Terms
Last updated: July 15, 2026
These terms describe the current MCPScan fixed-scope audit service. They are a practical operating policy, not a substitute for legal advice or a negotiated master services agreement.
Service
MCPScan provides focused production-readiness reviews of MCP server configuration, tool exposure, permissions, secret exposure, transport signals, and related evidence provided by the customer.
Scope
Each package is limited to the server, environment, delivery, call, and re-scan limits described at purchase. Scope changes require written approval before work continues.
Authorization
The customer must have authority to submit all reviewed materials and authorize the review. MCPScan does not perform live exploitation, penetration testing, social engineering, destructive testing, or remediation implementation unless separately agreed in writing.
Customer Materials
Customers should provide sanitized configs or safe test targets where possible. Do not send raw production credentials, tokens, private customer data, or unrelated source code through public issues or ordinary email.
Deliverables
Deliverables may include a written report, inventory, findings, remediation checklist, findings call, buyer-facing summary, and re-scan depending on the package purchased.
No Guarantee
MCPScan audits are not compliance certifications, legal opinions, security guarantees, or complete penetration tests. Findings reflect the reviewed snapshot and materials available at the time of assessment.
Payment
Payment is due before audit work begins unless otherwise agreed. The delivery clock starts after intake materials are complete.
Contact
Until a dedicated domain mailbox is live, use the GitHub audit request flow for sanitized scope questions.