Terms of service

Usage terms and conditions for Pentest-Tools.com.

Privacy policy

How we collect, use, and protect your personal data.

Security certification

Pentest-Tools.com is ISO 27001 certified. The certification covers the information security management system for the platform and its underlying infrastructure.

Data processing

Data retention

Personal account data is retained for as long as your account is active, and for up to 24 months after it closes. Financial records are kept for 10 years as required by law. For full details, see our privacy policy.

Data deletion

To request deletion of your personal data, contact data.privacy@pentest-tools.com. You can also export your scan data for up to 30 days after account termination.

AI data policy

Our platform includes AI-powered features: the ML Classifier, Flowmapper, and AI-enhanced authentication.

Our AI infrastructure

Different AI features use different model providers:
  • The ML Classifier uses proprietary classification models hosted on infrastructure we control (Vast.ai GPUs in EEA datacenters). It processes anonymized HTML and returns a classification result.
  • Flowmapper uses third-party LLMs served through OpenRouter. At the moment, that means Google Gemini.
  • AI-enhanced authentication uses Azure-hosted OpenAI models in our Azure environment.
We require our third-party AI providers to process your data only to run the feature, not to train their models on it.

Model training

The ML Classifier is our own model. It was trained on public data and de-identified scan results, and we are not currently training new classifier models on your scan data. Flowmapper and AI-enhanced authentication use third-party foundation models. Your data is sent to them for inference only, not for model training. If we introduce AI features that use your data for training in the future, we will document that clearly and provide an opt-out path.

Data handling

We don’t retain your AI request data after the feature finishes running, and we send it only to the infrastructure needed to run the feature you selected.

About AI accuracy

These AI features don’t generate vulnerability findings. The AI handles scoping: is this a soft 404, where are the endpoints, which element is the login button? The actual findings come from the same testing pipeline regardless. If an AI step fails or gets it wrong, the scan falls back to traditional methods or skips that step.

Responsible disclosure

If you find a security vulnerability in our platform, email security@pentest-tools.com. Include a description of the issue and steps to reproduce it. We follow responsible disclosure practices and will keep you updated on the fix.

Privacy and data requests

For GDPR requests, data deletion, or any other privacy concerns, contact data.privacy@pentest-tools.com.