Preside Inc. d/b/a PresideTech

Terms and Conditions

RC4 Active Directory Security Assessment
Version 1.0
Effective: March 25, 2025
engage@presidetech.com
+1 415 915 4450

Important — Please Read Before Proceeding
These Terms and Conditions ("Terms") constitute a binding legal agreement between you ("Customer") and Preside Inc. By purchasing an Assessment, requesting a product key, downloading the RC4 Collector, or submitting any encrypted output file to PresideTech, you agree to be bound by these Terms in their entirety. If you do not agree, do not proceed and contact us at engage@presidetech.com before taking any further action. These Terms supersede any prior or contemporaneous representations, whether written or oral.

01

The Assessment

1.1 What PresideTech Provides

Subject to payment and compliance with these Terms, PresideTech will provide the RC4 Active Directory Security Assessment ("Assessment") consisting of:

  1. Collector Delivery. A digitally signed Windows executable ("RC4 Collector") and a cryptographically bound product key ("Product Key") enabling the Customer to collect Active Directory security data from their own environment.
  2. Data Processing. Decryption and analysis of the encrypted output file (".rc4d file") submitted by the Customer following collection.
  3. Report Delivery. A comprehensive HTML security report ("Assessment Report") covering RC4 exposure findings, risk scoring, and remediation guidance.

1.2 Tiers

The scope of the Assessment is determined by the tier purchased. The Collector enumerates domains downward from the scan root domain designated by the Customer in breadth-first order. Tier limits apply to this downward-enumerated set only. The product key is bound to the forest root FQDN for licensing; the scan root is a separate operational parameter.

Tier | Domains Covered | Delivery SLA | Fee
Standard | Up to 2 domains · 1 forest | 2 business days | $6,000 USD
Enterprise | Up to 5 domains · 1 forest | 3 business days | $12,000 USD
Multinational / Conglomerate | Up to 12 domains · 1 forest | 5 business days | $18,000 USD

Delivery SLA runs from the date PresideTech receives the Customer's confirmed scan root FQDN to the date the Report URL email is sent. Domains over slow or unreliable WAN links are better purchased as separate Standard engagements.

1.3 Assessment Categories

All tiers include assessment of the following Active Directory security categories across all in-scope domains:

  1. User and service account encryption types, Kerberoastable accounts, AS-REP roastable accounts, and privileged account exposure
  2. Computer account encryption types, operating system version, and legacy system classification
  3. No-SPN privileged accounts subject to NTLM fallback and relay attack risk
  4. Domain controller Kerberos configuration, SChannel RC4 cipher status, and registry-level Kerberos policy
  5. KRBTGT account password age, rotation history, AES key presence, and Golden Ticket exposure assessment
  6. Active Directory domain trust RC4 fallback configuration
  7. Kerberos authentication event analysis (7-day sample, Events 4768/4769)
  8. Microsoft Entra ID integration, including AZUREADSSOACC (Seamless SSO) and Entra Connect service account configuration
  9. Group Policy Objects configuring Kerberos encryption types
  10. Federation and SSO SPN Detection. The Collector probes in-scope domains for SPNs associated with known federation and SSO integration patterns. Detected SPNs and accounts are reported for Customer review. Any SPN associated with an account lacking AES encryption configuration is flagged as a potential enforcement-phase risk.

1.4 Assessment Results — No Data, Exclusions, and Errors

Results for any individual assessment category may be absent, empty, or incomplete for reasons including:

  1. Customer exclusions. The Customer may exclude specific AD sites or domain controllers from event log collection. Categories relying on data from excluded sources will reflect only included sources.
  2. No data to assess. A category may return no results because the environment contains no items meeting the criteria for that category. An empty result in these cases reflects the environment as collected and is not an error.
  3. Collection errors. A category may return no or incomplete results due to unreachable domain controllers, insufficient permissions, blocked remote registry access, denied event log access, or other collection failures. Detected errors will be noted in the Report where possible; not all failures can be detected or reported.
  4. Audit policy not enabled. Kerberos event log categories depend on Kerberos auditing being enabled on domain controllers. If audit policy is not configured, the Collector will report zero events for affected DCs.

An empty, partial, or absent result in any assessment category does not constitute a finding that the Customer's environment is free of risk in that category, and does not constitute a warranty by PresideTech that no exposure exists. The Assessment Report reflects only what was observable from data collected at the collection timestamp under conditions present at that time.

