Responsible Use

Serpentine provides defensive security capabilities. Misuse is contractually prohibited and operationally prevented.

Our position

Serpentine builds security capabilities for organizations defending their own infrastructure. Our platform enables security audit, exploitability validation, infrastructure hardening, compliance evidence generation, and adversarial research.

Adversarial security capabilities are inherently dual-use. The same techniques that help defenders understand their exposure can be misused. We acknowledge this reality and govern our platform accordingly.

Our commitments are not aspirational. They are operationalized through customer vetting, contractual obligations, technical controls, and compliance with EU export control frameworks.

Permitted use

  • Authorized security assessment of assets owned or operated by the customer
  • Assessment of assets where the customer has written authorization from the asset owner
  • Research and education within Serpentine's terms of service
  • Compliance, audit, and regulatory reporting activities

Prohibited use

  • Unauthorized assessment of third-party assets
  • Surveillance of individuals
  • Suppression of journalism, dissent, or human rights activity
  • Use against critical infrastructure where the customer lacks operating authority
  • Export to or use by entities subject to EU, UN, or NATO member-state sanctions
  • Resale or sublicensing to parties not vetted under Serpentine's customer due diligence

Customer vetting

Serpentine performs customer due diligence before onboarding and on an ongoing basis. Our process includes:

  • Identity and entity verification at onboarding
  • Sanctions and adverse media screening
  • Intended use disclosure
  • Reassessment on tier upgrades, particularly for Istraga access

Contractual obligations

  • All customers agree to acceptable use clauses in the Master Services Agreement
  • Use violations trigger immediate access suspension and contract review
  • Material violations may be reported to relevant authorities

Export controls

Serpentine operates under the EU dual-use export control framework (Regulation 2021/821). Customers in jurisdictions outside the EU may be subject to additional authorization requirements.

Customers receiving Istraga or Napad capabilities outside the EU are subject to end-use documentation.

Reporting misuse

If you become aware of misuse of Serpentine capabilities, please report it.

  • Email: misuse@spnt.io
  • Confidential reporting available
  • Reports reviewed within 5 business days

Updates

This policy may be updated as regulatory frameworks evolve. Customers are notified of material changes via the standard policy update channel.

Last updated: May 2026