Authorization first
The accountable owner must authorize targets and resolve third-party or provider permissions before active testing.
Trust center overview
Review how to govern target authorization, scope, credentials, sensitive evidence, operational safety, reporting, and limitations before a Revaizor engagement.
The accountable owner must authorize targets and resolve third-party or provider permissions before active testing.
Share only the credentials, test data, architecture context, and evidence needed for the approved objective.
Security, privacy, retention, access, location, subprocessors, and incident terms should be confirmed for the proposed engagement.
A security test should have an accountable owner, written authorization, exact targets, explicit exclusions, permitted techniques, a test window, escalation contacts, and stop conditions. Provider and third-party permissions are part of authorization, not an assumption.
Use scoped test accounts and non-production data where the objective permits. Avoid sharing secrets in initial sales forms. Before an engagement, agree an approved transfer method, recipients, access duration, and revocation process appropriate to the material involved.
Penetration-test evidence may contain system details, identifiers, screenshots, requests, responses, or limited proof of impact. Agree collection limits, redaction, access, report distribution, retention, deletion, and any customer-side storage requirements before testing begins.
Rules of engagement should exclude destructive or availability-impacting actions unless specifically approved with safeguards. Monitoring and incident-response contacts need a clear path for suspected incidents, unintended access, or conditions that require testing to pause.
Reports should separate confirmed observations from assumptions, describe evidence provenance, and state constraints. Disclosure of findings to vendors or third parties requires customer direction and a coordinated process; a test engagement does not grant permission to publish vulnerabilities.
This page does not claim certifications, specific hosting locations, retention periods, encryption designs, audit reports, or contractual commitments. Request current documentation and engagement-specific terms for the controls that matter to your risk review.
No. Use the public form for high-level qualification only. Agree an appropriate channel and handling terms before sharing credentials, non-public architecture, target lists, or vulnerability evidence.
No. The accountable owner and any required provider or third-party permissions must be established before active testing of that target.
Binding commitments belong in the executed agreement and engagement documentation. Ask for current evidence and terms rather than relying on general website language.
Tell us the target type and desired outcome. Sensitive scope details are collected after qualification.
Start a security review