Terms of Service

Last updated: May 18, 2026

1. Identity of the Provider

These Terms of Service ("Terms") govern access to and use of the website zerohunt.ai, the Zero Hunt appliance (hardware + software), and any associated services (collectively, the "Platform"), provided by Over Holding Srl, with registered office at Viale Tricesimo n.200, 33100 Udine, Italy, VAT IT02945890305 ("Zero Hunt", "we", "us", "our"). The Platform is a regulated cybersecurity product and these Terms apply in addition to the License Agreement signed with each customer.

2. Acceptance of Terms

By accessing the Platform or any part of the Zero Hunt service surface, you agree to be bound by these Terms and by our Privacy Policy and Trust Center. If you do not agree to any part of these Terms, do not access or use the Platform. Continued use after material changes constitutes acceptance.

3. Description of the Platform

Zero Hunt is an autonomous, on-premise AI cybersecurity appliance combining:

  • Generative penetration testing via a multi-agent AI swarm running locally on the appliance GPU;
  • Real-time deep-packet AI traffic analysis on customer-segments selected by the customer;
  • Continuous compliance evidence assembly across 32+ frameworks with cryptographically signed artefacts.

The appliance is deployed on-premise inside the customer's infrastructure. No customer data, telemetry or analytical output leaves the customer perimeter during normal operation. The Platform is intended for authorised cybersecurity testing and detection only, against systems the customer owns or has documented written authorisation to test.

4. License Grant and Restrictions

Subject to the License Agreement and to these Terms, Zero Hunt grants the customer a non-exclusive, non-transferable, non-sublicensable, revocable license to use the Platform within the scope and for the term specified in the License Agreement. The license does NOT permit:

  • Reverse engineering, decompilation, or attempts to derive source code or AI model weights;
  • Removal or modification of the kill-switch, logging, or human-oversight controls required by the EU AI Act;
  • Resale, lease, or provision as a managed service to third parties without an authorised channel agreement (see Partner Program);
  • Use of the Platform outside the scope of engagement, the rules of engagement, or the targets explicitly authorised in writing by the customer-side accountable owner;
  • Use to circumvent, bypass, or defeat the safety controls of any third-party system or service, except as part of an authorised security engagement on systems the customer owns or is contracted to test.

5. Authorized Use, Rules of Engagement, Scope

The Platform performs offensive security operations. Each customer must, before configuring any campaign, establish and maintain:

  • Authorisation register: documented written authorisation for every target system, signed by the accountable owner of that system. Authorisation must predate the first campaign.
  • Rules of Engagement (RoE): defined scope, allowed techniques, time windows, blast-radius caps, escalation contacts, kill-switch policy. RoE must be reviewed before each new campaign category.
  • Scope-of-engagement document: in-scope targets explicitly enumerated; out-of-scope systems explicitly excluded. Wildcard or open-ended scopes are not permitted unless covered by enterprise-wide ownership.
  • Accountable Security Officer: a named individual at the customer side, with authority to authorise, suspend, or revoke campaigns.

Authorised use is limited to: (a) security testing of systems the customer owns; (b) security testing of systems the customer is contracted to test under documented authorisation; (c) defensive monitoring within the customer's authorised perimeter; (d) compliance assessment for the customer's own organisation or its clients.

6. Acceptable Use Policy

The Platform must NEVER be used for, or in connection with:

  • Unauthorised access, attack, disruption, surveillance, or data extraction of any system not within the customer's authorised perimeter;
  • Critical infrastructure (energy, water, transport, healthcare, financial market infrastructure) not owned by the customer or not under explicit written authorisation;
  • Generation, distribution, or testing of malware, ransomware, or destructive payloads outside the Platform's sandboxed execution environment;
  • Targeted activity against natural persons (cyber-stalking, harassment, surveillance, dox'ing) — the Platform is for system-level security, not for human targeting;
  • Activity that violates EU Regulation 2021/821 on dual-use items, US ITAR/EAR, or sanctions regimes (EU, OFAC, UK OFSI, UN Security Council);
  • Activity in or directed at sanctioned jurisdictions or sanctioned entities;
  • Misrepresentation of Platform output as a third-party attestation, certification, or assurance — Zero Hunt output is the customer's own internal evidence and must be presented as such;
  • Circumvention or modification of the kill-switch, audit logging, or AI Act human-oversight controls;
  • Any activity that violates applicable law, including without limitation the Italian Codice Penale articles 615-ter (unauthorised access), 615-quater (illegal possession of access codes), 617-quater (illegal interception), the UK Computer Misuse Act 1990, the US Computer Fraud and Abuse Act, or equivalent national legislation.

7. Customer Responsibilities and Warranties

The customer represents and warrants, on an ongoing basis, that:

  • It has full authority to use the Platform against every target it configures;
  • It has, before any campaign, obtained the written authorisations and RoE required by Section 5;
  • It maintains effective human oversight of all Platform operations, in line with AI Act Art. 14 (see Section 9);
  • It will not enable, encourage, or knowingly permit any prohibited use under Section 6;
  • It will keep the appliance updated within 30 days of release of a security-relevant update notification from Zero Hunt;
  • It will preserve audit logs and signed evidence artefacts for the period required by applicable law (NIS2, DORA, GDPR, sectoral) and not less than 24 months;
  • It will notify Zero Hunt without undue delay, and in any event within 72 hours, of any incident, defect, or suspected compromise of the Platform that may affect other customers or Zero Hunt itself.

8. AI Act — Provider and Deployer Obligations

The Zero Hunt offensive engine is classified as a high-risk AI system under Annex III of Regulation (EU) 2024/1689 (the "AI Act"), being deployed in critical infrastructure security. Both parties have distinct obligations:

  • Zero Hunt as provider (Arts. 9-19): risk management system, technical documentation, logging, transparency, human oversight controls, accuracy/robustness/cybersecurity declarations, quality management system, post-market monitoring. Detailed conformity artefacts are available to customers under NDA via [email protected].
  • Customer as deployer (Art. 26): use the Platform in line with the documented instructions; maintain meaningful human oversight and the kill-switch capability; monitor operation; suspend operation if a serious incident is detected; cooperate with the competent national authority; preserve logs for at least 6 months (longer where sectoral rules apply).

The Platform does NOT engage in prohibited AI practices under Art. 5 of the AI Act (no social scoring, no subliminal manipulation, no exploitation of vulnerabilities of individuals, no untargeted scraping of facial images).

9. Intellectual Property

All intellectual property rights in the Platform — including software, AI model weights, algorithms, the AI Gym backtest corpus, documentation, trademarks, website content, and the Trust Center artefact templates — are owned by Over Holding Srl or its licensors. Nothing in these Terms transfers ownership; the customer receives only the limited license described in Section 4 and the License Agreement.

Findings, evidence files, signed reports, and remediation artefacts generated by the Platform from operations on the customer's own systems are owned by the customer. The customer grants Zero Hunt a limited, non-exclusive licence to access anonymised metadata strictly for post-market AI Act monitoring and security incident response — only with explicit opt-in via the optional sync server, never as a default.

10. Data Protection and Data Processing Agreement

Personal-data processing performed by Zero Hunt as a controller is governed by our Privacy Policy, compliant with Regulation (EU) 2016/679 ("GDPR"). For all subprocessors of the website and sales infrastructure, see Trust Center.

Where the customer's use of the Platform involves processing of personal data on the customer's behalf (e.g. processing endpoint user identifiers as part of internal security testing), Zero Hunt acts as a processor and a Data Processing Agreement under Art. 28 GDPR is signed as part of the License Agreement. The DPA template is available on request to [email protected].

Architectural note: the Platform runs entirely on-premise. By default, no personal data processed by the appliance leaves the customer perimeter. The DPA covers the limited cases (operator-side maintenance access under authorisation, signed update bundles) where this default could be displaced.

