PENTAL

Acceptable Use Policy

Last updated: 5 May 2026

This Acceptable Use Policy (AUP) governs your use of the Pental platform (Platform). It is a binding part of our Terms of Service. Pental is sold to penetration testing firms and consultancies; we understand the nature of the work our customers do and the sensitivity of the data involved. This policy exists to set clear responsibilities, protect the Platform and other customers, and define the boundary between our role as a platform provider and your role as the firm conducting testing.

Audience definitions used in this policy. Customer or you: the entity (typically a penetration testing firm) that subscribes to the Platform. Users: the customer's staff (admins, testers, contractors) and the customer's own clients who are granted access to a client-facing portal. Customer Data: everything stored on or generated through the Platform under the customer's account, including assessments, findings, evidence, proposals, invoices, credentials, and reports. End Client: a client of the Customer (e.g. an organisation that has hired the Customer to perform penetration testing).

1. Customer Responsibilities

You are solely responsible for all activity that occurs under your Pental account, including the actions of your staff, contractors, and any End Clients you grant portal access to. In particular:

(a) Authorisation chain. You warrant that all penetration testing activities whose results are stored on the Platform were and continue to be conducted under valid, written authorisation from the relevant system owner, in the form of a signed Statement of Work, Rules of Engagement, letter of authorisation, master services agreement, or equivalent. You will retain those documents for at least the period required by your applicable industry scheme, regulator, or insurer. Pental has no obligation to verify, and no role in determining, whether your engagements are properly authorised.

(b) Lawful basis for End Client data. Where Customer Data includes personal data of End Clients, their staff, or third parties, you are responsible for the lawful basis under which that data was collected and is being processed, and for any privacy notices, consents, or contractual permissions required.

(c) Credential handling. Where you collect, store, or share authorisation credentials (passwords, API keys, MFA seeds, private keys, etc.) on the Platform, you must use the encrypted Credentials Vault feature. You must not paste plaintext credentials into general-purpose fields such as findings descriptions, comments, notes, file uploads, or report bodies. You are responsible for promptly relaying acknowledgement of receipt to your End Client and for ensuring credentials are rotated or revoked at the end of an engagement, in line with that End Client's security practices.

(d) Contractor and User access. You are responsible for vetting, authorising, suspending, and de-provisioning all User accounts within your portal, including contractors. Where you grant portal access to your End Clients, the terms on which they access that portal (in particular, what they can see and do) are your responsibility.

(e) Regulatory compliance. You are responsible for ensuring your use of the Platform complies with all applicable laws and regulations in every jurisdiction where you operate or where your End Clients are based. This includes anti-computer-misuse and unauthorised-access legislation (for example, the US Computer Fraud and Abuse Act, the UK Computer Misuse Act 1990, and equivalent statutes elsewhere), data protection laws (UK GDPR, EU GDPR, CCPA/CPRA, PIPEDA, etc.), export control rules where they apply to security tools or vulnerability information, and any sector-specific or industry scheme requirements (PCI DSS, ISO 27001, HIPAA, SOC 2, NIS2, DORA, CREST, CHECK, PTES, OSSTMM, OWASP testing guides, and similar).

(f) Account security. You are responsible for: enforcing strong authentication on User accounts (multi-factor authentication is available and we recommend you require it for all administrative accounts); promptly removing access when staff or contractors leave; not sharing login credentials between people; and notifying us promptly of any suspected unauthorised access.

2. The Platform Is Not an Attack Tool

The Platform exists to manage, document, schedule, and report your testing work. It is not designed or licensed to be used as an attack tool, scanning engine, exploitation framework, command-and-control infrastructure, or proxy for traffic directed at target systems. You must not use the Platform to:

(a) launch port scans, vulnerability scans, brute-force attempts, denial-of-service traffic, or any active probe against any system, whether authorised or not;

(b) host or deliver malware payloads, droppers, post-exploitation tooling, or persistence mechanisms intended for deployment against any system;

(c) operate command-and-control channels, beacons, or callback infrastructure;

(d) tunnel, proxy, or relay traffic toward target systems through Pental-controlled infrastructure;

(e) extract or stage data exfiltrated from target systems through Platform endpoints (file storage, attachments, exports) at scale or in a manner inconsistent with normal report writing.

Storing screenshots, request/response captures, proof-of-concept code, sample exploit payloads, or extracted data within an assessment record for the purpose of evidencing a finding in a report is a normal and expected use of the Platform. Using the Platform itself to deliver, execute, or coordinate the underlying activity is not.

3. Prohibited Conduct

In addition to the restrictions in Section 2, you must not:

(a) attempt to access, enumerate, or interact with any other customer's tenant data, portal, or environment, including by manipulating tenant identifiers, exploiting any flaw in our access controls, or using credentials issued to a different customer;

(b) probe, scan, penetration-test, fuzz, brute-force, or otherwise security-test the Platform itself without our prior written authorisation; security research subject to our published responsible disclosure terms is permitted (see Section 7);

(c) interfere with or degrade the Platform's infrastructure, availability, performance, or other customers' use of the Platform, including by deliberately abusing rate limits, sending malformed payloads, or storing excessive data designed to consume disproportionate resources;

(d) use the Platform to store or transmit content that is unlawful where you operate or where End Clients are located, including content that would constitute child sexual abuse material, terrorist content, or other categorically illegal material under applicable law;

(e) use the Platform to harass, defame, or threaten any individual, including End Client staff;

(f) misrepresent your identity, your firm's credentials, or your authorisation to test a system in any communication generated through the Platform (e.g. proposals, invoices, reports addressed to End Clients);

(g) sublicense, resell, white-label, rent, lease, or otherwise make the Platform available to any third party without our prior written consent;

(h) reverse-engineer, decompile, scrape, or systematically extract the Platform's source code, design, schemas, or RPC functions for any purpose other than operating the Platform under your Subscription, as further set out in our Terms of Service.

