Terms of Service
Last updated: March 9, 2026
1. Parties and Acceptance
This agreement is entered into between Yellowhak OÜ, a private limited company incorporated in Estonia, registered at Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415 ("Yellowhak", "we", or "the Provider"), and the natural or legal person that engages our cybersecurity consulting services ("the Client" or "you"). By signing a Statement of Work (SOW), submitting an assessment request, or engaging our services in any form, the Client acknowledges having read, understood, and accepted these Terms of Service in full.
2. Definitions
- "Services": Cybersecurity consulting, offensive security testing (Red Teaming, penetration testing, AI security audits), secure software development, and related advisory services provided by Yellowhak OÜ.
- "Client": Natural or legal person that contracts the Services.
- "Engagement": A specific project or assessment conducted under a signed Statement of Work (SOW).
- "Deliverables": Reports, findings, recommendations, and any other work product generated during an Engagement.
- "Confidential Information": Any non-public information disclosed by either party during an Engagement, including vulnerabilities, network architectures, credentials, and proprietary methodologies.
3. Description of Services
Yellowhak OÜ provides offensive cybersecurity consulting services including but not limited to: AI Red Teaming and adversarial testing of LLM/RAG systems, Advanced Persistent Threat (APT) emulation, network and infrastructure penetration testing, web and mobile application security assessments, and secure software development and architecture review. All Engagements are governed by a signed Statement of Work (SOW) that defines scope, timeline, methodology, and rules of engagement. Yellowhak OÜ reserves the right to update its methodologies and tools to reflect current threat landscapes.
4. Authorization and Scope
The Client warrants that it has full legal authority to authorize Yellowhak OÜ to perform all activities defined in the SOW. Testing will be conducted exclusively within the authorized scope. Any activities outside the defined scope require prior written authorization. Yellowhak OÜ shall not be liable for any disruptions, data loss, or service interruptions that may occur during authorized testing activities, provided such activities were performed within the agreed scope and in accordance with industry best practices.
5. Acceptable Use
5.1 Client Obligations
The Client shall provide timely and accurate information necessary for the Engagement, including network access, credentials, and scope documentation. The Client shall designate a primary point of contact with authority to make decisions regarding the Engagement scope and escalation procedures.
5.2 Prohibitions
- Using Yellowhak OÜ's Deliverables for any illegal, fraudulent, or unauthorized purpose.
- Distributing vulnerability findings or reports to third parties without prior written authorization.
- Reverse-engineering, decompiling, or attempting to extract the proprietary methodologies, tools, or algorithms used by Yellowhak OÜ.
- Requesting Yellowhak OÜ to perform activities targeting systems for which the Client does not have authorization.
- Using engagement findings to harass, extort, or intimidate any third party.
6. Intellectual Property
6.1 Yellowhak OÜ IP
All proprietary tools, methodologies, frameworks, scripts, and techniques used by Yellowhak OÜ remain the exclusive intellectual property of Yellowhak OÜ. The Client receives no license to these assets unless explicitly stated in the SOW.
6.2 Client Deliverables
Upon full payment, the Client receives a non-exclusive, non-transferable license to use the Deliverables internally for remediation and compliance purposes. The Client may share relevant findings with their remediation teams and auditors.
6.3 Case Studies
Yellowhak OÜ may reference the Engagement in anonymized case studies or marketing materials, provided no Confidential Information is disclosed. The Client may opt out of this use by written notice.
7. Confidentiality
Both parties commit to maintaining the confidentiality of all Confidential Information received during the Engagement. Neither party shall disclose Confidential Information to third parties without prior written consent. This obligation survives for 5 years after the Engagement ends. Confidential Information does not include information that is publicly available, already known to the receiving party, or must be disclosed by legal mandate.
8. Payments and Invoicing
Fees are defined in the SOW. Invoices are issued according to the milestones or schedule defined therein. Payment is due within 30 days of invoice date unless otherwise agreed. Late payments accrue interest at 1.5% per month. All prices are exclusive of applicable taxes (VAT/IGV).
9. Warranties and Limitations
Yellowhak OÜ warrants that Services will be performed with professional skill and care consistent with industry standards. However, Yellowhak OÜ does not guarantee the discovery of all vulnerabilities, nor that systems will be immune to attack after remediation. Security testing provides a point-in-time assessment and does not constitute an ongoing warranty of security.
10. Limitation of Liability
In no event shall Yellowhak OÜ be liable for indirect, incidental, special, consequential, or punitive damages, including loss of profits, data loss, business interruption, or other intangible losses. Yellowhak OÜ's total aggregate liability to the Client shall not exceed the total amount paid by the Client for the specific Engagement giving rise to the claim, or EUR 5,000, whichever is greater.
11. Termination
11.1 Cancellation by the Client
The Client may cancel an Engagement with 15 days' written notice. Fees for work already performed and non-cancellable expenses shall remain due.
11.2 Termination by Yellowhak OÜ
Yellowhak OÜ may terminate an Engagement immediately if the Client breaches these Terms, provides false authorization, or if continuing the Engagement would pose legal or ethical risks.
12. Indemnification
The Client agrees to defend, indemnify, and hold harmless Yellowhak OÜ and its officers, employees, and agents from any claims, damages, liabilities, costs, or expenses arising from: (i) false or unauthorized scope representations; (ii) the Client's use of Deliverables in violation of these Terms; (iii) third-party claims arising from the Client's systems or data.
13. Governing Law and Arbitration
These Terms are governed by the laws of the Republic of Estonia. Disputes shall first be subject to 30 days of amicable negotiation. If no agreement is reached, disputes will be resolved by binding arbitration before the Tallinn Chamber of Commerce Arbitration Centre, in English. Yellowhak OÜ reserves the right to seek injunctive relief or protect intellectual property rights in competent courts. EU consumers may also use the European Commission's online dispute resolution platform at https://ec.europa.eu/consumers/odr.
14. Contact
For any inquiries regarding these Terms of Service:
- Email: legal@yellowhak.com
- Entity: Yellowhak OÜ
- Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia.