Last updated: 5 May 2026
These Terms of Service ("Terms") constitute a legally binding agreement between you ("Customer", "you", "your") and Pental Limited, a company registered in England and Wales (company number 17172077) with its registered office at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF ("Pental", "we", "us", "our"). By accessing, subscribing to, or using the Pental platform in any capacity, you agree to be bound by these Terms in full. If you do not agree, you must immediately cease all use of the Platform and you are not permitted to subscribe.
Pental is a business management platform sold to penetration testing firms and consultancies. These Terms reflect that context — including your responsibilities for the testing engagements whose data you store on the Platform, the credentials you collect, and the End Clients you grant portal access to.
"Platform" means the Pental software-as-a-service application in its entirety, including all web portals, client-facing interfaces, admin dashboards, setup wizards, APIs, serverless functions, database schemas, SQL migrations, RPC functions, storage configurations, authentication flows, frontend source code (whether visible in browser developer tools or otherwise), backend logic, documentation, and all updates, modifications, and derivative versions provided by us.
"Customer", "you", or "your" means the individual or legal entity subscribing to and using the Platform. Where the Customer is a penetration testing firm or consultancy (the typical case), references to "you" include all employees, officers, agents, and contractors acting on the Customer's behalf.
"Users" means all individuals who access the Platform under the Customer's account, including the Customer's administrators, staff, contractors, and any End Clients to whom the Customer grants portal access.
"End Client" means a client of the Customer (e.g. an organisation that has hired the Customer to perform penetration testing) to whom the Customer grants access to a client-facing portal hosted on the Platform.
"Customer Data" means all data, content, and information uploaded, entered, or generated by you or your Users through the Platform, including assessment records, findings, exploit evidence, proposals, invoices, reports, client records, credentials submitted via the Vault, and any other data you choose to store. Customer Data does not include the Platform itself, its source code, its database schemas, its RPC functions, or any other component of the Platform's technology.
"Subscription" means the paid or trial access plan selected by the Customer (Starter, Professional, or Enterprise), the term of that plan, and any associated order form or quote.
"Intellectual Property" means all patents, copyrights, moral rights, design rights (registered and unregistered), trade marks, service marks, database rights, rights in trade secrets, rights in confidential information, know-how, source code, object code, algorithms, architectures, database schemas, data structures, UI/UX designs, visual designs, page layouts, workflows, feature combinations, and all other intellectual property rights of any kind, in each case whether registered or unregistered and including all applications and rights to apply for any of the foregoing, anywhere in the world.
"Provided Materials" means any database schemas, SQL scripts, RPC functions, setup guides, configuration files, or other technical materials provided to you as part of the Platform, including but not limited to materials provided during Enterprise plan setup.
"AUP" means our Acceptable Use Policy, as updated from time to time and available at pental.io/acceptable-use.
"DPA" means our Data Processing Addendum, which forms part of these Terms and governs our processing of personal data within Customer Data on your behalf.
Subject to your compliance with these Terms and payment of all applicable fees, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Platform solely for your own internal business operations during the term of your Subscription. This licence permits use of the Platform exclusively through our provided web interface and documented APIs. No other rights are granted.
