graphic_eq EchoForge Order Security Audit
gavel Legal

Security Audit
Terms of Service

Effective date: 1 April 2026  ·  EchoForge (echoforge.biz)

warning

Authorised testing only. By placing an order you confirm that you own, or have explicit written authorisation to test, the target system. Submitting a target you do not control is a criminal offence in most jurisdictions and will result in immediate cancellation without refund and referral to relevant authorities.

1. Agreement

These Terms of Service ("Terms") govern your purchase and use of the EchoForge Web Application Security Audit service ("Service"). By placing an order you agree to these Terms in full. If you are placing an order on behalf of an organisation, you represent that you have authority to bind that organisation to these Terms.

2. Rules of Engagement

The following rules are legally binding conditions of the Service. Violation of any rule results in immediate termination without refund and may result in legal action.

  • 2.1 Authorisation. You must own the target domain and all associated systems, or hold explicit written authorisation from the owner to conduct security testing. "Explicit written authorisation" means a signed document or email from the authorised system owner that specifies the scope and dates of testing.
  • 2.2 Scope. Testing is strictly limited to the domain submitted at order time and its direct subdomains. EchoForge will not probe IP addresses, third-party services, or any system outside the declared scope. You must not submit a domain that resolves to shared infrastructure (e.g. a shared hosting IP) where probing would affect other tenants.
  • 2.3 Production systems. You accept that active scanning may generate unusual traffic patterns and, in rare circumstances, trigger rate-limiting or temporary unavailability of web services. EchoForge operates with rate-limited, non-destructive probing; however, you accept this risk and do not hold EchoForge liable for any service disruption arising from the scan.
  • 2.4 No exploitation. EchoForge will identify and report vulnerabilities but will not exploit them beyond what is necessary to confirm their existence. No data will be extracted, modified, or deleted from target systems.
  • 2.5 Prohibited targets. You must not submit targets that belong to government systems, critical national infrastructure, financial institutions, healthcare systems, or any system where testing is prohibited by law regardless of ownership.

3. Ownership Verification

Before any active scanning begins, EchoForge requires verification that you control the target domain. Verification is completed by clicking a one-time link sent to an email address at the target domain. Scanning will not commence until verification is complete.

Completion of the verification step constitutes your confirmation that the submitted target is within your authorised scope.

4. Service Tiers and Delivery

  • 4.1 Starter ($49). Surface-level scan covering OWASP Top 10 fingerprinting, HTTP security headers, exposed sensitive paths, and email security configuration. Delivered as a PDF report within 24 hours of ownership verification.
  • 4.2 Professional ($149). Full active scan including all Starter coverage plus active vulnerability probing, authentication testing, injection surface analysis, and CORS/cookie security review. Delivered within 48 hours of verification.
  • 4.3 Agency ($349). Deep multi-surface scan covering all Professional content plus subdomain enumeration, API surface mapping, and custom template analysis. Delivered within 72 hours of verification.
  • 4.4 Delivery method. The final report is a PDF delivered by email to the address provided at order time, and optionally shared via a Google Drive link. Delivery timelines begin from the moment domain ownership is verified, not from the time of order placement.
  • 4.5 Delays. If ownership verification is not completed within 14 days of the order, the order will expire. No refund is issued for orders that expire due to failure to complete verification.

5. Free Retest

EchoForge offers one free retest within 30 days of the original report delivery date, limited to verification that previously reported Critical and High findings have been remediated. The retest covers the same scope and tier as the original order. To request a retest, reply to your delivery email.

6. Payment and Refunds

  • 6.1 Payment is due in full at the time of order. Orders are not processed until payment is confirmed.
  • 6.2 Refund before scan start. A full refund is available if requested before domain ownership verification is completed and before any scanning has commenced.
  • 6.3 No refund after scan. Once scanning has commenced, no refund is available regardless of the findings or their severity.
  • 6.4 Unauthorised target. If a submitted target is found to be outside your authorised scope, the order is cancelled immediately without refund and may be reported to relevant authorities.
  • 6.5 To request a refund, contact contact@echoforge.biz.

7. Confidentiality

The security report is confidential and intended solely for the use of the ordering party. EchoForge will not disclose report contents or findings to any third party without your written consent, except as required by law.

EchoForge retains a copy of scan results and the report for a maximum of 90 days for quality assurance and dispute resolution purposes, after which all data is deleted.

8. Limitation of Liability

The Service is provided on an "as-is" basis. EchoForge does not guarantee that all vulnerabilities will be identified — no security assessment is exhaustive. The report reflects the security posture of the target at the time of scanning only.

To the maximum extent permitted by applicable law, EchoForge's total liability for any claim arising from or related to the Service is limited to the amount paid for the specific order giving rise to the claim.

EchoForge is not liable for any indirect, incidental, consequential, or punitive damages, including loss of data, loss of revenue, or business interruption, even if advised of the possibility of such damages.

9. Your Responsibilities After the Report

The report is a professional assessment, not legal advice. You are solely responsible for determining how to remediate findings and for the timeline and adequacy of your remediation efforts.

EchoForge recommends rotating all credentials and secrets identified in the report as an immediate priority. EchoForge accepts no liability for damage arising from failure to act on report findings in a timely manner.

10. Governing Law

These Terms are governed by the laws of the State of Israel. Any disputes arising under these Terms shall be subject to the exclusive jurisdiction of the courts of Tel Aviv, Israel. If any provision of these Terms is found to be unenforceable, the remaining provisions remain in full force.

11. Changes to These Terms

EchoForge reserves the right to update these Terms at any time. Updates will be posted at this URL with a revised effective date. Orders placed prior to a change are governed by the Terms in effect at the time of order placement.

12. Contact

Questions about these Terms or the Service: contact@echoforge.biz

open_in_new Order Security Audit on Fiverr