Ethical Use Policy
Our commitment to responsible cybersecurity practices and ethical standards
Our Commitment to Ethical Security
At PivotChip Security inc., we are deeply committed to conducting all cybersecurity services with the highest ethical standards. This Ethical Use Policy outlines our principles, responsibilities, and requirements for the ethical use of our services, tools, and security testing capabilities.
We believe that cybersecurity professionals have a unique responsibility to use their skills and knowledge for the protection and benefit of organizations and society. This policy ensures that all our services are delivered in a manner that respects legal boundaries, protects client interests, and maintains the trust placed in us.
⚖️ Policy Scope
This policy applies to all PivotChip Security inc. employees, contractors, clients, and anyone using our services or security tools. Violations of this policy may result in termination of services, legal action, and notification to law enforcement authorities.
Core Ethical Principles
Legal Compliance
All security testing and services must comply with applicable laws and regulations. We never engage in unauthorized access or illegal activities.
Proper Authorization
Written authorization is required before any security testing. Scope, timing, and methods must be clearly defined and agreed upon.
Confidentiality
Client data, security findings, and vulnerabilities are handled with strict confidentiality and never disclosed without permission.
Do No Harm
We take all reasonable precautions to avoid causing damage, disruption, or data loss during security assessments.
Professional Integrity
We provide honest, accurate, and unbiased assessments without conflicts of interest or misleading information.
Responsible Disclosure
Vulnerabilities are disclosed responsibly to affected parties with reasonable time for remediation before public disclosure.
Legal Compliance Requirements
Authorization and Scope
All security testing services require explicit written authorization before work begins. This authorization must clearly define:
- Specific systems, networks, and applications authorized for testing
- Testing timeframes and any restricted time periods
- Approved testing methodologies and any prohibited techniques
- Emergency contact procedures and escalation paths
- Data handling and confidentiality requirements
- Rules of engagement and testing boundaries
🚫 Prohibited Activities
The following activities are strictly prohibited without explicit written authorization:
- Testing or accessing systems not explicitly authorized
- Social engineering or phishing attacks (without specific approval)
- Physical security testing (without specific approval and coordination)
- Denial of service or disruptive testing (without specific approval)
- Testing during blackout periods or outside authorized timeframes
- Data exfiltration or removal of client information (without specific approval)
- Installation of persistent backdoors or unauthorized tools (without specific approval)
Applicable Laws and Regulations
We comply with all applicable laws and regulations including but not limited to:
Criminal Laws
- Computer Fraud and Abuse Act (CFAA)
- Electronic Communications Privacy Act (ECPA)
- State computer crime statutes
- International cybercrime laws
Data Protection Regulations
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
Client Data Protection
We recognize that security testing may involve access to sensitive client data. We implement strict controls to protect this information:
Data Handling Procedures
During Testing
- Minimize access to sensitive data
- Use secure, encrypted connections
- Document data accessed during testing
- Never transmit sensitive data over insecure channels
- Report any accidental data exposure immediately
After Testing
- Securely delete all client data captured during testing
- Verify removal of tools and test artifacts
- Provide certification of data destruction upon request
- Retain only necessary documentation per agreement
- Store reports and findings in encrypted, access-controlled systems
Confidentiality Obligations
- Non-Disclosure: All findings, vulnerabilities, and client information are confidential and protected by non-disclosure agreements
- Limited Access: Only personnel directly involved in the engagement have access to client data and findings
- Secure Storage: All client data is stored in encrypted, access-controlled systems with audit logging
- Retention Limits: Client data is retained only as long as necessary per contractual agreements and then securely destroyed
- No Disclosure: We never disclose client names, engagement details, or findings without explicit written permission
Responsible Disclosure Policy
When vulnerabilities are discovered during security testing or research, we follow responsible disclosure practices to balance security improvement with risk management:
Disclosure Process
Discovery
Vulnerability identified during authorized testing or research
Notification
Affected party notified privately with detailed technical information
Remediation
Reasonable time provided for fix development and deployment (typically 90 days)
Disclosure
Public disclosure only after remediation or agreed timeframe, coordinated with affected party
Disclosure Principles
- Private First: Always notify affected parties privately before any public disclosure
- Technical Details: Provide sufficient technical information for effective remediation
- Reasonable Timeline: Allow adequate time for fix development and deployment
- Coordinated Release: Work with vendors on disclosure timing and public messaging
- Public Benefit: Balance responsible disclosure with public awareness and protection
- No Exploitation: Never exploit vulnerabilities beyond what's necessary for demonstration and proof of concept
Safe Handling of Security Tools
Security testing tools are powerful and can cause harm if misused. We implement strict controls over the use, storage, and distribution of security tools:
Tool Usage Requirements
Before Use
- Verify proper authorization for tool deployment
- Review tool capabilities and potential impacts
- Test tools in isolated environments first
- Document tool usage and settings
- Obtain specific approval for high-risk tools
During Use
- Use minimum privilege necessary
- Monitor for unintended impacts
- Maintain detailed logs of tool usage
- Follow escalation procedures if issues arise
- Stay within authorized scope and timeframes
Tool Security and Control
- Access Control: Security tools are restricted to authorized personnel only
- Secure Storage: Tools stored in encrypted, access-controlled systems with audit logging
- Version Control: All tools version-controlled and tested before deployment
- No Distribution: Security tools never provided to clients or third parties without proper review
- Custom Tools: Proprietary tools developed with security best practices and code review
- Tool Removal: All tools removed from client systems after testing completion
⚠️ Dual-Use Tool Warning
Many security tools can be used for both legitimate testing and malicious purposes. Users of our services or tools must:
- Never use tools for unauthorized access or malicious purposes
- Obtain proper authorization before any security testing
- Comply with all applicable laws and regulations
- Report any discovered vulnerabilities responsibly
- Use tools only within authorized scope and timeframes
Employee and Contractor Standards
All PivotChip Security inc. employees and contractors must adhere to the highest professional and ethical standards:
Professional Requirements
- Maintain current industry certifications and technical skills
- Complete annual ethics and compliance training
- Sign and comply with confidentiality and non-disclosure agreements
- Report any ethical concerns or policy violations immediately
- Refuse to engage in unauthorized or illegal activities
- Represent the company with integrity and professionalism
Conflicts of Interest
- Disclose any potential conflicts of interest before engagement
- Never use client access for personal benefit or unauthorized purposes
- Avoid situations where personal interests conflict with client interests
- No trading on material non-public information discovered during testing
Continuous Professional Development
We invest in our team's ethical and technical development through:
- Regular ethics training and policy reviews
- Technical certifications and continuing education
- Participation in professional security organizations
- Regular team discussions of ethical scenarios and case studies
- Mentorship and peer review processes
Client Responsibilities
Clients engaging our services also have ethical responsibilities to ensure testing is conducted properly:
Authorization Requirements
- Proper Authority: Ensure you have legal authority to authorize security testing on all systems in scope
- Third-Party Systems: Obtain written permission from third parties (cloud providers, managed service providers, etc.) before testing their systems
- Accurate Scope: Provide accurate scope information and clearly identify any systems that should not be tested
- Stakeholder Notification: Notify relevant internal stakeholders (IT, legal, management) about security testing activities
- Compliance: Ensure testing complies with applicable regulations and contractual obligations
Use of Findings
- Use security findings solely for improving your organization's security posture
- Do not weaponize vulnerabilities or use them to harm others
- Prioritize remediation of critical findings
- Maintain confidentiality of testing methods and detailed findings
- Share information responsibly with business partners if their systems are affected
Policy Enforcement and Violations
Violation Reporting
We take ethical violations seriously. Anyone who becomes aware of a violation of this policy should report it immediately:
- Internal Reporting: Employees should report to their manager or compliance officer, or use the company-defined reporting process
- Client Reporting: Clients should contact their engagement manager or our Chief Compliance Officer
- External Reporting: Serious violations may be reported to appropriate law enforcement authorities
🚨 Consequences of Violations
Violations of this Ethical Use Policy may result in:
- Immediate termination of services or employment
- Legal action including civil litigation and criminal prosecution
- Notification to law enforcement authorities
- Financial liability for damages caused
- Loss of certifications and professional credentials
- Industry reputation damage and blacklisting
No Retaliation
We prohibit retaliation against anyone who reports potential violations in good faith. Employees, contractors, and clients who raise ethical concerns will be protected from adverse consequences.
Policy Questions and Ethics Consultation
If you have questions about this Ethical Use Policy or need guidance on ethical issues related to our services, please contact:
Ethics and Compliance
Email: ethics@pivotchip.ca
Legal Department
Email: legal@pivotchip.ca
Policy Updates
This Ethical Use Policy is reviewed and updated regularly to reflect evolving legal requirements, industry standards, and ethical considerations. The current version is effective as of January 2024.
Last Updated: November 16, 2025
Version: 1.0
Questions About Our Ethical Standards?
We're committed to transparency and are happy to discuss our ethical practices and policies.