Legal · Rules of engagement

The rules we will not break.

These rules are incorporated into every Statement of Work we sign. They govern how we work, what we will and will not do, and what is required from you. They are written down because fuzzy rules get ignored under pressure.

Last updated: April 2026 · Version 1.0 · Referenced in every SOW

1. We refuse

The following are out of scope regardless of fee offered:

  • Offensive capability against unconsenting parties. No red-teaming a third party without their knowledge and written permission. No building of disruption tooling, weapons systems, or stalkerware.
  • Deception at scale. No dark pattern growth. No deceptive marketing copy. No content designed to impersonate humans when the reader would object to the impersonation.
  • Malicious data operations. No building of targeting infrastructure against protected classes. No building of models designed to generate discriminatory predictions.
  • Evidence destruction. If an engagement surfaces evidence of a crime (child safety material, fraud, violent intent), we report through the appropriate channel and withdraw. We will not retain, edit, or suppress that evidence.
  • Conflict of interest. If you compete with an existing client in an adjacent market and the engagement would benefit from non-public context, we disclose the conflict and either decline or firewall the operator.

2. Ethical hacking boundaries

For security engagements, we operate under a written Rules of Engagement document that is attached to the SOW. It covers:

  • Scope: specific IPs, domains, repositories, accounts, and endpoints in-scope; explicit out-of-scope list
  • Timing: testing hours, blackout windows, emergency contact
  • Techniques: what we will use (automated scanners, manual testing, phishing of specific named personas) and what we will not (denial of service, data destruction, testing of third-party services the client does not own or control)
  • Data handling: what we collect, how long we hold it, how we destroy it
  • Disclosure: reporting timeline for critical findings during the engagement, not just at the end
  • Safe harbor: written authorization from the client's authorized decision-maker

We will not run a pentest without this document signed. We will not exceed its scope. If during testing we find something adjacent to scope, we stop and ask before proceeding.
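The Scope and Timing items above are the ones a tester's tooling can enforce mechanically, so that "stop and ask" is the default rather than something remembered under time pressure. As an added illustration (not the firm's own tooling, and not code from this page), the Python below encodes a constructed RoE and refuses any target that is explicitly excluded, unlisted, inside a blackout window, or outside client-local testing hours. The CIDRs, domains, hours and time zone are made up, and every function name is hypothetical.

```python
"""Scope guard for a pentest Rules of Engagement (RoE).
Added illustration, not the firm's own tooling; the RoE contents are
constructed and every helper name is hypothetical."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed sample RoE, as would be attached to an SOW.
ROE = {
    "in_scope": ["203.0.113.0/24", "2001:db8::/48",
                 "app.example.test", "*.api.example.test"],
    # Explicit exclusions win over any in-scope match.
    "out_of_scope": ["203.0.113.200/30", "billing.api.example.test"],
    "test_hours": (time(9, 0), time(18, 0)),   # client-local, weekdays only
    "tz": timezone(timedelta(hours=-4)),       # client-local time zone
    "blackout": [(datetime(2026, 4, 20, tzinfo=timezone.utc),
                  datetime(2026, 4, 21, tzinfo=timezone.utc))],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def at_utc(year, month, day, hour, minute=0):
    """Convenience constructor for an aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _parse_ip(target):
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None                       # a hostname, not an address


def _is_cidr(entry):
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def _host_matches(host, pattern):
    """Exact hostname match, or '*.zone' for labels strictly below zone:
    '*.api.example.test' covers 'v1.api.example.test' but not the apex
    'api.example.test', which must be listed on its own."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _entry_matches(target, entry):
    ip = _parse_ip(target)
    if _is_cidr(entry):
        return ip is not None and ip in ipaddress.ip_network(entry, strict=False)
    return ip is None and _host_matches(target, entry)


def target_in_scope(target, roe=ROE):
    for entry in roe["out_of_scope"]:
        if _entry_matches(target, entry):
            return Decision(False, f"{target} is explicitly out of scope ({entry})")
    for entry in roe["in_scope"]:
        if _entry_matches(target, entry):
            return Decision(True, f"{target} matches in-scope entry {entry}")
    # Unlisted means adjacent to scope, not in it: deny and ask the client.
    return Decision(False, f"{target} is not listed in the RoE; stop and ask")


def window_open(now, roe=ROE):
    if now.tzinfo is None:
        return Decision(False, "timestamp must be timezone-aware")
    for start, end in roe["blackout"]:
        if start <= now < end:
            return Decision(False, f"inside blackout window from {start.isoformat()}")
    local = now.astimezone(roe["tz"])
    start_t, end_t = roe["test_hours"]
    if local.weekday() >= 5 or not (start_t <= local.time() < end_t):
        return Decision(False, f"outside testing hours (client-local {local:%a %H:%M})")
    return Decision(True, "within testing hours")


def authorize(target, now, roe=ROE):
    """Both checks must pass before a single packet goes to the target."""
    scope = target_in_scope(target, roe)
    if not scope.allowed:
        return scope
    timing = window_open(now, roe)
    return timing if not timing.allowed else Decision(True, f"{scope.reason}; {timing.reason}")


if __name__ == "__main__":
    when = at_utc(2026, 4, 22, 15)            # Wednesday 11:00 client-local
    for t in ["203.0.113.10", "203.0.113.201", "v1.api.example.test",
              "billing.api.example.test", "api.example.test", "198.51.100.5"]:
        d = authorize(t, when)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The guard is meant to wrap whatever launches the scanner or the manual test harness, and to log the reason for every denial so the "stop and ask" conversation with the client has a concrete target and timestamp attached. Note the two deliberate choices: an explicit exclusion beats a matching in-scope wildcard, and an unlisted host is denied rather than treated as fair game.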

3. AI content disclosure

Every deliverable that contains Claude-generated content is labeled accordingly in an "Authorship" section. A typical label looks like:

Drafting: Claude Opus 4.7, authorized operator: Operator, review: M. Haider. Content reviewed paragraph by paragraph. Claims verified against the evidence pack on 2026-04-15.

You may ask us to produce artifacts without this label; we will not agree. Transparency about the pipeline is a condition of delivery.

We review Anthropic's Usage Policy, Commercial Terms, and Trust Center every quarter. The review record is public at /compliance/anthropic-review-log.md. Our fallback model plan, exercised quarterly in a fire-drill cadence, is at /compliance/fallback-models.md.

4. Human review guarantee

No deliverable ships to you without a named human operator's review. A reviewed deliverable has:

  • A named reviewer (not “Team NexcurAI”)
  • A log of what was changed between Claude's draft and the ship version
  • A confidence label for sections where our confidence is less than high

If a deliverable reaches you without these, it is a defect. Report it to the operator team; we fix within 24 hours.

5. Scope and change orders

  • Engagement scope is fixed in the SOW. Additions during the engagement require a written change order.
  • Change orders are priced transparently and billed separately; they do not quietly expand the original engagement.
  • If scope discovery during research suggests the SOW is under-scoped, we raise it within 5 business days with a proposed change, not at the end.
  • We will not use scope creep to retroactively bill for work not authorized in writing.

6. Responsiveness and cadence

We commit to, and ask from you:

  • Weekly 30-minute live sync, same day and time for the duration of the engagement
  • Daily async update in the agreed channel (Slack, Teams, or email digest)
  • Response to urgent questions within 4 hours during working hours
  • Access to agreed systems within 2 business days of kickoff

Repeated blocking delays from either side trigger the escalation clause in the SOW. Missing an entire weekly sync twice is treated as a project-level incident.

7. Data handling during engagements

  • Client content is stored in engagement-specific repositories. No cross-pollination.
  • Access is granted per-operator, named in the SOW, revocable on 24 hours' notice.
  • Secrets (tokens, credentials) are stored only in 1Password Teams vaults, never in code, drafts, or Claude context.
  • Engagement content is destroyed, or returned at client option, at the end of the retention period specified in the SOW.

8. Conflicts of interest

  • We disclose potential conflicts at the scoping stage.
  • We do not work for both sides of a competitive matchup in the same market segment at the same time.
  • We maintain a published client list (anonymized by industry if the client wishes). Prospective clients can request the list before signing.

9. Termination

  • Either party may terminate with 30 days written notice, subject to the SOW's termination clause.
  • Upon termination, you receive all work product created to date and the partial handbook.
  • Our retention of the client list, anonymized patterns, and internal learnings survives termination.
  • If we terminate due to ethical concerns (weapons, deception, harm), you are refunded pro rata and the reason is documented for our internal learning log. We may decline to take another engagement from you.

10. Dispute resolution

In order: (1) direct conversation with the operator; (2) escalation to founder; (3) neutral mediator (mutually chosen, we pay half); (4) binding arbitration under mutually agreed rules. Class action waiver. Litigation only in Canadian courts.

11. Amendments

These rules are amended only by written instrument signed by both parties, and apply prospectively. The version in effect at the time the SOW is signed governs that engagement through to completion.

These rules are kept in version control and referenced by SOW number in each engagement letter. Prior versions are retained for audit.