4. Findings, Vulnerability Information, and Disclosure

Customers routinely store unfixed vulnerability details on the Platform. The disclosure and onward sharing of those details is your responsibility:

(a) Confidentiality to the End Client. Findings, evidence, and reports relating to a particular End Client must not be disclosed to anyone outside your firm or that End Client without authorisation, in line with your engagement contract.

(b) No third-party harm. You must not export findings or vulnerability information from the Platform and use them to attack, exploit, or threaten any system you are not authorised to test, or to coerce or extort any party.

(c) Coordinated disclosure. Where you choose to publicly disclose a vulnerability that you discovered through an engagement managed on the Platform, you remain responsible for following the agreed disclosure timeline with the End Client and the affected vendor (where different), and for complying with any legal restrictions on the publication of exploit code or sensitive technical detail.

5. Data Handling and Sensitivity Classification

We recognise that penetration testing data is inherently sensitive. The Platform applies tenant isolation at the database layer, encryption in transit and at rest, per-tenant credentials encryption keys, and access controls. However:

(a) No absolute guarantee. No system is perfectly secure. You must form your own view of whether the Platform's security posture is appropriate for the sensitivity of the data you intend to store. We are honest in our security claims and do not overstate them.

(b) Customer classification duty. You are responsible for classifying the sensitivity of data before uploading it. If your End Client's data handling requirements (or your own contractual or regulatory obligations to that End Client) prohibit storage of certain categories of data on third-party cloud infrastructure, you must not upload that data to the shared Pental managed environment. The Enterprise plan with Bring Your Own Database is available so you can host all Customer Data in your own Supabase project under your own control.

(c) Data minimisation. Where the same outcome can be achieved by storing redacted, masked, or summarised data instead of full raw output, we encourage you to do so.

(d) Termination and deletion. On termination of your Subscription, your data will be retained and deleted in accordance with the Privacy Policy and our Terms of Service. If you require a certificate of destruction, contractual data-handling commitments at termination, or specific export formats, contact us in advance.

6. Sub-contracting and User Management

You may invite external testers (contractors) into your portal as Users. When you do so:

(a) you are responsible for ensuring the contractor is authorised to access the relevant assessment, including under any non-disclosure or independent-contractor agreement you have with them;

(b) you must scope contractor access only to what they need for their work (the Platform supports per-assessment lead/contributor assignment);

(c) you must remove contractor access promptly when their engagement ends;

(d) all activity performed by a contractor under your account is treated as your activity for the purposes of this AUP and the Terms of Service.

7. Reporting Issues and Responsible Disclosure

If you discover a security vulnerability in the Platform itself, we welcome responsible disclosure. Email hello@pental.io with details and reproduction steps. Please:

(a) give us a reasonable opportunity to investigate and remediate before any public disclosure (typically 90 days, extendable by agreement);

(b) limit your testing to your own tenant; do not attempt to access other customers' data or systems;

(c) avoid actions that could degrade the Platform's availability for other customers (denial-of-service, mass automated scanning, etc.).

If you become aware of another customer misusing the Platform in a way that violates this AUP, please report it to the same address.

8. Liability and Indemnification

Pental provides a management and reporting platform. We do not conduct, direct, supervise, or take any responsibility for your penetration testing activities, methodology, findings, or End Client relationships. You acknowledge that:

(a) Pental bears no liability for the accuracy, completeness, suitability, or legality of any data stored on the Platform.

(b) Pental bears no liability for any loss, damage, claim, or proceeding arising from your penetration testing activities, whether or not the results of those activities are stored on the Platform.

(c) Pental bears no liability for any unauthorised access to your data resulting from your failure to secure your account, configure appropriate access controls, follow Platform best practices, or apply available security features such as multi-factor authentication.

(d) Where you use the Bring Your Own Database option on the Enterprise plan, Pental does not control your Supabase project, does not hold administrative credentials for it, and cannot prevent or remediate incidents that originate within it. Any compromise of your Supabase project is your incident.

(e) You agree to indemnify and hold harmless Pental Limited, its directors, officers, employees, and agents from any claims, damages, losses, regulatory penalties, or expenses (including reasonable legal fees) arising from your use of the Platform, your testing activities, your breach of this AUP or the Terms of Service, or your violation of any third party's rights.

9. Enforcement

We may investigate suspected violations of this AUP. If we determine that a violation has occurred, we may, depending on severity: issue a warning; suspend specific User accounts; suspend the entire account; permanently terminate the Subscription; preserve relevant records as evidence; or report the matter to law enforcement, regulators, payment processors, or other affected parties. We will endeavour to give you prior notice and an opportunity to respond, but reserve the right to act immediately where necessary to protect the Platform, other customers, or third parties.

Termination for breach of this AUP is treated as termination for cause under the Terms of Service.

10. Changes to This Policy

We may update this AUP from time to time. Material changes will be notified to subscribed customers by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current revision. Your continued use of the Platform after the effective date constitutes acceptance of the updated AUP.

11. Contact

For questions about this AUP, to report a violation, or to disclose a vulnerability, contact us at hello@pental.io.

PENTAL · 167-169 Great Portland Street, 5th Floor, London, W1W 5PF · Company No. 17172077
© 2026 Pental Limited