Terms of Service

Noctara Red

Effective date: 24 April 2026 | Version: 1.0

Issued by Noctara Security Ltd, a company incorporated in England and Wales (Company No. 17122134). These Terms govern access to and use of the Noctara Red platform at www.noctara.tech.

1. Interpretation

2. Acceptance and Eligibility

2.1 How acceptance occurs

By clicking to accept, submitting an Order Form, paying a subscription invoice, or accessing the Platform, the Customer agrees to be bound by this Agreement. If the Customer is an organisation, the individual accepting on its behalf warrants that they have authority to bind that organisation.

2.2 Eligibility

The Platform is a professional tool intended for organisations and individuals engaged in authorised security testing. By accepting these Terms the Customer confirms that:

• it is at least 18 years of age or, if an organisation, duly incorporated and authorised to enter this Agreement;
• it holds all necessary authorisations, permissions, and legal rights from the owners of any systems, networks, or assets it tests using the Platform;
• its use of the Platform will comply with all applicable laws and regulations.

2.3 Individual tier restriction

The Individual tier is available solely to sole traders and independent contractors. It is not intended for team delivery or multi-client use. Organisations with two or more users must subscribe to the Business tier or above.

3. Subscription and Access

3.1 Grant of access

Subject to payment of the Fees and compliance with this Agreement, We grant the Customer a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Platform during the Subscription Period for the Customer's internal security testing and reporting purposes, within the seat limit of the applicable tier.

3.2 Subscription tiers

The Platform is offered across multiple subscription tiers. Current pricing, seat allocations, and tier features are set out on the pricing page at www.noctara.tech/pricing and in the applicable Order Form. The features available to the Customer are those described in the Documentation and Order Form at the time of subscription.

3.3 AI processing credits

Each tier includes a standard credit allowance for AI-assisted report processing. Credits are consumed on a per-file or per-batch basis as disclosed within the Platform. Additional credits may be purchased at the applicable surcharge rate. Unused credits do not roll over between billing periods unless otherwise agreed in writing.

3.4 Beta access

During the beta period, access is provided at the beta rate of GBP 50 per tester seat per month with a standard credit allowance included. Beta pricing is locked through to general availability for participants who join during the beta. Noctara Security Ltd may extend, modify, or conclude the beta programme on 30 days' written notice to active beta participants.

3.5 Account security

The Customer is responsible for maintaining the confidentiality of all account credentials and for all activities that occur under its account. The Customer must notify Us immediately at info@noctara.tech if it suspects any unauthorised access to its account.

4. Fees and Payment

4.1 Payment in advance

The Customer shall pay the Fees in advance for each billing period. Annual prepay is the default contract structure unless otherwise agreed in the Order Form.

4.2 Payment method

Fees are collected via the payment method specified at checkout or in the Order Form. The Customer authorises Us to charge that payment method automatically at the start of each billing period.

4.3 Late payment

If any amount remains unpaid 14 days after its due date, We may suspend access to the Platform until all outstanding amounts are settled in full. Continued non-payment for a further 14 days after suspension constitutes grounds for termination under clause 10.

4.4 Price changes

We may revise the Fees on not less than 60 days' prior written notice. Revised Fees take effect at the start of the next Subscription Period following expiry of that notice. If the Customer does not wish to accept revised Fees it may terminate this Agreement before the revised Fees take effect.

4.5 Taxes

All Fees are stated exclusive of VAT. Where VAT or any other applicable tax is chargeable it will be added at the prevailing rate and invoiced to the Customer. The Customer is responsible for any other applicable taxes in its jurisdiction.

4.6 Refunds

Subscription Fees are non-refundable except where required by applicable law or as expressly agreed in writing by Noctara Security Ltd.

5. Acceptable Use

5.1 Permitted use

The Customer may use the Platform solely for the purpose of conducting, documenting, and reporting on authorised security testing engagements in respect of systems the Customer is entitled to test.

5.2 Prohibited activities

The Customer must not, and must ensure its Authorised Users do not:

• use the Platform to test any system, network, or asset without holding current written authorisation from the relevant system owner for that specific engagement;
• use the Platform for any unlawful purpose or in breach of the Computer Misuse Act 1990, the Investigatory Powers Act 2016, or any applicable equivalent legislation in any relevant jurisdiction;
• upload or process any special category personal data (as defined under UK GDPR, including health, biometric, or criminal conviction data) unless the Customer holds a lawful basis and has notified Us in advance;
• attempt to reverse engineer, decompile, or disassemble any part of the Platform;
• share, sell, sublicense, or otherwise transfer account credentials or subscription rights to any third party;
• use automated means to scrape, extract, or harvest data from the Platform other than via documented API endpoints;
• submit false or misleading information to the Platform or misrepresent the scope, authorisation status, or nature of any engagement;
• use AI Outputs in any client-facing report or regulatory submission without prior human review and approval by a qualified analyst;
• use the Platform in a manner that could damage, overburden, or impair the Platform or interfere with any other party's use.

5.3 Sanctions and export controls

The Customer confirms it is not subject to any UK, EU, or US sanctions list and that its use of the Platform complies with all applicable export control legislation. We may suspend access without notice if We have reasonable grounds to believe a sanctions or export control obligation has arisen.

