The terms that govern engagements with waitdead.ai — independent AI security review. These terms describe what we do, what we do not do, and the limits of any review we deliver.
waitdead.ai provides independent AI security review and assessment services on a scoped, per-engagement basis. Each engagement is defined in writing before work begins, including the systems in scope, the attack surface to be reviewed, the frameworks referenced, the deliverables, the timeline, and the fees. Our services include the Hermes Dogfood Reference Review, the Agentic & MCP Security Review, the AI Security Questionnaire & Evidence Pack, Continuous Adversarial Assurance retainers, and add-on readiness assessments described on our services page.
A review is an assessment, not a product we install or operate on your behalf. Work outside the agreed written scope is not part of the engagement unless separately agreed in writing.
We are not an accredited certification body. We issue no certificate and no attestation. The EU AI Act conformity decision, and any framework conformity decision, is the client's. Our findings are evidence into a human decision — never the final safety authority.
A security review reduces risk; it cannot eliminate it. We provide evidence and assessment, not assurances. We do not guarantee that any system is secure, free of vulnerabilities, "unhackable," or "compliant." No deliverable we produce should be read as a promise of security, a warranty of fitness, or a representation that a system meets any regulatory standard. A clean finding reflects what our method observed within the agreed scope and timeframe — not a guarantee about the system as a whole or about future states of the system.
By engaging us, you represent and warrant that:
You agree to indemnify us against claims arising from your failure to hold the authorizations described above.
Upon full payment for an engagement, we grant you a perpetual, worldwide, non-exclusive license to use the deliverables — including the report, findings, reproduction artifacts, and remediation guidance — within your organization for your internal security, remediation, and stakeholder-evidence purposes.
We retain ownership of our review harness, methodology, the Hermes agent, our internal tooling, and any general know-how, techniques, and non-client-specific improvements developed before or during the engagement. Nothing in these terms transfers ownership of those underlying methods. You may share a deliverable with your assessors, regulators, customers, or counsel as needed; you may not resell it as a standalone product or represent it as your own assessment work.
To the maximum extent permitted by applicable law, neither party is liable to the other for indirect, incidental, special, consequential, or punitive damages, or for lost profits, lost revenue, or loss of data, arising out of or related to an engagement, even if advised of the possibility of such damages.
Our total aggregate liability arising out of or related to an engagement is capped at [to be supplied: liability cap — e.g. fees paid for the engagement giving rise to the claim]. Nothing in these terms limits liability that cannot be limited under applicable law.
Because a review is an assessment within a defined scope and timeframe, we are not liable for vulnerabilities, incidents, or losses arising from systems, components, configurations, or time periods outside the agreed scope, or from changes made to a system after the review.
Each party will protect the other's confidential information with reasonable care and use it only to perform or receive the services. We treat your systems, scope details, and findings as confidential. We will not disclose engagement-specific information, client identity, or findings publicly without your prior written consent. Confidentiality obligations survive the end of an engagement.
We may describe our methodology and publish general, anonymized research that does not identify you or expose your confidential information.
These terms are governed by, and disputes are subject to the courts of, [to be set on incorporation]. The governing law and jurisdiction will be finalized when our legal entity registration is complete; until then this section is a placeholder and not a representation of a chosen forum.
We may update these terms from time to time. The version in effect for an engagement is the version referenced in, or attached to, the signed engagement agreement for that work. Material changes do not retroactively alter a signed engagement. The current version is published on this page with its "last updated" date.
Questions about these terms, or about a proposed engagement, should be raised through our intake channel, which creates a tracked ticket: crm.waitdead.com/intake. A dedicated inbound security mailbox is in progress and will land with our mail server. We do not operate a phone line. See also our Privacy Policy.
Legal entity registration is in progress. Registered-entity details — company name, number, and address — will be added here on incorporation.
The terms that govern engagements with waitdead.ai: independent AI security review. These terms describe what we do, what we do not do, and the limits of any review we deliver.
waitdead.ai provides independent AI security review and assessment services on a scoped, per-engagement basis. Each engagement is defined in writing before work begins: the systems in scope, the attack surface to be reviewed, the reference frameworks, the deliverables, the timeline, and the fees. A review is an assessment, not a product we install or operate on your behalf. See services.
We are not an accredited certification body. We issue no certificate and no attestation. The EU AI Act conformity decision, and any framework conformity decision, is the client's. Our findings are evidence for a human decision, never the final safety authority.
A security review reduces risk; it cannot eliminate it. We deliver evidence and assessment, not guarantees. We do not guarantee that a system is secure, free of vulnerabilities, or "compliant." A clean finding reflects what our method observed within the agreed scope and timeframe, not a guarantee about the system as a whole or about future states of the system.
By engaging us, you represent and warrant that you own, or have full authorization to permit security testing of, every system within the agreed scope. We only test systems that you own or control and that you have authorized us in writing to review. The scope, including restrictions, windows, and exclusions, is agreed in writing before testing begins; changes require written agreement.
Upon full payment for an engagement, we grant you a perpetual, worldwide, non-exclusive license to use the deliverables (report, findings, reproduction artifacts, and remediation guidance) within your organization for internal security, remediation, and evidence purposes. We retain ownership of our review harness, methodology, the Hermes agent, and our internal tooling.
To the maximum extent permitted by applicable law, neither party is liable to the other for indirect, incidental, special, consequential, or punitive damages. Our total aggregate liability is limited to [to be defined: liability cap]. Nothing in these terms limits liability that cannot be limited under applicable law.
Each party will protect the other's confidential information with reasonable care and use it only to perform or receive the services. We treat your systems, scope details, and findings as confidential, and we will not disclose engagement-specific information, or client identity, without your prior written consent.
These terms are governed by, and disputes are subject to the courts of, [to be defined on incorporation of the entity]. The governing law and jurisdiction will be finalized when our legal entity registration is complete.
We may update these terms from time to time. The version in effect for an engagement is the version referenced in, or attached to, the signed engagement agreement for that work. Material changes do not retroactively alter a signed engagement.
Questions about these terms, or about a possible engagement, should be raised through our contact channel, which creates a tracked ticket: crm.waitdead.com/intake. A dedicated security mailbox is in preparation and will be enabled with our mail server. We do not operate a phone line. See also our Privacy Policy.
Legal entity registration is in progress. Registered-entity details (name, number, and address) will be added here on incorporation.