Legal
Scope & Terms
How Dark Data Labs engages with clients, what we will and will not do, and the rules of the road for exposure intelligence work.
Last updated · May 14, 2026
1. Who we are
Dark Data Labs (“DDL,” “we,” “us”) is an independent cybersecurity research lab. These Scope & Terms govern any exposure-intelligence engagement we conduct under the Dark Data Labs name, whether contracted directly or through one of our portfolio properties.
2. Authority to engage
By submitting domains, executives, suppliers, or other targets for intelligence collection, you represent and warrant that you are authorized to do so on behalf of the named organization, and that every listed domain, individual, or entity is owned by or affiliated with that organization.
We rely on this authorization. If you cannot make this representation, do not proceed with intake. We document scope and authorization for every engagement and retain that record for the duration of our evidence-retention period.
3. What we do — and what we will not do
We do: passive and open-source collection from breach databases, stealer logs, dark web forums, public data brokers, public infrastructure registries, public code repositories, and commercially licensed threat-intelligence sources. We analyze, correlate, and report findings.
We do not: attempt unauthorized access to your systems or anyone else's. We do not exploit vulnerabilities. We do not attempt credential reuse or password spraying. We do not perform social engineering against your personnel or vendors. We do not install software, run agents, or require credentials on your infrastructure.
Active scanning of client-owned infrastructure (port scans, service fingerprinting against client networks) is performed only when explicitly authorized in writing as part of a separate engagement.
4. Data sources & methodology
Findings are derived from publicly accessible sources, commercially licensed datasets, and our own passive collection infrastructure. We disclose source categories — but not specific vendor relationships — in every report. We do not buy, trade, or republish raw data acquired through illegal means.
Where reports include redacted attacker identifiers (IP addresses, forum handles, file hashes), we anonymize to country / ASN level in any public-facing material and only disclose specifics inside client-confidential reports.
5. Reports & deliverables
Each engagement produces a written report and, where included in your tier, an evidence vault. Reports are delivered as encrypted PDFs. Standard turnaround is 48 hours from confirmed scope, with most reports delivered in 24–36 hours.
Findings are reviewed by a single analyst before delivery. We disclose confidence levels per finding. We do not pad reports with findings we cannot defend.
6. Confidentiality & data handling
Client data, intake submissions, evidence, and reports are encrypted at rest and in transit. Access is limited to the analyst assigned to your engagement and the lab principal.
We retain evidence vaults for twelve (12) months by default, after which they are purged. You may request earlier purge in writing at any time. We do not sell, share, or aggregate client data with third parties. We may use anonymized, non-identifying statistics for research, public threat-intelligence briefs, and marketing — never identifying findings tied to a specific client.
7. Pricing & payment
Current pricing is published on the pricing section of this site. Payment is collected at intake via the configured payment processor. For engagements over $5,000 USD, we accept bank transfer or ACH on request.
Pricing is per-engagement. There is no retainer. Monitoring subscriptions, where offered, are billed monthly and may be cancelled at any time effective the end of the current billing period.
8. Refunds
If you cancel before we deliver a report, we issue a full refund. Once a report has been delivered, all sales are final. If a delivered report contains material errors of fact attributable to DDL, we will correct and re-issue at no charge; we do not refund for findings whose remediation cost is greater than the engagement fee.
9. Limitations of liability
DDL provides intelligence; you decide what to do with it. We make no warranty that any report is exhaustive, that all exposures are discoverable, or that remediation of identified findings will prevent any specific incident. Cybersecurity threats evolve; sources go offline; data brokers change hands. A clean report on a given date does not guarantee a clean surface on a later date.
To the maximum extent permitted by applicable law, DDL's aggregate liability for any claim arising from an engagement is limited to the fees paid for that engagement. DDL is not liable for indirect, incidental, consequential, special, or punitive damages, including lost profits, lost data, business interruption, or third-party claims, even if advised of the possibility of such damages.
10. Intellectual property
You own the findings produced for you and the report deliverable. We retain ownership of our methodology, internal tooling, prompts, queries, and proprietary data infrastructure. You may share your report internally and with your professional advisors (insurer, outside counsel, board, MSP, IT contractor); republication or external publication of report contents requires written consent.
11. Acceptable use
Reports and evidence are intended for the named client's internal security and remediation purposes. You agree not to use DDL findings to harass any individual identified in a report, retaliate against third parties whose data appears as a result of their own breach, or pursue any activity that itself constitutes unauthorized access, defamation, or harassment.
12. Termination
Either party may terminate an engagement before report delivery in writing to intel@darkdatalabs.com. On termination, we cease work, issue applicable refunds, and (on written request) purge collected evidence ahead of schedule.
13. Governing law
These Scope & Terms are governed by the laws of the State of Michigan, without regard to its conflict-of-laws principles. Any dispute that cannot be resolved by good-faith discussion shall be brought in a state or federal court of competent jurisdiction located in Wayne County, Michigan, and the parties consent to personal jurisdiction in those courts.
14. Changes to these terms
We may update these Scope & Terms from time to time. The “Last updated” date above reflects the current version. Engagements already underway are governed by the terms in effect on the date scope was confirmed.
15. Contact
For legal questions about these terms, contact legal@darkdatalabs.com. For engagement, scope, or operational questions, contact intel@darkdatalabs.com.
© 2026 Dark Data Labs.