6. Customer Data

6.1 Ownership

The Customer retains ownership of all Customer Data. The Customer grants Noctara Security Ltd a limited, non-exclusive licence to process Customer Data solely to the extent necessary to provide the Services.

6.2 Customer responsibility

The Customer is solely responsible for:

• ensuring it has all necessary rights, permissions, and consents to upload Customer Data to the Platform;
• ensuring that any personal data within Customer Data is processed in accordance with applicable data protection law and that any data relating to third parties was lawfully obtained;
• the accuracy, legality, and completeness of all Customer Data submitted to the Platform.

6.3 Third-party personal data in engagements

The Customer acknowledges that penetration testing engagements may involve the discovery and upload of personal data relating to third parties, including employee credentials, email addresses, and system access data belonging to the Customer's clients. The Customer is the data controller for all such personal data and is responsible for ensuring it has appropriate authority to process that data within the Platform, including obtaining any necessary consent or relying on a valid legal basis.

6.4 Our processing obligations

We will process personal data contained within Customer Data only on the Customer's instructions and in accordance with Our Data Processing Agreement. We will implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access.

6.5 Subprocessors

We use third-party subprocessors in the operation of the Platform, including cloud infrastructure providers and AI inference providers. A current list of subprocessors is maintained at /subprocessors. We will give the Customer not less than 30 days' prior notice of any material change to the subprocessor list. If the Customer objects to a new subprocessor on reasonable data protection grounds it may terminate this Agreement in accordance with clause 10 without penalty.

6.6 Data hosting and international transfers

The Platform is hosted on infrastructure located in the UK or European Economic Area where possible. Where any transfer of personal data outside the UK or EEA is required in connection with the operation of the Services, We rely on UK adequacy regulations, adequacy decisions, or standard contractual clauses as the applicable transfer mechanism.

6.7 Retention and deletion

We retain Customer Data for the duration of the Subscription Period and for a further 30 days following termination, during which the Customer may export its data via the Platform. After that period We will securely delete or anonymise all Customer Data unless We are required by law to retain it. Full retention periods are set out in Our Data Retention Policy.

7. AI-Assisted Outputs

7.1 Nature of AI Outputs

The Platform uses third-party AI infrastructure to generate report narratives, vulnerability enrichment, remediation guidance, regulatory consequence narratives, and other AI-assisted content. AI Outputs are intended to assist qualified human analysts and do not constitute professional, legal, or regulatory advice.

7.2 Human review requirement

All AI Outputs must be reviewed, validated, and approved by a qualified human analyst before inclusion in any client-facing deliverable, security assurance statement, or regulatory submission. The Customer accepts full responsibility for any AI Output that is relied upon in a deliverable without appropriate human review.

7.3 Accuracy disclaimer

AI Outputs may contain inaccuracies, omissions, or errors. Regulatory consequence narratives and breach cost projections generated by the Platform are indicative only, based on published regulatory frameworks and industry benchmarks. They do not constitute legal or financial advice. Actual regulatory outcomes will depend on specific facts, jurisdiction, and regulatory discretion.

7.4 No warranty on AI Outputs

We make no warranty that AI Outputs will be error-free, complete, or suitable for any particular purpose. The Customer assumes full responsibility for the use of AI Outputs in any report, deliverable, or communication.

8. Intellectual Property

8.1 Platform IP

All Intellectual Property Rights in the Platform, its underlying technology, algorithms, templates, and Documentation are owned by or licensed to Noctara Security Ltd. Nothing in this Agreement transfers any such rights to the Customer.

8.2 Customer report IP

Intellectual Property Rights in reports generated by the Customer using the Platform, including reports incorporating AI Outputs that have been reviewed and approved by the Customer's analysts, vest in the Customer. The Customer is solely responsible for the content of such reports.

8.3 Feedback

If the Customer provides feedback, suggestions, or ideas relating to the Platform, the Customer grants Noctara Security Ltd a perpetual, royalty-free, irrevocable licence to use that feedback without restriction or compensation.

9. Confidentiality

9.1 Obligations

Each party will keep the other party's Confidential Information strictly confidential and will not disclose it to any third party without prior written consent, except as permitted by clause 9.2.

9.2 Permitted disclosures

Either party may disclose Confidential Information to its employees, contractors, and professional advisers who need it for the purposes of this Agreement and who are subject to equivalent confidentiality obligations. Either party may also disclose Confidential Information to the extent required by law, regulation, or court order, provided it gives the other party prompt written notice where permitted and reasonable assistance in seeking a protective order.

9.3 Duration

Confidentiality obligations survive termination of this Agreement for five years, except in relation to trade secrets which remain confidential indefinitely.

10. Term and Termination

10.1 Term

This Agreement commences on the date the Customer accepts it and continues for the initial Subscription Period specified in the Order Form. It then renews automatically for successive equivalent periods unless terminated in accordance with this clause.

