Free audit terms
Effective from: July 9, 2026
This is an English-language translation of the original Latvian document provided for the convenience of non-Latvian-speaking users. In the event of any discrepancy or inconsistency between this translation and the Latvian-language original, the Latvian version shall prevail and is the sole legally binding version.
1. General Provisions
1.1. These terms govern the procedure under which SIA SAM MARTIN GROUP, registration No. 40203520646, legal address: Matīsa iela 16-2, Rīga, LV-1001, Latvia (hereinafter – EvoEX), performs a free website security audit (hereinafter – the Audit) for Clients who apply for the service on the EvoEX website.
1.2. The Audit is an informational, limited-scope service provided free of charge, the purpose of which is to help the Client identify potential vulnerabilities in a website or application; however, it is not a full-scope penetration test or a certified security audit, nor does it constitute any security guarantee.
1.3. By applying for the free audit on the EvoEX website https://evoex.eu/en/bezmaksas-audits, and by completing and submitting the application form, the Client confirms that they have read these terms, understand them, and agree to them.
1.4. Agreement to these terms is deemed to be given at the moment the application is successfully submitted and registered in EvoEX's customer relationship management system (CRM). The application record stored in the EvoEX CRM system serves as sufficient evidence that the Client has reviewed and agreed to the terms, unless the Client proves otherwise.
1.5. If the Client does not agree to these terms, they may not submit an application for the free Audit, and EvoEX is under no obligation to provide the Audit to such a Client.
1.6. These terms constitute a general policy and are not individually negotiated with each Client separately; they apply to all free Audit applications.
2. Description of the Service and Nature of the Testing
2.1. The Audit is performed using the OWASP Zed Attack Proxy (OWASP ZAP) and/or other dynamic application security testing (DAST) tools intended for identifying vulnerabilities in web applications.
2.2. OWASP ZAP is an open-source tool that performs site mapping, passive scanning, and active scanning by analysing HTTP requests and responses and using known attack vectors to identify vulnerabilities.
2.3. The developers and community of OWASP ZAP state that active scanning is potentially dangerous and, depending on the application, may cause the creation, modification, or deletion of data, as well as disruptions to system operation, and therefore it must not be used without the owner's permission and proper preparation.
2.4. During the Audit, EvoEX may, at its own discretion, limit the scope of the tests performed by OWASP ZAP and other tools in order to reduce risks; however, it is impossible to completely rule out the possibility of impact, as active tests by their very nature simulate attack scenarios.
2.5. The result of the Audit is a summary / short report on the identified issues and general recommendations for remedying them; EvoEX does not undertake to provide a complete list of all possible vulnerabilities and does not guarantee that no other undetected vulnerabilities or security issues remain.
2.6. EvoEX is under no obligation to test all parts of the system, user roles, API endpoints, third-party integrations, payment systems, internal networks, or source code, unless this is expressly specified and technically feasible.
3. Client's Consent and Authorisation
3.1. By applying for the Audit and submitting an application on the EvoEX website, the Client confirms that they own the system to be tested or that they lawfully control that system and are authorised to permit its security testing.
3.2. The Client confirms that the Audit is not being requested against the systems of third parties without the consent of those parties, and that the domains, URLs, and systems specified in the application are under their control.
3.3. The Client undertakes to ensure that the domains, URLs, test accounts, configurations, and other resources used during the Audit are under the Client's control and that testing them does not violate laws, contracts, or the rights of third parties.
3.4. If it later transpires that the Client has requested an Audit of a system to which they have no rights, the Client agrees that they solely assume full legal and financial liability and shall compensate EvoEX for any losses or claims arising as a result of such a situation.
3.5. The Client ensures that they have obtained all necessary internal approvals (from management, shareholders, the IT department, etc.), where such approvals are required, and EvoEX is not liable if the Client has failed to do so.
4. Testing Risks and “Not Hacking”
4.1. The Audit uses security testing methods that may technically resemble attack activities (for example, injection testing, error induction, input manipulation, simulation of unauthorised access attempts, etc.).
4.2. The Audit is always performed only with the Client's prior consent and authorisation, with the aim of improving the security of the Client's system rather than causing harm or obtaining unlawful benefit; consequently, the Audit is not to be regarded as “hacking” or unauthorised access.
4.3. The Client expressly acknowledges and agrees that, technically, attack testing tools and methods are used during the Audit, but, since these tests are performed with the Client's permission and in the Client's interests, the Client is not entitled to subsequently interpret this Audit as an unauthorised attack or an attempt to hack the system.
4.4. If the Client's internal or external regulations require that such tests be approved separately (for example, by the IT department, the board, the owner, etc.), the Client undertakes to obtain these approvals before submitting the Audit application, and EvoEX is not liable if the Client has failed to do so.
4.5. The Client is aware that security testing is essential for mitigating the risks of cyberattacks, and the Audit is performed as a security measure and not as a malicious act.
5. Exclusion and Limitation of Liability
5.1. EvoEX expressly warns that active scanning may cause disruptions to system operation, slowdowns, errors, modification or deletion of data, as well as database failures, especially if the test is performed in a production environment or against a live database.
5.2. The Client agrees that all such consequences are deemed entirely to be risk consequences assumed by the Client, and EvoEX is not liable for any server “crash”, system downtime, resource overload, data corruption, data loss, failure to complete transactions, disruption to business processes, or reputational damage.
5.3. EvoEX offers and assumes no warranties whatsoever (whether express or implied) regarding the result of the Audit, including that:
- the Audit may not detect all vulnerabilities;
- the issues identified may not be the only or the most serious ones;
- following the Audit, the system is not to be regarded as “secure” or “fully protected”.
5.4. The Audit is provided “as is” and “as available” (as-is, as-available), and EvoEX is not liable for errors, deficiencies, inaccuracies, or omissions in the Audit results.
5.5. As the Audit is a free service, any potential material obligation of EvoEX towards the Client is limited to EUR 0.00, and the Client unequivocally waives the right to claim compensation or indemnity from EvoEX for any loss arising as a result of or during the Audit.
5.6. The Client agrees that EvoEX cannot be held liable, either criminally or under civil law, for the technical actions carried out during the Audit, as they are performed on the basis of the Client's authorisation with the aim of improving the security of the Client's systems, and the Client themselves assumes full legal and commercial risk.
6. Client's Preparation Obligations
6.1. The Client shall, as far as possible, ensure that the Audit is performed in a testing environment or a separate environment that is as close to production as possible but does not pose a direct risk to the live production database.
6.2. If the Audit is performed in a production environment, the Client is aware that this is an increased risk and agrees that EvoEX is not liable for the consequences of such a choice.
6.3. The Client shall ensure backups, monitoring, incident management processes, and other measures necessary to promptly restore system operation during or after the Audit, should this become necessary.
6.4. The Client acknowledges that neither OWASP ZAP, nor other testing tools, nor the EvoEX team can guarantee the complete harmlessness of the tests, and that the safest solution is always a separate testing environment.
7. Data Processing and Confidentiality
7.1. During the Audit, EvoEX processes technical data, including URLs, HTTP requests and responses, error messages, headers, and other technical information necessary to perform the Audit.
7.2. This data is used solely for performing the Audit, preparing the results, and communicating with the Client, except where legal acts provide for or require other use or disclosure.
7.3. EvoEX ensures the confidentiality of the data obtained during the Audit and does not disclose it to third parties without the Client's consent, except in the cases provided for by law.
7.4. The Client confirms that they have a legal basis for allowing EvoEX to process the technical data necessary to perform the Audit.
8. Application of the Terms and Amendments
8.1. These terms apply to all Clients who apply for a free Audit and are binding from the moment the Client submits the application form and it is registered in the EvoEX CRM system.
8.2. EvoEX reserves the right to unilaterally amend these terms at any time by publishing the updated version on its website; applications already received are subject to the version of the terms that was in force at the time the application was submitted.
8.3. If any of these terms becomes invalid or unenforceable, this does not affect the validity of the remaining terms.
