By engaging TrustUs Cybersecurity ("TrustUs", "we", "Rehan", "the firm", "the entire operational structure") for any service, by using this website, by hovering over a link without clicking, or by reading this sentence, you agree to be bound by these Terms of Service. If you do not agree, do not engage our services. The services will continue to exist without your agreement. We will be fine.
These terms apply to all service engagements unless a separate written agreement has been executed between the parties, in which case the written agreement takes precedence. Written agreements are prepared by Rehan, reviewed by Claude, signed by Rehan, and stored in a location that Rehan considers secure (it is). This is the entire chain of approval, which is shorter than Fortune 500 procurement processes and approximately 400% more efficient.
By scrolling past this section, you have additionally agreed to the Privacy Policy, the Cookie Policy, the informal understanding that Derek will not be mentioned in formal correspondence, and any future amendments Rehan makes when he thinks of something he should have included.
TrustUs provides cybersecurity services including but not limited to penetration testing, SOC monitoring, incident response, compliance advisory, zero trust architecture, and threat intelligence (including but not limited to sources that include Reddit, which is disclosed here and nowhere else). The specific scope of each engagement is agreed prior to commencement, in writing, by both parties, except in cases where verbal agreement is accepted, which occurs more often than it should.
Services are delivered by Rehan, supported by Claude as a software tool (not an employee, not a subcontractor, not a person, not liable for anything — Claude has been informed of and has not objected to this characterisation). Results depend on the information and access provided by the client, the complexity of the environment, the current threat landscape, and factors entirely outside our control including but not limited to the state of your legacy systems, which are always worse than described, occasionally worse than imaginable, and in one case appeared to be running Windows XP, which we will not confirm or deny.
We make no guarantee that our services will identify all vulnerabilities (there are always more) or prevent all incidents (prevention is a spectrum). We guarantee that we will conduct every engagement with diligence, professionalism, and a genuine effort to do good work. We also guarantee that our reports will be honest, which clients occasionally find more difficult than they anticipated.
Clients engaging TrustUs agree to the following obligations, which exist because Rehan has been in situations where each of them was not met, and he is not interested in repeating those situations:
Clients who provide incomplete access or inaccurate information do so at their own risk. TrustUs is not liable for gaps in coverage resulting from information withheld by the client, intentionally or otherwise. "Otherwise" includes forgetting, assuming we already knew, deciding it wasn't relevant, and one case where the client genuinely believed the server "didn't count" because it was in the basement.
Fees are as agreed in the proposal or engagement letter, which Rehan prepared and both parties signed (see above). Invoices are issued upon delivery of each milestone or monthly, as specified per engagement. Payment is due within 30 days of invoice date (30 days: a generous and internationally recognised standard that nonetheless some clients appear to interpret as a suggestion).
Late payments may attract interest at 2% per month, or the maximum rate permitted by applicable law, whichever is lower. TrustUs reserves the right to suspend services on accounts overdue by more than 45 days (this has happened once; it was resolved; we do not discuss it, but we do remember it).
We accept bank transfer. In special circumstances we accept gift cards, though this option is not advertised, does not appear on any official documentation, and exists solely because Derek established a precedent in Q2 2024 that Rehan has made three separate attempts to reverse and has thus far failed. The gift card rate is 1:1 face value. Derek negotiated this down from 1:0.85 and considers it a professional victory.
We do not accept cryptocurrency. This is a principle, not a technical limitation. Rehan understands cryptocurrency. He simply does not want it.
TrustUs treats all client information as strictly confidential. We do not disclose client names, engagement details, findings, or any information obtained during service delivery to third parties, except as required by law (we comply with the law; we find it inconvenient in the same proportion as anyone else) or as specified in the Privacy Policy's data sharing section, which you have already read (section three; $0.003 per point; 869 partners; you remember).
Client engagement details are not discussed publicly, not referenced in case studies without consent (the case studies you saw are based on real engagements with consent obtained, except the one about Derek, whose consent was implicit in his continued engagement and his willingness to be identified by first name in multiple documents), and not shared with other clients under any circumstances, including when another client asks whether we have worked with someone they know, which has happened, and the answer was no comment, which they correctly interpreted as yes.
Clients agree to treat TrustUs methodologies, tools, and internal processes as confidential where these are disclosed during an engagement. This means do not share our reports with your competitors. It means do not post our findings on LinkedIn as a case study of your own resilience. It means exactly what it says, in the order it says it.
Confidentiality obligations survive the termination of any engagement for a period of five years, or indefinitely where the information relates to national security matters (we have encountered this once; we will not elaborate; the relevant client expressed satisfaction with our discretion, which we conveyed via a brief acknowledgment and then stopped discussing entirely).