1.5 What Is Not Included

  1. Remediation implementation of any kind
  2. Penetration testing, exploitation, or active attack simulation
  3. Assessment of domains outside the scan root subtree or above the tier limit
  4. Assessment of non-Windows identity platforms or non-Active Directory authentication systems
  5. Vendor-specific configuration guidance for third-party federation or SSO products
  6. Compliance certification, audit attestation, or regulatory filing
  7. Internal review, change management, testing, or rollback planning prior to implementing any recommendation
  8. Ongoing monitoring, subscription services, or recurring assessments

02

The Assessment Report

2.1 Report Contents

  1. Executive risk score (0–100) with overall risk rating and plain-language summary
  2. Categorized findings with severity ratings (Critical, High, Medium, Low), technical explanations, and business impact statements
  3. Detailed data tables with sortable and filterable views, and per-section CSV exports
  4. A prioritized remediation roadmap with deadline-sequenced action items
  5. A federation and SSO SPN inventory with AES configuration status flags
  6. A PresideTech Remediation Support option notice

2.2 Informational Nature of the Report

All guidance, recommendations, remediation steps, and prioritization in the Assessment Report are provided as general informational guidance only. They do not constitute directives, mandates, or guarantees of outcome.

PresideTech's recommendations are based on generally accepted industry practices, vendor documentation, and information available at the time of data collection. The Report reflects the state of the Customer's environment at the collection timestamp only. Technology environments are dynamic — vendor updates, security patches, and configuration changes may alter the applicability of guidance after delivery. Customers should cross-reference recommendations with the latest vendor documentation and Microsoft advisories.

PresideTech does not provide vendor-specific remediation guidance for third-party products. Before making any changes to accounts or configurations associated with third-party integrations, the Customer must consult the relevant vendor.

2.3 Format and Delivery

The Assessment Report is delivered via two separate emails:

  1. Email 1 — Report URL. A signed URL pointing to the encrypted Report, valid for 15 calendar days from issue. The URL is not reissuable under any circumstances.
  2. Email 2 — Access Key. The decryption key required to view the Report, sent within one hour of the Report URL email.

Upon entering the access key at the Report URL, the Customer's browser will render the decrypted Assessment Report. The Customer may save the rendered Report as an unencrypted HTML file for internal use. The Customer is responsible for saving the Report locally upon first access. PresideTech is not responsible for loss of access arising from failure to save before the URL expires.

2.4 Large Environment Data Bundle

For environments where the encrypted output exceeds 9 MB, the Collector generates a local encrypted data bundle (".rc4x file") containing full CSV datasets. This file remains on the Customer's systems at all times and is never transmitted to PresideTech. A one-time decryption key unique to the engagement is embedded in the delivered Assessment Report. PresideTech does not retain a copy of this key.

03

Customer Obligations

3.1 Scan Root FQDN

The Customer must provide their chosen scan root FQDN to PresideTech within five (5) business days of purchase. Failure to do so does not entitle the Customer to a refund and may result in Product Key expiry.

3.2 Technical Prerequisites

  1. A domain-joined Windows machine with Domain Admin rights or equivalent delegated AD read access to run the Collector
  2. Network connectivity to domain controllers for all domains within the scan root subtree
  3. Windows PowerShell 5.1 or later installed on the machine
  4. Authority and any required internal approvals to run security assessment tooling against the AD environment
  5. Outbound HTTPS access from the Collector machine to https://licensing.presidetech.com, required for product key validation and consumption recording. The Collector will not proceed if this endpoint is unreachable. The Customer is responsible for ensuring firewalls, proxies, and network controls permit this connection.
  6. A web browser with outbound internet access to reach the Report URL within the 15-day validity window
  7. The Customer saves the Assessment Report locally upon first access. PresideTech is not responsible for loss of access due to URL expiry if the Customer fails to save a local copy.

3.3 Authorized Use Only

The Customer warrants that the scan root FQDN provided accurately identifies a domain within the Customer's own Active Directory forest. The Customer agrees not to run the Collector against any environment for which they do not have explicit authorization.

3.4 Output File Handling

The Customer agrees to submit only the .rc4d encrypted output file to PresideTech and not to transmit the .rc4x local data bundle or any unencrypted Active Directory data to PresideTech or any third party.

3.5 Customer Responsibility for Internal Review and Implementation

The Customer is solely responsible for reviewing, evaluating, testing, and implementing — or choosing not to implement — any recommendation, remediation step, or guidance contained in the Assessment Report.

