Acceptable Use Policy
Effective date: March 19, 2026
This Acceptable Use Policy (“AUP”) sets out the rules for using TestPilot AI by NuralStack (“Service”). This AUP is incorporated by reference into our Terms of Service. Violations may result in immediate suspension or termination of your account without refund.
1. Authorisation Requirement
You may only test web applications, APIs, and URLs for which you have explicit written authorisation from the application owner. This includes:
- Applications and services you own or operate.
- Applications where you have a signed penetration testing or QA agreement with the owner.
- Staging, development, or sandbox environments you control.
Testing production systems of third parties without authorisation may be illegal under computer misuse laws in your jurisdiction (e.g. the Computer Fraud and Abuse Act in the US, the Computer Misuse Act in the UK, the IT Act in India). NuralStack accepts no liability for unauthorised use.
2. Prohibited Activities
You must not use the Service to:
2.1 Unauthorised Access & Attacks
- Probe, scan, or test systems you do not have authorisation to access.
- Exploit vulnerabilities in third-party systems (the Security test type is for testing your own applications only).
- Attempt to bypass authentication controls of systems you are not authorised to access.
- Conduct brute-force attacks against any system.
2.2 Denial of Service
- Use the Load Testing feature to intentionally degrade or disrupt services you do not own or control.
- Configure load tests with parameters designed to cause permanent damage to target systems.
- Circumvent our rate limits to issue excessive requests to any external system.
2.3 Harmful or Illegal Content
- Upload requirements or test data containing child sexual abuse material, content promoting terrorism, or other unlawful content.
- Submit content that infringes third-party intellectual property, privacy, or data protection rights.
- Use the Service to harvest or collect personal data about third parties without a lawful basis.
2.4 Service Abuse
- Create multiple accounts to circumvent credit or trial limits.
- Resell, sublicense, or white-label the Service without a written partnership agreement.
- Interfere with or attempt to disrupt the Service infrastructure (e.g. by overloading our API endpoints).
- Attempt to access other customers’ data.
- Reverse-engineer, decompile, or extract source code from the Service.
2.5 Misuse of AI
- Use the AI generation features to produce content designed to harm, deceive, or defraud third parties.
- Attempt to extract training data, system prompts, or model weights from the underlying AI systems.
- Use the Service to generate malicious code, exploits, or attack scripts.
3. Load Testing Guidelines
Load testing can have a significant impact on target systems. When using Load / Stress Testing features:
- Only target systems you own or for which you have explicit written load-testing authorisation.
- Start with low concurrency and increase gradually — do not immediately max out concurrency settings.
- Schedule load tests during off-peak hours where possible.
- Our platform enforces maximum concurrency limits (50 concurrent requests, 200 total per test). Do not attempt to circumvent these limits.
- Notify affected teams before running significant load tests, even on systems you control.
4. Security Testing Guidelines
The Security test type (OWASP checks, XSS/SQL injection probes) is designed for testing your own applications in controlled environments:
- Only use Security tests on staging or development environments unless you have explicit written consent for production security testing.
- Ensure your security testing does not violate any contracts or SLAs with your hosting provider or cloud services.
- Do not attempt to exploit vulnerabilities discovered through the Service in production systems without coordinating remediation first.
- Responsible disclosure: if you discover a vulnerability in a third-party system during testing you were authorised to perform, follow responsible disclosure practices.
5. API Key & Credentials Security
- Treat your TestPilot AI API key as a secret. Do not commit it to public repositories or share it openly.
- Rotate your API key immediately if you suspect it has been compromised (support@nuralstack-testpilot.com).
- Auth credentials you store for test automation (e.g. test account passwords) should use dedicated test accounts, not production admin credentials.
6. Reporting Violations
If you suspect a violation of this policy, or if you discover a vulnerability in our own systems, please contact us immediately at support@nuralstack-testpilot.com. We take security reports seriously and will respond within 48 hours.
7. Enforcement
We reserve the right to:
- Immediately suspend or terminate accounts that violate this AUP, without notice or refund.
- Report illegal activity to appropriate law enforcement authorities.
- Preserve and disclose data when required by legal process or to protect the rights and safety of NuralStack or others.
- Cooperate with investigations by law enforcement or regulatory authorities.
8. Changes to this Policy
We may update this AUP from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect.
9. Contact
Questions about this AUP? Contact us at support@nuralstack-testpilot.com.