Legal

Terms of Use

TucDesk / PTH Global
Last updated: April 22, 2026
These Terms of Use supplement the TucDesk Terms of Service with specific rules governing how the platform, its APIs, and its infrastructure may be used. They apply to all users, including those accessing via API, CLI, or native clients. These terms exist because TucDesk provides access to real infrastructure and real devices — misuse has real consequences.
01

Authorized Use Only

TucDesk is a privileged-access tool. Every connection you initiate through TucDesk grants you control over a remote device. With that capability comes a strict authorization requirement.

Authorization is required for every connection.
You may only use TucDesk to access devices and systems for which you have explicit, documented authorization. "I own the organization" or "I work there" does not automatically grant you the right to access every device. Follow your organization's access control policies.

Specifically, you must have one of the following before initiating a session:

  • Written or documented authorization from the device owner or designated system administrator
  • A role explicitly granted access to the target agent within your organization's TucDesk access control configuration
  • Ownership or administrative control of the target device, in a context where accessing your own devices is the intended use

Accessing systems without authorization — even systems within your organization — may violate the Computer Fraud and Abuse Act (USA), the Computer Misuse Act (UK), and equivalent laws in other jurisdictions. TucDesk will cooperate fully with law enforcement investigations into unauthorized access conducted via our platform.


02

No Unauthorized Access

The following are absolutely prohibited and will result in immediate account termination and referral to relevant authorities:

  • Using TucDesk to access any system, device, or network without explicit authorization from its owner or administrator
  • Registering agents on devices you do not own or are not authorized to manage
  • Exploiting vulnerabilities in TucDesk agents or the platform to gain elevated privileges beyond your authorized access level
  • Using TucDesk connections to pivot into network segments for which you are not authorized, even if the initial connection was authorized
  • Creating or distributing TucDesk agents with deceptive intent (i.e., installing agents on devices without the device owner's knowledge and consent)
  • Using TucDesk to establish persistent unauthorized access ("backdoors") on any system

If you discover that unauthorized access to your organization's devices has been attempted or conducted via TucDesk, please report it immediately to security@tucdesk.app. We take such reports seriously and will act swiftly.


03

Security Research Policy

TucDesk welcomes responsible security research. We recognize that security researchers play a vital role in identifying vulnerabilities and improving the security of software systems. We are committed to working with researchers in good faith.

Safe Harbor for Good-Faith Research
Security researchers who comply with this policy and our responsible disclosure guidelines will not be pursued legally for their research activities, provided they act in good faith and follow the rules below.

Permitted research activities (on your own accounts/devices or with our explicit written authorization):

  • Testing the TucDesk dashboard, API, and client software for security vulnerabilities using accounts you own and control
  • Fuzzing and static analysis of TucDesk client software
  • Reviewing our published cryptographic protocols and proposing improvements
  • Setting up isolated test environments with your own devices to verify agent behavior

Not permitted without explicit written authorization:

  • Testing against accounts, agents, or data belonging to other users or organizations
  • Performing denial-of-service attacks or load testing against TucDesk infrastructure
  • Accessing, modifying, or deleting data belonging to other users as part of vulnerability demonstration
  • Publicly disclosing vulnerabilities before we have had a reasonable opportunity to remediate them (see Responsible Disclosure below)

04

Responsible Disclosure

If you discover a security vulnerability in TucDesk, please report it to us privately before disclosing it publicly. We commit to:

  • Acknowledge your report within 24 hours of receipt
  • Confirm whether the issue is valid and provide an initial assessment within 5 business days
  • Remediate confirmed vulnerabilities according to their severity: critical issues within 24 hours, high severity within 7 days, others within 30 days
  • Notify you when the vulnerability is fixed and coordinate public disclosure timing with you
  • Credit you in our security advisories unless you prefer to remain anonymous

To report a vulnerability:

  • Email: security@tucdesk.app
  • PGP encryption available upon request for sensitive disclosures
  • Include: description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept (without causing harm to others)

We ask that you give us a 90-day coordinated disclosure window from the date of your initial report before publishing details publicly. We will work to meet this timeline; if we need more time, we will communicate that proactively.

Bug Bounty Program
We are actively developing a formal bug bounty program. In the interim, we handle bounty payments on a case-by-case basis for confirmed, impactful vulnerabilities. Contact security@tucdesk.app for details.

05

API Usage

The TucDesk API is provided to enable programmatic integration with the platform — automation, custom dashboards, CI/CD pipelines, and system-level access management. The following rules govern API usage:

Permitted API uses:

  • Automating agent registration and deregistration in your organization
  • Retrieving session metadata and audit logs for your organization's compliance and monitoring systems
  • Provisioning and deprovisioning user accounts within your organization
  • Integrating TucDesk into your internal tooling, ticketing systems, or SIEM
  • Building approved internal tools on top of the API for your organization's use

Prohibited API uses:

  • Building commercial products or services on top of the TucDesk API without a written partnership agreement
  • Scraping or bulk-exporting data beyond what is necessary for your stated integration purpose
  • Using the API to probe or enumerate other organizations' agents or users
  • Storing API tokens in client-side code, public repositories, or other insecure locations
  • Sharing API tokens across multiple organizations or entities

API tokens are scoped and should be granted the minimum permissions necessary for their purpose. Tokens should be rotated regularly and revoked immediately upon suspected compromise. Lost or compromised tokens must be reported to security@tucdesk.app.


06

Rate Limits & Fair Use

Rate limits protect the quality and availability of the Service for all users. Limits apply per API token and per organization. Current default limits:

Endpoint category                 Limit                     Burst
Authentication (/auth/*)          20 req / min per IP       5 req / 10 sec
Session management (/sessions/*)  120 req / min per token   30 req / 10 sec
Agent operations (/agents/*)      300 req / min per org     60 req / 10 sec
Audit log retrieval (/audit/*)    60 req / min per token    15 req / 10 sec
Admin / org management            60 req / min per org      10 req / 10 sec

Rate limit status is returned in response headers: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. When a limit is exceeded, the API returns 429 Too Many Requests with a Retry-After header indicating when to retry.

Applications must implement proper backoff strategies when receiving 429 responses. Repeatedly exceeding rate limits or attempting to circumvent them may result in temporary or permanent API access restrictions.
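The backoff behaviour asked for above, as an added example that is not TucDesk's own client code: on a 429 the client waits for the number of seconds (or HTTP-date) given in Retry-After, falls back to capped exponential backoff with jitter when that header is missing, gives up after a bounded number of attempts, and reads the X-RateLimit-* headers so a caller can pause before hitting the limit at all. It assumes the X-RateLimit-* values are integers (the page does not specify the Reset format) and replaces live requests with a scripted stand-in so it runs offline.

```python
"""Rate-limit-aware request loop: honors Retry-After on 429, otherwise backs off exponentially."""
import random
import time
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str]
    body: str = ""


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_rate_limit_headers(headers: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Read X-RateLimit-Limit / -Remaining / -Reset as integers; None if absent or malformed.
    Assumption: the values are plain integers (the Reset format is not documented on the page)."""
    parsed: Dict[str, Optional[int]] = {}
    for key in ("limit", "remaining", "reset"):
        raw = _header(headers, f"X-RateLimit-{key.capitalize()}")
        try:
            parsed[key] = int(raw) if raw is not None else None
        except ValueError:
            parsed[key] = None
    return parsed


def retry_after_seconds(headers: Dict[str, str], now: Callable[[], float] = time.time) -> Optional[float]:
    """Parse Retry-After, which RFC 9110 allows as delay-seconds or as an HTTP-date."""
    raw = _header(headers, "Retry-After")
    if raw is None:
        return None
    raw = raw.strip()
    if raw.isdigit():
        return float(raw)
    try:
        when = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None  # unparseable value: caller falls back to its own backoff
    return max(0.0, when.timestamp() - now())


def request_with_backoff(send: Callable[[], Response], *, max_attempts: int = 5,
                         base_delay: float = 1.0, max_delay: float = 60.0,
                         sleep: Callable[[float], None] = time.sleep,
                         rng: Callable[[], float] = random.random) -> Tuple[Response, List[float]]:
    """Call send() until a non-429 response; returns the response and the delays that were waited."""
    delays: List[float] = []
    for attempt in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp, delays
        delay = retry_after_seconds(resp.headers)
        if delay is None:
            # No Retry-After: exponential backoff with full jitter, capped at max_delay
            delay = min(max_delay, base_delay * (2 ** attempt)) * rng()
        delays.append(delay)
        sleep(delay)
    # Giving up is deliberate: hammering a limited endpoint is what the policy forbids
    raise RuntimeError(f"gave up after {max_attempts} attempts; still rate limited")


def scripted_server(script: List[Response]) -> Callable[[], Response]:
    """Return a send() that replays constructed responses in order (stands in for the real API)."""
    replay = iter(script)
    return lambda: next(replay)


# Constructed sequence: limited with Retry-After, limited without it, then success.
DEMO_SCRIPT = [
    Response(429, {"Retry-After": "2", "X-RateLimit-Limit": "120",
                   "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000060"}),
    Response(429, {"X-RateLimit-Limit": "120", "X-RateLimit-Remaining": "0"}),
    Response(200, {"X-RateLimit-Limit": "120", "X-RateLimit-Remaining": "119"}, body="ok"),
]


def demo() -> Tuple[int, List[float], Dict[str, Optional[int]]]:
    """Run the loop against the scripted server without real sleeping or randomness."""
    resp, delays = request_with_backoff(scripted_server(DEMO_SCRIPT), base_delay=0.5,
                                        sleep=lambda _s: None, rng=lambda: 1.0)
    return resp.status, delays, parse_rate_limit_headers(resp.headers)


if __name__ == "__main__":
    print(demo())
```

The scripted run waits 2 s for the first 429 (taken from Retry-After) and 1 s for the second (0.5 s base doubled on the second attempt), then returns the 200 with 119 requests remaining; in production, swap `scripted_server` for a function that performs the real request and drop the injected `sleep` and `rng`.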

DDoS and stress testing are prohibited.
Using automated tooling to generate high volumes of requests against TucDesk infrastructure — regardless of intent — is prohibited and may be treated as an attack. Contact us to arrange authorized load testing.

Higher rate limits are available on enterprise plans. Contact legal@tucdesk.app to discuss enterprise access or custom integration agreements.


07

Enforcement & Violations

We monitor for violations of these Terms of Use using automated systems and manual review. Upon detecting a potential violation, we may:

  • Issue a warning and request that you cease the violating behavior
  • Temporarily suspend API access or specific capabilities
  • Permanently terminate your account and ban associated identities
  • Preserve and disclose records to law enforcement where required by law or where criminal activity is suspected

We will make reasonable efforts to notify you of enforcement actions unless doing so would compromise an active investigation or violate a legal obligation.

If you believe an enforcement action was taken in error, contact legal@tucdesk.app with a description of the situation. We will review appeals in good faith.


08

Contact

For questions about these Terms of Use or to report violations: