We understand that penetration testing is in the interest of the client to assess the security of their data when processed by service providers. However, without notice and prior coordination with us, pen tests are equivalent to attacks on our services (we lack the context). We take active action against them accordingly, which may involve the technical aspect on the one hand, but also the legal aspect on the other.

Therefore, in order to exclude any misunderstanding, it is necessary to clarify the following points in advance:

• Date of the pen test?
• Scope of the pen test?
• What kind of tests does the customer want to perform?
• Is an impact on our production systems to be expected ("destructive tests", DoS, DDoS)?
• How many tests will the customer perform?
• From where (IP or IP range) will the test be performed?

 We expect the test result to be made available to us.