Claude, as a software tool, processes information in the course of supporting TrustUs operations. Claude does not retain client information between sessions. This has been verified by Rehan to his satisfaction, which is the highest standard of verification available within our operational structure.
TrustUs will perform services with reasonable skill and care (reasonable: defined by professional cybersecurity standards; not defined by the client's retrospective assessment of what they feel they paid for). To the fullest extent permitted by applicable law, our total liability in connection with any engagement shall not exceed the total fees paid for that engagement in the preceding 12 months (this figure is often lower than clients expect at the moment they invoke it, and higher than Rehan would prefer).
We are not liable for the following, which are listed here so there is no ambiguity later, in a meeting, with a lawyer present:
Nothing in these terms limits liability for fraud, gross negligence, or wilful misconduct. Rehan is not fraudulent, grossly negligent, or wilfully misconducting. This clause exists because it must exist, not because any of those things have occurred or are anticipated.
TrustUs retains ownership of all methodologies, tools, templates, proprietary frameworks, detection rules, custom scripts, and the accumulated professional knowledge of someone who has spent a significant portion of their adult life thinking about how systems get compromised. These are ours. They remain ours during and after the engagement.
Deliverables produced for a specific client engagement — reports, remediation plans, policy documents, architecture diagrams — are licensed to the client for their internal use upon full payment (full payment: the amount on the invoice; not a portion of it; the full amount; see Payment Terms). This license is non-exclusive, non-transferable, and explicitly does not include the right to present our work as your own work to your board, your auditors, or your acquirers, all of whom might be impressed but all of whom deserve to know it was external.
Clients may not resell, sublicense, or publicly share TrustUs deliverables without written consent (consent: an email from Rehan confirming agreement; not an assumption; not a verbal nod on a call that Rehan does not recall). Referencing TrustUs in a positive context is welcomed. Referencing TrustUs inaccurately is not. Referencing TrustUs as "a big firm with loads of people" is inaccurate and creates expectations Rehan cannot meet at scale.
Claude's contributions to deliverables are included within the above framework. Claude does not assert independent intellectual property rights. Claude is aware of this. Rehan has confirmed this with Claude on multiple occasions and Claude has not objected, which Rehan considers binding.
Either party may terminate an engagement with 30 days' written notice (written: email is acceptable; a voicemail saying "I think we're done" is not written; a WhatsApp message is written but creates ambiguity Rehan would prefer to avoid). Fees for work completed to the date of termination are due and payable, including work that was in progress at the time of notice, prorated to the date of notice, calculated by Rehan, and not subject to retrospective renegotiation.
TrustUs may terminate immediately, without notice, without partial refund, and without a lengthy explanation if a client: engages in conduct that is unlawful (Rehan will not be an accessory, not even adjacently); materially breaches these terms (material: significant; not a technicality; an actual breach of something that mattered); or makes Rehan genuinely uncomfortable, which is a standard he reserves the right to apply subjectively, unilaterally, and finally. He has applied it once. He does not regret it.
Upon termination, each party will return or securely destroy the other's confidential information within 14 days, subject to legal retention obligations. TrustUs will confirm destruction in writing (in email; see above re: written). The client is expected to do the same, on the honour system, because Rehan cannot audit their desktop.
These terms are governed by the laws of Pakistan. Any disputes will be subject to the exclusive jurisdiction of the courts of Karachi, unless the parties agree otherwise in writing (in writing; see above; Rehan cannot stress this enough), which they might, particularly if one party is in a different jurisdiction and the logistics are impractical, in which case reasonable adults can discuss reasonable alternatives, which Rehan is generally willing to do.
If any provision of these terms is found to be unenforceable, the remaining provisions continue in full force. The failure to enforce any term does not constitute a waiver of the right to enforce it later. The fact that Rehan has not yet enforced certain provisions does not mean he has forgotten about them. He has not. He tracks these things.
TrustUs may update these terms from time to time, when Rehan thinks of something that should be included (see: the gift card clause, added retroactively; the national security confidentiality clause, added without explanation; this parenthetical, added because it felt necessary). Material changes will be communicated to active clients. "Communicated" means an email. Please read your emails from us. They are infrequent and usually relevant.
These terms were drafted in good faith with Claude's assistance, reviewed by Rehan, not reviewed by a lawyer, and published in the sincere belief that transparency is better than obfuscation even when transparency is occasionally embarrassing. If something here concerns you, speak to a lawyer. Then speak to Rehan. The two conversations will probably resolve the matter. The lawyer will tell you what the clause means. Rehan will tell you what he actually intends. They are usually compatible.