11. Confidentiality

Each party undertakes to: (a) keep confidential all non-public information disclosed by the other party in connection with the Platform, including without limitation source code, AI model details, security findings, threat-intelligence, pricing, and roadmap; (b) use such information only for the purposes contemplated by these Terms and the License Agreement; (c) protect such information with at least the same degree of care it uses for its own confidential information of like importance, and no less than a reasonable standard of care.

Confidentiality obligations survive termination for a period of 5 years (or longer where required by law, e.g. for trade secrets). Compelled disclosure under judicial order or by a competent regulator is permitted, with prior notice to the other party where lawful.

12. Export Control, Sanctions, Dual-Use

The Platform may include elements classified as dual-use under EU Regulation 2021/821, including offensive cybersecurity tools that may fall under category 4 (computers) or 5 (telecommunications and information security) of the EU Dual-Use List. The customer:

  • Will not export, re-export, transfer, or use the Platform in or to any jurisdiction subject to EU, US, UK, or UN sanctions;
  • Will not provide the Platform to any sanctioned person, entity, or government, nor to any person on the EU Consolidated Sanctions List, OFAC SDN List, UK OFSI Consolidated List, or equivalent;
  • Will obtain any export authorisation required by EU Reg. 2021/821, US EAR/ITAR, or equivalent national regimes before transferring the Platform across borders;
  • Acknowledges that the Wassenaar Arrangement's intrusion-software controls may apply and will comply with national implementing measures.

Zero Hunt may suspend or terminate the License immediately upon becoming aware of any breach of this Section, with no liability for resulting service interruption.

13. Security and Vulnerability Disclosure

Zero Hunt operates a coordinated vulnerability disclosure program for the Platform and the website. The full policy, contact addresses, and acknowledgement timeline are published at /trust and in the RFC 9116 file at /.well-known/security.txt.

The customer agrees to: (a) report any vulnerability discovered in the Platform to [email protected] within 30 days of discovery; (b) not publicly disclose the vulnerability before the earlier of (i) the agreed remediation window (default 90 days from acknowledgement) or (ii) Zero Hunt's written consent; (c) not exploit the vulnerability beyond what is necessary to demonstrate it.

Researchers acting in good faith within the published disclosure policy are not subject to legal action by Zero Hunt.

14. Audit Rights

For so long as the customer is in active use of the Platform, the customer may, on no less than 30 days written notice and no more than once per twelve-month period (except where a serious incident or regulator order makes more frequent audit reasonable):

  • Request a copy of Zero Hunt's AI Act technical documentation for the version in deployment;
  • Request a copy of the most recent third-party penetration test report on the appliance image (redacted as necessary);
  • Request the SOC 2 report once available, or written confirmation of the current certification status;
  • Receive written answers to a reasonable security questionnaire.

On-site audits and access to non-public source code or production infrastructure require a separate written agreement and are at the discretion of Zero Hunt.

15. Service Levels and Support

Service level commitments — including incident response times, security-patch SLA, and update cadence — are defined in the License Agreement specific to each deployment. Baseline commitments applicable to all customers:

  • Critical security patches: released as soon as reasonably possible after verification, with target maximum of 14 days from confirmed CVSS ≥9.0 vulnerability in the Platform;
  • Vulnerability disclosure acknowledgement: 5 business days from receipt at [email protected];
  • Documentation updates: AI Act and compliance documentation refreshed within 30 days of a material regulatory change.

16. Mutual Indemnification

Customer indemnifies Zero Hunt, its directors, officers, employees and affiliates against any claim, damage, fine, sanction, settlement, or expense (including reasonable legal fees) arising out of or relating to:

  • Use of the Platform outside the scope of authorisation, the RoE, or in breach of Sections 5, 6, or 7;
  • The customer's failure to obtain or maintain the written target authorisations required by Section 5;
  • Misrepresentation of Platform output as a third-party attestation;
  • Breach of export control, sanctions, or dual-use obligations under Section 12;
  • Any third-party claim alleging that the customer's configured campaigns or RoE violated such third party's rights or applicable law.

Zero Hunt indemnifies the customer against any third-party claim alleging that the Platform, as delivered and used within the documented authorised scope, infringes the intellectual property rights of such third party in the EU. Zero Hunt may, at its option, modify the Platform to be non-infringing, procure a license, or refund the unused portion of fees paid for the affected version. This is Zero Hunt's sole indemnification obligation regarding IP infringement.

17. Limitation of Liability

To the maximum extent permitted by applicable law:

  • The Platform is provided "as is" and "as available". Zero Hunt does not warrant that the Platform will identify all vulnerabilities, prevent all attacks, or satisfy all regulatory requirements — security is a continuous practice, not a product property;
  • Zero Hunt is not liable for indirect, incidental, special, consequential, punitive, or exemplary damages — including without limitation lost profits, loss of business, loss of data, or business interruption — even if advised of the possibility;
  • The total aggregate liability of Zero Hunt under or in connection with these Terms and the License Agreement, regardless of the cause of action, shall not exceed the fees paid by the customer to Zero Hunt for the Platform in the 12 months preceding the event giving rise to the claim;
  • Nothing in these Terms limits liability for: wilful misconduct, gross negligence, death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be limited under applicable law.

18. Termination and Data Handling on Termination

Either party may terminate the License Agreement for the other party's material breach, where such breach is not cured within 30 days of written notice. Zero Hunt may suspend or terminate the License immediately for breach of Sections 4, 5, 6, or 12.

On termination: (a) the customer's right to use the Platform ceases; (b) the customer may, for 90 days, continue to access the Trust Center to export historical evidence bundles; (c) the customer remains responsible for retaining its own findings and logs for the period required by applicable law; (d) Zero Hunt does not retain customer telemetry — the on-premise architecture means there is nothing on Zero Hunt's side to delete; (e) Sections 9, 10, 11, 12, 13, 16, 17, 20, and 23 survive termination.

19. Force Majeure

Neither party is liable for failure or delay in performance to the extent caused by events beyond reasonable control, including without limitation acts of war, terrorism, sabotage, pandemic, government action, internet or telecommunications outages, or natural disasters. The affected party will use reasonable efforts to resume performance as soon as practicable and will notify the other party promptly.

20. Governing Law and Jurisdiction

These Terms are governed by and construed in accordance with the laws of Italy, without regard to conflict-of-laws principles. Any dispute arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of Udine, Italy, without prejudice to: (a) the right of either party to seek injunctive or equitable relief in any competent jurisdiction to protect intellectual property or confidential information; (b) the consumer's right (where applicable) to bring proceedings in their place of domicile under Regulation (EU) 1215/2012.

21. Modifications to These Terms

Zero Hunt may modify these Terms from time to time. Material changes will be notified by updating the "Last updated" date at the top of this page and, where appropriate, by direct notice to active customers. Continued use of the Platform after material modifications constitutes acceptance of the updated Terms. The customer may terminate the License Agreement without penalty if it does not agree to a material modification, by written notice within 30 days of the change becoming effective.

22. Severability and Entire Agreement

If any provision of these Terms is found invalid or unenforceable, the remaining provisions remain in full force and effect; the invalid provision shall be replaced by a valid provision that most closely achieves the original intent. These Terms, together with the Privacy Policy, the Trust Center, the License Agreement (where signed), and any Data Processing Agreement, constitute the entire agreement between the parties regarding the Platform and supersede any prior agreements on the same subject.

23. Notices

Legal notices to Zero Hunt must be sent to [email protected] AND by registered mail to the registered office (Over Holding Srl, Viale Tricesimo n.200, 33100 Udine, Italy). Notices regarding security incidents to [email protected]. Notices regarding personal-data processing to [email protected]. Notices are effective on receipt; notices sent during a weekend or public holiday in Italy are effective the next business day.

24. Contact

Over Holding Srl
Viale Tricesimo n.200, 33100 Udine, Italy
VAT IT02945890305
Email: legal(at)zerohunt.ai · security(at)zerohunt.ai · dpo(at)zerohunt.ai