Legal & Policies
Grey Shield cybersecurity firm. Effective date: 1 January 2025.
Privacy Policy
Last updated: January 2025
Grey Shield ("we", "our", "us") is a cybersecurity services company registered in India. We are committed to protecting your personal data in accordance with the Digital Personal Data Protection (DPDP) Act, 2023 and applicable Indian law.
1. Information We Collect
Information you provide directly
When you contact us, request an assessment, or subscribe to our research, we collect:
- Name and job title
- Business email address and phone number
- Company name and industry
- Security requirements shared via contact forms or calls
Information collected automatically
When you browse our website we automatically collect limited technical data:
- IP address (anonymised after 24 hours)
- Browser type and operating system
- Pages visited and time spent
- Referring URL
We use privacy-respecting analytics. No third-party tracking pixels. Cookie consent is requested before any non-essential cookies are set.
2. How We Use Your Information
- Respond to enquiries and scope engagements
- Deliver contracted penetration testing or advisory services
- Send security research and updates you have opted in to receive
- Improve our website and service delivery
- Comply with legal obligations
We do not sell, rent, or trade your personal information to any third party, ever.
3. Data Retention
- Enquiry data — 12 months from last contact if no engagement follows
- Engagement records — 5 years for contractual and compliance purposes
- Marketing opt-ins — until you unsubscribe
4. Security
We apply industry-leading controls: AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and annual internal audits. Engagement reports are encrypted end-to-end and shared only via secure, time-limited links.
5. Your Rights
Under the DPDP Act and applicable laws you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request erasure ("right to be forgotten")
- Withdraw consent at any time
- Nominate a representative for your data rights
To exercise any right, email contact@greyshield.in. We will respond within 30 days.
6. Contact
Data Protection queries: contact@greyshield.in
Terms of Service
Last updated: January 2025
These Terms of Service ("Terms") govern your access to and use of the Grey Shield website and professional services. By engaging with us or using this site, you agree to these Terms.
1. Services
Grey Shield provides offensive security services including penetration testing, vulnerability assessments, red team operations, and advisory services ("Services"). Each engagement is governed by a separate Statement of Work ("SOW") and Master Services Agreement ("MSA") signed before work commences.
2. Authorisation & Scope
All security testing is performed exclusively under written, signed authorisation from the system owner. You warrant that:
- You own or have explicit written permission for all systems in scope
- The scope provided is accurate and complete
- Testing outside agreed scope is not authorised and will not be performed
3. Acceptable Use of This Website
When using greyshield.in, you agree not to:
- Probe, scan, or test our infrastructure without prior written authorisation
- Scrape or systematically harvest content
- Introduce malware or attempt unauthorised access
- Misrepresent your identity or affiliation
4. Intellectual Property
All website content, methodology documents, and report templates remain our intellectual property. Deliverables produced for you under an engagement are licensed to you for internal use upon full payment. Redistribution or resale requires prior written consent.
5. Confidentiality
Grey Shield treats all client information and findings as strictly confidential. We will not disclose engagement details, vulnerabilities found, or client identity without written consent, except where required by law.
6. Disclaimer of Warranties
Security testing is inherently limited in scope and time. We make no warranty that assessments will identify every vulnerability, or that systems will remain secure after an engagement. Conclusions are based on information and access available at the time of testing.
7. Limitation of Liability
To the fullest extent permitted by law, Grey Shield's total liability for any claim shall not exceed the fees paid for the specific engagement giving rise to the claim. We are not liable for indirect, consequential, or incidental damages.
8. Governing Law
These Terms are governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts of Haryana, India.
9. Contact
Legal enquiries: contact@greyshield.in
Responsible Disclosure
Last updated: January 2025
Grey Shield believes in the security research community and coordinated disclosure. If you discover a vulnerability in our systems, we ask that you report it to us before publishing so we can address it and credit your work.
Report a vulnerability to our security team:
Send a detailed report with reproduction steps and proof-of-concept to our dedicated inbox.
1. Scope
This policy applies to vulnerabilities discovered in:
- greyshield.in and all subdomains
- Grey Shield's publicly accessible infrastructure
- Any mobile applications we publish
2. What We Ask of You
- Report to us before any public disclosure
- Provide sufficient detail to reproduce the issue
- Give us 30 days to investigate and remediate before publishing
- Do not access or modify data beyond what is necessary to demonstrate the vulnerability
- Do not perform denial-of-service, social engineering, or physical attacks
3. Safe Harbour
Grey Shield will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy.
If your research complies with this policy, we commit to:
- Not initiating legal action related to your research
- Working with you to understand and validate findings
- Keeping you informed of remediation progress
- Publicly crediting you (with your permission) once resolved
4. Out of Scope
- Missing security headers without demonstrated exploitability
- Clickjacking on pages without sensitive actions
- Theoretical vulnerabilities without a working proof-of-concept
- Vulnerabilities in third-party software (report to the vendor directly)
- Denial-of-service vulnerabilities requiring significant resources
5. Response Timeline
- Acknowledgement — within 2 business days
- Initial triage — within 7 business days
- Critical/High fix — 30 days
- Medium/Low fix — 90 days
6. Recognition
We currently offer:
- Public acknowledgement in our Hall of Thanks (with your permission)
- A letter of thanks suitable for your portfolio or CVE submission
- Priority consideration for open security researcher roles
7. Contact
Security disclosures: contact@greyshield.in
Legal enquiries: contact@greyshield.in