Terms of Service

These Terms of Service ("Terms") govern your use of the services provided by CalCyber Security ("CalCyber," "we," "us," or "our"), including managed security services, cybersecurity consulting, penetration testing and vulnerability assessments, compliance services, incident response, The Phishery threat intelligence platform, free attack surface scans, and any related products, deliverables, websites, or support (collectively, the "Services"). By using our Services, you ("you" or "Customer") agree to these Terms. If you do not agree, do not use our Services.

Where you have entered into a separate written agreement, statement of work (SOW), service order, or rules of engagement (ROE) with CalCyber, that document controls in the event of a conflict with these Terms.

1. Services Provided

CalCyber provides cybersecurity consulting, managed security (MSSP) services, OT/ICS security services, security architecture, penetration testing and vulnerability assessment, compliance and regulatory services (including HIPAA and CMMC support), digital forensics and incident response, and the threat intelligence platform known as The Phishery. The specific scope, deliverables, timeline, and pricing of any engagement will be set out in the applicable proposal, SOW, service order, or rules of engagement.

2. Eligibility

You must be at least 18 years old and legally able to enter into a binding contract. If you are using the Services on behalf of an organization, you represent that you have authority to bind that organization to these Terms.

3. Account and Security

• You are responsible for providing accurate account and contact information and keeping it current.
• You are responsible for safeguarding credentials, API keys, and tokens issued to you, and for all activity conducted under your account.
• You must notify us promptly of any unauthorized access, suspected compromise, or security incident involving your account or systems we manage.

4. Payment Terms

• Fees are due as specified in your SOW, proposal, service order, or invoice.
• Unless otherwise stated in writing, invoices are due Net 15 from the invoice date.
• We may suspend or terminate Services for unpaid balances after reasonable notice.
• All fees are non-refundable unless otherwise stated in writing.
• Applicable taxes and processing fees will be added where required.
• Emergency, after-hours, or out-of-scope work may incur additional charges, communicated in advance where practical or as outlined in your agreement.

5. Service Availability and SLA

We work to deliver reliable, high-quality Services, but we do not guarantee uninterrupted or error-free operation. Scheduled maintenance, upstream vendor outages, and unforeseen events may occur. Any specific uptime, response-time, or remediation-time commitments apply only if expressly set out in a signed Service Level Agreement (SLA) or MSSP agreement.

6. Authorized Testing and Rules of Engagement

For penetration testing, red-team, vulnerability scanning, social-engineering, phishing simulation, attack surface monitoring, and any other offensive or intrusive security testing ("Security Testing"), you must provide signed written authorization covering the scope, targets, timing, methods, and points of contact before testing begins. This authorization is typically a Rules of Engagement document or testing addendum to your SOW.

• You represent and warrant that you own, operate, or have obtained all necessary rights and authorizations from the owners and operators of every asset, domain, IP range, network, application, account, or employee group included in the scope.
• You are solely responsible for coordinating with hosting providers, cloud platforms, ISPs, third-party vendors, and affiliates whose authorization is required to test assets they control.
• You agree to indemnify and hold CalCyber harmless from any claim arising from testing conducted within the authorized scope against assets you did not have the right to authorize.
• Security Testing carries inherent risk. While we use reasonable care, testing may cause service degradation, alerts, account lockouts, or brief unavailability. You should back up critical data and notify relevant stakeholders before testing windows.
• We will not perform testing outside the authorized scope and will pause or stop testing if we become aware that scope authorization is invalid, revoked, or disputed.

7. Free Attack Surface Scan

CalCyber offers a no-cost external attack surface scan as a lead-generation and community service. By requesting a free scan you represent that you are authorized to request assessment of the domains, hostnames, IP addresses, and externally exposed assets you provide, and that you understand:

• Findings are delivered on an "as is" basis and are limited to externally observable information. A free scan is not a penetration test, compliance audit, or exhaustive assessment.
• The scan does not establish an ongoing engagement, retainer, or advisory relationship.
• We may retain anonymized or aggregate technical findings for threat research, product improvement, and responsible-disclosure purposes, but will not publish your identity or brand-level results without consent.
• Sections 6 (Authorized Testing), 13 (No Security Guarantee), and 14 (Limitation of Liability) apply to free scans.

8. Incident Response Engagements

Incident response ("IR") services are engaged either on a retainer basis or as an emergency one-time engagement. For emergency engagements, work begins upon execution of an IR engagement letter or equivalent written authorization and payment of any required retainer or minimum fee. IR work is performed on a best-efforts basis under time pressure and with incomplete information; we make no guarantee of containment, eradication, recovery, attribution, or evidentiary outcome. You are responsible for operational decisions, legal notifications, insurance coordination, and communications with regulators, customers, and law enforcement unless expressly scoped otherwise.

9. Compliance Services Disclaimer

CalCyber provides compliance advisory, gap assessment, policy development, and audit-readiness services for frameworks including HIPAA, CMMC, NIST, and other regulatory regimes. These Services are advisory in nature. You remain solely responsible for your organization's compliance with applicable laws, regulations, and contractual obligations. Our deliverables are not legal advice, do not constitute certification, and do not transfer regulatory liability. Certification and attestation, where applicable, can only be issued by an accredited third party.

10. Acceptable Use

• Use the Services only for lawful purposes and in accordance with these Terms.
• Do not use CalCyber tools, infrastructure, credentials, or reports to attack, probe, or gain unauthorized access to systems you do not own or have authorization to test.
• Do not interfere with, degrade, or attempt to circumvent our systems, networks, or security controls.
• Do not transmit malware, spam, or unlawful content through Services we operate.
• Do not republish, resell, or redistribute deliverables, reports, or The Phishery data feeds except as permitted in writing.

11. Customer Responsibilities

• Provide timely access to systems, facilities, personnel, documentation, and stakeholders needed to deliver the Services.
• Maintain current licenses and entitlements for your own third-party software unless otherwise agreed in writing.
• Follow reasonable security guidance and remediation recommendations, including patching, configuration changes, and access control.
• Maintain appropriate and current backups of your data. Unless we have expressly agreed to provide backup services, we are not responsible for data loss. Where we do provide backups, our responsibility is limited to the extent of the backups we maintain.
• Ensure any customer-supplied equipment is in good working order. We are not responsible for defects, failures, or compatibility issues with customer-owned hardware or software.

12. The Phishery Platform

The Phishery is a threat intelligence platform operated by CalCyber that detects phishing infrastructure, monitors AI-related data exposure, and delivers brand-impersonation and device-code-phishing protection. Use of The Phishery — including the browser extension, SIEM integrations, and any data feeds — is governed by these Terms and any applicable product-specific agreement, subscription order, or data-sharing addendum.

• The free tier of the browser extension is provided "as is" and may contribute anonymized, non-identifying threat indicators and observed indicators of compromise back to the platform to improve detection for all users. Personal content, credentials, and PII are not transmitted as part of this crowdsourced intel.
• Paid tiers, enterprise deployments, and SIEM/TAXII integrations are governed by the applicable subscription terms and data-sharing configuration agreed in writing.
• Detection models are probabilistic. False positives and false negatives are inherent to threat intelligence. The Phishery is a layer of defense, not a substitute for your complete security program.
• You may not reverse-engineer, redistribute, resell, or use The Phishery data feeds to train competing threat-intelligence models without our prior written consent.

13. No Security Guarantee

Cybersecurity is a risk-management discipline, not a guarantee. No security product, service, assessment, or consulting engagement — including ours — can fully prevent, detect, or remediate every threat. Nothing in these Terms, any proposal, SOW, deliverable, or marketing material constitutes a warranty that the Services will prevent unauthorized access, data loss, compromise, downtime, regulatory violation, or business interruption.

14. Limitation of Liability

To the maximum extent permitted by law:

• CalCyber is not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, including loss of profits, revenue, data, goodwill, or business interruption, even if advised of the possibility of such damages.
• Our total aggregate liability for any and all claims related to the Services will not exceed the greater of (a) the total fees you paid to CalCyber for the specific Services giving rise to the claim in the six (6) months immediately preceding the event, or (b) one thousand U.S. dollars ($1,000) for engagements provided at no charge.
• These limitations apply in the aggregate across all claims and theories of liability and survive termination of these Terms.

