This Authorization to Test ("Authorization") is a binding rules-of-engagement document between you (the "Customer") and smert.ai Limited (Hong Kong) ("smert.ai"). It supplements the Terms of Service and the Acceptable Use Policy. You must accept this Authorization before any audit, scan, or proof-of-concept ("Test") is executed against any asset you register.
1. Customer authority warranty
You represent and warrant that, for every asset you register or submit (each a "Target") — including source repositories, web endpoints, APIs, smart contracts, AI agents, hosts, identities, and supporting infrastructure — either (a) you are the legal owner or operator, or (b) you hold a current, written authorization from the legal owner or operator permitting the testing contemplated here. You will produce evidence of such authorization on request.
2. Grant of authorization
You authorize smert.ai, its personnel, infrastructure, and automated tooling to perform security testing of the Targets you register, including but not limited to:
- Reconnaissance, fingerprinting, and vulnerability discovery;
- Authenticated and unauthenticated probing within scope;
- Non-destructive exploitation and proof-of-concept generation;
- Static and dynamic analysis of submitted code and binaries;
- Prompt-injection, tool-abuse, and jailbreak testing of AI agents in scope;
- Traffic that may resemble, and be flagged as, an attack by monitoring tools.
smert.ai will not knowingly perform destructive actions (data destruction, denial of service, ransom, lateral movement outside scope) and will operate within the safety gates configured in the platform.
3. Scope lock
Only Targets you explicitly register through the platform (and accept on the allowlist) are in scope. Anything else is out of scope and will be blocked by the platform's DB-enforced safety gate. You must keep the allowlist accurate and remove Targets you no longer have authority to test.
4. Third-party hosting and providers
Where a Target is hosted by a third party (cloud provider, SaaS, CDN, exchange), you are responsible for: (a) complying with that provider's terms of service and any pen-testing notification or pre-authorization rules; (b) obtaining the provider's consent where required; and (c) any consequences of testing without that consent. smert.ai will not be a party to such consent.
5. Stop-test and incident contacts
You may halt any Test at any time from the operator console or by emailing support@smertai.com. We commit to acting on stop requests without undue delay. You will keep an up-to-date technical contact on file for incident escalation.
6. Data handling
- Test inputs, logs, intermediate artifacts, and proofs-of-concept are stored encrypted in tenant-isolated storage.
- By default we retain audit artifacts for the duration of the engagement plus 90 days, after which they are purged. You may request earlier deletion by emailing support@smertai.com.
- We will not publish findings about your Targets to third parties without your written consent, except as required by law.
7. Indemnity for unauthorized targets
You will defend, indemnify, and hold smert.ai harmless from and against any claim, liability, loss, or expense (including reasonable legal fees) arising from a Target you submitted for which you did not in fact have the authority required under Section 1, or from your failure to obtain consents required under Section 4.
8. Safe harbour
Provided you are acting within this Authorization and the AUP, smert.ai will not pursue legal action against your good-faith use of the Service to test Targets you are authorized to test.
9. Record of consent
When you accept this Authorization (via checkbox, click-through, or signed engagement), we record the timestamp, the accepting user's account, IP address, and user-agent, and the list of Targets covered. That record is admissible as evidence of your acceptance.
10. Survival
Sections 1, 4, 6, 7, 9, and 10 survive termination of the engagement or these Terms.
