Terms of Service

Version 1.0, 2026-02-26

Heist AS, org. nr. 935 833 973 ("Heist") operates an AI-driven penetration testing platform (the "Service"). The Service conducts automated, continuous security testing against systems you designate, identifying vulnerabilities with the offensive security techniques used in real-world cyberattacks.

These Terms of Service (the "Agreement") are entered into by and between Heist and the entity placing an order for or accessing the Service ("Customer"), each a "Party" and collectively the "Parties". This Agreement governs Customer's initial access to the Service as well as any future use. Heist may modify this Agreement from time to time as set out in Section 14.4.

The Service is for business use only. The individual creating the account confirms they act for, and have authority to bind, an entity as the Customer. By completing the user registration process, designating a named entity as the Customer, and checking the acceptance box, the designated entity agrees to be bound by this Agreement as the Customer.

If the individual completing the user registration process does not have authority to bind the designated entity, that individual shall be the Customer and shall assume all Customer's obligations under this Agreement. Heist may suspend any user where it has reasonable grounds to believe the user is not authorised to bind the designated entity to this Agreement.

1. Definitions

"Authorized Testing" means automated penetration testing and offensive security assessments conducted by the Service against Customer's designated Targets.

"Documentation" means the user guides, technical specifications, policies and other materials that Heist makes available in the Service or via its trust centre, as updated from time to time.

"Customer Data" means any data or content that Customer, or others acting on its behalf, provides, discloses or transfers to Heist in connection with the Service, including any personal data contained in it.

"Fees" means the amounts payable as set out in an executed Order Form or in Heist's then-current pricing tiers available on www.heisthq.com.

"Findings" means all results, outputs, reports, vulnerability identifications, exploit proofs, recommendations, and other artefacts generated by or through the Service. Exploit proofs are working attack artefacts targeting Customer's own systems and represent the most sensitive category of Findings; they should be subject to enhanced access controls and securely deleted once the associated vulnerability has been remediated.

"Order Form" means any ordering document, statement of work or similar document executed by both Parties that references this Agreement and sets out additional terms, pricing or scope for Customer's use of the Service.

"Subscription Term" means the ongoing period that starts when Customer activates a plan (free or paid) for the Service and ends when Customer cancels the Service or this Agreement is otherwise terminated in accordance with its terms.

"Targets" means the domains, systems, applications, endpoints, and related infrastructure that Customer designates within the Service for Authorized Testing.

"User" means an individual associated with Customer who has been provisioned with access to the Service.

2. Authorisation and Scope

2.1 Authorisation Grant. Customer hereby expressly authorises Heist to conduct Authorized Testing against Customer's designated Targets. This authorisation constitutes Customer's informed consent for Heist to access, probe, test, and attempt to exploit vulnerabilities in Customer's systems with the offensive security techniques used in real-world cyberattacks.

2.2 Target Designation. Customer designates Targets by adding them to the Service. The Service will conduct information gathering and Authorized Testing on each Target. Customer may exclude specific endpoints or components from Authorized Testing within the Service.

2.3 Domain Verification. Customer must complete Heist's domain verification process for each Target before Authorized Testing may commence.

2.4 Testing Windows. Customer may configure permitted testing windows. The Service will conduct Authorized Testing only during enabled testing windows.

2.5 Control. Customer may pause or terminate Authorized Testing at any time using the controls provided in the Service.

2.6 Scope Boundaries. Heist employs technical safeguards with the aim of constraining Authorized Testing to designated Targets, including domain and scope verification prior to testing and a kill switch enabling immediate suspension of Authorized Testing at any time. Customer acknowledges that AI-driven systems may behave unpredictably despite such controls, and that Heist cannot guarantee the AI will never attempt to access systems outside the designated scope. Customer must immediately terminate the Authorized Testing and notify Heist upon becoming aware of any out-of-scope activity. Upon becoming aware of any out-of-scope activity, Heist will promptly suspend the relevant testing activity and notify Customer without undue delay.

3. Findings

3.1 Delivery. Findings are made available through the Service. Critical findings are also notified by email, unless email notifications have been disabled by Customer in the Service. Customer may configure additional notification channels through available integrations.

3.2 Retention. Heist retains Findings for the duration of Customer's subscription. Heist will delete all Findings and Customer Data embedded therein within thirty (30) days of receipt of Customer's written deletion request. Heist may also delete said data with thirty (30) days' prior notice after the Customer's termination of its subscription.

3.3 Ownership. Heist retains ownership of all Findings.

3.4 Customer Rights. Customer on a paid plan may use Findings to:

(a) remediate vulnerabilities in Customer's own systems;

(b) share with Customer's internal security, risk, legal and compliance functions;

(c) share with Customer's auditors, regulators, and supervisory authorities;

(d) share with Customer's insurers; and

(e) share with Customer's group companies.

The right to use and share Findings under (a)-(e) above is perpetual and irrevocable with respect to Findings generated during a paid Subscription Term.

Customer may not use Findings beyond the permissions above without Heist's prior written consent. If the Findings contain information about or relating to third parties, such information shall be considered Confidential Information and shall always be securely redacted by the Customer prior to external sharing of the Findings.

Nothing in this Section 3 permits use of Heist's name, trademarks or logos without Heist's prior written consent, nor does it imply Heist's approval of any disclosure of third-party information.

3.5 Confidentiality. The Customer has no confidentiality obligations to Heist with respect to that Customer's own Findings, and the Customer's use and disclosure of its own Findings is governed exclusively by Section 3, except for any embedded information about or relating to third parties, which shall be considered Confidential Information.

3.6 Survival. Customer's rights to use Findings generated during a paid Subscription Term under this Section 3 survive termination of this Agreement.

4. Customer Responsibilities

In addition to the warranties set out in Section 9.5, Customer accepts sole responsibility for:

(a) how the Service is used, including setting the appropriate configuration of scope, Targets, and test intensity;

(b) deciding which Targets and environments to test;

(c) notifying all relevant stakeholders that Authorized Testing will occur and maintaining sufficient competent personnel to handle any downtime, disruption or other side-effects of Authorized Testing;

(d) maintaining appropriate backups before, during and after Authorized Testing, as well as maintaining appropriate business continuity measures;

(e) considering whether to configure security monitoring to account for testing activity;

(f) reviewing Findings and taking appropriate remediation action;

(g) rotating any credentials, tokens, or other secrets that were accessed or disclosed during Authorized Testing or appear in Findings; and

(h) using the Service's pause and stop controls if Authorized Testing causes any issues, harm or other unintentional consequences, or a risk thereof.

Heist's corresponding obligations for scope controls, incident response, security practices, and delivery of Findings are set out in Section 5.

5. Heist Obligations

Heist commits to the following in connection with the Service:

(a) Scope controls. Heist will employ technical safeguards with the aim of constraining Authorized Testing to Customer's designated Targets, including domain and scope verification prior to testing and a kill switch enabling immediate suspension of Authorized Testing at any time (Section 2.6).

(b) Out-of-scope response. Upon becoming aware of any out-of-scope activity, Heist will promptly suspend the relevant testing activity and notify Customer without undue delay (Section 2.6).

(c) Security. Heist will maintain security measures consistent with industry standards for services of this type, as described at https://heisthq.com/trust. Heist may update such measures provided that updates do not materially decrease overall security during a subscription term (Section 7.1).

(d) Findings delivery. Heist will make Findings available through the Service. Critical findings will also be notified by email, unless email notifications have been disabled by Customer in the Service (Section 3.1).

(e) IP indemnification. Heist will defend Customer against third-party claims that the Service infringes a copyright, patent or trademark (Section 11.1).

(f) Warranties. Heist warrants that it has authority to enter into this Agreement, that the person accepting this Agreement is authorised to do so, and that entering this Agreement does not violate any other agreement to which Heist is bound (Section 9.1).

(g) Notice of changes. Heist will provide thirty (30) days' prior written notice before modifying or replacing this Agreement (Section 14.4).

6. Fees and Payment

6.1 Fees. Fees are set forth on Heist's pricing page. All fees are in the currency stated and exclude applicable taxes. Customer shall pay all Fees or ensure that Fees may be automatically charged by Heist on the due date indicated in the billing information provided in the Service.

6.2 Billing. Subscriptions are billed in advance on a recurring basis. Customer authorises Heist to charge Customer's payment method at each billing cycle.

6.3 Taxes. Heist may charge Customer for any VAT, sales tax or tariffs applicable to the Fees or the provision of the Service in the Customer's jurisdiction.

6.4 Price Changes. Heist may change its Fees upon thirty (30) days' prior written notice. Such changes shall apply at the next renewal.

6.5 Free Tier. Heist may offer a free tier with limited functionality. Heist may modify or discontinue the free tier at any time.

7. Security and Data Protection

7.1 Security. Heist's security practices are described at https://heisthq.com/trust. Heist maintains security measures consistent with industry standards for services of this type and may update such measures provided that updates do not materially decrease overall security during a subscription term.

7.2 Privacy. Heist's Privacy Policy at https://heisthq.com/privacy-policy describes how Heist collects and uses personal data in connection with the Service and is incorporated into this Agreement by reference.

7.3 Data processing. To allow for disclosure and transfer of personal data, whether intentional or as a byproduct of using the Service, the Parties agree to the Data Processing Agreement available at https://heisthq.com/trust/dpa.

8. Confidentiality

8.1 Confidential Information. "Confidential Information" means information disclosed by one Party to the other that is marked or otherwise reasonably understood to be confidential, including Customer Data, information about the Customer's systems, non-public information about Heist and the Service, the terms of this Agreement and Findings. A Customer shall have no confidentiality obligations to Heist with respect to that Customer's own Findings, except any embedded information about or relating to third parties, which shall be considered Confidential Information.

8.2 Exceptions. Information is not Confidential Information if it:

(a) becomes public through no fault of the receiving Party;

(b) was lawfully known to the receiving Party without restriction before disclosure;

(c) is received from a third party who is not under a duty of confidence; or

(d) is independently developed without use of the disclosing Party's information.

8.3 Use and protection. Each Party will use the other Party's Confidential Information only to perform this Agreement and will protect it using at least reasonable care. Each Party may share Confidential Information with its employees, contractors and professional advisers who need to know it for that purpose and are bound to keep it confidential, and remains responsible for their compliance.

8.4 Required Disclosure. A Party may disclose Confidential Information to the extent required by law, court order or a regulatory authority, provided it gives reasonable notice to the other Party (where lawful) and takes reasonable steps to limit and protect the disclosure.

9. Warranties and Disclaimers

Authorized Testing is configured and controlled by Customer. The liability allocation below reflects this: Heist is responsible for how the Service operates within the scope Customer defines; Customer is responsible for what that scope includes. Sections 9.2–9.4 describe what Heist does not warrant. Section 10 sets out the financial consequences of any liability that does arise.

9.1 Mutual Warranties. Each Party represents and warrants that:

(a) it has authority to enter into this Agreement;

(b) the person accepting this Agreement is authorised to do so; and

(c) entering this Agreement does not violate any other agreement to which it is bound.

9.2 General Disclaimer. To the fullest extent permitted by applicable law, the Service is provided "as is" and "as available". Heist disclaims all warranties, express or implied, including warranties of merchantability or fitness for a particular purpose. Heist does not warrant that the Service will be uninterrupted, error-free, or meet Customer's requirements. The Service is provided without uptime guarantees, service level commitments, or dedicated support response times, unless specifically agreed between the Parties.

9.3 Disclaimer for Authorized Testing.

AI behaviour. The Service relies on automated processes and AI-based tools. The behaviour and outputs of these tools can be non-deterministic and unpredictable; results may vary between runs and may contain inaccuracies or artefacts; and the Service may occasionally exceed intended scope boundaries despite technical controls.

Customer's validation responsibility. Customer remains solely responsible for reviewing, validating, and safely executing any actions or recommendations produced by the Service and for maintaining appropriate safeguards, backups, and change controls. Out-of-scope activity resulting from Customer's misconfiguration is Customer's sole responsibility.

Inherent risk. Penetration testing, including Authorized Testing and other use of the Service, inherently carries risk of service disruption or system instability. Customer accepts these risks and agrees to take all necessary steps to mitigate potential impact, including maintaining appropriate backups and incident response procedures.

Liability disclaimer. To the fullest extent permitted by applicable law, Heist disclaims responsibility and liability for any loss, damage, corruption, downtime, data unavailability, or other consequences arising from or in connection with Customer's Authorized Testing or use of the Service. This disclaimer does not limit Heist's liability for its failure to respond to known out-of-scope activity without undue delay as required by Section 2.6. Where Heist is liable under this Agreement, that liability is subject to the limitations set out in Section 10.

9.4 Disclaimer for Findings. Heist does not warrant that the Service will identify all vulnerabilities, misconfigurations, or other security weaknesses in Customer's environment. Findings may be incomplete, inaccurate, or include false positives or false negatives, and may vary over time as systems and threat landscapes change. Vulnerabilities, defects, outages, data loss risks, or other issues may remain undetected. Customer remains responsible for independently validating the Findings and determining remediation priorities and actions. To the fullest extent permitted by applicable law, the Findings are provided "as is" and "as available," without warranties of any kind, whether express, implied, or statutory, including any warranties of accuracy, completeness or fitness for a particular purpose.

9.5 Customer Warranty. Customer represents and warrants that:

(a) Customer owns, or holds a valid, written authorisation to conduct Authorized Testing on, each Target;

(b) Customer has completed domain verification for each Target;

(c) the Authorized Testing does not violate an agreement with a third party;

(d) Customer's use of the Service complies with all applicable laws and regulations, including laws governing processing of personal data, information security, computer access and security testing;

(e) it holds all necessary rights and legal bases (including under applicable data protection laws) to include any personal data it holds in any capacity within the scope of the Authorized Testing and to disclose or transfer such personal data to Heist for the purposes of providing the Service, and that it has provided all required notices and obtained any required consents from data subjects;

(f) Customer and any person acting on its behalf will comply with the licence restrictions set out in Section 12.7; and

(g) Customer and any person acting on its behalf will assume the responsibilities set out in Section 4.

10. Limitation of Liability

10.1 Exclusion of Damages. Neither Party shall be liable to the other for any indirect, incidental, special, consequential, or punitive damages, including lost profits, business interruption, or loss of data, regardless of whether such damages were foreseeable or whether a Party was advised of their possibility.

10.2 Liability Cap. Heist's total cumulative liability arising from this Agreement shall not exceed the higher of: (i) the fees paid by Customer in the twelve months preceding the event giving rise to the claim; or (ii) 10% of documented, reasonable costs of remediation directly attributable to the event giving rise to the claim. Where Customer is on a free plan, Heist's total cumulative liability shall not exceed €5,000, with exceptions outlined in Section 10.3.

10.3 Exceptions. The limitations in this Section 10 shall not apply in the event of:

(a) Customer's failure to comply with Section 12 (Intellectual Property Rights, Licence and Use Rights), Section 4 (Customer's Responsibilities) or Section 9.5 (Customer's Warranty);

(b) Customer's payment obligations;

(c) either Party's breach of Section 8 (Confidentiality); or

(d) either Party's gross negligence or wilful misconduct.

