Master Services Agreement
1. Acceptance & Parties
These Terms & Conditions ("Terms") govern all services provided by Infilux AppSec ("Infilux", "we", "us") to any individual or entity ("Client") accessing www.infilux.in, guardeon.io, or contracting any of our cybersecurity services. By submitting a Statement of Work (SOW), creating a GuardEon account, or instructing us to commence work, the Client agrees to be bound by these Terms, the signed Master Services Agreement (MSA), applicable SOW, and our Data Processing Addendum (DPA). Where any provision conflicts, the order of precedence is: (1) signed MSA, (2) SOW, (3) DPA, (4) these Terms.
2. Scope of Services
Infilux AppSec provides: (a) Vulnerability Assessment & Penetration Testing (VAPT) for web applications, mobile applications, APIs, thick clients, networks, cloud, and source code; (b) Red Team adversary simulation aligned to MITRE ATT&CK; (c) 24/7 Managed SOC including SIEM tuning, threat hunting, and incident response; (d) GRC compliance automation across ISO 27001, SOC 2, PCI-DSS, HIPAA, GDPR, DPDP, RBI CSF, DORA, NIST CSF 2.0, and ITGC; (e) the GuardEon External Attack Surface Management (EASM) SaaS platform; (f) Dark Web Monitoring; (g) Phishing simulation and security-awareness training; (h) Virtual CISO (vCISO) advisory. Each engagement is defined in its individual SOW.
3. Client Authorisation & Warranties
The Client expressly represents, warrants, and authorises Infilux to perform security testing on the in-scope assets defined in the SOW. The Client confirms it owns, or has obtained all necessary authorisations from the legal owner of, every asset in scope — including any third-party cloud tenancies, hosted applications, shared-infrastructure components, and managed-service provider environments. The Client indemnifies Infilux against all claims arising from any assertion that Infilux lacked authorisation to test an in-scope asset.
4. Rules of Engagement
Unless expressly authorised in writing within the SOW, Infilux will not: (a) perform Denial-of-Service (DoS) or resource-exhaustion attacks; (b) modify, exfiltrate, or destroy production data; (c) conduct physical intrusion of Client premises; (d) social-engineer employees without opt-in authorisation from the Client's designated executive sponsor; (e) engage third parties, suppliers, or customers of the Client. All testing is conducted within the agreed testing window and against the IP ranges / domains / applications listed in the SOW. Any out-of-scope discovery is immediately reported and stopped until the SOW is amended.
5. Emergency Stop
Both parties designate named Technical Points of Contact (TPOCs) available 24/7 during active engagements. The Client may invoke an "Emergency Stop" at any time by contacting the Infilux TPOC; Infilux will cease all active testing within 30 minutes, preserve evidence, and resume only on written re-authorisation. Infilux will independently invoke an Emergency Stop if it detects genuine adverse impact on production systems, unintentional out-of-scope access, or risk to life-safety critical infrastructure.
6. Confidentiality & Non-Disclosure
Both parties agree that all information exchanged during an engagement is Confidential Information. This includes but is not limited to: network architecture, source code, vulnerability findings, exploit chains, business strategy, personnel details, and any data stored on in-scope systems. Each party will protect the other's Confidential Information with at least the same standard of care used for its own (never less than reasonable care), for a period of five (5) years from disclosure, or indefinitely for trade secrets. The mutual NDA embedded in each SOW supersedes this clause where more protective.
7. Responsible Disclosure & Zero-Day Handling
If, during an engagement, Infilux discovers a previously unknown vulnerability (a "zero-day") in third-party software used by the Client, Infilux will: (a) immediately notify the Client under confidentiality; (b) coordinate with the Client on responsible disclosure to the affected vendor and, where applicable, CERT-In / CISA / MITRE CVE Numbering Authorities; (c) publicly disclose only with the Client's consent and after a mutually agreed embargo period (typically 90 days). Infilux never sells vulnerabilities to offensive-security brokers or undisclosed buyers.
