Legal information
Terms and Conditions of Sale
1. Purpose
These Terms and Conditions of Sale govern API security audits provided by Express Security Audit.
The service consists of a technical audit intended to identify exploitable access paths and potential vulnerabilities within a defined scope.
2. Nature of the service
The audit is performed as a realistic attack simulation on the API provided by the client.
The objective is to identify unintended access, logical flaws or exploitable behaviors.
The audit is not a complete security guarantee and does not constitute certification.
The audit is performed without intent to disrupt the systems (non-destructive tests), unless explicitly agreed by the client.
Unless otherwise stated, the audit is performed on an environment provided by the client (production or staging), under the client’s responsibility.
3. Scope
The audit is performed only on:
- systems, endpoints or environments explicitly provided by the client
- the access provided by the client, including tokens, accounts and documentation
Any item not communicated is considered out of scope.
4. Client authorization
The client guarantees that they own the audited systems or have the necessary authorizations.
The client explicitly authorizes Express Security Audit to perform security tests.
Express Security Audit may not be held liable if an audit is requested without the client having legitimate authorization.
5. Terms and deadlines
The client selects an audit start date when booking.
The audit begins on the chosen date, provided that the required access has been supplied and the scope is clearly defined.
Otherwise, the audit start may be postponed without Express Security Audit being held liable.
The announced timeline (for example 72h) starts from the effective beginning of the audit. Timelines are expressed in business days.
If a postponement attributable to the client exceeds 5 business days, a new date must be scheduled according to availability.
No refund may be issued in the event of a prolonged postponement attributable to the client or failure to provide the required access.
The client agrees to cooperate actively and provide the information required for the audit to proceed properly.
6. Deliverables
At the end of the audit, the client receives:
- the exploitable access paths identified
- the endpoints or behaviors concerned
- concrete examples, including requests and scenarios
- a prioritization of risks
- corrective recommendations
7. Price and payment
The service is billed at the price indicated on the website.
Payment is due in full before the audit starts.
Once the audit has started, no refund may be issued.
8. Limitation of liability
The audit aims to identify potential vulnerabilities at a given point in time.
It does not guarantee the absence of flaws or future vulnerabilities.
Some vulnerabilities may not be detected, and flaws may exist outside the tested scope.
Express Security Audit may not be held liable for exploitation of existing vulnerabilities, whether identified or not, nor for indirect damage or loss of business.
The provider is bound by a best-efforts obligation, not an obligation to achieve a specific result.
9. Confidentiality
All information exchanged as part of the audit is strictly confidential.
The audit results are intended for internal use by the client.
Any external disclosure requires prior written agreement.
The audit report becomes the property of the client after full payment.
The client remains responsible for data accessible through the provided API.
The provider undertakes not to use this data outside the strict scope of the audit.
10. Use of the service
The client agrees not to use the audit results for illegal or malicious purposes.
11. Responsibility for access
The client is responsible for the access credentials and accounts provided.
Express Security Audit may not be held liable for consequences related to incorrect access, misconfigured environments or integrated third-party systems.
12. Governing law
These Terms and Conditions are governed by the law applicable in the country where Express Security Audit is domiciled.
In the event of a dispute, amicable resolution will be prioritized before any legal action.
13. Exceptional circumstances
Express Security Audit may not be held liable for delays or inability to perform caused by events beyond its control.
This includes major technical issues, unavailability of the client’s systems, network or infrastructure incidents, illness or exceptional unavailability.
In such cases, the audit will be postponed as soon as possible.
14. Changes to the Terms
Express Security Audit reserves the right to modify these Terms and Conditions at any time.
The applicable Terms and Conditions are those in force at the time of order.