Terms of Service
Effective date: February 2026
Last updated: February 2026
These Terms of Service ("Terms") govern your use of Email Pen Test ("the Service"), an email security testing tool operated at emailpentest.io. By using the Service, you agree to these Terms. If you disagree, do not use the Service.
If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to these Terms.
1. What the Service Does
Email Pen Test is a free email security testing tool designed for Google Workspace environments. Here is exactly what happens when you use it:
- You provide an email address and verify you own or control that mailbox.
- We send 20 test emails to that address. Each email simulates a real-world attack pattern (social engineering, QR code phishing, link wrapping, display name spoofing, etc.).
- You report where each email landed — Inbox, Spam, or Not Received.
- We calculate a security score and provide a gap analysis with recommendations.
All test emails are:
- Safe. No malware, no malicious payloads, no credential harvesting.
- Clearly marked. Subject lines include [EPT_XX] prefixes. Each email contains a footer identifying it as a test.
- Defensive only. Designed to evaluate your security filters, not to teach attack techniques.
2. Authorization — Read This Carefully
You may only test mailboxes you own or have explicit authorization to test.
This is not optional. By using the Service, you represent and warrant that:
- You own the email address being tested, or
- You have written authorization from the mailbox owner, or
- You are authorized by your organization (as an IT admin, security team member, or equivalent role) to conduct security testing on organizational mailboxes
You also represent that:
- You are at least 18 years of age
- Your use complies with all applicable laws, regulations, and your organization's policies
- You will use test results solely for legitimate security improvement
Unauthorized testing is prohibited. If we have reason to believe you are testing a mailbox without authorization, we will terminate your access immediately and may report the activity to the mailbox owner or relevant authorities.
3. Prohibited Uses
You may not use the Service to:
- Test mailboxes you don't own or lack authorization to test
- Send unsolicited messages, harass, or spam anyone
- Craft phishing campaigns, social engineering attacks, or any offensive activity using test content or results
- Reverse engineer, decompile, scrape, or extract source code, test logic, or scoring methodology
- Interfere with, overload, or disrupt the Service or its infrastructure
- Circumvent rate limits, bot protection, or access controls
- Impersonate any person, organization, or affiliation
- Violate any applicable law or third-party right
- Resell, redistribute, or commercially exploit the Service or its outputs without prior written permission
We reserve the right to terminate access for any prohibited use without notice.
4. No Inbox Access
For the avoidance of doubt: we never access your inbox. We do not request Gmail API access, OAuth scopes, or Google Workspace admin permissions. We send emails to you. You manually tell us where they landed. That's the entire data flow.
5. Test Emails and Your Security Stack
Test emails are designed to simulate techniques used in real-world attacks. Your email security stack (Gmail's built-in filters, third-party SEGs, DMARC policies, etc.) may quarantine, flag, or reject some test emails. This is expected behavior and is the point of the test.
You acknowledge that:
- Test emails may trigger alerts in your security tools. We recommend notifying your security team before running a test.
- Some test emails may not reach your mailbox depending on your security configuration. This is a valid test outcome.
- Test results reflect a point-in-time snapshot. Email filtering behavior can change at any time due to provider updates, policy changes, or threat intelligence feeds.
- We do not guarantee that all attack patterns are covered. The test suite represents common and emerging techniques, not an exhaustive threat model.
6. Your Results
You own your test results. You may share them internally, include them in security reports, or discuss them publicly. You may not:
- Misrepresent your results (e.g., claiming a score you did not receive)
- Attribute results to a different organization
- Use results to make false or misleading claims about third parties
7. Benchmark (Opt-In)
If you choose to participate in the anonymous benchmark:
- Your score is anonymized and cannot be traced back to your organization
- You receive a delete token that lets you remove your entry at any time
- Benchmark data is used solely for aggregate comparisons
You can opt out of the benchmark at any time by using your delete token or contacting us.