8. Deliverables & Intellectual Property
Upon full payment for a completed engagement, the Client receives full ownership of the engagement-specific deliverables — executive report, technical findings, CVSS scoring, proof-of-concept evidence, and remediation recommendations. Infilux retains all rights to its pre-existing methodology, proprietary testing scripts, internal tooling, GuardEon platform IP, training materials, and threat intelligence. Infilux may use de-identified, aggregated engagement metrics (e.g., "X% of web apps tested had Broken Access Control findings") for benchmarking, marketing, and threat research, but never Client-identifying data without written consent.
9. Point-in-Time Assessment Limitations
Security assessments are a point-in-time evaluation. A clean report does not constitute a warranty that the in-scope systems are free of vulnerabilities, nor that they will remain secure against future threats, zero-days, or configuration changes. Infilux disclaims any express or implied warranty of fitness for a particular purpose, merchantability, or non-infringement beyond the specific findings documented in the deliverable. Residual risk and ongoing security are the Client's responsibility.
10. GuardEon Platform Acceptable Use
Use of the GuardEon EASM platform (https://guardeon.io) is subject to these Terms plus any GuardEon-specific Subscription Agreement. The Client may monitor only domains and IP ranges they own or have written authorisation to monitor. The Client will not use GuardEon to scan, probe, or monitor third parties, competitors, or any assets outside its authorised attack surface. Infilux reserves the right to suspend or terminate GuardEon accounts engaged in unauthorised monitoring, unlawful activity, or abuse of rate limits.
11. Fees, Invoicing & Payment
Fees are as specified in the SOW or GuardEon Subscription. Unless otherwise agreed: invoices are due Net 30 days from issue; late payment incurs interest at 1.5% per month or the maximum permitted by law, whichever is lower; all amounts are exclusive of taxes (GST, VAT, withholding) which are the Client's responsibility; Infilux may suspend ongoing SOC services or withhold draft deliverables for invoices overdue by more than 45 days after written notice. All fees are non-refundable once work has commenced, except where Infilux materially breaches the SOW.
12. Limitation of Liability
EXCEPT FOR LIABILITIES ARISING FROM: (A) BREACH OF CONFIDENTIALITY, (B) INDEMNIFICATION OBLIGATIONS, (C) INFILUX'S GROSS NEGLIGENCE OR WILFUL MISCONDUCT, (D) INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR (E) DAMAGES THAT CANNOT BE EXCLUDED UNDER APPLICABLE LAW — EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER ANY ENGAGEMENT SHALL NOT EXCEED THE FEES PAID BY THE CLIENT TO INFILUX UNDER THE RELEVANT SOW IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES, OR LOSS OF PROFITS, REVENUE, OR DATA.
13. Indemnification
Each party will defend, indemnify, and hold harmless the other from and against any third-party claims, damages, losses, and reasonable legal fees arising from: (a) the indemnifying party's breach of confidentiality obligations; (b) the Client's failure to obtain proper authorisation over in-scope assets under Clause 3; (c) Infilux's gross negligence or wilful misconduct; (d) infringement of third-party intellectual property in deliverables produced by Infilux (limited to Infilux's indemnification). Each party must promptly notify the other of any claim, cooperate in the defence, and not settle without consent.
14. Insurance
Infilux AppSec maintains Professional Indemnity / Errors & Omissions insurance and Cyber Liability insurance with coverage appropriate to the nature of enterprise cybersecurity services, with minimum aggregate limits of USD 1,000,000 (or INR equivalent), available on request to enterprise clients during procurement review.
15. Data Handling
All processing of personal data or Client Confidential Information is governed by our Privacy Policy (https://infilux.in/privacy-policy) and the Data Processing Addendum (DPA) executed with each enterprise client. The DPA incorporates EU Standard Contractual Clauses (SCCs), UK IDTA where required, and DPDP Act (India) data-handling schedules. Infilux acts as Data Processor when handling Client personal data; the Client remains the Data Controller.
