Terms & Conditions

Last Updated: April 7, 2026

1. Acceptance of Terms

By accessing or using the Phantava platform ("Service"), operated by Phantava ("Company," "we," "us"), you agree to be bound by these Terms & Conditions. If you do not agree, do not use the Service.

2. Description of Service

Phantava is an AI-powered offensive security operations platform that provides automated and semi-automated penetration testing, vulnerability assessment, reconnaissance, and security reporting capabilities. The Service integrates with third-party tools via the Model Context Protocol (MCP) and large language models (LLMs) to execute security testing workflows.

Phantava's core service, Assessments, operates autonomously using AI agents with no human intervention during execution. Once an Assessment is initiated, the AI will independently plan, execute, and adapt its testing activities within the defined scope. Phantava also provides a Terminal environment in which users may interact with AI-assisted workflows directly. These two modes of operation carry different risk profiles, and you acknowledge that you understand the distinction between them before use.

Phantava's capabilities include, but are not limited to:

  • Web application penetration testing (OWASP-class vulnerability identification, authentication testing, injection attacks, business logic analysis)
  • Network reconnaissance and enumeration
  • API security assessment and fuzzing
  • Vulnerability chaining and exploit path analysis
  • AI-generated reporting and remediation guidance

The specific LLM providers and MCP integrations utilized by the Service are disclosed in our Privacy Policy, which is updated as those integrations change.

3. Authorized Use Only

You represent and warrant that you have explicit, written authorization from the owner of any target system, network, or application before initiating any security assessment using the Service. Unauthorized access to computer systems is a violation of federal and state law, including but not limited to the Computer Fraud and Abuse Act (18 U.S.C. § 1030).

Because Phantava's Assessments operate autonomously without human intervention, scope definition is your sole responsibility. Before initiating any Assessment, you must define a precise scope including all authorized IP ranges, domains, subdomains, URLs, and asset identifiers. You acknowledge that the AI agent will act independently within that defined scope, and that any scope definition errors — including overly broad or incorrect target definitions — are entirely your responsibility.

You agree to:

  • Only test systems you own or have written permission to test
  • Maintain written proof of authorization for all assessments at all times
  • Define precise, accurate scope boundaries before initiating any Assessment
  • Comply with all applicable laws, regulations, and industry standards
  • Comply with the penetration testing policies of any relevant cloud service providers (including but not limited to AWS, Microsoft Azure, and Google Cloud Platform), which govern permitted testing activities independently of these Terms
  • Respect scope boundaries defined in your engagement agreements
  • Immediately cease testing — including terminating any active Assessment — if authorization is revoked

Phantava does not independently verify that you hold authorization for any target system. The responsibility for ensuring lawful and authorized use rests entirely with you.

4. Acceptable Use Policy

You may NOT use the Service to:

  • Attack, probe, or scan systems without proper authorization
  • Conduct denial-of-service attacks or intentionally disrupt services
  • Exfiltrate, steal, or destroy data belonging to unauthorized parties
  • Distribute malware, ransomware, or other malicious payloads
  • Engage in any activity that violates applicable law
  • Circumvent or disable the Service's scope enforcement mechanisms
  • Share credentials or assessment data with unauthorized individuals
  • Use the Service for competitive intelligence or corporate espionage
  • Target critical infrastructure, including power grids, water systems, financial systems, or healthcare systems, without explicit regulatory authorization
  • Initiate Assessments against shared hosting environments or multi-tenant infrastructure where testing activity could impact other tenants

We reserve the right to suspend or terminate your account immediately if we reasonably believe you are violating this policy.

5. Autonomous AI Operations

Phantava's Assessment feature operates through AI agents that act independently — without human oversight or intervention during execution. By initiating an Assessment, you acknowledge and accept the following:

Unpredictability of AI behavior. AI agents may take actions that are unexpected, non-linear, or not explicitly anticipated by the user. The AI adapts its approach based on discovered information and may pursue attack paths that were not specifically requested. This is inherent to autonomous AI-driven security testing.

No real-time human review. Unlike traditional penetration testing, Phantava Assessments are not supervised by a human operator in real time. You are solely responsible for monitoring active Assessments and for terminating them if circumstances change.

Potential for unintended impact. Autonomous security testing carries an inherent risk of causing unintended disruption to target systems, including service degradation, data modification, account lockouts, or triggering of security controls. You acknowledge and accept this risk as a condition of using the Assessment feature.

Prompt injection risk. Because Phantava's AI agents process content returned from target systems (including web pages, API responses, file contents, and error messages), those systems may contain adversarial content designed to manipulate AI behavior — a class of attack known as prompt injection. Phantava does not guarantee that its AI agents are immune to prompt injection attacks, and is not liable for any actions taken by the AI as a result of adversarially crafted target content.

Terminal use. The Terminal environment allows human-in-the-loop interaction with AI-assisted workflows. Users operating in the Terminal retain greater direct control but remain subject to all Terms herein. Terminal use does not reduce your responsibility for scope definition, authorization, or compliance.

Your responsibility to stop. You may terminate an active Assessment at any time through the Service interface. If you are unable to stop an Assessment and believe it is causing harm, you must contact Phantava immediately at legal@phantava.com. Phantava reserves the right to terminate any Assessment at its discretion.

6. Account Registration & Teams

You must provide accurate information when creating an account. You are responsible for maintaining the confidentiality of your credentials and for all activity under your account. Team administrators are responsible for managing team member access and permissions, including who is authorized to initiate Assessments on behalf of the team.

7. Subscription & Payment

Certain features require a paid subscription. Billing is handled through our payment processor. Subscriptions auto-renew unless cancelled before the next billing period. Refunds are handled on a case-by-case basis. Free-tier and alpha access may be subject to usage limits and feature restrictions.

8. Data Handling & Security

We take the security of your data seriously. Assessment data, credentials, findings, and reports are stored in encrypted databases. However:

  • You are responsible for the sensitivity of data you input into the Service
  • Do not store production credentials unnecessarily — use test accounts where possible
  • Assessment data is retained according to your team's settings and subscription tier
  • AI-generated outputs (findings, reports) may be processed by third-party LLM providers as configured by your team

Evidence artifacts. Assessments may generate evidence artifacts including screenshots, payloads, raw HTTP request/response data, and captured traffic. These artifacts are stored encrypted and associated with your account. You are responsible for handling, storing, and disposing of these artifacts in accordance with your engagement agreements and applicable law. Phantava retains evidence artifacts for a period defined by your subscription tier, after which they are permanently deleted.

AI training. Phantava does not use your assessment data, findings, custom prompts, or uploaded documents to train AI models without your explicit opt-in consent. Default LLM provider integrations are governed by those providers' own data usage policies, which are disclosed in our Privacy Policy. Where available, zero-retention API configurations are used.

Breach notification. In the event of a confirmed data breach affecting your assessment data, Phantava will notify affected account holders within 72 hours of confirming the breach, in accordance with applicable law.

Third-party LLM processing. AI-generated outputs (findings, reports) may be processed by third-party LLM providers as configured by your team. See our Privacy Policy for details.

We do not sell your data to third parties.

9. Intellectual Property

Your content: You retain ownership of assessment configurations, custom prompts, uploaded documents, and assessment findings generated through your use of the Service.

Our content: The Service, including its software, UI, documentation, default prompts, AI agent logic, and underlying models, is the intellectual property of Phantava and is protected by copyright and other intellectual property laws.

10. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. We do not guarantee that:

  • The Service will identify all vulnerabilities in a target system
  • AI-generated findings are free from false positives or false negatives
  • The Service will be uninterrupted, error-free, or secure
  • Assessment results meet any specific compliance or regulatory standard
  • The autonomous AI agent will behave in a fully predictable or reproducible manner across assessments

Penetration testing inherently carries risk. You acknowledge that security testing — particularly autonomous AI-driven testing — may cause unintended disruptions to target systems, and you accept that risk.

11. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, PHANTAVA SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO: loss of data, system downtime, business interruption, service disruption caused by autonomous AI actions, damages arising from prompt injection attacks on the AI agent, or damages arising from your use of the Service to test systems. Our total liability shall not exceed the amount you paid for the Service in the 12 months preceding the claim.

12. Indemnification

You agree to indemnify, defend, and hold harmless Phantava, its officers, employees, and agents from any claims, damages, losses, or expenses (including legal fees) arising from:

  • Your use of the Service
  • Your violation of these Terms
  • Your unauthorized testing of third-party systems
  • Any claim by a third party related to your security assessments
  • Actions taken by Phantava's AI agents within a scope you defined or authorized
  • Your failure to comply with the penetration testing policies of cloud service providers

13. Termination

We may suspend or terminate your access at any time, with or without cause, including for violation of these Terms. Phantava reserves the right to immediately terminate any active Assessment if it determines, at its sole discretion, that the Assessment poses a risk of harm. Upon termination, your right to use the Service ceases immediately. You may export your data prior to termination where technically feasible.

14. Modifications

We may update these Terms at any time. Material changes will be communicated via email or in-app notification. Continued use after changes constitutes acceptance of the updated Terms.

15. Governing Law

These Terms are governed by the laws of the Commonwealth of Massachusetts, USA, without regard to conflict of law principles. Any disputes shall be resolved in the courts of Massachusetts.

16. Limitations of AI Security Testing

Customer acknowledges that all security testing performed through Phantava constitutes a point-in-time assessment of the target systems as configured at the time of testing. Phantava does not warrant or guarantee that any scan, assessment, or report will identify all vulnerabilities, misconfigurations, or security flaws present in the target environment, nor that results will be free from false positives, false negatives, errors, or omissions. Remediation guidance provided by Phantava is informational only and does not constitute a warranty, certification, or assurance of security.

Customer acknowledges that Phantava's outputs are generated by artificial intelligence and machine learning models, which may produce findings that are probabilistic in nature, non-deterministic, not fully explainable, or not reproducible across repeated assessments. Phantava expressly disclaims any liability arising from Customer's reliance on such outputs without independent verification.

Because Phantava's AI agents actively process content retrieved from target systems during autonomous Assessments, those systems may contain adversarial content designed to manipulate, redirect, or subvert AI behavior (prompt injection). Phantava makes no representation that its AI agents are fully resistant to such attacks and expressly disclaims liability for any assessment actions, outputs, or behaviors that result from the AI processing adversarially crafted content within a target environment.

17. Responsible Disclosure & Bug Bounty Use

Phantava may be used in the context of responsible disclosure programs or bug bounty engagements operated by third-party organizations ("Bug Bounty Programs"). If you are using Phantava within a Bug Bounty Program:

  • You are solely responsible for understanding and complying with the scope, rules, and restrictions of that Bug Bounty Program
  • Phantava does not enforce Bug Bounty Program-specific rules and is not responsible for any violations thereof
  • Findings generated by Phantava's AI agents do not constitute official vulnerability reports; you are responsible for reviewing, validating, and formatting any submission in accordance with the Bug Bounty Program's requirements
  • Automated or high-volume scanning may be explicitly prohibited by the Bug Bounty Program regardless of the tools used; you must confirm that autonomous AI-driven testing is permitted before initiating an Assessment in this context
  • Phantava is not responsible for any disqualification, legal action, or other consequence arising from your use of the Service within a Bug Bounty Program

18. Third-Party Tool Integrations

The Service integrates with third-party tools and services via the Model Context Protocol (MCP) and other integration mechanisms. With respect to such integrations:

  • Phantava is not responsible for the functionality, availability, accuracy, or security of any third-party tool or service invoked during an Assessment or Terminal session
  • Third-party tools operate under their own terms of service and data handling practices, which you are independently responsible for reviewing and complying with
  • Phantava does not warrant that third-party integrations will perform correctly, remain available, or produce accurate results
  • Data passed to or from third-party tools during an Assessment — including target-derived content, credentials, and findings — may be subject to those tools' own data retention and processing policies
  • The inclusion of a third-party tool in the Service does not constitute Phantava's endorsement of that tool or any warranty regarding its behavior

Phantava reserves the right to add, remove, or modify third-party integrations at any time. Material changes to integrations that affect data handling will be communicated via our Privacy Policy.

19. Contact

For questions about these Terms, contact us at legal@phantava.com.