
Acceptable Use Policy

Effective May 14, 2026 · Sodasoft LLC (30 N Gould St, Sheridan, Wyoming 82801, United States)

This Acceptable Use Policy (the “AUP”) is part of the NANOTESTING Terms of Service and applies to every Authorised User of the Service.

1. The authorisation contract

For every Target you submit you represent and warrant that you have one of:

  • Ownership of the system being tested;
  • Explicit written authorisation from the owner that covers the date, scope, and scanner the Service will use;
  • A safe-harbour defence applicable in your jurisdiction, such as a published bug-bounty programme that permits automated security testing, or a written security-research agreement.

You are responsible for retaining the authorisation document and producing it to us on request. We will cooperate with legal process and may suspend your account if we receive a credible abuse report.

2. What we run

The Service is read-only by default. We:

  • fetch HTTP(S) URLs, parse responses, and observe TLS, DNS, headers, cookies, and body content;
  • fire a curated set of safe probes (OPTIONS, HEAD, GET) at well-known paths;
  • run active tools (Nuclei, ZAP baseline, Schemathesis) only on plans that include them and only against Targets the Customer has explicitly verified ownership of;
  • never send DELETE requests, brute-force credentials or paths, or stress-test a Target, under any plan.

3. Targets we never accept

  • Systems you do not own or are not authorised to test.
  • Government, critical-infrastructure, or healthcare systems unless a written engagement letter is on file with legal@nanotesting.com.
  • Private IP ranges (RFC 1918), loopback, link-local, cloud metadata endpoints (169.254.169.254), and similar internal addresses. The worker enforces this server-side: it resolves every Target hostname before opening a connection and refuses the Target if any resolved address falls in one of these ranges.
  • Domains on the U.S. Treasury OFAC sanctions list or any analogous national export-control list.
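The resolve-then-refuse check described in the list above, written out as an added example. This is illustrative code, not NANOTESTING's worker, and it assumes a worker that receives a URL, resolves the hostname itself and blocks the ranges the AUP names plus their IPv6 counterparts and a few other non-routable blocks (the extra ranges, the fixture hostnames and the `FAKE_DNS` table are assumptions constructed for the example):

```python
"""Server-side Target vetting: resolve first, then refuse anything that lands on an internal address.

Added example, not the Service's own code. Assumes the worker vets a URL before any request is sent.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Blocked address space. The AUP names RFC 1918, loopback, link-local and 169.254.169.254; the IPv6
# counterparts and the remaining blocks are added here as sensible defaults (assumption).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local (covers 169.254.169.254)
    "fc00::/7",                                       # IPv6 unique-local (covers fd00:ec2::254)
    "100.64.0.0/10",                                  # RFC 6598 shared address space (CGNAT)
    "0.0.0.0/8", "::/128",                            # "this host" / unspecified
)]


def is_internal(addr: str) -> bool:
    """True if addr sits in a blocked range, after unwrapping IPv4 tunnelled inside IPv6."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 scope id such as %eth0
    if isinstance(ip, ipaddress.IPv6Address):
        # ::ffff:10.0.0.1, 2002:7f00:1:: (6to4) and Teredo all embed an IPv4 address;
        # judge the embedded address by the IPv4 rules so the mapping cannot bypass them.
        embedded = ip.ipv4_mapped or ip.sixtofour or (ip.teredo and ip.teredo[1])
        if embedded is not None:
            return is_internal(str(embedded))
    # Explicit ranges rather than ip.is_private: is_private also flags documentation
    # prefixes such as 203.0.113.0/24, which are not internal addresses.
    return any(ip in net for net in BLOCKED_NETWORKS) or ip.is_multicast or ip.is_reserved


def resolve(host: str) -> list[str]:
    """Live resolver: return every A and AAAA answer, not just the first.

    A name can return a public address followed by a private one; checking only
    the first answer would let the second through."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def vet_target(url: str, resolver: Callable[[str], Iterable[str]] = resolve) -> tuple[bool, str]:
    """Return (accepted, reason). Runs before any connection to the Target is made."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname  # lower-cased; brackets already stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # plain literal, nothing to resolve
    except ValueError:
        # Names, and odd literals such as 0x7f.1 or 2130706433 that the system resolver
        # will happily turn into 127.0.0.1, all go through the resolver so we judge the
        # address it actually produces rather than our own parse of the text.
        try:
            addrs = list(resolver(host))
        except socket.gaierror as exc:
            return False, f"could not resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, f"{host} -> {', '.join(addrs)}"


# Constructed DNS table so the example runs offline. The "0x7f.1" entry mirrors glibc's
# getaddrinfo accepting inet_aton shorthand for 127.0.0.1.
FAKE_DNS = {
    "app.example.com": ["203.0.113.10", "2001:db8::10"],
    "split.example.com": ["203.0.113.20", "10.1.2.3"],  # public answer plus a private one
    "imds.example.com": ["169.254.169.254"],
    "mapped.example.com": ["::ffff:192.168.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
    "0x7f.1": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    """Stand-in for resolve() backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("https://app.example.com/", "https://split.example.com/",
                "http://imds.example.com/latest/meta-data/", "http://[::ffff:10.0.0.1]/",
                "http://0x7f.1/", "http://[fe80::1]/", "ftp://app.example.com/"):
        ok, why = vet_target(url, fake_resolve)
        print("ACCEPT" if ok else "REJECT", url, "-", why)
```

Two caveats a worker built this way still has to handle. First, the resolved set can change between the check and the connect (DNS rebinding), so the worker should connect to exactly the vetted addresses, sending the hostname as the Host header and TLS SNI, rather than letting the HTTP client resolve the name a second time. Second, every redirect hop is a new Target and must go through `vet_target` again before it is followed.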

4. Behaviour we forbid

  • Using the Service to test, attack, or otherwise interact with a system you do not own or are not authorised to test.
  • Attempting to circumvent rate limits, plan quotas, target-verification requirements, or authentication.
  • Submitting findings to your customers, auditors, or end users that misrepresent the Service's output (for example, marketing a Free-plan limited preview as a completed pentest).
  • Reverse-engineering, decompiling, or attempting to extract the Service's proprietary source code or detector rules.
  • Reselling the Service or providing it as a managed service to a third party without our prior written consent (Agency plan customers may resell signed reports to their clients).
  • Using the Service to develop a competing product or to benchmark detectors that you then incorporate into a competitor.
  • Posting illegal, defamatory, infringing, or harmful content to any Service-hosted artefact (target names, finding notes, uploaded specs).

5. Mobile binary uploads

  • The binary must be the property of your organisation. We do not accept reverse-engineered or pirated copies of other parties' apps.
  • Maximum upload size is 50 MiB per binary.
  • We never sign, repackage, or distribute the uploaded binary.

6. Cloud-account credentials

  • Use a dedicated IAM principal with read-only permissions: the AWS-managed SecurityAudit policy, the Azure built-in Reader role, or the GCP roles/iam.securityReviewer role.
  • Rotate the credential on a schedule appropriate for your organisation. The Service handles revocation gracefully, so revoke immediately if you suspect leakage.
  • We do not request, and you must not paste, credentials that carry write permissions.

7. Web3 add-on

  • On-chain probes are read-only (eth_call, eth_getCode, eth_getStorageAt).
  • Etherscan API keys you paste are encrypted at rest. Do not paste a key that also has write or trading permissions on any exchange.
  • The OFAC compliance check uses the public sanctions list and a fresh-wallet probe. We do not, under any circumstances, execute on-chain transactions on a customer's behalf.

8. Reporting abuse

Suspected abuse of the Service should be reported to security@nanotesting.com with as much detail as you can share (target host, approximate timestamps in UTC, source IP if known). We aim to acknowledge within one business day.

9. Enforcement

Violations of this AUP can result in immediate suspension or termination, refund forfeiture per the Refund Policy, and referral to law enforcement. We may share information with the operators of affected Targets when the AUP violation involves unauthorised testing of their systems.