11. Indemnification

11.1 By Heist. Heist will defend Customer against third-party claims that the Service infringes a copyright, patent or trademark, and will pay resulting damages or settlements. This obligation does not apply if the claim arises from Customer's breach of this Agreement.

11.2 By Customer. Customer will defend, indemnify, and hold Heist harmless from any claim arising from Customer's failure to comply with Section 12 (Intellectual Property Rights, Licence and Use Rights), Section 4 (Customer's Responsibilities) or Section 9.5 (Customer's Warranty).

11.3 Process. The indemnified Party shall promptly notify the indemnifying Party of any claim. The indemnifying Party shall control the defence and settlement of the claim. The indemnified Party shall offer its reasonable cooperation at the indemnifying Party's expense.

12. Intellectual Property Rights, Licence and Use Rights

12.1 Heist Ownership. Heist owns all rights, title, and interest in and to the Service, including all intellectual property rights in the software, documentation, models, prompts, configurations, workflows, algorithms, and underlying technology, together with all improvements, derivatives, and modifications thereto, as well as all Findings. Customer's rights to use Findings are set out in Section 3.

12.2 Customer Data. The Service may access data within Customer's systems during Authorized Testing, including Customer Data. Subject to Section 12.1, Heist does not claim ownership over Customer Data disclosed or transferred by use of the Service, including Customer Data embedded in Findings. Heist does not retain Customer Data except as necessary to deliver and retain Findings. Heist will delete or anonymise all Customer Data within six (6) months of the Customer's termination of subscription or within thirty (30) days of receipt of the Customer's written deletion request.

12.3 Licence. Subject to this Agreement and the timely payment of all applicable Fees, Heist grants Customer a limited, non-exclusive, non-transferable, non-sublicensable and revocable licence, during the applicable Subscription Term, to access and use the Service solely for Customer's internal security testing purposes, in accordance with the Documentation, the usage parameters, features and volumes shown in the Service (and any Order Form, if applicable), and all scope controls configured by Customer.

The licence is limited to use by Customer's Users for the benefit of Customer and not for any third party, and does not permit managed service, service bureau, outsourcing, time-sharing or similar provision of the Service to, or for the benefit of, any third party.

Heist may monitor usage and enforce technical safeguards to verify compliance with this Agreement and to protect the security and integrity of the Service. The licence will automatically terminate upon expiry or termination of the Subscription Term or this Agreement, or may be suspended by Heist as permitted herein.

12.4 Aggregated Learning. Heist may retain generalised, anonymised patterns learned from conducting tests to improve the Service, such as vulnerability categories, attack technique effectiveness, and detection rates. Such patterns will not include Customer Data, Customer-specific data, configurations, target identities, or specific vulnerabilities, and cannot be used to identify Customer or reconstruct any aspect of Customer's systems or security posture.

12.5 Feedback. If Customer provides feedback about the Service, Heist may use such feedback without restriction or compensation.

12.6 Account Registration. Users must register and create an account to use the Service. Account credentials are personal and shall not be shared. All Users must be human; accounts registered by automated methods are not permitted.

12.7 Licence Restrictions. Customer shall not, and shall not authorise any User to:

(a) reproduce, modify, adapt, translate, create derivative works from, publicly display, publicly perform, distribute, or make available the Service or any component thereof;

(b) designate as a Target any system that Customer does not own, or for which Customer does not hold a valid, written authorisation to test;

(c) use Findings to attack, exploit, or probe any systems that Customer does not own or is not authorised to test, or for any purpose other than improving the security of Customer's own systems;

(d) attempt to disable, circumvent, interfere with or override the Service's scope limitations, safety features or other technical and administrative guardrails, including by directing or inducing the Service to run tests outside the scope configured by Customer;

(e) use the Service in any jurisdiction where penetration testing is prohibited or restricted by applicable law, regulation, third-party contracts, or provider terms (including cloud or hosting provider terms);

(f) use the Service or any outputs to build, train, develop, or improve any model, system, product or service that is competitive with the Service, or to benchmark the Service for publication without Heist's written consent;

(g) copy, decompile, disassemble, or reverse engineer the Service, or attempt to derive its source code, underlying models or datasets;

(h) sublicense, sell, resell, lease, lend, or otherwise transfer or provide access to the Service to any third party; or

(i) interfere with the integrity, security or performance of the Service or any third-party systems or networks.

