Terms of Service

Last updated: March 2026

1. Introduction and Acceptance

These Terms of Service ("Terms") constitute a legally binding agreement between you (whether an individual or an entity) and Security Brigade InfoSec Private Limited ("Security Brigade", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, with its registered office in Mumbai, Maharashtra, India.

By accessing our website (securitybrigade.com), engaging our cybersecurity services, or using our Lemon assessment platform, you agree to be bound by these Terms. If you are accepting these Terms on behalf of an organisation, you represent that you have the authority to bind that organisation. If you do not agree with these Terms, you must not access or use our services.

These Terms apply to website access, general service enquiries, and use of our platform. Specific cybersecurity engagements (penetration testing, red team exercises, compliance audits, and similar services) are additionally governed by a separate Statement of Work ("SOW"), Master Services Agreement ("MSA"), or engagement letter. In the event of conflict between these Terms and a signed SOW or MSA, the SOW or MSA shall prevail.

2. Scope of Services

Security Brigade provides cybersecurity assessment, consulting, and compliance services, including but not limited to:

  • Web, mobile, and API penetration testing
  • Network and infrastructure security assessments
  • Red team and adversary simulation engagements
  • Cloud security assessments (AWS, Azure, GCP)
  • Secure code review and architecture review
  • Compliance assessments (PCI DSS, SOC 2, ISO 27001, RBI, SEBI CSCRF, IRDAI)
  • OT/SCADA security assessments
  • Spear phishing and social engineering simulations
  • Breach and attack simulation (BAS)

The precise scope, methodology, deliverables, and timelines for any engagement shall be defined in the applicable SOW. Security Brigade shall perform services in a professional and workmanlike manner consistent with industry standards and CERT-In empanelment requirements.

3. Authorisation and Rules of Engagement

The Client warrants and represents that it has full authority to authorise Security Brigade to perform security testing on the systems, applications, and networks specified in the SOW. The Client shall provide a duly executed authorisation letter or "Permission to Test" before any active testing commences. Security Brigade shall not be held liable for any disruption, data loss, or service degradation arising from authorised testing activities performed within the agreed scope and rules of engagement.

Security Brigade shall not test systems or networks not expressly included in the SOW without prior written authorisation. Any out-of-scope discoveries that indicate a critical risk will be reported to the Client promptly for a determination on whether to extend the engagement scope.

4. Client Obligations

In engaging our services, you agree to:

  • Provide timely and accurate information necessary for the performance of services, including system access, credentials, architecture documentation, and contact details for technical personnel.
  • Ensure that you hold all necessary rights and authorisations to permit testing of the specified systems, including any third-party hosted or cloud environments.
  • Notify your relevant internal teams (SOC, IT operations, hosting providers) of the testing schedule to avoid unnecessary incident escalation.
  • Not use our assessment reports, vulnerability findings, or methodologies for any unlawful purpose.
  • Make timely payments in accordance with the agreed commercial terms.

5. Intellectual Property

Client Deliverables: Assessment reports, findings, and remediation recommendations delivered under an engagement are the property of the Client upon full payment of all fees due. The Client receives a perpetual, non-exclusive licence to use these deliverables for its internal business purposes.

Security Brigade IP: All methodologies, frameworks, tools (including the Lemon platform), proprietary testing scripts, checklists, report templates, and general know-how developed or used by Security Brigade remain the exclusive intellectual property of Security Brigade. No engagement transfers ownership of such IP to the Client.

Aggregated Insights: Security Brigade may use anonymised, aggregated, and de-identified data from engagements to improve its services, develop threat intelligence, and create industry benchmarks, provided that no Client-identifiable information is disclosed.

Website Content: All content on securitybrigade.com, including text, graphics, logos, icons, images, and software, is the property of Security Brigade or its licensors and is protected under the Copyright Act, 1957 (India) and applicable international intellectual property laws. You may not reproduce, distribute, modify, or create derivative works from our website content without express written permission.

6. Confidentiality

Both parties acknowledge that in the course of the engagement, each party may receive or have access to confidential information of the other party. "Confidential Information" includes, without limitation: vulnerability reports, penetration test findings, source code, system architectures, security configurations, commercial terms, business strategies, and any information marked as confidential.

Each party agrees to: (a) hold the other party's Confidential Information in strict confidence; (b) not disclose it to any third party without prior written consent, except to employees and contractors with a need to know who are bound by obligations of confidentiality no less protective; and (c) not use it for any purpose other than performing or receiving the services contemplated.

The duty of confidentiality survives termination of the engagement for a period of five (5) years, or for as long as the information remains a trade secret, whichever is longer. Disclosure required by law, regulation, or court order shall not constitute a breach, provided the disclosing party gives reasonable prior notice where legally permitted.

