Our work is defined by ethical boundaries. Not by technical capabilities.
We start no review without documented, written approval from the domain owner or authorized representative. Every test has a defined scope.
We do not perform denial-of-service tests or load systems beyond normal browsing.
We do not manipulate employees, send fraudulent emails or test human weakness.
We do not crack or steal credentials, and we do not access protected areas.
We do not access customer data, form submissions, databases or internal documents. Everything stays external-only.
We do not alter, delete or damage any data, files or configurations. Our review is 100% non-destructive.
We only see what a visitor or attacker sees from the outside. No internal access, no firewall rule changes.
We do not provide legal advice. Our GDPR-related content is a technical trust signal review, not a legal examination and not a replacement for a data protection officer or lawyer.