Absolute prohibitions. You must not, and must not permit, enable, encourage, instruct, or assist any third party (including employees, contractors, consultants, affiliated companies, or AI/automated tools) to:
(a) copy, reproduce, clone, replicate, modify, adapt, translate, port, decompile, reverse-engineer, disassemble, or create derivative works of the Platform or any part thereof, including source code, object code, algorithms, data structures, database schemas, SQL functions, RPC functions, API structures, user interface designs, visual designs, component structures, page layouts, navigation patterns, workflow sequences, feature logic, or architecture;
(b) build, develop, commission, fund, design, prototype, specify, or participate in the creation of any software product, service, application, or platform that replicates, imitates, clones, is derived from, or is substantially similar to the Platform or any of its features, functions, design, workflow, or user experience, whether in whole or in part, and regardless of the programming language, framework, or technology used;
(c) use the Platform, any access to the Platform, any Provided Materials, any screenshots or recordings of the Platform, or any knowledge, insight, or understanding of the Platform's design, features, architecture, or operation (however obtained, and whether during or after your Subscription) to directly or indirectly create, assist in creating, contribute to, advise on, consult on, or inform the development of any competing or similar product, service, or offering;
(d) use any Provided Materials (including database schemas, SQL scripts, RPC functions, or setup guides) for any purpose other than operating your own instance of the Platform under an active Subscription. The Provided Materials are licensed, not sold or assigned, and remain our exclusive property;
(e) sublicense, resell, rent, lease, lend, distribute, white-label, or otherwise make the Platform, any Provided Materials, or any component thereof available to any third party outside your organisation without our prior written consent (granting your End Clients access to a client-facing portal under your Subscription is permitted and is the intended use);
(f) scrape, crawl, data-mine, screen-capture for reproduction purposes, or systematically extract content, designs, schemas, code, or functionality from the Platform;
(g) remove, obscure, or alter any proprietary notices, attributions, labels, marks, or branding on or within the Platform;
(h) attempt to gain unauthorised access to any part of the Platform, its infrastructure, source code repositories, databases, or other customers' tenants;
(i) probe, scan, fuzz, brute-force, or otherwise security-test the Platform without our prior written authorisation (security research subject to our published responsible disclosure terms is permitted; see the AUP);
(j) benchmark, performance-test, or analyse the Platform for competitive intelligence or to assist any competitor without our prior written consent;
(k) use the Platform itself as an attack tool, scanner, exploitation framework, command-and-control infrastructure, or proxy for traffic directed at target systems (further detail is set out in the AUP).
The restrictions in (a), (b), (c), (d), and (g) are perpetual. They apply during and after termination or expiry of your Subscription. Your acceptance of these restrictions is a material condition of this agreement.
The Platform in its entirety, all Provided Materials, and all Intellectual Property embodied therein are and shall remain the sole and exclusive property of Pental Limited. This includes the Platform's source code, compiled code, database schemas, SQL functions and procedures, API design, frontend and backend architecture, user interface designs, visual designs, page layouts, component structures, feature combinations, workflow logic, and all documentation.
Nothing in these Terms transfers, assigns, conveys, or grants any Intellectual Property rights to you. No implied licences are granted. Your use of the Platform does not create any ownership interest in or to the Platform, its technology, its design, or any derivative thereof.
You acknowledge and agree that: (a) the Platform represents substantial proprietary investment, original creative work, and confidential know-how; (b) the Platform's specific combination of features, design patterns, workflow sequences, database architecture, and user experience constitutes original work protected by the Copyright, Designs and Patents Act 1988 and other applicable intellectual property legislation; (c) the Provided Materials, including database schemas and RPC functions, are proprietary trade secrets provided to you under strict licence for use solely with the Platform; (d) any unauthorised reproduction, imitation, cloning, or derivation of the Platform or Provided Materials constitutes both copyright infringement and misappropriation of trade secrets under English law; and (e) such infringement would cause immediate, irreparable, and unquantifiable harm to Pental Limited.
These Intellectual Property provisions are perpetual and are not limited by the term of your Subscription or any limitation period.
Customers on the Enterprise plan may elect to use the Bring Your Own Database option, under which Customer Data is stored exclusively in a Supabase project owned, billed, and operated by the Customer. Pental provides Provided Materials (database schema, RPC functions, setup guides) under strict licence to enable this configuration. The following additional terms apply:
(a) The Provided Materials are licensed exclusively for use with and in connection with the Platform under an active Enterprise Subscription. You may not use them for any other purpose.
(b) Upon termination of your Subscription, you must permanently delete all Provided Materials (including database schemas, RPC functions, and any copies thereof) from your systems within 14 days. You may export your Customer Data before deletion.
(c) The Provided Materials may not be used, in whole or in part, as a foundation, template, reference, or starting point for any other software product, service, or database design.
(d) You must not share, publish, open-source, or make the Provided Materials available to any person outside your organisation, nor to any person within your organisation who does not require access to operate the Platform.
(e) You acknowledge that the frontend portal code, while visible through standard browser developer tools, is protected by copyright and these Terms. Viewing the code in the course of normal Platform use is permitted; copying, extracting, or using it for any purpose other than operating the Platform is strictly prohibited.
Customer Data on Bring Your Own Database. Your Customer Data stored in your own Supabase project belongs entirely to you. You own and control all of your Customer Data, including the right to access, export, modify, migrate, or delete it at any time without our involvement or permission. The Provided Materials used to structure, query, and manage that data belong to Pental Limited; the data itself does not. On termination of your Subscription, your Customer Data remains in your own Supabase project under your continued ownership and control, and is not affected by your loss of access to the Platform.
Customer responsibility for the Bring Your Own Database environment. Where you elect Bring Your Own Database, you are solely responsible for: (i) the security configuration of the Supabase project, including access controls, multi-factor authentication on accounts with administrative access, network restrictions, and key rotation; (ii) the integrity, confidentiality, and availability of credentials such as Supabase project access tokens, service role keys, and management tokens; (iii) backup, retention, and recovery of data within that project; (iv) compliance with all applicable data protection, regulatory, and contractual obligations relating to data stored in the project; (v) timely application of any security patches or schema updates we provide; and (vi) all consequences of any compromise, misconfiguration, accidental deletion, or unauthorised access affecting your project. We do not control your Supabase project, do not hold administrative credentials for it, and cannot prevent or remediate incidents that originate from within it. Any compromise of your Supabase project is your incident and outside our responsibility.
You retain all rights in your Customer Data. You grant us a limited licence to host, store, process, transmit, and display your Customer Data solely as necessary to provide the Platform services to you and your Users.
We will not access, use, sell, or disclose your Customer Data except as necessary to: (a) provide and maintain the Platform; (b) comply with applicable law or valid legal process; (c) enforce these Terms or the AUP; or (d) protect the rights, safety, or property of Pental, our customers, or the public.
On Starter and Professional plans, Customer Data is stored on our managed infrastructure with tenant isolation enforced at the database level through row-level security policies and per-tenant scoping on all server-side functions. On the Enterprise plan with Bring Your Own Database, Customer Data is stored exclusively on your own infrastructure as set out in Section 4.
You are solely responsible for: the accuracy, legality, and appropriateness of all Customer Data; maintaining appropriate backups (in addition to any provided by us); ensuring you have all necessary rights, authorisations, and consents to store and process the data — including testing authorisation from End Clients (Statements of Work, Rules of Engagement, letters of authorisation, etc.) where Customer Data relates to penetration testing engagements; and complying with all applicable laws in respect of your Customer Data (data protection, computer misuse, sector-specific regulation, export controls, and industry schemes such as PCI DSS, ISO 27001, HIPAA, SOC 2, NIS2, DORA, CREST, CHECK).
We process personal data in accordance with the UK General Data Protection Regulation, the EU General Data Protection Regulation, the Data Protection Act 2018, and equivalent applicable frameworks elsewhere.
Where Customer Data contains personal data and we process it on your behalf, we act as your data processor (and on Enterprise BYO, generally as a more limited processor or sub-processor). The detailed obligations of that processor relationship — controller/processor responsibilities, security measures, sub-processor authorisation, audit rights, sub-processor change notification, international transfer mechanisms, data subject rights assistance, and breach notification — are set out in our Data Processing Addendum (DPA), which forms part of these Terms by reference. The DPA is available at pental.io/dpa or on request to hello@pental.io.
The current list of sub-processors and their roles is published in our Privacy Policy. We will give you reasonable advance notice (at least 14 days, where practicable) of any material change to the sub-processor list. You may object to a new sub-processor on reasonable data protection grounds, and where we cannot accommodate your objection you may terminate the affected portion of your Subscription as your sole remedy.
We will notify you without undue delay upon becoming aware of any personal data breach affecting your Customer Data and will cooperate with you in meeting your notification obligations.
Subscriptions are billed in advance on a monthly or annual basis as selected at checkout, or as set out in an order form or quote. All prices are in British Pounds Sterling (GBP) unless otherwise agreed and are exclusive of VAT or other applicable taxes, which will be added at the prevailing rate where relevant.
Payment is processed securely through Stripe. By subscribing, you authorise us to charge your designated payment method on a recurring basis at the start of each billing cycle. You are responsible for maintaining valid, up-to-date payment information.
Failed payments may result in suspension of access. If a payment failure is not remedied within 14 days of written notice, we may terminate the Subscription.
We reserve the right to modify pricing on at least 30 days' written notice. Price changes take effect at the start of the billing cycle following the expiry of the notice period. If you do not agree to a price change, you may cancel before it takes effect; cancellation will be effective at the end of the current paid billing period.
Starter plans include a 7-day free trial. No credit card is required to start the trial and you will not be charged unless and until a payment method is added. If no payment method is on file when the trial ends, your Subscription will be paused automatically and access to the Platform will be suspended. Your Customer Data is retained for 90 days following pause, during which you may add a payment method to resume access; after 90 days, Customer Data is permanently deleted in accordance with Section 8.
Plan changes (upgrades and downgrades) take effect immediately or at the start of the next billing cycle, depending on the change. We will calculate proration on a pro-rata basis where applicable. Where a downgrade requires data migration (e.g. Enterprise BYO to Professional), the migration is conducted in accordance with the timelines and procedures we publish.
You may cancel your Subscription at any time through your account management page or by contacting us. Cancellation takes effect at the end of the current paid billing period. No refunds are provided for unused portions of a billing period except where required by applicable consumer law.
Upon cancellation or termination by either party:
(a) your access to the Platform continues until the end of the current paid period;
(b) for the 30 days following the end of access, your Customer Data is retained in a read-only state to allow you to export it. We make available reasonable export tooling. After 30 days the data enters a deletion window;
(c) within 90 days of the end of access, all Customer Data on managed infrastructure (Starter and Professional plans) is permanently deleted. We do not retain backups beyond the periods set out in our Privacy Policy;
(d) Enterprise BYO customers retain all Customer Data in their own Supabase project and must delete the Provided Materials within 14 days of termination as set out in Section 4;
(e) all licence rights granted under these Terms cease immediately on termination, save for those provisions that survive termination as set out in Section 19.
We may terminate your Subscription and access immediately if: (a) you breach any provision of these Terms or the AUP, including any of the restrictions in Section 2; (b) payment fails and is not remedied within 14 days of written notice; (c) you become insolvent, enter administration, or a winding-up petition is presented against you; (d) we reasonably believe your use of the Platform poses a security risk to the Platform, other customers, or third parties; (e) we are required to do so by law or court order; or (f) we reasonably suspect any attempt to copy, clone, or derive a competing product from the Platform.
We will use commercially reasonable efforts to maintain Platform availability of at least 99.5% per calendar month, measured against authenticated requests to the Platform's primary endpoints.
The availability target excludes downtime caused by: (a) scheduled maintenance, for which we will provide reasonable advance notice; (b) emergency maintenance necessary to protect the security or integrity of the Platform; (c) circumstances beyond our reasonable control, including third-party hosting outages (Supabase, Vercel), internet failures, denial-of-service attacks, and force majeure events as set out in Section 17; and (d) issues caused by your equipment, network, or actions, or those of your Users.
Unless expressly set out in an order form or separately negotiated written agreement, no service credits or other financial remedy are payable for failure to meet the availability target. Your sole remedy for sustained unavailability is to cancel your Subscription as set out in Section 8.
For Enterprise plan customers using Bring Your Own Database, the availability target applies to the Pental application layer only. Availability of your own Supabase project is the sole responsibility of you and Supabase.
We provide support to all paid customers by email at hello@pental.io. Reasonable response targets:
Starter and Professional — best-efforts response within 2 business days for non-urgent issues. Critical issues (Platform unavailability, security incidents, payment failures): same-business-day response where reported during UK business hours.
