Terms for the beacon paid report
This page is the contract that applies when you buy the beacon paid report. It’s product-specific and sits alongside the general site terms at /terms; where this page and the general terms conflict on a matter specific to the report, this page controls. The methodology of the underlying scan is at /methodology.
Version 1.1 · last reviewed 6 May 2026.
1. Who you’re dealing with
The beacon paid report is sold by Giuseppe Giona, a sole trader based in England. Contact: [email protected]. Not registered for VAT at the time of this version; if that changes, the change is reflected on the receipt at the point of sale.
2. What you’re buying
A single PDF report covering the result of one beacon scan against one domain that you’ve proven control of. The report contains:
- The grade letter (A to F) computed by the scanner under the rules at /methodology.
- Every individual finding produced by each of the seven scanner categories, with severity classification and a short technical explanation.
- Each finding mapped to one or more documented breach precedents from the curated database, with citation to the primary regulator decision, court filing, or report.
- A prioritised remediation checklist with the specific configuration steps a system administrator would take to address each finding.
- Industry-profile annotations (where the buyer’s sector is declared at checkout), explaining why a finding may carry different severity in that sector.
- An executive summary suitable for sharing with non-technical stakeholders, generated from the same underlying data.
Delivered as a single PDF, attached to an email sent to the address provided at checkout, plus a one-time download URL valid for thirty days.
3. Domain verification — precondition to delivery
Payment is taken at checkout (see Section 5). Before the report is generated and delivered, you complete a verification step that proves you control the domain. Two methods are offered and you may pick either.
- DNS TXT record. I provide a one-time verification token at the moment of payment. You publish it as a TXT record at a named host under the target domain. I confirm by public DNS resolution.
- Verified administrative mailbox. I send a one-time verification code to one of the administrative addresses defined by RFC 2142 (security@, postmaster@, webmaster@, or abuse@ at the target domain). You enter the code on the verification page that opens immediately after payment.
You have seven calendar days from the moment of payment to complete verification. Reminder emails go at one, three, and six days. If verification isn’t completed within seven days, the order is treated as undelivered and the payment is refunded automatically in full (see Section 6).
The free scan that produced the underlying findings is a public, anonymous, in-browser run of the scanner; you’re paying for the formal report and remediation analysis built from those findings, not for the scan itself.
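As an added example (not code from the beacon service itself), the two control checks Section 3 describes: a public DNS TXT lookup for the one-time token, and the restriction of the mailbox method to the four RFC 2142 addresses at the target domain, with the resolver injected so the logic runs offline. The `_beacon-verify` host label, the seven-day window helper, and the sample records are assumptions.

```python
"""Domain-control verification as described in Section 3 (added example, not the
service's own code). The resolver is passed in, so the checks run offline."""
import hmac
import secrets
from datetime import datetime, timedelta

VERIFY_HOST = "_beacon-verify"                 # assumed label; page says only "a named host"
VERIFY_WINDOW = timedelta(days=7)               # Section 3: seven calendar days from payment
RFC2142_MAILBOXES = ("security", "postmaster", "webmaster", "abuse")


def _norm(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def issue_token() -> str:
    """One-time token handed out at the moment of payment."""
    return secrets.token_urlsafe(24)


def txt_verified(domain: str, token: str, resolve_txt) -> bool:
    """resolve_txt(name) -> list of TXT strings as published. The token may sit
    anywhere in the RRset (an unrelated TXT record at the host must not block
    verification); comparison is constant-time to avoid leaking the token."""
    name = f"{VERIFY_HOST}.{_norm(domain)}"
    want = token.encode()
    for record in resolve_txt(name):
        got = record.strip().strip('"').encode()
        if hmac.compare_digest(got, want):
            return True
    return False


def mailbox_allowed(address: str, domain: str) -> bool:
    """Only the RFC 2142 administrative mailboxes at exactly the target domain."""
    local, sep, host = address.strip().lower().rpartition("@")
    return sep == "@" and _norm(host) == _norm(domain) and local in RFC2142_MAILBOXES


def within_window(paid_at: datetime, now: datetime) -> bool:
    """Verification must complete within seven calendar days of payment."""
    return timedelta(0) <= now - paid_at <= VERIFY_WINDOW


# Constructed sample data: a fake zone with an unrelated SPF record beside the token.
SAMPLE_TOKEN = "constructed-sample-token-not-real"
SAMPLE_ZONE = {"_beacon-verify.example.com": ['"v=spf1 -all"', f'"{SAMPLE_TOKEN}"']}


def sample_resolver(name: str) -> list:
    """Stands in for a public DNS TXT lookup; returns the constructed records."""
    return SAMPLE_ZONE.get(name, [])
```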
4. Authorisation
By completing verification and proceeding to payment, you confirm one of the following is true:
- You own the registered domain.
- You administer the domain on behalf of the entity that owns it.
- You hold written authorisation from the owner to purchase a security report for it.
The verification step is technical evidence of control; this confirmation is the legal restatement. Both apply. Unauthorised use of the service may engage the Computer Misuse Act 1990.
5. Payment
The price of the report is £39 GBP at the time of this version. Payment is processed by Stripe; I don’t receive or store your full card number. Apple Pay and Google Pay are accepted in addition to direct card payment.
Payment is captured at the moment you click the pay button on the checkout page. A receipt is emailed automatically to the address you provided. The receipt is issued before the report is generated; the order is fulfilled when verification (Section 3) completes and the report is delivered (Section 7).
6. Cancellation, refund, and immediate-performance consent
Where you’re buying as a consumer, the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 would normally give you a fourteen-day right of cancellation for a digital service of this kind. By ticking the consent box on the checkout page you give your express prior consent to performance beginning before the end of the cancellation period and you acknowledge that, once the report has been generated and delivered following successful verification under Section 3, the fourteen-day cancellation right is lost.
Where you’re buying as a business, the consumer cancellation right under those Regulations doesn’t apply.
That said, I’ll issue a full refund automatically and within seven days, without you having to ask, where:
- Domain verification under Section 3 isn’t completed within seven calendar days of payment. The order is cancelled, no report is generated, and the full amount is refunded to the original payment method.
- Verification was completed but the report isn’t generated or delivered for any reason within my control.
- The report was delivered but covers a domain other than the one verified.
- The report file is structurally corrupt or contains no findings due to a scanner failure.
Where you think the report is materially defective in a way not covered above, email [email protected] within fourteen days of delivery, identifying the order and the defect. I’ll respond in writing within fourteen days of receipt and, where the complaint is accepted, issue a refund.
7. Delivery
The report is generated automatically on successful payment. The PDF is then:
- Attached to an email sent to the address you provided at checkout, with the order reference in the subject line.
- Available at a one-time download URL, communicated in the same email, valid for thirty days from the moment of generation.
Typical delivery time is under five minutes. Where upstream services (email provider, scanner, payment processor) are degraded, delivery may take longer.
8. Limitations of the report
- The report is a point-in-time snapshot of the externally observable configuration at the moment of scanning. It doesn’t describe future state.
- A clean grade isn’t a security assurance. The methodology page enumerates the limitations of each check; those limitations apply to every report.
- The report doesn’t assess application logic, authenticated functionality, internal infrastructure, third-party services not visible from the public surface, or any system requiring credentials.
- The report isn’t legal, regulatory, security, or compliance advice. It’s a structured set of observations, severity assessments, and remediation suggestions.
9. Acceptable use of the report
The report is licensed for the buyer’s internal use, including sharing with employees, professional advisers, insurers, regulators, and law-enforcement agencies acting in the course of their duties.
The report may not be:
- Republished, in whole or in substantial part, on a public website or in a public publication, except as permitted by Section 30 of the Copyright, Designs and Patents Act 1988 (criticism, review, news reporting).
- Resold, sublicensed, or made the subject of a paid derivative.
- Modified to misrepresent its findings, the date of the scan, or the identity of the scanner.
10. Liability
Nothing in these terms limits liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that can’t lawfully be limited.
Subject to that paragraph, and to the maximum extent permitted by law: the report is provided without warranty of any kind, including any implied warranty of merchantability, fitness for a particular purpose, or non-infringement; total aggregate liability arising out of one order is capped at the price paid for that order; and there’s no liability for indirect, consequential, or special loss, including lost profits, lost data, or reputational harm.
11. Data and privacy
The general privacy notice at /privacy applies. Records associated with a paid order — the verified domain, the buyer’s email, the order reference, the scan result, the PDF, and the receipt — are kept at least six years from the date of the order to satisfy HMRC self-employment record-keeping requirements.
The lawful basis for processing payment-related data is Article 6(1)(b) UK GDPR (necessary for the performance of a contract). The lawful basis for retention beyond contract performance is Article 6(1)(c) (legal obligation, in respect of the HMRC requirement).
12. Governing law and disputes
These terms, and any dispute or claim arising out of or in connection with them or with a purchase of the beacon paid report, are governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction, except that nothing prevents a consumer from relying on protections that apply to them in their country of residence.
Where you’re a consumer and the dispute can’t be resolved by direct contact, you may be entitled to use an alternative dispute resolution service. I’m not currently a member of any ADR scheme but will co-operate with one nominated by a regulator on a specific dispute.
13. Versioning
These terms are versioned. The version current at the moment you click the pay button is the version that applies to your purchase, regardless of subsequent changes. Earlier versions are kept and available on request.