16. Term, Suspension & Termination
MSAs continue until terminated. Either party may terminate an individual SOW with thirty (30) days' written notice if the other party materially breaches the SOW and fails to cure within fifteen (15) days of written notice. Infilux may suspend or terminate immediately if: (a) the Client fails to pay undisputed invoices after 45 days of notice; (b) Infilux reasonably believes continuing would violate law, sanctions, or ethical codes (e.g., OSCP Code of Ethics, CREST standards); (c) the Client uses services to conduct unlawful activity. On termination, each party promptly returns or certifies destruction of the other's Confidential Information, subject to legal-hold and audit-retention exceptions.
17. Force Majeure
Neither party is liable for delay or failure to perform caused by events beyond its reasonable control, including natural disasters, war, civil unrest, cyber-attacks against the non-breaching party's infrastructure (unless caused by that party's negligence), pandemic, government action, sanctions, or material internet/cloud-provider outages. The affected party must promptly notify the other and use commercially reasonable efforts to resume performance.
18. Sanctions & Export Control
Infilux AppSec does not engage clients located in, or provide services to parties sanctioned under, OFAC SDN, UN Security Council Consolidated List, EU Sanctions Map, UK HM Treasury, or India's MEA restricted lists. The Client warrants it is not a sanctioned person/entity, is not majority-owned by a sanctioned person, and will not use our services to evade sanctions or export-control regulations (including EAR, ITAR, and Wassenaar Arrangement dual-use technology controls).
19. Professional Conduct
Infilux AppSec personnel holding professional certifications (OSCP, CEH, CISSP, CISA, ISO 27001 Lead Auditor, etc.) operate in accordance with the codes of ethics and professional conduct of their respective certifying bodies — including (ISC)², ISACA, Offensive Security, EC-Council, and the ISO/IEC auditor scheme. Client reports of ethical concerns may be submitted to ethics@infilux.in for independent review.
20. Assignment
Neither party may assign or transfer its rights or obligations under these Terms without the prior written consent of the other, such consent not to be unreasonably withheld. Notwithstanding the above, either party may assign to a successor in interest via merger, acquisition, or sale of substantially all assets, provided the successor assumes all obligations and is not a competitor of the non-assigning party.
21. Governing Law & Jurisdiction
These Terms are governed by and construed in accordance with the laws of India, specifically the State of Gujarat. Subject to the Dispute Resolution clause below, the courts of Ahmedabad, Gujarat, India have exclusive jurisdiction. Enterprise clients outside India may negotiate alternative governing law (e.g., England & Wales, Singapore, or Delaware) within their MSA; such elections override this clause only to the extent expressly set out in the signed MSA.
22. Dispute Resolution & Arbitration
The parties shall first attempt to resolve any dispute through good-faith negotiation between designated executives for thirty (30) days. Disputes unresolved through negotiation shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996 (India) before a sole arbitrator appointed by mutual agreement, seated in Ahmedabad, Gujarat, India, conducted in English. The arbitrator's award is final and enforceable by any court of competent jurisdiction. Either party may seek interim injunctive relief in any court to protect Confidential Information or IP.
23. Changes to These Terms
Infilux AppSec may update these Terms to reflect new services, regulatory changes, or product evolution (including GuardEon feature releases). Material changes affecting signed MSAs or active SOWs will be communicated in writing to the Client's designated contacts at least thirty (30) days before taking effect. Minor clarifications, typographical corrections, and routine updates may be made without advance notice. The "Last Updated" date at the bottom of this page reflects the most recent revision.
24. Contact
Infilux AppSec · 301, Skywalk The Element, Gota, Ahmedabad, Gujarat 382481, India. General: sales@infilux.in · +91-9106266245. Legal & contracts: legal@infilux.in. Data protection: dpo@infilux.in. Security disclosure: security@infilux.in (PGP: /.well-known/security.txt). Ethics reports: ethics@infilux.in.
Legal & Contracts (MSA, SOW, DPA, amendments, vendor onboarding): legal@infilux.in
Last Updated: April 15, 2026