Enterprise — same-business-day response for all issues during UK business hours; faster response targets and additional channels may be agreed in an order form.
Free trial accounts and unpaid accounts receive best-efforts community-style support without commitments.
Support covers issues with the Platform itself. It does not cover: (a) advice on penetration testing methodology, findings classification, or report writing; (b) third-party tools you use alongside the Platform; (c) configuration of your own Supabase project on Enterprise BYO beyond initial setup guidance; (d) custom development or feature requests outside the published roadmap.
The Platform is provided on an "as is" and "as available" basis. To the maximum extent permitted by law, we disclaim all warranties, whether express, implied, or statutory, including any implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not warrant that the Platform will be uninterrupted, error-free, completely secure, or free of vulnerabilities.
Architectural isolation for Enterprise Bring Your Own Database customers. The Platform is designed such that a compromise of our shared backend database, or of environment variables held within our application hosting environment, in isolation, does not on its own provide an attacker with the ability to read or modify Customer Data stored in an Enterprise customer's own Supabase project. Access to Customer Data in a Bring Your Own Database environment requires an authenticated end-user session that is established directly against the customer's own Supabase project and that we do not hold or control. This statement describes the architectural design only and is not a warranty. It is qualified by Section 9 (Service Levels) and Section 12 (Limitation of Liability), and does not extend to compromises of the customer's own Supabase project (which are outside our control as set out in Section 4) or to compromise scenarios involving multiple, simultaneous, or chained failures across the Platform's components.
To the maximum extent permitted by applicable law, our total aggregate liability to you arising out of or in connection with these Terms and your use of the Platform — whether in contract, tort (including negligence), breach of statutory duty, misrepresentation, or otherwise — shall not exceed the total fees actually paid by you to us in the twelve (12) months immediately preceding the event giving rise to the claim.
We shall not be liable for any: (a) indirect, incidental, special, consequential, or punitive damages; (b) loss of profits, revenue, business, contracts, or anticipated savings; (c) loss of data or corruption of data (except where caused by our wilful default); (d) loss of goodwill or reputation; (e) cost of procuring substitute services; or (f) liability arising from or relating to your penetration testing activities, your relationships with End Clients, the accuracy or completeness of your findings, your reports, or any third-party claim brought against you by an End Client or other third party — in each case even if we have been advised of the possibility of such damages.
Nothing in these Terms excludes or limits our liability for: death or personal injury caused by our negligence; fraud or fraudulent misrepresentation; or any other liability that cannot be lawfully excluded or limited under the laws of England and Wales.
You agree to indemnify, defend, and hold harmless Pental Limited, its directors, officers, employees, agents, and successors from and against any and all claims, demands, actions, liabilities, damages, losses, costs, and expenses (including reasonable solicitors' fees and court costs) arising out of or relating to: (a) your use of or access to the Platform; (b) any breach by you of these Terms or the AUP, including the restrictions in Section 2; (c) your violation of any applicable law or regulation; (d) your Customer Data or any content you make available through the Platform; (e) any claim by an End Client or other third party arising from your penetration testing activities, your engagement with that party, or your handling of data relating to that party; or (f) any claim arising from your unauthorised access to a system you tested without proper authorisation.
Where you breach Section 2 or Section 14 of these Terms, you additionally agree to indemnify us for: all costs of investigation and enforcement; all lost revenue attributable to any competing product created in breach of these Terms; and all damages to our business reputation and goodwill.
You acknowledge that the Platform, all Provided Materials, and all information regarding the Platform's internal operation, architecture, design, algorithms, database schemas, feature roadmap, pricing strategy, and business operations constitute the confidential information and trade secrets of Pental Limited ("Confidential Information").
You agree to: (a) hold all Confidential Information in strict confidence using at least the same degree of care you use to protect your own most sensitive confidential information, and in no event less than reasonable care; (b) not disclose, publish, or make available any Confidential Information to any third party without our prior written consent; (c) use Confidential Information solely for the purpose of operating the Platform under your Subscription; (d) restrict access to Confidential Information to those of your employees and contractors who need access to operate the Platform and who are bound by confidentiality obligations no less restrictive than these; and (e) promptly notify us of any unauthorised disclosure or use of Confidential Information.
