Terms of service.
01 — Parties: Who this is between
These terms form a contract between you (the client, whether an individual or a business) and CD Grayson ("we," "us," "our"). If you're engaging us on behalf of an organization, you represent that you have authority to bind that organization to these terms.
02 — Scope: Services we provide
CD Grayson provides professional services that may include security assessments, penetration testing, managed security and monitoring, data engineering and analytics, and secure hosting and infrastructure as a supporting offering to our security and data work. The specific scope of any engagement — what we'll do, how we'll do it, timeline, and deliverables — is defined in a written statement of work ("SOW") agreed between the parties before work begins.
These terms apply to every engagement; the SOW governs the specific work. If the SOW conflicts with these terms, the SOW controls for that engagement.
03 — Authorization: For security testing
Penetration testing, vulnerability scanning, and offensive security work can be illegal if performed without proper authorization. Before any testing begins, you must sign a written authorization ("rules of engagement") that identifies the systems in scope, the testing windows, permitted techniques, and points of contact. Testing is strictly limited to assets you own or are legally authorized to test. You represent and warrant that you have this authority.
We will not test third-party systems, SaaS platforms, or cloud infrastructure without the written consent of their operators. If your scope includes such systems, obtaining that consent is your responsibility.
04 — Obligations: What we need from you
To do our work, we depend on your cooperation. You agree to:
- Provide accurate information about your systems, data, and environment
- Grant access as reasonably required to perform the work
- Designate a point of contact available to respond to questions and approvals
- Back up your own data and systems before we begin any engagement that could affect them
- Notify us promptly of any concerns about our work or conduct
05 — Fees: Payment and billing
Project engagements are billed according to the SOW — typically a fixed fee, a deposit at engagement start, and milestone payments tied to deliverables. Invoices are due within 15 days of receipt unless otherwise stated in the SOW.
Retainer engagements (managed security, ongoing monitoring, secure hosting) are billed monthly in advance. The first month is due at engagement start.
Expenses. Reasonable out-of-pocket expenses required for the engagement — travel, specialized tools, cloud services used on your behalf — are billed at cost and approved in advance where material.
Late payment. Invoices more than 30 days past due accrue interest at 1.5% per month, and we may suspend services until outstanding balances are paid.
06 — Confidentiality: Mutual obligations
Each party may receive confidential information from the other — business plans, technical details, security findings, customer data, and more. Each party agrees to protect the other's confidential information with at least the same care it uses for its own, and to use it only for the purposes of the engagement.
We will not disclose your confidential information to third parties except as required to perform the engagement (and then only to people bound by confidentiality obligations), or as required by law. Security findings, vulnerability details, and similar materials are particularly sensitive and will be handled accordingly.
Confidentiality obligations survive termination for five years, or indefinitely for information that qualifies as a trade secret.
07 — Intellectual property: Who owns what
Your materials. You retain all rights to your data, systems, code, and materials. You grant us a limited license to access and use them solely to perform the engagement.
Our materials. We retain all rights to our methodologies, templates, tools, and general know-how. Nothing in an engagement transfers those to you.
Deliverables. Unless a SOW says otherwise, reports, documentation, and custom deliverables produced for you become your property once paid for in full. We retain a non-exclusive right to use anonymized learnings and improvements to our methodologies.
08 — Data handling: How we treat client data
We treat client data with the care its sensitivity requires. Data we collect or access during an engagement is used only for the engagement, stored on systems configured for the purpose, and deleted or returned at the end of the engagement unless retention is required by law or agreed in writing.
If an engagement involves processing personal data subject to specific regulations (HIPAA protected health information, PCI cardholder data, GDPR personal data), the SOW will address the additional obligations that apply — including, where required, a business associate agreement, data processing agreement, or equivalent.
09 — Hosting: Infrastructure services
Where an engagement includes secure hosting or managed infrastructure, additional terms apply. You remain responsible for the content you host and for maintaining your own backups of any data that matters to you. We configure systems for reasonable security, maintain patches and monitoring, and will notify you of incidents we detect, but no system is perfectly secure and we don't warrant availability beyond what is explicitly agreed.
Your use of hosting services is governed by our Acceptable Use Policy.
10 — Availability: Service uptime
For retainer and hosting engagements, we work to keep services available but we don't guarantee uninterrupted operation unless a specific service-level agreement is part of your SOW. Scheduled maintenance, third-party outages, and unexpected incidents can affect availability.
11 — Disclaimers: What we can't promise
Security work is inherently probabilistic. An assessment or penetration test identifies issues we find within the agreed scope and time; it does not guarantee that all issues have been found. A clean report doesn't mean your systems are invulnerable. Data engineering work depends on the quality of the underlying data, which we may not control.
To the maximum extent permitted by law, our services are provided "as is" and we disclaim all warranties, express or implied, including merchantability, fitness for a particular purpose, and non-infringement.
12 — Liability: Limitations
To the maximum extent permitted by law, our total aggregate liability to you for any claim arising out of or related to an engagement is limited to the fees you paid us in the twelve months preceding the event giving rise to the claim.
We will not be liable for indirect, incidental, special, consequential, or punitive damages — including lost profits, lost data, loss of business, or reputational harm — even if advised of the possibility.
These limitations do not apply to (a) our obligations of confidentiality, (b) gross negligence or willful misconduct, or (c) liability that cannot be excluded under applicable law.
13 — Indemnification: Mutual protections
You agree to indemnify and hold us harmless from claims, damages, and expenses (including reasonable attorney's fees) arising from (a) your breach of these terms or a SOW, (b) your operation of your business, systems, or services, (c) your violation of any law or third-party right, or (d) any representation that you had authorization to have systems tested when in fact you did not.
We will indemnify and hold you harmless from third-party claims alleging that our deliverables, as delivered, infringe their intellectual property rights — subject to the liability cap in Section 12.
14 — Termination: Ending engagements
For convenience. Either party may terminate a retainer engagement at the end of any monthly billing cycle by giving at least 30 days' written notice. Project engagements may be terminated as specified in the SOW.
For cause. Either party may terminate immediately for material breach that isn't cured within 15 days of written notice (or shorter if the breach is incurable or creates urgent risk).
Effect. On termination, you pay for work performed through the termination date, and we'll return or delete your data according to the engagement's terms. Sections that by their nature should survive — confidentiality, payment obligations, liability limits, governing law — do survive.
15 — Governing law: Jurisdiction
These terms are governed by the laws of the State of Texas, without regard to conflict-of-laws principles. Disputes will be resolved in the state or federal courts located in Texas, and both parties consent to that jurisdiction.
16 — Miscellaneous: Final provisions
Entire agreement. These terms, together with any SOW and our Privacy Policy and Acceptable Use Policy, constitute the entire agreement between the parties regarding the services.
Amendments. Changes to these terms or an SOW must be in writing and signed by both parties.
Severability. If any part is held unenforceable, the rest remains in effect.
Assignment. Neither party may assign these terms without the other's written consent, except in connection with a merger, acquisition, or sale of substantially all assets.
Notices. Notices under these terms should be in writing to hello@cdgrayson.net.