everything in Tier 1 plus active probing as defined in the authorization document.

Tier 3 — Guardian ($699/month)

Ongoing delta scanning per GitHub webhook trigger plus monthly full audit.

Tier 4 — Remediation

Coming soon. Not currently offered.

3. Authorization and Scope

Client represents and warrants:

  • (a) They own or have explicit written authorization to test all assets in scope.
  • (b) Tier 1 ToS checkbox constitutes authorization for passive GET requests only.
  • (c) Tier 2+ requires a separate signed authorization document — no active testing begins without this document on file.
  • (d) Scope is defined by the assets listed at engagement start. Assets not listed are out of scope regardless of discovery during testing.

Client indemnifies Pilum.io against all claims arising from testing assets the client did not have authorization to test.

4. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

  • (a) PILUM.IO’S TOTAL LIABILITY ARISING FROM ANY ENGAGEMENT SHALL NOT EXCEED THE TOTAL FEES PAID BY CLIENT FOR THE SPECIFIC ENGAGEMENT GIVING RISE TO THE CLAIM.
  • (b) PILUM.IO SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA BREACHES OCCURRING AFTER REPORT DELIVERY, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  • (c) PILUM.IO DOES NOT GUARANTEE THAT ALL VULNERABILITIES WILL BE DISCOVERED. SECURITY AUDITS REPRESENT A POINT-IN-TIME ASSESSMENT. NEW VULNERABILITIES MAY EMERGE AFTER DELIVERY DUE TO CHANGES IN THE CLIENT’S CODEBASE, DEPENDENCIES, OR THREAT LANDSCAPE.
  • (d) THE LIMITATION OF LIABILITY IN SECTION 4(a) APPLIES PER ENGAGEMENT, NOT PER FINDING. A CLIENT WHO HAS PURCHASED MULTIPLE ENGAGEMENTS MAY NOT AGGREGATE CLAIMS TO EXCEED THE FEE OF ANY SINGLE ENGAGEMENT.

5. No Guarantee of Complete Coverage

Security auditing is not a guarantee of security. Pilum.io’s reports represent the findings discovered during the engagement scope using the methodology described. Absence of findings does not mean absence of vulnerabilities. The report documents what was tested, what was found, and what was not tested. Client acknowledges this inherent limitation of all security auditing services.

6. Confidentiality

Pilum.io treats all client data, codebases, findings, and engagement details as strictly confidential. We do not share, sell, or disclose client findings to any third party without written consent.

Exception: We may use anonymized, non-attributable aggregate data (vulnerability type frequencies, severity distributions) to improve our detection accuracy. No client-identifying information is included in aggregate data.

7. Data Retention

Per our published Data Retention Policy. Clients may request early deletion at security@pilum.io.

8. Payment and Refunds

Tier 1: Payment via Polar.sh. Non-refundable once scan has begun. If we are unable to complete the scan, a full refund is issued.

Tier 2+: 50% deposit on authorization. Remainder on delivery. If we abort per the breach discovery protocol and client elects not to continue, deposit is refunded minus time already spent (hourly rate $150).

9. Dispute Resolution

Parties agree to attempt good-faith resolution before any legal action. Disputes not resolved within 30 days may be submitted to binding arbitration under the rules of JAMS (for US clients) or ICC (for international clients). Governing law: State of Delaware, USA (pending LLC formation; currently Republic of Indonesia, Jakarta courts for PT-governed engagements).

10. Errata and Corrections

If a confirmed finding in a delivered report is proven to be a false positive, Pilum.io will issue an errata PDF within 72 hours of verified notification. The errata replaces the affected finding in the official record. No additional fee is charged for errata. This does not create additional liability beyond Section 4.

11. Responsible Disclosure

Pilum.io operates under a responsible disclosure policy (pilum.io/legal/disclosure). Third-party vulnerabilities discovered incidentally are reported to the relevant party per responsible disclosure norms, not to the client. Client-side findings affecting third-party services are noted INFORMATIONAL.

12. Modifications

Pilum.io may update these Terms. Material changes will be communicated via email to clients with active engagements. Continued use constitutes acceptance.


© 2026 Pilum.io — Adversarially verified. Professionally delivered.