13. Term and Termination

13.1 Term. This Agreement commences on the date Customer first accepts it and continues for the duration of Customer's Subscription Term. The Subscription Term is automatically renewed at the end of the current billing period, unless cancelled by Customer.

Customer may cancel its subscription at any time through the Service. Cancellation stops automatic renewal and Customer retains access until the end of the current billing period.

13.2 Termination for Breach. Either Party may terminate this Agreement if the other Party is in material breach of this Agreement and fails to cure such breach within thirty (30) days of written notice. Termination for breach is effective immediately upon notice following the cure period. If Customer terminates the Agreement due to Heist's uncured material breach of this Agreement, Heist will refund prepaid fees for the unused portion of the Subscription Term.

13.3 Suspension. Heist may suspend access if Customer fails to pay undisputed fees, if Customer fails to comply with its obligations under this Agreement, or if suspension is necessary to protect the integrity or security of the Service.

13.4 Survival. Sections 3, 5, 8, 9, 10, 11, 12, 14.11, 14.12 and the Data Processing Agreement shall survive termination regardless of the cause of termination.

14. Miscellaneous

14.1 Support. Heist provides email support Monday through Friday, 09:00-17:00 CET, Norwegian holidays excluded.

14.2 Entire Agreement. This Agreement is the entire agreement between the Parties regarding its subject matter and supersedes all prior agreements.

14.3 Order Forms. This Agreement may be supplemented by a separate written agreement or order form executed by both Parties. In case of conflict, the separate agreement or order form shall prevail.

14.4 Amendments. Heist may modify or replace this Agreement by providing Customer with thirty (30) days' prior written notice via email or through the Service. If Customer does not agree to the revised terms, Customer may terminate the Agreement before the changes take effect and receive a refund of prepaid fees for the unused portion of the current Subscription Term. Continued use of the Service after the effective date of the new terms shall constitute acceptance of the terms by Customer.

14.5 Assignment. Customer may not assign this Agreement without Heist's written consent, except to a successor in a merger or acquisition. Heist may assign this Agreement to an affiliate (a company in Heist's group) or to a successor in a merger or acquisition.

14.6 Severability. If any provision contained herein is deemed void or unenforceable, the Agreement shall be modified to the minimum extent necessary, and the remaining provisions shall continue in effect.

14.7 Waiver. A Party's failure to enforce a right does not constitute a waiver of such right, unless otherwise provided in this Agreement.

14.8 Force Majeure. Neither Party shall be liable for any delay or failure to perform its obligations under this Agreement to the extent caused by events beyond its reasonable control, including acts of God, flood, fire, earthquake or other natural disaster; war, terrorism, or civil unrest; or strikes or other industrial disputes not involving the affected Party's own workforce. The affected Party shall use reasonable endeavours to mitigate the effects of the event and resume performance as soon as reasonably practicable. This Section 14.8 does not excuse or delay any payment obligations.

14.9 No Agency. The Parties are independent contractors. This Agreement does not create a partnership, joint venture, or agency relationship.

14.10 Notices. Notices to Heist shall be submitted to legal@heisthq.com. Notices to Customer shall be submitted to the email associated with Customer's account.

14.11 Governing Law. This Agreement is governed by Norwegian law.

14.12 Disputes. Disputes arising from this Agreement shall be resolved by the courts of Norway, with Oslo District Court as exclusive legal venue.

Heist AS · Org.nr: 935 833 973 · Email: legal@heisthq.com

Get ahead of your vulnerabilities. Run your pentests with Heist.