Prior to implementing any recommended change in a production environment, the Customer agrees to:

  1. Internal review. Evaluate each recommendation through internal IT, security, and infrastructure teams to assess applicability and compatibility, including unique network topology, firewall rules, legacy systems, third-party integrations, patch levels, and configuration baselines.
  2. Risk assessment. Identify potential impacts on systems, applications, services, workflows, and downstream interconnected systems.
  3. Non-production testing. Test all recommended changes in a non-production or staging environment before deploying to production.
  4. Stakeholder coordination. Coordinate with change management, compliance, business continuity, and regulatory teams.
  5. Baseline documentation. Document the current state of the environment, including configuration baselines, patch levels, and system dependencies, before making any changes.
  6. Rollback planning. Establish a rollback plan for every change so that the environment can be restored to its prior state in the event of an issue.
  7. Incremental implementation. Implement changes incrementally rather than applying all recommendations simultaneously, and monitor systems closely after each change.
  8. Regulatory and policy validation. Validate recommended changes against existing policies and applicable compliance frameworks including HIPAA, PCI-DSS, SOX, CMMC, and others.
  9. Vendor consultation. Before making any changes to accounts or systems associated with third-party integrations — including federation services, SSO providers, and non-Microsoft Kerberos implementations — consult the relevant vendor. PresideTech does not provide vendor-specific remediation guidance for third-party products.

The Customer acknowledges that PresideTech cannot account for every variable within the Customer's environment and that the Customer bears full responsibility for evaluating how any recommended change will interact with their specific infrastructure and operational context.

04

Fees, Payment, and Cancellation

4.1 Fees

Tier | Fee
Standard (up to 2 domains) | $6,000.00 USD
Enterprise (up to 5 domains) | $12,000.00 USD
Multinational / Conglomerate (up to 12 domains) | $18,000.00 USD

4.2 Payment

Payment is due within thirty (30) days of purchase. PresideTech will issue an invoice upon purchase confirmation. PresideTech reserves the right to withhold delivery of the Product Key and Collector until payment is received in full.

4.3 Product Key Validity

The Product Key is valid for seven (7) calendar days from issuance. If the Customer cannot complete collection within that window, PresideTech will reissue the Product Key once, at no charge, upon written request to engage@presidetech.com. This one-time reissuance is provided as an exception and does not extend or reset any other obligation. No further reissuances will be provided. If the Customer is unable to complete collection within the reissued key's validity window, a new Assessment must be purchased at the applicable fee.

4.4 Cancellation and Refunds

Cancellation Stage | Non-Refundable | Refundable
Before Product Key issuance | 10% (admin fee) | 90%
After Product Key issued | 100% | 0%

Issuance of a Product Key constitutes formal commencement of the engagement and renders the full fee non-refundable. Approved pre-issuance refunds are processed within thirty (30) days via the original payment method.

05

Intellectual Property

5.1 PresideTech Ownership

The following are and shall remain the sole and exclusive intellectual property of Preside Inc.: the RC4 Collector and all underlying source code and binaries; the Assessment Report format, layout, visual design, risk scoring methodology, and remediation framework; the two-layer AES-256-CBC encryption architecture, .rc4d and .rc4x file formats, and all cryptographic implementation details; the PresideTech name, logos, and marks; and the overall Assessment methodology and analytical framework.

5.2 License to Customer — Report

PresideTech grants the Customer a non-exclusive, non-transferable, perpetual, royalty-free license to use, copy, store, and distribute the Assessment Report internally for the Customer's internal business purposes, including sharing with employees, contractors, auditors, regulators, and legal counsel.

5.3 License to Customer — Collector

PresideTech grants the Customer a limited, non-exclusive, non-transferable license to execute the RC4 Collector solely to complete the purchased Assessment on systems owned or operated by the Customer within the Product Key validity period. The Customer may not copy, distribute, reverse engineer, decompile, modify, or use the Collector for any other purpose.

5.4 Customer Data

The Customer retains all right, title, and interest in and to their Active Directory data and all content derived from it during report generation ("Customer Data"). PresideTech's access is limited solely to generating and delivering the Assessment Report. PresideTech will not use Customer Data for any other purpose, will not sell or transfer it to third parties, and will permanently delete the .rc4d file and all derived content within thirty (30) days of Report delivery. PresideTech may retain the delivered Assessment Report as an engagement record for up to three (3) years.

5.5 Aggregated Data

PresideTech may use fully anonymized and aggregated statistical data derived from assessments for internal research and marketing purposes, provided such data cannot identify the Customer or any specific aspect of their environment.

5.6 No Implied Licenses

All rights not expressly granted herein are reserved by PresideTech.