8. Disclaimers
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." We make no warranties, express or implied, including but not limited to:
- Merchantability or fitness for a particular purpose
- Accuracy — results are estimates, not guarantees of your security posture
- Availability — the Service may be unavailable due to maintenance, updates, or factors outside our control
- Completeness — the test suite does not cover every possible attack vector
- Detection guarantees — a passing score does not mean your organization is immune to email-based attacks
This Service does not constitute professional security advice. It is a testing tool. For specific security guidance, consult a qualified security professional.
9. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM YOUR USE OF THE SERVICE. This includes but is not limited to:
- Losses from reliance on test results or scores
- Security incidents that occur before, during, or after testing
- Actions taken (or not taken) based on recommendations or gap analysis
- Service interruptions, errors, or inaccuracies
- Decisions made by your organization using test outputs
Our total aggregate liability for all claims related to the Service shall not exceed $100 USD.
The Service is free. This liability cap reflects that.
10. Indemnification
You agree to indemnify and hold harmless Email Pen Test, its operators, affiliates, and service providers from any claims, damages, losses, or expenses (including reasonable legal fees) arising from:
- Your use or misuse of the Service
- Testing mailboxes without proper authorization
- Violation of these Terms
- Violation of applicable laws or third-party rights
- Actions taken based on test results
This obligation survives termination of these Terms.
11. Termination
We may suspend or terminate your access at any time, with or without notice, for any reason, including:
- Violation of these Terms
- Unauthorized or malicious use
- Suspected fraud or illegal activity
- Abuse of the Service (e.g., excessive automated requests)
Upon termination, your right to use the Service ends immediately. We may (but are not obligated to) delete data associated with your use. Sections on disclaimers, liability, indemnification, and dispute resolution survive termination.
12. Privacy
Your use of the Service is governed by our Privacy Policy, which describes what data we collect, how we use it, who we share it with, and your rights regarding that data.
Key points:
- We collect only what's needed to run the test
- We never access your inbox or read your email content
- We may share your registration email address with marketing partners (opt-out available)
- You can request deletion of your data at any time
13. Intellectual Property
The Service — including its design, scoring methodology, test cases, content, and source code — is owned by Email Pen Test and protected by applicable intellectual property laws.
You may not copy, modify, reverse engineer, or create derivative works of the Service. You may not use our name, logo, or branding without written permission.
14. Changes to These Terms
We may update these Terms at any time. Changes take effect when posted to this page with a new "Last updated" date. Your continued use of the Service after changes constitutes acceptance.
For material changes that significantly affect your rights, we will make reasonable efforts to notify you (e.g., a notice on the site).
15. Dispute Resolution
15.1 Governing Law
These Terms are governed by the laws of the State of California, United States, without regard to conflict of law principles.
15.2 Informal Resolution First
Before filing any claim, you agree to contact us via our contact page to attempt informal resolution. We commit to responding within 30 days.
15.3 Binding Arbitration
If informal resolution fails, disputes will be resolved through binding arbitration under the rules of JAMS (or a comparable arbitration body), held in San Francisco, California. The arbitration will be conducted by a single arbitrator. Each party bears its own costs.
You waive the right to participate in a class action or class arbitration.
Exception: Either party may bring claims in small claims court if eligible.
16. Miscellaneous
- Entire agreement. These Terms, together with our Privacy Policy, constitute the entire agreement between you and Email Pen Test regarding the Service.
- Severability. If any provision is found unenforceable, the rest remains in effect.
- No waiver. Our failure to enforce a provision does not waive our right to enforce it later.
- Assignment. You may not assign these Terms. We may assign them in connection with a merger, acquisition, or asset sale.
- Force majeure. We are not liable for delays or failures caused by events beyond our reasonable control.
17. Contact
Questions about these Terms:
- General inquiries: Contact page
- Privacy concerns: privacy@emailpentest.io
- Abuse reports: abuse@emailpentest.io