Legal & Trust

Everything in one place — how we handle your data, what we promise contractually, and what we won't do. Written to be read, not just lawyered.

Last updated: May 2026

// ENGAGEMENT TERMS
Last revised May 2026

// IN PLAIN ENGLISH

Every paid engagement starts with a signed NDA and a scoped statement of work. We don't retain your data beyond what's needed to deliver the report. If we find something critical during an engagement, you hear about it within 24 hours.

// NDA-FIRST

No scoping calls, system access, or exchange of sensitive information takes place before a mutual NDA is signed. The NDA covers both the existence and the content of the engagement. This applies to all engagement types — red-team, advisory, and retainer.

// SCOPE & AUTHORISATION

All testing is conducted strictly within the written scope of work. We do not test systems, endpoints, or environments that are not explicitly listed in the scope. Any request to expand scope during an engagement requires a written amendment before work proceeds.

// DATA HANDLING
  • Access credentials and system access are revoked immediately upon engagement completion.
  • No client data, production data, or PII is retained beyond what is strictly necessary to produce the agreed deliverable.
  • Deliverables are transmitted via encrypted channels and deleted from our infrastructure after confirmed client receipt.
  • We do not use client data for any purpose beyond the agreed engagement scope.
  • Subcontractors, if used, are bound by the same data handling terms and signed to the same NDA.

The underlying data-protection framework — how we handle all personal data across the site — is documented in our Privacy Policy.

// CRITICAL FINDINGS

If we discover a critical vulnerability during an engagement — one that poses immediate risk — we communicate it to the designated client contact within 24 hours of discovery, out-of-band from the final report. We do not sit on critical findings until report delivery.

// SANITIZATION FOR RESEARCH

We occasionally publish sanitized case studies drawn from real engagements. Before any engagement finding is considered for publication, we strip all client identifiers, modify non-essential technical details, and obtain written consent. No finding is ever published without explicit client approval.

// DELIVERABLES & IP

All deliverables produced under an engagement belong to the client upon full payment. LogicLeak retains the right to use generic, non-client-identifiable methodologies and techniques developed during the engagement for future work.

// LIMITATION OF LIABILITY

LogicLeak's liability is limited to the fees paid for the engagement in question. We accept no liability for issues arising from testing conducted outside the agreed scope, nor for pre-existing vulnerabilities unrelated to the engagement. Security testing inherently carries risk — the scope agreement documents agreed risk boundaries.

// DISCLOSURE POLICY
Last revised Apr 2026

// IN PLAIN ENGLISH

When we discover vulnerabilities outside an engagement scope — or in third-party systems — we follow a coordinated disclosure process. Default window is 120 days. Reach us at security@logicleak.io.

// COORDINATED DISCLOSURE

LogicLeak follows responsible coordinated disclosure for vulnerabilities discovered outside of client engagement scope. We notify the affected vendor or operator privately before any public disclosure, giving them reasonable time to investigate and remediate.

// DISCLOSURE TIMELINE
  • Day 0 — Private notification sent to vendor via security contact or responsible disclosure channel.
  • Day 1–30 — Acknowledgement and triage expected from vendor.
  • Day 30–120 — Remediation window. We work with vendors on timeline if complexity requires it.
  • Day 120 — Default public disclosure regardless of patch status, with advance warning to vendor.
  • Extensions are granted case-by-case for complex systemic issues. We do not grant indefinite embargoes.

// WHAT WE PUBLISH

Public disclosures include: affected system class, technical description, reproduction conditions, and remediation guidance. We do not publish vendor names without consent unless the vendor has been unresponsive beyond the disclosure window.

// REPORTING TO LOGICLEAK

To report a vulnerability in LogicLeak's own systems, email security@logicleak.io. We follow the same timeline above for our own systems — we commit to acknowledgement within 48 hours and remediation within 30 days for critical findings.

// CHANGE LOG
  • MAY 12 2026 (Engagement Terms): Added subcontractor controls and data processing addendum.
  • APR 03 2026 (Disclosure Policy): Extended default coordinated disclosure window to 120 days.
  • JAN 08 2026 (Engagement Terms): Initial publication.

Looking for our Privacy Policy or Terms of Service? Those live on their own dedicated pages.