15. Warranties Disclaimer

Except as expressly set out in a signed written agreement, the Services, deliverables, reports, and The Phishery platform are provided "as is" and "as available," without warranties of any kind, whether express, implied, statutory, or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title, non-infringement, or accuracy of data.

16. Third-Party Services

We may integrate with or provide access to third-party platforms (for example, cloud providers, EDR tools, SIEM platforms, VoIP carriers, threat feeds, or payment processors). We are not responsible for the availability, security, performance, pricing, or terms of third-party services not operated by us. Your use of third-party services is subject to their own terms.

17. Security Suspension

We reserve the right to temporarily suspend, restrict, or isolate Services — including individual endpoints, accounts, or integrations — if we reasonably determine that doing so is necessary to protect our network, other customers, The Phishery platform, or the public from an active threat or policy violation. We will make reasonable efforts to notify you as soon as practical.

18. Confidentiality

We will treat non-public business, technical, operational, and personal information we access while providing the Services as confidential, using at least the same degree of care we use for our own confidential information, and disclosing it only to personnel and subcontractors with a need to know, or as required by law or valid legal process. We are not responsible for data exposure caused by your own negligence, misconfiguration, or acts of third parties outside our control.

19. Data, Privacy, and Research

Our handling of personal information is described in our Privacy Policy. In the course of delivering Services and operating The Phishery, we generate, observe, and retain technical data — including log data, indicators of compromise, detection telemetry, and aggregate metrics. We may use this data in de-identified or aggregated form to improve our Services, conduct threat research, and support responsible-disclosure activities. We will not publish customer-identifiable findings, case studies, or logos without your prior consent.

20. Responsible Disclosure

CalCyber conducts independent security research and, as part of that work, reports vulnerabilities discovered in third-party products, services, and public infrastructure to the affected vendors and operators through coordinated disclosure. Nothing in these Terms limits our ability to engage in good-faith security research or responsible disclosure involving systems other than yours, provided such research does not rely on confidential information obtained through our engagement with you.

21. Intellectual Property

You retain ownership of your data, content, and pre-existing materials you provide to us. CalCyber retains ownership of its pre-existing methodologies, tooling, detection logic, signatures, frameworks, templates, and The Phishery platform, including any improvements we make during an engagement. Upon full payment for a given engagement, you receive a non-exclusive, perpetual license to use the final deliverables for your internal business purposes. You may not resell, redistribute, or publish our deliverables outside your organization without our prior written consent.

22. Force Majeure

We are not liable for failure or delay in performance caused by events beyond our reasonable control, including natural disasters, fire, power outages, internet or upstream provider failures, cyberattacks on third parties, public health emergencies, labor disputes, or governmental actions.

23. Termination

• You may terminate Services as set out in your agreement, SOW, or subscription order.
• We may suspend or terminate Services for material breach of these Terms, non-payment, misuse, or risk to our platform or other customers.
• Termination does not relieve you of payment obligations for Services already rendered or committed.
• Sections that by their nature should survive termination — including confidentiality, limitation of liability, warranties disclaimer, indemnification, intellectual property, and governing law — will survive.

24. Indemnification

You agree to indemnify, defend, and hold harmless CalCyber Security and its officers, employees, contractors, and agents from and against any claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from (a) your use of the Services, (b) your breach of these Terms or any SOW or ROE, (c) your violation of law, or (d) your authorization of Security Testing against assets you did not have the right to authorize.

25. Changes to Services

We may modify or discontinue non-core features or components of the Services with reasonable notice, provided such changes do not materially reduce the core functionality of Services for which you have paid.

26. Governing Law and Venue

These Terms are governed by the laws of the State of California, without regard to its conflict-of-law principles. Any dispute arising out of or relating to these Terms or the Services will be resolved exclusively in the state or federal courts located in Sacramento County, California, and each party consents to personal jurisdiction and venue in those courts.

27. Changes to These Terms

We may update these Terms from time to time. Updated versions will be posted at this URL with a new Effective Date. Material changes will be communicated to active customers via email or in-product notice where practical. Continued use of the Services after the Effective Date constitutes acceptance of the updated Terms.

28. Contact

If you have questions about these Terms or need to provide notice to CalCyber, please contact: