VAPT Terms
These terms (“VAPT Terms”) apply if you have opted for the one-time (comprehensive) Vulnerability Assessment and Penetration Test (“VAPT”) or one-time Express Vulnerability Assessment and Penetration Test (“Express VAPT”). The VAPT Terms apply solely to the VAPT/Express VAPT and any conflicting click-through terms of the third party VAPT provider (“VAPT Provider”) are excluded and shall not apply to you.
1. Service Offerings
1.1. If you have opted for the Express VAPT for web, mobile, desktop or other applications, the following are the offerings included:
- automated scans of the agreed applications and/or APIs;
- expert triage and manual validation of detected findings to ensure zero false positives;
- targeted manual checks for common critical and high-risk CVE & OWASP Top 10 vulnerabilities (e.g., basic authentication flows & access control, input validation and injection, security headers, sensitive data exposure);
- access to a vulnerability management dashboard where each vulnerability will be reported along with risk ratings and remediation guidance;
- final PDF report with the status & details of vulnerabilities found;
- one retest to validate the fixes made by your team. The retest will be available for a period of 60 days from the date of initial VAPT completion.
1.2. If you have opted for comprehensive VAPT for web, mobile, desktop or other applications, the following are the offerings included:
- automated scans of the agreed applications and/or APIs;
- expert triage and manual validation of detected findings to ensure zero false positives;
- comprehensive manual checks as per OWASP ASVS & NIST standards (including advanced authentication flows & access control, business logic security testing, input validation and injection, security headers, sensitive data exposure);
- access to a vulnerability management dashboard where each vulnerability will be reported along with risk ratings and remediation guidance;
- final PDF report with the status & details of vulnerabilities found;
- up to two retests to validate the fixes made by your team. The retests will be available for a period of 60 days from the date of initial VAPT completion.
1.3. Unless otherwise specifically mentioned, references to VAPT hereinafter shall mean the VAPT (whether Express VAPT or VAPT) opted for by you.
2. Scheduling and Timeline
You shall raise the request with Sprinto to commence the VAPT within 90 days of the Order Form effective date. You may reschedule with 2 business days’ notice, without charge. Cancellation after testing commencement incurs the full fee.
3. Client Requirements and Scope
You will provide Sprinto and the VAPT Provider with accurate, complete, and timely information, access, approvals, materials and environment readiness (“Required Inputs”). You warrant that your systems are properly configured, stable, and suitable for testing. Sprinto may refuse testing of systems deemed technically inappropriate or excessively risky. You agree that you are solely responsible for any pre-existing system issues. You represent that you own and/or control in-scope systems or have written authority and have obtained and maintain required third-party approvals for the VAPT. The VAPT Provider recommends using dedicated test environments. Before testing, you will maintain verified, restorable backups of in-scope systems/data and a workable restoration plan. Any timelines or service levels applicable to the VAPT are tolled while such items are pending. Delays caused by client, third parties, or force majeure events extend deadlines accordingly without penalty to Service Provider. The scope of the services is strictly limited to what is agreed between us in writing. You understand that Denial of Service (DoS), exploitation of live customer data and making changes to production configurations are outside the scope of the testing. Any additional testing, expanded scope, or supplementary services require a separate written agreement and fees as mutually agreed between us. You acknowledge that testing production systems carries inherent risks. You accept full responsibility for production testing decisions and resulting business impacts.
5. Information Sharing and Confidentiality
You consent to Sprinto sharing necessary contact and technical information with the VAPT Provider to perform the VAPT. Sprinto will ensure the VAPT Provider is bound by written confidentiality and data-protection obligations and uses such information only for the VAPT. The VAPT Provider shall process your data solely for testing purposes using standard security practices. You remain solely responsible for regulatory compliance and data classification accuracy.