7. Limitation of Liability

To the maximum extent permitted by applicable law:

  • No Guarantee of Absolute Security: Security Brigade provides professional security assessment services but does not and cannot guarantee that all vulnerabilities in a system will be identified or that a system will be immune to attack following our assessment. Cybersecurity risk can be reduced, not eliminated.
  • Aggregate Liability Cap: Security Brigade's total aggregate liability for any claims arising out of or in connection with an engagement shall not exceed the total fees paid by the Client for that specific engagement during the twelve (12) months preceding the claim.
  • Exclusion of Consequential Damages: In no event shall Security Brigade be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, loss of data, loss of business opportunity, or reputational harm, even if advised of the possibility of such damages.
  • Testing Disruptions: Security Brigade shall not be liable for service disruptions, performance degradation, or data loss in the Client's systems arising from testing activities performed within the authorised scope and rules of engagement, provided such testing was conducted in accordance with the agreed methodology.

8. Indemnification

The Client shall indemnify, defend, and hold harmless Security Brigade, its directors, officers, employees, and contractors from and against any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from: (a) the Client's breach of these Terms or the applicable SOW; (b) the Client's failure to obtain proper authorisation for testing; (c) the Client's misuse of assessment reports or findings; or (d) any third-party claim arising from the Client's systems, content, or data.

Security Brigade shall indemnify the Client against claims arising from Security Brigade's gross negligence or wilful misconduct in the performance of services, or from Security Brigade's material breach of its confidentiality obligations under Section 6.

9. Lemon Platform Terms

Access to Security Brigade's Lemon assessment platform is provided on a licence basis for the duration of the engagement. The Client agrees to: (a) use the platform solely for the purpose of the agreed engagement; (b) not share access credentials with unauthorised parties; (c) not attempt to reverse-engineer, decompile, or extract the source code of the platform; (d) comply with our acceptable use policy. Access credentials are revoked upon conclusion of the engagement unless otherwise agreed.

10. Term and Termination

Either party may terminate an engagement for cause upon thirty (30) days' written notice if the other party materially breaches its obligations and fails to cure such breach within the notice period. Security Brigade may suspend services immediately if it reasonably determines that continued testing poses a risk of harm to the Client's production environment, or if the Client fails to make payments when due.

Upon termination, the Client shall pay all fees for services rendered up to the date of termination. Sections relating to Confidentiality, Intellectual Property, Limitation of Liability, Indemnification, and Governing Law shall survive termination.

11. Governing Law and Dispute Resolution

These Terms shall be governed by and construed in accordance with the laws of the Republic of India. Any disputes, controversies, or claims arising out of or relating to these Terms, or the breach, termination, or invalidity thereof, shall be resolved as follows:

  • Negotiation: The parties shall first attempt to resolve the dispute through good-faith negotiation between senior management representatives within thirty (30) days of written notice.
  • Mediation: If negotiation fails, the parties shall submit the dispute to mediation administered under the rules of the Mumbai Centre for International Arbitration (MCIA).
  • Arbitration: If mediation fails within sixty (60) days, the dispute shall be resolved by binding arbitration under the Arbitration and Conciliation Act, 1996 (India). The arbitration shall be conducted by a sole arbitrator appointed by mutual consent, seated in Mumbai, Maharashtra. The language of arbitration shall be English.

Notwithstanding the above, either party may seek injunctive or other equitable relief from the competent courts of Mumbai, Maharashtra, to protect its Confidential Information or intellectual property rights.

12. Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations due to circumstances beyond its reasonable control, including natural disasters, acts of government, cyberattacks on the performing party's own infrastructure, pandemic restrictions, war, or civil unrest. The affected party shall notify the other party promptly and use reasonable efforts to mitigate the impact.

13. Severability and Waiver

If any provision of these Terms is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The failure of either party to enforce any right or provision shall not constitute a waiver of such right or provision.

14. Modifications to These Terms

Security Brigade reserves the right to modify these Terms at any time. We will post the revised Terms on this page with an updated "Last updated" date. Your continued use of our website or services after any modification constitutes acceptance of the revised Terms. Material changes to Terms governing active engagements will be communicated directly to the affected Client.

15. Contact

For any questions about these Terms, please contact:

Security Brigade InfoSec Private Limited
Registered Office: Mumbai, Maharashtra, India
Email: privacy@securitybrigade.com
India: in.sales@securitybrigade.com
United Kingdom: uk.sales@securitybrigade.com
United States: us.sales@securitybrigade.com
Asia-Pacific: apac.sales@securitybrigade.com