Last updated: May 31, 2026
NYOXA LABS operates strictly within legal and ethical boundaries, performing security testing exclusively on assets for which explicit, written authorization has been obtained from the legitimate owner or authorized representative. This Authorization Policy outlines the requirements for obtaining and confirming authorization before any security assessment or related service can commence.
1. Authorization Requirement
Before NYOXA LABS can initiate any security assessment, the client must provide comprehensive written authorization confirming the following:
- Identification of In-Scope Systems: A clear and precise list of all systems, applications, networks, domains, IP addresses, cloud platforms, APIs, and user roles that are to be included in the scope of the assessment.
- Permission to Test: Explicit confirmation that the client possesses the legal authority and necessary permissions to authorize security testing on all identified in-scope systems.
- Testing Schedule: Agreed-upon testing dates, windows, or specific timeframes during which the assessment will be conducted.
- Restrictions and Exclusions: Any specific restrictions, limitations, or systems that are explicitly out-of-scope or should not be tested.
- Emergency Contact Details: Primary and secondary emergency contact information for the client, available 24/7 during the assessment period.
- Sensitive Systems: Identification of any particularly sensitive systems or data that require special handling or actions to avoid during testing.
2. Scope Confirmation
The agreed-upon scope will be formally documented in a Statement of Work (SOW) or similar engagement agreement. This document will serve as the definitive record of authorized testing targets. Any changes to the scope must be formally approved in writing by both parties before testing proceeds.
3. Out-of-Scope Assets
NYOXA LABS will not intentionally test any systems or assets outside the approved scope. If, during the course of an assessment, unexpected third-party or out-of-scope assets are encountered, they will be immediately documented and excluded from further testing. Any decision to include such assets must be preceded by formal written approval from the client and, if necessary, the respective third-party owner.
4. Rules of Engagement (RoE)
For each engagement, specific Rules of Engagement (RoE) will be established. These RoE will detail critical operational aspects of the assessment, including but not limited to:
- Testing Windows: Specific times and days when testing activities are permitted.
- Rate Limits: Any limitations on the intensity or frequency of testing requests to prevent service disruption.
- Excluded Actions: Specific testing methodologies or tools that are prohibited.
- Communication Protocols: Procedures for communication between NYOXA LABS and the client during the assessment.
- Data Handling Expectations: Guidelines for the collection, storage, and transmission of assessment data.
- Stop-Test Conditions: Criteria under which testing must be immediately paused or halted.
5. Client Responsibility
The client is solely responsible for ensuring that they have the full legal authority to approve security testing on all specified systems. NYOXA LABS relies on the client's representation of authorization and will not be held liable for any claims arising from unauthorized testing if such authorization was misrepresented by the client.
6. Changes to This Policy
NYOXA LABS reserves the right to update this Authorization Policy at any time. Any changes will be posted on our website with a revised "Last updated" date.
7. Contact Us
For any questions regarding this Authorization Policy or to discuss authorization for a security assessment, please contact us at:
info@nyoxa.com security@nyoxa.com