06

Confidentiality

6.1 Customer Data

PresideTech will treat all Customer Data as confidential and will not disclose it to any third party except: (a) as required by applicable law or court order, with reasonable advance notice where legally permissible; (b) to PresideTech employees or contractors bound by equivalent confidentiality obligations; or (c) with the Customer's prior written consent.

6.2 PresideTech Confidential Information

The Customer will treat the following as confidential: the Collector Software, the encryption architecture, the Assessment Methodology, non-public technical details of the Report framework, and any proprietary information disclosed by PresideTech. The Customer will not disclose such information to any third party without PresideTech's prior written consent.

6.3 Report Sharing

The Customer may share the Assessment Report with internal teams, auditors, regulators, legal counsel, and cyber insurance carriers. The Customer may not publish the Report publicly or provide it to competitors of PresideTech without prior written consent.

07

Limitation of Liability

7.1 Aggregate Cap

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PRESIDE INC.'S TOTAL CUMULATIVE LIABILITY TO THE CUSTOMER ARISING OUT OF OR RELATED TO THESE TERMS, THE ASSESSMENT, THE COLLECTOR, THE ASSESSMENT REPORT, OR ANY OTHER SERVICES OR DELIVERABLES — WHETHER BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, STATUTE, OR ANY OTHER LEGAL THEORY — SHALL NOT EXCEED THE FEE ACTUALLY PAID BY THE CUSTOMER FOR THE ASSESSMENT. THE FEE PAID IS THE SOLE AND EXCLUSIVE REMEDY AVAILABLE TO THE CUSTOMER FOR ANY CLAIM ARISING OUT OF OR RELATED TO THESE TERMS.

7.2 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PRESIDE INC. SHALL NOT BE LIABLE FOR ANY: (a) INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES; (b) LOSS OF PROFITS, REVENUE, BUSINESS, GOODWILL, DATA, OR ANTICIPATED SAVINGS; (c) BUSINESS INTERRUPTION, SYSTEM DOWNTIME, OR AUTHENTICATION OUTAGES, INCLUDING ANY OUTAGES RELATED TO THE APRIL 2026 MICROSOFT RC4 ENFORCEMENT UPDATE OR THE CUSTOMER'S FAILURE TO REMEDIATE RC4 EXPOSURE IDENTIFIED IN THE ASSESSMENT REPORT; (d) COSTS OF SUBSTITUTE SERVICES OR REPLACEMENT SYSTEMS; (e) DAMAGES ARISING FROM UNAUTHORIZED ACCESS TO OR CORRUPTION OF CUSTOMER DATA, ACTIVE DIRECTORY ENVIRONMENTS, OR OTHER SYSTEMS; (f) ANY IMPACT, DISRUPTION, DATA LOSS, SERVICE DEGRADATION, SECURITY INCIDENT, OR OTHER ADVERSE OUTCOME RESULTING FROM THE CUSTOMER'S IMPLEMENTATION OF OR FAILURE TO IMPLEMENT ANY GUIDANCE IN THE ASSESSMENT REPORT, WHETHER OR NOT THE CUSTOMER CONDUCTED THE INTERNAL REVIEW DESCRIBED IN SECTION 3.5; WHETHER OR NOT PRESIDE INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7.3 Informational Purpose

The Assessment and Assessment Report are provided for informational purposes only and reflect the state of the Customer's environment at the time of data collection. PresideTech does not warrant that the Assessment identifies all security vulnerabilities or exposures. The Customer is solely responsible for all remediation decisions and for conducting the review described in Section 3.5 prior to implementing any recommendation.

7.4 Environment Variability

PresideTech's guidance is based on generally accepted industry practices and information available at the time of the Assessment. Each customer environment is unique. PresideTech cannot account for all variables present in the Customer's environment, including unique network topology, firewall configurations, legacy systems, third-party integrations, patch levels, compliance frameworks, multi-domain or multi-forest architectures, and non-Microsoft Kerberos implementations.

08

Warranties and Disclaimers

8.1 PresideTech Warranties

PresideTech warrants that: (a) it has the right to enter into these Terms and grant the licenses described herein; (b) the RC4 Collector is digitally signed with an Authenticode certificate issued to Preside Inc. at the time of delivery; (c) the RC4 Collector is designed to operate as a read-only tool and will not intentionally modify, delete, or alter any Active Directory objects, accounts, policies, or configurations.

8.2 Disclaimer

EXCEPT AS SET FORTH IN SECTION 8.1, THE ASSESSMENT, COLLECTOR, ASSESSMENT REPORT, AND ALL OTHER DELIVERABLES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NON-INFRINGEMENT. PRESIDE INC. DOES NOT WARRANT THAT THE ASSESSMENT WILL IDENTIFY ALL RC4 EXPOSURES OR SECURITY VULNERABILITIES, THAT THE ASSESSMENT REPORT WILL BE ERROR-FREE OR COMPLETE, OR THAT THE CUSTOMER'S ENVIRONMENT WILL BE SECURE OR COMPLIANT WITH ANY STANDARD AS A RESULT OF THE ASSESSMENT. EMPTY, PARTIAL, OR ABSENT RESULTS IN ANY ASSESSMENT CATEGORY DO NOT CONSTITUTE A WARRANTY THAT NO EXPOSURE OR RISK EXISTS IN THAT CATEGORY. SEE SECTION 1.4. PRESIDE INC. DOES NOT WARRANT THAT ANY RECOMMENDATION IN THE ASSESSMENT REPORT WILL BE FREE OF ADVERSE EFFECTS WHEN IMPLEMENTED. THE APPLICABILITY OF ALL RECOMMENDATIONS IS SUBJECT TO THE CUSTOMER'S INTERNAL REVIEW AS DESCRIBED IN SECTION 3.5.

09

Governing Law and Dispute Resolution

9.1 Governing Law

These Terms are governed by the laws of the State of California, without regard to conflict of law principles. The UN Convention on Contracts for the International Sale of Goods does not apply.

9.2 Informal Resolution

Before initiating formal proceedings, the parties will attempt to resolve any dispute in good faith. The party asserting a dispute must provide written notice describing it in reasonable detail. The parties have thirty (30) calendar days from that notice to resolve the matter informally.

9.3 Binding Arbitration

Disputes not resolved informally will be submitted to final and binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules, conducted by a single arbitrator in Los Angeles County, California. The arbitrator's award is final, binding, and may be entered as a judgment in any court of competent jurisdiction.

9.4 Injunctive Relief

Either party may seek emergency injunctive or provisional relief to prevent irreparable harm, including to protect PresideTech's intellectual property or confidential information, without waiving the right to arbitrate the underlying dispute.

9.5 Class Action Waiver

ALL DISPUTES SHALL BE RESOLVED ON AN INDIVIDUAL BASIS. THE CUSTOMER WAIVES ANY RIGHT TO BRING OR PARTICIPATE IN ANY CLASS, COLLECTIVE, CONSOLIDATED, OR REPRESENTATIVE ACTION OR ARBITRATION PROCEEDING.

10

General

10.1 Entire Agreement

These Terms constitute the entire agreement between the parties regarding the Assessment and supersede all prior representations, warranties, and understandings, whether written or oral.

10.2 Amendments

PresideTech may update these Terms from time to time. Updated Terms will be posted at presidetech.com and will apply to Assessments purchased after the effective date of the update. For Assessments already in progress, the Terms in effect at the time of purchase apply.

10.3 Severability

If any provision is held invalid or unenforceable, the remaining provisions continue in full force. The invalid provision will be modified to the minimum extent necessary to make it enforceable.

10.4 Assignment

The Customer may not assign these Terms or any rights hereunder without PresideTech's prior written consent. PresideTech may assign these Terms without consent in connection with a merger, acquisition, or sale of substantially all of its assets.

10.5 Force Majeure

Neither party is liable for delays or failures caused by circumstances beyond their reasonable control, including acts of God, natural disasters, government actions, cyberattacks on PresideTech's systems, or widespread internet or cloud service outages.

10.6 Notices

All notices must be in writing and delivered by email with confirmation of receipt: to PresideTech at engage@presidetech.com | 100 Pine Street, Suite 1250, San Francisco, CA 94111 | +1 415 915 4450. To Customer at the email address provided at purchase.

10.7 Relationship of Parties

The parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, franchise, or employment relationship.

10.8 Survival

Sections 5 (Intellectual Property), 6 (Confidentiality), 7 (Limitation of Liability), 8.2 (Disclaimer), 9 (Governing Law and Dispute Resolution), and 10 (General) survive expiration or termination.

10.9 Acceptance

By purchasing an Assessment, requesting a Product Key, downloading the RC4 Collector, or submitting any encrypted output file to PresideTech, the Customer accepts these Terms in full. Electronic acceptance has the same legal effect as a signed original.

PresideTech recommends that the Customer have these Terms reviewed by qualified legal counsel before purchase.