6. Authorization and Risk
You hereby authorize Sprinto and the VAPT Provider to perform vulnerability testing and, within the agreed scope, to exercise vulnerabilities solely for risk/threat identification. You acknowledge and agree that the VAPT may simulate attacker techniques but it is authorized, controlled, and designed to be non-destructive. You acknowledge you have been informed of the testing approach, methodology, tools, permissible exploits, and risks. If a disruption is caused by out-of-scope activity, gross negligence, or willful misconduct, Sprinto shall be responsible subject to the liability limits (agreed to in the Order Form/Terms of Service). Except for the foregoing, no liability shall arise from in-scope testing. Exploitation shall be limited to the minimum necessary proof-of-concept (such as screenshots) for reporting. You assume all business risks associated with testing including potential system disruption, data exposure, or service interruption. Sprinto’s and the VAPT Provider’s sole obligation for disruption is reasonable restoration assistance and not business impact compensation.
7. Service Standards and Limitations
The VAPT will be performed with reasonable skill and care. Sprinto shall ensure that industry-standard tools and methods are used but makes no guarantee of vulnerability detection completeness. Security testing cannot identify 100% of potential issues due to technological limitations. You acknowledge and agree that the VAPT is done on the version of the app provided to the VAPT Provider. Any material change (including new releases, patches, dependency updates, or configuration/infrastructure changes) may affect results and may require scoped re-testing of the affected components.
8. Reports and Intellectual Property
The VAPT Provider will deliver the final assessment report directly to you (with Sprinto in copy). You may rely only on the written report expressly designated “Final” by the VAPT Provider. All drafts, interim outputs, e-mails, and oral statements are non-final and not for reliance. You own all reports, findings, screenshots, results, and recommendations about your systems (“Reports”). Sprinto and the VAPT Provider retain ownership of their pre-existing methodologies, tools, and templates (“Background IP”). You are hereby granted a perpetual, worldwide, royalty-free license (including for affiliates, auditors, and regulators) to use Background IP as embedded in the Reports for internal use only. No extraction, reverse engineering, or separate use is permitted. Any improvements or modifications to the Background IP remain that party’s exclusive property regardless of your input or collaboration.
9. Implementation and Remediation
The Report shall outline vulnerabilities and recommended remediation steps. However, you acknowledge and agree that neither Sprinto nor the VAPT Provider has any liability towards implementing fixes for the vulnerabilities found. Recommendations are provided as guidance only. Neither Sprinto nor the VAPT Provider makes any warranty that implementing suggestions will prevent security incidents. You shall evaluate and implement recommendations at your own risk.
10. Report Usage and Third-Party Reliance
You acknowledge that the Reports are informational and do not guarantee identification of all vulnerabilities. The final report may be shared (such as with affiliates, auditors, regulators, or service providers) for review; however, reliance is limited to you and all third-party reliance is expressly disclaimed, unless Sprinto agrees in a separate signed writing naming the third party and scope of reliance. No third-party beneficiary rights are created.
11. System Restoration
If testing causes disruption, Sprinto and the VAPT Provider will promptly assist, at no additional charge, in restoring the affected environment to substantially its pre-test state. This excludes pre-existing defects and issues not caused by the VAPT. Sprinto and the VAPT Provider make no guarantee that systems can be fully restored to pre-test state.
12. Sensitive Data
You must not provide access to, or require testing against, Sensitive Data (i.e., special categories of personal data under applicable law, including health, racial or ethnic origin, biometric identifiers, medical or criminal-conviction data). If processing such data is unavoidable, you must give prior written notice to Sprinto and obtain Sprinto’s written agreement so that additional safeguards, if any, are implemented. If you provide Sensitive Data without such prior notice and agreement, Sprinto will have no liability for any losses arising from that unauthorized inclusion, and you remain responsible for compliance with applicable law. You agree to minimize or redact personal data shared for testing and to avoid sharing Sensitive Data where reasonably possible.
13. Survival
The following provisions survive completion or termination of the VAPT to the extent they relate to pre-termination activities or Reports: Sections 5 (Information Sharing and Confidentiality), 6 (Authorization and Risk) (only the risk allocation, restoration assistance and no-business-impact statements), 7 (Service Standards and Limitations), 8 (Reports and Intellectual Property), 9 (Implementation and Remediation), 10 (Report Usage and Third-Party Reliance), 11 (System Restoration) (solely until restoration is completed), and 12 (Sensitive Data).