10.2 Termination for convenience

Either party may terminate this Agreement by giving not less than 30 days' written notice to take effect at the end of the then-current Subscription Period. Monthly subscribers may cancel at any time with 30 days' notice. Annual subscribers may cancel before the end of the current annual term but no refund will be given for any unused portion of the prepaid term.

10.3 Termination for cause

Either party may terminate this Agreement with immediate effect on written notice if:

• the other party commits a material breach and fails to remedy it within 14 days of written notice requiring it to do so, where the breach is capable of remedy;
• the other party becomes insolvent, enters administration, liquidation, or any analogous insolvency process;
• the other party ceases or threatens to cease to carry on business.

We may additionally suspend or terminate access immediately if the Customer breaches clause 5 or if continued provision of the Services would expose Us to material legal or regulatory risk.

10.4 Consequences of termination

On termination or expiry of this Agreement:

• all access rights granted under this Agreement cease immediately;
• any Fees accrued and unpaid become due and payable immediately;
• clause 6.7 applies to the retention and deletion of Customer Data;
• clauses 8, 9, 11, 12, 13, and 14 survive termination indefinitely or for the period stated in those clauses.

11. Warranties

11.1 Our warranties

Noctara Security Ltd warrants that:

• it has the right to enter into this Agreement and to grant the access rights set out herein;
• it will provide the Services with reasonable care and skill;
• it will use reasonable endeavours to make the Platform available 24 hours a day, 7 days a week, subject to planned maintenance windows and events outside Our reasonable control.

11.2 Customer warranties

The Customer warrants that:

• it has authority to enter into this Agreement and to bind the entity on whose behalf it acts;
• it holds all necessary authorisations for each security testing engagement conducted using the Platform;
• its use of the Platform and all Customer Data will comply with applicable laws.

11.3 Disclaimer

Except as expressly set out in this Agreement, the Platform and Services are provided "as is" and "as available". To the fullest extent permitted by law, Noctara Security Ltd excludes all implied warranties, conditions, and representations, including any implied warranty of merchantability, fitness for a particular purpose, or non-infringement.

12. Limitation of Liability

12.1 Exclusion of certain losses

To the fullest extent permitted by law, neither party will be liable to the other for any loss of profits, revenue, business or contracts, anticipated savings, data, goodwill, or any indirect, consequential, or special losses, whether or not advised of the possibility of such losses.

12.2 Aggregate cap

Subject to clause 12.3, Our total aggregate liability to the Customer under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, will not exceed the total Fees paid by the Customer in the 12 months immediately preceding the event giving rise to the claim.

12.3 Uncapped liability

Nothing in this Agreement limits or excludes either party's liability for:

• death or personal injury caused by negligence;
• fraud or fraudulent misrepresentation;
• any liability that cannot be excluded or limited by applicable law.

12.4 Basis of the bargain

The Customer acknowledges that the limitations in this clause reflect a reasonable allocation of risk and form an essential element of the Agreement between the parties.

13. Data Protection

Each party will comply with its obligations under UK GDPR, the Data Protection Act 2018, and any successor or replacement legislation. To the extent that Noctara Security Ltd processes personal data on behalf of the Customer as a data processor, the terms of the Data Processing Agreement apply and are incorporated into this Agreement. In the event of any conflict between this Agreement and the Data Processing Agreement in relation to the processing of personal data, the Data Processing Agreement prevails.

14. General

14.1 Entire agreement

This Agreement constitutes the entire agreement between the parties relating to its subject matter and supersedes all prior representations, agreements, and understandings, whether oral or written, relating to that subject matter.

14.2 Variation

We may update these Terms from time to time. Where a change is material, We will give the Customer not less than 30 days' notice by email to the Customer's registered account address. Continued use of the Platform after the effective date of any update constitutes acceptance of the revised Terms. If the Customer does not accept the revised Terms it may terminate this Agreement before the update takes effect.

14.3 Waiver

A failure or delay by either party to exercise any right or remedy under this Agreement does not constitute a waiver of that right or remedy.

14.4 Severability

If any provision of this Agreement is found to be invalid, illegal, or unenforceable, it will be severed. The remaining provisions will continue in full force and effect.

14.5 Assignment

The Customer may not assign or transfer any rights or obligations under this Agreement without Our prior written consent. We may assign this Agreement to any group company or in connection with a merger, acquisition, or sale of all or substantially all of Our assets, on written notice to the Customer.

14.6 Force majeure

Neither party will be in breach of this Agreement or liable for delay in performing its obligations to the extent such delay is caused by events beyond its reasonable control, provided it promptly notifies the other party and uses reasonable endeavours to mitigate the impact.

14.7 Notices

Written notices under this Agreement to Noctara Security Ltd must be sent to info@noctara.tech. Notices to the Customer will be sent to the email address registered on the account. Email notice is effective on the next Business Day after sending.

14.8 Third-party rights

This Agreement does not confer any rights on any third party under the Contracts (Rights of Third Parties) Act 1999.

14.9 Governing law and jurisdiction

This Agreement is governed by the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales for the resolution of any dispute arising out of or in connection with this Agreement.

Contact

Noctara Security Ltd

Company No. 17122134

www.noctara.tech

info@noctara.tech

For data protection queries: info@noctara.tech