These confidentiality obligations are perpetual and survive the termination of your Subscription indefinitely. They do not apply to information that: (i) was publicly available at the time of disclosure through no fault of yours; (ii) you can demonstrate was in your lawful possession before receiving it from us; or (iii) you are compelled to disclose by a court of competent jurisdiction, provided you give us prompt notice and cooperate in seeking protective measures.
Pental is correspondingly bound to keep Customer Data and any Customer-confidential information disclosed to us in confidence, on substantially the same terms.
From time to time we may make beta, preview, or experimental features available. Such features are clearly labelled. They are provided "as is" without any warranty, may change or be removed at any time, and may not be subject to the same support, availability, or security review as the general Platform. Your use of beta features is voluntary and at your own risk.
Neither party will use the other's name, logo, or trade marks in any public statement, marketing material, or press release without prior written consent, except that we may include your name and logo in a customer list on our website unless you opt out by emailing hello@pental.io.
Neither party will be liable for delay or failure to perform any obligation under these Terms (other than payment of fees) where the delay or failure is caused by an event beyond that party's reasonable control, including acts of God, fire, flood, earthquake, war, terrorism, civil disturbance, pandemic, government action, internet or hosting provider outage, or large-scale denial-of-service attack. The affected party will give prompt notice and take reasonable steps to mitigate the impact.
We may update these Terms from time to time. Material changes will be notified to subscribed customers by email at least 30 days before they take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated Terms. If you do not agree to the changes, you must cancel your Subscription before the effective date; cancellation in those circumstances will be effective from that date with proration of any prepaid fees in respect of the period after the change takes effect.
The following sections survive termination or expiry of your Subscription: 1 (Definitions), 2(a)-(d) and (g) (perpetual licence restrictions), 3 (IP Ownership), 4(a)-(e) (Enterprise Provided Materials post-termination), 5 (final paragraph — your obligations regarding accuracy and lawfulness of Customer Data already submitted), 11 (Disclaimer), 12 (Limitation of Liability), 13 (Indemnification), 14 (Confidentiality), 19 (Survival), 20 (Governing Law), 21 (Equitable Relief), 22 (Severability), and 23 (Entire Agreement).
These Terms are governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with these Terms. This choice of jurisdiction does not limit our right to seek injunctive or equitable relief in any court of competent jurisdiction worldwide.
You acknowledge that a breach of Sections 2, 3, 4, or 14 would cause immediate, irreparable, and unquantifiable harm to Pental Limited for which monetary damages would be wholly inadequate. In addition to all other remedies available at law or in equity, Pental Limited shall be entitled to seek and obtain: (a) interim and final injunctive relief; (b) specific performance; (c) an order for delivery up or destruction of infringing materials; and (d) any other equitable relief, from any court of competent jurisdiction, without the requirement of posting a bond, providing an undertaking as to damages, or proving actual monetary loss. The right to equitable relief is cumulative and does not limit our right to pursue damages or any other remedy.
If any provision of these Terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent to the maximum extent permissible under law. The invalidity of any provision shall not affect the validity or enforceability of the remaining provisions, which shall continue in full force and effect.
These Terms, together with the AUP, the Privacy Policy, the DPA, and any applicable order form or quote, constitute the entire agreement between you and Pental Limited with respect to the Platform. They supersede all prior and contemporaneous agreements, proposals, understandings, representations, and warranties, whether written or oral. Where there is a conflict between these Terms and a signed order form or master services agreement specifically referencing these Terms, the order form or master services agreement prevails for that customer to the extent of the conflict.
No failure or delay by Pental Limited in exercising any right under these Terms shall operate as a waiver of that right. A waiver of any right on one occasion does not constitute a waiver of that right on any subsequent occasion.
Notices to Pental should be sent to hello@pental.io. Notices to the Customer will be sent to the email address registered against the Customer's account.