Online Optimisers · Sebastian Tagwercher
Contracts · 2026-05-21

Adapt-and-use templates. Insurance and Authorization first.

SOW, MSA, NDA, and Authorization Letter templates ready to find-replace. Plus the two critical things that must be in place BEFORE the first signed engagement.

Critical 1 · Cyber liability insurance gap

Bind cyber liability insurance BEFORE the first engagement, not 5 months after

Your current business plan schedules cyber liability insurance from Month 5. The Wedge re-spec moves the first paid engagement to Week 4. That means insurance MUST be bound BEFORE the first signed engagement, not five months after. Without it, one missed finding that contributes to a downstream breach can become a personal-bankruptcy-grade liability. Your entire stock-portfolio runway and 12-month savings buffer disappear in a single uninsured claim.

Standard coverage stack for a solo security consultant in 2026:

Pricing benchmarks: Hiscox (UK/EU) ~$60-100/month combined. Embroker (US) ~$80-150/month. German alternatives (Hiscox Deutschland, Markel, Allianz Trade) ~EUR 60-120/month with German-language policy docs.

Bind the policy BEFORE invoicing the first engagement. A quote alone is not binding. The Certificate of Insurance (COI) must show an effective date earlier than the SOW signature date.

Critical 2 · Authorization letter (legal cover for testing)

A signed SOW is NOT legal cover to send testing traffic. The authorization letter is.

Under US, UK, and German law, unauthorized access to a computer system is a criminal offense regardless of whether a commercial contract exists. The contract proves both parties agreed to the engagement. The authorization letter proves an officer with actual authority over the system gave explicit permission to test it.

The specific statutes that make this matter:

Only accept the letter from a VP-level signer or above, identified by title. Include an explicit start date and end date. Include an emergency contact and an indemnification clause for in-scope testing. Store the signed PDF for at least 7 years.

Why this pack exists

The current business plan schedules the first paid engagement for Week 20-26. The AI/LLM Wedge re-spec compresses that to Week 4. Contracts must be in place BEFORE the first SOW is sent, not after.

This pack is the minimum viable kit: MSA, SOW, NDA, Authorization Letter, payment-terms language, and a cyber liability insurance disclosure boilerplate. After a one-time legal review in your chosen governing-law jurisdiction, every future engagement uses the same templates with find-replace on the placeholder fields.

Disclaimer
These templates are starting points drafted from standard solo-security-consultant practice. They are not legal advice. Have a qualified lawyer in the chosen governing-law jurisdiction review once before the first signed engagement. After that one-time review the pack is reusable across every future client.

What is in the pack

#   Template                                          When to use                                                                       Pages
1   Statement of Work (SOW), AI/LLM Security Review   Sent per engagement, references the MSA                                           4-5
2   Master Services Agreement (MSA)                   Signed once per client, covers all future SOWs                                    8-10
3   Mutual Non-Disclosure Agreement (NDA)             Pre-engagement, before any scoping conversation that touches confidential info    2
4   Authorization Letter                              Signed by an authorised Client officer BEFORE any testing traffic is sent         1
5   Payment terms reference                           Drop-in clauses for invoicing, currency, late fees, tax handling                  n/a
6   Cyber liability insurance disclosure              Boilerplate paragraph added to every SOW                                          n/a

Template 1: Statement of Work (SOW)

STATEMENT OF WORK No. <<SOW-NUMBER>>
AI/LLM Security Review

This Statement of Work ("SOW") is entered into on <<EFFECTIVE-DATE>> by and between:

CONSULTANT:
<<Consultant Legal Name>>
<<Consultant Address>>
<<Consultant Tax ID / VAT Number>>
<<Consultant Email>>

CLIENT:
<<Client Legal Name>>
<<Client Address>>
<<Client Tax ID / VAT Number>>
<<Client Primary Contact Name and Email>>

This SOW is issued under and governed by the Master Services Agreement between
the parties dated <<MSA-EFFECTIVE-DATE>> (the "MSA"). All terms not defined in
this SOW have the meaning given in the MSA. In the event of conflict between
this SOW and the MSA, this SOW controls only for matters of scope, fees, and
timeline; the MSA controls for all other matters.


1. ENGAGEMENT DESCRIPTION

Consultant will perform an AI/LLM Security Review of one (1) production AI
feature operated by Client, located at the URL or endpoint specified in
Section 2 below. The review will assess the feature against the OWASP LLM
Application Top 10 (2025 edition) and produce a written report and a one-hour
remediation call as described in Section 4.


2. SCOPE - IN

The following are within the scope of this engagement:

   a. ONE production AI feature on the URL or endpoint:
      <<Target URL / Endpoint>>

   b. Manual and tool-assisted security testing against the OWASP LLM
      Application Top 10 (2025), specifically:
      - LLM01 Prompt Injection (direct and indirect)
      - LLM02 Sensitive Information Disclosure
      - LLM03 Supply Chain (model and library provenance check)
      - LLM04 Data and Model Poisoning (exposure assessment)
      - LLM05 Improper Output Handling
      - LLM06 Excessive Agency (for agentic features with tool access)
      - LLM07 System Prompt Leakage
      - LLM08 Vector and Embedding Weaknesses (for RAG-backed features)
      - LLM09 Misinformation (UX and grounding risk)
      - LLM10 Unbounded Consumption (rate-limit and cost-amplification)

   c. Authentication and rate-limit testing at the AI endpoint.

   d. Output sanitisation testing (including XSS via LLM-generated markdown).

   e. One (1) round of free re-test on Critical or High severity findings,
      to be requested by Client within thirty (30) days of report delivery.


3. SCOPE - OUT

The following are explicitly outside the scope of this engagement:

   a. Full web application penetration testing (offered separately).
   b. Mobile application testing.
   c. Infrastructure, network, or cloud configuration audit.
   d. Source code audit.
   e. Compliance certification work (SOC 2, ISO 27001, HIPAA attestation).
   f. Custom fine-tuned model attacks or adversarial ML on model weights.
   g. Implementation of remediation (Consultant provides advisory only;
      Client engineers implement fixes).
   h. Social engineering, phishing, or physical security testing.
   i. Denial-of-Service or load testing beyond the documented rate-limit
      probing.


4. DELIVERABLES

Consultant will deliver:

   a. A written report ("Report") in PDF format, 15-25 pages, containing:
      - Executive summary
      - Scope statement
      - Methodology
      - Findings table with severity (CVSS 3.1, business-context adjusted),
        exploitability rating, reproduction steps, business impact, and
        prioritized remediation guidance
      - References

   b. One (1) live remediation call of up to sixty (60) minutes,
      delivered by video conference, scheduled within fourteen (14) days
      of Report delivery.

   c. A sanitised version of the Report suitable for sharing with
      auditors, investors, or third parties, provided at Client's request.


5. TIMELINE

   a. Engagement kickoff: <<KICKOFF-DATE>>
   b. Testing window: <<TESTING-START>> through <<TESTING-END>>
      (three consecutive business days)
   c. Report delivery: not later than <<REPORT-DELIVERY-DATE>>
   d. Remediation call: scheduled within 14 days of Report delivery

Total Consultant billable time: approximately twelve (12) hours over
three (3) calendar days. Calendar duration: up to one (1) calendar week.


6. FEES AND PAYMENT

Total Fixed Fee: <<CURRENCY>> <<TOTAL-FEE>>

Payment schedule:

   a. Fifty percent (50%) - <<CURRENCY>> <<DEPOSIT-AMOUNT>> - due within
      seven (7) days of SOW execution and prior to engagement kickoff.

   b. Fifty percent (50%) - <<CURRENCY>> <<FINAL-AMOUNT>> - due within
      seven (7) days of Report delivery.

Payment terms: Net-7 from invoice date.

Accepted payment methods:
   - Stripe Invoicing (preferred for amounts under <<CURRENCY>> 5,000)
   - Wire transfer / SEPA (preferred for amounts over <<CURRENCY>> 5,000)
   - Wise Business transfer

Invoices issued by Consultant within one (1) business day of each
applicable trigger event.


7. LATE PAYMENT

Unpaid invoice balances accrue interest at one and one-half percent (1.5%)
per month, compounded monthly, starting eight (8) days after the invoice
due date. Consultant may suspend work on any active engagement until
past-due amounts are paid in full.


8. SCOPE CHANGES

Any change to the scope defined in Sections 2 and 3 must be documented
in a written change order or a new SOW, signed by both parties, before
Consultant performs the changed work. Verbal scope changes are not binding.

Common change-order triggers:
   - Addition of a second AI feature or second URL  +<<CURRENCY>> 1,000
   - Expansion to full web application pen-test     +<<CURRENCY>> 1,500
   - Rush delivery (48 hours from kickoff)          +50% of total fee
   - German-language Report deliverable             +<<CURRENCY>> 300


9. TERM

This SOW takes effect on the Effective Date above and terminates on
delivery of the Report and completion of the remediation call, or on
the thirtieth (30th) day after Report delivery, whichever is later.
Termination of this SOW does not terminate the MSA.


10. ACCEPTANCE

Client will provide written acceptance or itemised objections to the
Report within five (5) business days of delivery. Silence beyond five
(5) business days constitutes acceptance. Objections must be specific
and actionable; Consultant will address material objections at no
additional cost where they relate to documented in-scope findings.


11. AUTHORIZATION TO TEST

Client confirms that the signed Authorization Letter (attached as
Exhibit A to this SOW) constitutes Client's explicit written permission
for Consultant to perform the security testing described above on the
systems and URLs identified. Consultant will not commence testing until
Exhibit A is signed by an Authorized Officer of Client.


12. INSURANCE DISCLOSURE

Consultant maintains the following insurance coverage in force as of
the Effective Date:

   - Professional Liability / Errors and Omissions:
     <<COVERAGE-AMOUNT>> aggregate / <<PER-OCCURRENCE>> per occurrence
   - Cyber Liability:
     <<COVERAGE-AMOUNT>> aggregate / <<PER-OCCURRENCE>> per occurrence

Carrier: <<CARRIER-NAME>>
Policy Number: <<POLICY-NUMBER>>

A current Certificate of Insurance is available on request.


SIGNATURES

CONSULTANT:                              CLIENT:

___________________________              ___________________________
Name: <<Consultant Name>>                Name: <<Client Signer Name>>
Title: <<Title>>                         Title: <<Client Signer Title>>
Date: ____________________               Date: ____________________


Exhibit A: Authorization Letter (separately signed)

Template 2: Master Services Agreement (MSA)

MASTER SERVICES AGREEMENT

This Master Services Agreement ("Agreement") is entered into on
<<EFFECTIVE-DATE>> ("Effective Date") between:

CONSULTANT:
<<Consultant Legal Name>>, a <<Entity Type>> organized under the laws of
<<Jurisdiction>>, with its principal place of business at
<<Consultant Address>> ("Consultant").

CLIENT:
<<Client Legal Name>>, a <<Entity Type>> organized under the laws of
<<Jurisdiction>>, with its principal place of business at
<<Client Address>> ("Client").

Consultant and Client may be referred to individually as a "Party" and
collectively as the "Parties".


1. DEFINITIONS

   1.1 "Services" means the professional services described in any SOW
       executed under this Agreement.

   1.2 "SOW" or "Statement of Work" means a written statement of work
       executed by the Parties that references this Agreement.

   1.3 "Deliverables" means the reports, documents, and other materials
       Consultant is required to deliver to Client under a SOW.

   1.4 "Confidential Information" has the meaning given in Section 6.

   1.5 "Authorized Officer" of Client means an individual at the rank of
       Vice President or higher who has actual authority to bind Client.


2. SERVICES

Consultant will perform the Services described in each SOW. Each SOW is
governed by this Agreement. In the event of conflict between this
Agreement and a SOW, this Agreement controls for matters of confidentiality,
intellectual property, liability, indemnification, insurance, and
governing law; the SOW controls for matters of scope, fees, and timeline.


3. FEES AND PAYMENT

   3.1 Fees for each engagement are set in the applicable SOW.

   3.2 Standard payment schedule, unless varied by SOW:
       - Tier 1 (AI/LLM Security Review): 50% on signing, 50% on report
         delivery, Net-7
       - Tier 2 (Productized Web App Audit): 50% on signing, 50% on
         report delivery, Net-7
       - Tier 3 (Full Web App Penetration Test): 30% on signing, 30% on
         testing kickoff, 40% on report delivery, Net-7
       - Tier 4 (Monthly Retainer): monthly on the 1st of each month,
         3-month minimum commitment

   3.3 Late payment: unpaid balances accrue interest at 1.5% per month
       compounded monthly, beginning 8 days after the invoice due date.

   3.4 Taxes: Fees are exclusive of all taxes. Client is responsible for
       all sales, use, value-added, withholding, and similar taxes
       applicable to the Services, except for taxes on Consultant's net
       income.


4. CONSULTANT REPRESENTATIONS

Consultant represents that:

   4.1 Consultant has the skill, experience, and qualifications to perform
       the Services in a professional and workmanlike manner consistent with
       industry standards for security consulting.

   4.2 Consultant will comply with all laws applicable to the performance
       of the Services in the jurisdictions where Consultant performs them.

   4.3 The Services and Deliverables will not knowingly infringe the
       intellectual property rights of any third party.


5. CLIENT REPRESENTATIONS

Client represents that:

   5.1 Client owns or has the legal right to authorize security testing of
       the systems identified in each SOW and the related Authorization
       Letter.

   5.2 The individuals signing each SOW and Authorization Letter on
       Client's behalf are Authorized Officers with actual authority to
       bind Client.

   5.3 Client has notified or will notify all relevant internal teams
       (including security operations, incident response, and any third-
       party security monitoring providers) of the engagement scope and
       testing window before testing begins.


6. CONFIDENTIALITY

   6.1 "Confidential Information" means any non-public information disclosed
       by one Party to the other in connection with this Agreement, whether
       in writing, orally, or by inspection, that is marked confidential or
       that a reasonable person would understand to be confidential given
       the nature of the information and the circumstances of disclosure.

   6.2 Each Party will use the other Party's Confidential Information only
       for the purpose of performing under this Agreement and the
       applicable SOW, and will protect it using at least the degree of
       care it uses for its own confidential information of similar
       sensitivity and not less than a reasonable degree of care.

   6.3 The confidentiality obligations survive for three (3) years after
       termination of this Agreement, except for trade secrets, which
       remain protected for as long as they qualify as trade secrets under
       applicable law.

   6.4 Exceptions: Confidential Information does not include information
       that (a) is or becomes publicly available without breach of this
       Agreement, (b) was rightfully known to the receiving Party prior
       to disclosure, (c) is independently developed without use of the
       disclosing Party's Confidential Information, or (d) is required to
       be disclosed by law or court order, provided the receiving Party
       gives prompt notice to the disclosing Party where legally permitted.


7. INTELLECTUAL PROPERTY

   7.1 Subject to Section 7.2, on full payment of the applicable fees,
       Consultant assigns to Client all right, title, and interest in
       the Deliverables created specifically for Client under a SOW.

   7.2 Consultant retains all right, title, and interest in:
       (a) Consultant's pre-existing methodologies, tools, scripts,
           templates, and know-how
       (b) general security knowledge, techniques, and skills developed
           or improved through performance of the Services
       (c) sanitised, anonymised case-study material derived from the
           engagement, provided no Client-identifying information is
           disclosed

   7.3 Consultant grants Client a perpetual, irrevocable, royalty-free,
       worldwide license to use any Consultant-retained materials
       embedded in the Deliverables solely for Client's internal business
       purposes.

   7.4 Consultant may produce sanitised public write-ups based on the
       engagement, provided no Client name, Client domain, Client
       customer data, or specifically identifying technical details are
       disclosed. Client may request a 14-day pre-publication review of
       any such write-up.


8. AUTHORIZATION TO TEST

   8.1 Before Consultant performs any security testing, Client will sign
       and deliver to Consultant an Authorization Letter in substantially
       the form attached as Exhibit A to the applicable SOW.

   8.2 The Authorization Letter must be signed by an Authorized Officer
       of Client and must specify the testing window, in-scope systems,
       authorized techniques, and Client emergency contact.

   8.3 Consultant will not commence testing without a signed Authorization
       Letter. Client acknowledges that the Authorization Letter is the
       sole legal basis under applicable computer-crime statutes for
       Consultant's testing activities and that Client's failure to provide
       it suspends all work under the SOW.


9. LIMITATION OF LIABILITY

   9.1 EXCEPT FOR THE EXCLUSIONS IN SECTION 9.3, EACH PARTY'S TOTAL
       AGGREGATE LIABILITY UNDER THIS AGREEMENT AND ALL SOWS IS LIMITED
       TO THE FEES PAID OR PAYABLE BY CLIENT TO CONSULTANT UNDER THE
       APPLICABLE SOW IN THE TWELVE (12) MONTHS PRECEDING THE EVENT
       GIVING RISE TO THE CLAIM.

   9.2 EXCEPT FOR THE EXCLUSIONS IN SECTION 9.3, NEITHER PARTY IS LIABLE
       TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL,
       EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA,
       LOSS OF GOODWILL, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE
       POSSIBILITY OF SUCH DAMAGES.

   9.3 The limitations in Sections 9.1 and 9.2 do not apply to:
       (a) breach of the confidentiality obligations in Section 6
       (b) infringement of intellectual property rights
       (c) indemnification obligations under Section 10
       (d) gross negligence or willful misconduct
       (e) liability that cannot be excluded under applicable law


10. INDEMNIFICATION

   10.1 Consultant will indemnify and defend Client against third-party
        claims arising from Consultant's gross negligence or willful
        misconduct in performing the Services, up to the liability cap
        in Section 9.1.

   10.2 Client will indemnify and defend Consultant against third-party
        claims arising from:
        (a) Client's breach of Section 5 (Client Representations),
            including any claim that Client did not have authority to
            authorize testing of the systems in scope
        (b) Client's use of the Deliverables beyond the scope of the
            license in Section 7
        (c) Client's failure to act on Critical or High severity
            findings within a reasonable time, where the failure
            contributes to a security incident

   10.3 The indemnified Party will give the indemnifying Party prompt
        written notice of any claim, allow the indemnifying Party to
        control the defense and settlement (provided no settlement
        admits fault by or imposes a non-monetary obligation on the
        indemnified Party without consent), and cooperate at the
        indemnifying Party's expense.


11. INSURANCE

   11.1 Consultant will maintain, throughout the term of this Agreement
        and for two (2) years after termination:
        (a) Professional Liability / Errors and Omissions insurance with
            limits of not less than <<COVERAGE-AMOUNT>> per claim and
            <<AGGREGATE>> in the aggregate
        (b) Cyber Liability insurance with limits of not less than
            <<COVERAGE-AMOUNT>> per claim and <<AGGREGATE>> in the
            aggregate

   11.2 Consultant will provide a Certificate of Insurance on request.


12. INDEPENDENT CONTRACTOR

Consultant is an independent contractor. Nothing in this Agreement
creates an employer-employee relationship, partnership, joint venture,
or agency. Consultant is responsible for all taxes, insurance, and
benefits relating to Consultant's personnel. Consultant has no
authority to bind Client.


13. TERM AND TERMINATION

   13.1 This Agreement starts on the Effective Date and continues until
        terminated under this Section 13.

   13.2 Either Party may terminate this Agreement for convenience on
        thirty (30) days' written notice. Termination of this Agreement
        does not terminate active SOWs; those continue under the
        Agreement's terms until completed or separately terminated.

   13.3 Either Party may terminate this Agreement or any SOW immediately
        on written notice for material breach by the other Party that
        remains uncured fifteen (15) days after notice of the breach.

   13.4 On termination, Client will pay Consultant for Services performed
        through the termination date. Sections 6, 7, 9, 10, 11, 14, 15,
        17, and 18 survive termination.


14. FORCE MAJEURE

Neither Party is liable for failure or delay caused by events beyond
its reasonable control, including natural disasters, war, terrorism,
civil unrest, pandemic, government action, or major infrastructure
outage. The affected Party will give prompt notice and use reasonable
efforts to resume performance. If a force majeure event continues for
more than thirty (30) days, either Party may terminate the affected
SOW.


15. GOVERNING LAW AND VENUE

   15.1 This Agreement is governed by the laws of <<GOVERNING-LAW
        JURISDICTION>> without regard to its conflict-of-laws principles.

   15.2 Any dispute arising under this Agreement will be brought
        exclusively in the courts of <<VENUE>>, and each Party consents
        to personal jurisdiction in those courts.

   (Note for Sebastian: choose ONE of the three based on legal entity:
    - "Germany, with venue in <<City>>" if invoicing as Einzelunternehmen
    - "the State of Delaware, USA, with venue in Wilmington, Delaware"
      if invoicing through a US Delaware LLC
    - "Thailand, with venue in Chiang Mai" if invoicing through a Thai
      entity. Note: Thailand venue is less favourable for cross-border
      enforcement; consider US or German venue even if entity is Thai.)


16. DISPUTE RESOLUTION

The Parties will attempt in good faith to resolve any dispute by
direct negotiation between executives with authority to settle the
dispute, for a period of thirty (30) days before initiating any
litigation. If the dispute is not resolved within that period, either
Party may proceed to litigation in the venue identified in Section 15
or, by mutual written agreement, to arbitration administered by
<<ARBITRATION-BODY>> under its commercial rules.


17. NOTICES

All notices under this Agreement must be in writing and delivered to
the addresses set out at the top of this Agreement, by email with
confirmed delivery (an auto-reply alone is not sufficient confirmation),
by registered mail, or by reputable international courier. Notices
take effect on receipt.

Consultant notices: <<Consultant Email>>
Client notices: <<Client Notices Email>>


18. ENTIRE AGREEMENT; AMENDMENTS

This Agreement, together with all executed SOWs and Authorization
Letters, is the entire agreement between the Parties on its subject
matter and supersedes all prior or contemporaneous agreements.
Amendments must be in writing and signed by both Parties. No waiver
is effective unless in writing.


SIGNATURES

CONSULTANT:                              CLIENT:

___________________________              ___________________________
Name: <<Consultant Name>>                Name: <<Client Signer Name>>
Title: <<Title>>                         Title: <<Client Signer Title>>
Date: ____________________               Date: ____________________

Template 3: Mutual Non-Disclosure Agreement (NDA)

Use this when a pre-engagement scoping conversation will expose Confidential Information from either side and the MSA is not yet signed. Once the MSA is in place, Section 6 of the MSA covers confidentiality and this standalone NDA is unnecessary.

MUTUAL NON-DISCLOSURE AGREEMENT

This Mutual Non-Disclosure Agreement ("Agreement") is entered into on
<<EFFECTIVE-DATE>> between:

<<Party A Legal Name>>, with its principal place of business at
<<Party A Address>> ("Party A"), and

<<Party B Legal Name>>, with its principal place of business at
<<Party B Address>> ("Party B").

Party A and Party B may each be a "Disclosing Party" with respect to its
own Confidential Information and a "Receiving Party" with respect to
the other Party's Confidential Information.


1. PURPOSE

The Parties wish to explore a potential business relationship related
to security consulting services (the "Purpose"). In connection with the
Purpose, each Party may disclose Confidential Information to the other.


2. CONFIDENTIAL INFORMATION

"Confidential Information" means any non-public information disclosed
by the Disclosing Party to the Receiving Party in connection with the
Purpose, in any form, that is either marked confidential or that a
reasonable person would understand to be confidential given the nature
of the information and the circumstances of disclosure. Confidential
Information includes, without limitation: business plans, customer
lists, technical architectures, source code, security findings,
vulnerability details, system credentials, financial data, and
personnel information.


3. PERMITTED USE

The Receiving Party will:

   a. Use Confidential Information solely for the Purpose.
   b. Limit access to Confidential Information to its personnel and
      contractors who have a need to know and who are bound by
      confidentiality obligations at least as protective as this
      Agreement.
   c. Protect Confidential Information using at least the degree of
      care it uses for its own confidential information of similar
      sensitivity, and not less than a reasonable degree of care.


4. EXCEPTIONS

Confidential Information does not include information that the
Receiving Party can demonstrate:

   a. Is or becomes publicly available without breach of this Agreement.
   b. Was rightfully known to the Receiving Party prior to disclosure.
   c. Is rightfully received from a third party without confidentiality
      obligation.
   d. Is independently developed by the Receiving Party without use of
      or reference to the Disclosing Party's Confidential Information.

If the Receiving Party is required by law or court order to disclose
Confidential Information, it will give the Disclosing Party prompt
written notice (where legally permitted) and reasonable cooperation to
seek a protective order.


5. TERM

This Agreement starts on the Effective Date and continues for two (2)
years, after which it terminates automatically. The confidentiality
obligations in Section 3 survive for three (3) years after the date of
disclosure of the relevant Confidential Information, or indefinitely
for information that qualifies as a trade secret under applicable law.


6. RETURN OR DESTRUCTION

On the Disclosing Party's written request or on termination of this
Agreement, the Receiving Party will, at the Disclosing Party's choice,
return or destroy all Confidential Information in its possession and
certify destruction in writing. The Receiving Party may retain one
copy for legal-compliance and back-up purposes, subject to continuing
confidentiality.


7. NO LICENSE

Nothing in this Agreement grants either Party any license to the other
Party's intellectual property, except the limited right to use
Confidential Information for the Purpose.


8. REMEDIES

The Parties acknowledge that breach of this Agreement may cause
irreparable harm for which monetary damages are inadequate. The
non-breaching Party is entitled to seek injunctive relief in addition
to any other available remedies.


9. GOVERNING LAW

This Agreement is governed by the laws of <<GOVERNING-LAW
JURISDICTION>>, and any dispute will be brought exclusively in the
courts of <<VENUE>>.


10. ENTIRE AGREEMENT

This Agreement is the entire agreement between the Parties on its
subject matter. Amendments must be in writing and signed by both
Parties.


SIGNATURES

PARTY A:                                 PARTY B:

___________________________              ___________________________
Name: <<Party A Signer>>                 Name: <<Party B Signer>>
Title: <<Title>>                         Title: <<Title>>
Date: ____________________               Date: ____________________

Template 4: Authorization Letter (the legal cover for testing)

This is the single most important contract document in the pack. The SOW is a commercial agreement; the Authorization Letter is the legal basis under computer-crime statutes for testing activity.

AUTHORIZATION LETTER FOR SECURITY TESTING

Date: <<DATE>>

To: <<Consultant Legal Name>>
    <<Consultant Address>>

Re: Authorization to perform security testing under SOW No. <<SOW-NUMBER>>


I, <<Authorized Officer Name>>, holding the title of <<Title (must be
Vice President or higher, or equivalent C-suite role)>> at <<Client
Legal Name>> ("Client"), and authorized to bind Client, hereby grant
explicit written authorization to <<Consultant Legal Name>>
("Consultant") to perform security testing of the systems identified
below, on the terms set out in this letter.

This letter is issued under, and supplements, the Statement of Work
referenced above and the Master Services Agreement between Client and
Consultant dated <<MSA-DATE>>.


1. AUTHORIZED TESTING WINDOW

Start: <<TESTING-START-DATE>> at <<START-TIME>> <<TIMEZONE>>
End:   <<TESTING-END-DATE>> at <<END-TIME>> <<TIMEZONE>>

Consultant is authorized to perform testing only within this window.
Testing outside this window requires a written extension signed by
an Authorized Officer of Client.


2. IN-SCOPE SYSTEMS

The following systems, URLs, and endpoints are in scope for testing:

   a. <<Primary URL or endpoint, e.g. https://app.client.com/ai-chat>>
   b. <<Secondary URL or endpoint, if any>>
   c. <<AI feature endpoints, API paths, or sub-domains in scope>>

No other systems, URLs, endpoints, sub-domains, or services owned or
operated by Client are authorized for testing under this letter.


3. AUTHORIZED TESTING TECHNIQUES

Consultant is authorized to use the following techniques:

   a. Manual security testing using web browsers, intercepting proxies
      (Burp Suite), and custom payloads.
   b. Tool-assisted security testing using publicly available,
      non-destructive scanning and probing tools (including Garak,
      PyRIT, Promptfoo, and similar AI-security tooling).
   c. Authentication and rate-limit probing within reasonable bounds
      (no sustained brute-force, no traffic volume designed to cause
      service degradation).
   d. Prompt-injection and output-handling probing against the in-scope
      AI feature.


4. PROHIBITED ACTIONS

Notwithstanding Section 3, Consultant will NOT:

   a. Perform Denial-of-Service or load testing designed to disrupt
      service availability.
   b. Exfiltrate production customer data beyond what is minimally
      necessary to demonstrate a finding (and even then, will redact
      or anonymise any extracted data in the Report).
   c. Perform social engineering, phishing, or pretexting against
      Client personnel or customers.
   d. Test physical security or attempt physical access to Client
      premises.
   e. Modify, delete, or corrupt Client production data.
   f. Use credentials of real Client customers for testing.
   g. Test third-party systems not owned or controlled by Client.


5. CLIENT EMERGENCY CONTACT

If Consultant's testing causes or is suspected of causing service
degradation, an outage, or any other incident requiring immediate
response, Consultant will contact:

   Name:  <<Emergency Contact Name>>
   Title: <<Emergency Contact Title>>
   Phone: <<24-hour Phone Number>>
   Email: <<Emergency Contact Email>>

Client confirms this contact is available 24/7 throughout the
Authorized Testing Window.


6. CLIENT INDEMNIFICATION FOR IN-SCOPE TESTING

Client agrees to indemnify and hold Consultant harmless from any
third-party claim arising from Consultant's testing performed within
the scope authorized by this letter, except for claims arising from
Consultant's gross negligence or willful misconduct.


7. CLIENT REPRESENTATIONS

Client represents and warrants that:

   a. The undersigned is an Authorized Officer of Client with actual
      authority to bind Client to this letter.
   b. Client owns or has the legal right to authorize security testing
      of the systems identified in Section 2.
   c. Client has notified, or will notify before the Authorized Testing
      Window begins, all relevant internal teams (including security
      operations, incident response, and any third-party security
      monitoring providers) of the engagement scope and testing window.
   d. Client has obtained any third-party consents required (for
      example, from cloud providers whose acceptable-use policies
      require prior notice of penetration testing).


8. CRITICAL LEGAL ACKNOWLEDGMENT

Client acknowledges that this Authorization Letter is the legal basis
under applicable computer-crime statutes (including the US Computer
Fraud and Abuse Act, the UK Computer Misuse Act 1990, the German
Strafgesetzbuch sections 202a and 202c, and equivalent statutes in
other jurisdictions) for Consultant's testing activities. Without
this letter, the testing activities would constitute unauthorized
access. Client warrants that the authorization granted here is
genuine, current, and not revocable retroactively.


SIGNED FOR CLIENT BY AN AUTHORIZED OFFICER:

___________________________
Name:  <<Authorized Officer Name>>
Title: <<Title (VP or higher)>>
Date:  ____________________


ACKNOWLEDGED BY CONSULTANT:

___________________________
Name:  <<Consultant Name>>
Title: <<Title>>
Date:  ____________________
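A pre-flight gate that encodes Sections 1 and 2 of this letter, as an added example that is not part of the template pack: it refuses any target that falls outside the Authorized Testing Window or is not listed in Section 2 (an unlisted sub-domain, a different port, or a path that merely shares a prefix with a listed endpoint). The window, the CEST offset and the client.example host are constructed placeholders for the letter's <<...>> fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Section 1 names a <<TIMEZONE>>; a fixed offset keeps the example free of tz
# database files. In practice build it with zoneinfo.ZoneInfo("Europe/Berlin").
CEST = timezone(timedelta(hours=2))

@dataclass(frozen=True)
class Authorization:
    """Sections 1 and 2 of the letter, as data."""
    start: datetime   # <<TESTING-START-DATE>> <<START-TIME>> <<TIMEZONE>>
    end: datetime     # <<TESTING-END-DATE>> <<END-TIME>> <<TIMEZONE>>
    in_scope: tuple   # Section 2 entries, exactly as written in the letter

def in_window(auth, now):
    """Section 1: testing only between Start and End, inclusive."""
    if now.tzinfo is None or auth.start.tzinfo is None or auth.end.tzinfo is None:
        raise ValueError("window checks need timezone-aware timestamps")
    return auth.start <= now <= auth.end

def target_in_scope(auth, target_url):
    """Section 2: scheme, host and port must equal a listed entry (an unlisted
    sub-domain is out of scope); the path must be the entry's or sit under it."""
    t = urlsplit(target_url)
    for entry in auth.in_scope:
        s = urlsplit(entry)
        if (t.scheme, t.hostname, t.port) != (s.scheme, s.hostname, s.port):
            continue
        if t.path == s.path or t.path.startswith(s.path.rstrip("/") + "/"):
            return True
    return False

def preflight(auth, target_url, now):
    """Gate to call before any request leaves the testing host."""
    if not in_window(auth, now):
        return False, "outside the Authorized Testing Window (Section 1): get a written extension"
    if not target_in_scope(auth, target_url):
        return False, "target not listed in Section 2: send no traffic"
    return True, "in scope and in window"

# Constructed sample values standing in for the letter's <<...>> fields.
LETTER = Authorization(
    start=datetime(2026, 6, 1, 9, 0, tzinfo=CEST),
    end=datetime(2026, 6, 12, 18, 0, tzinfo=CEST),
    in_scope=("https://app.client.example/ai-chat",),
)

if __name__ == "__main__":
    print(preflight(LETTER, "https://app.client.example/ai-chat/v2", datetime.now(timezone.utc)))
```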

Template 5: Payment terms reference

Drop-in clauses and ops rules for invoicing across the offer stack.

Currency

Payment methods

Invoice timing

Late fees

Tax handling

Quotes and proposals

Template 6: Cyber liability insurance disclosure (boilerplate)

The exact paragraph you add to every SOW (Section 12) and to the website footer or services page.

Standard insurance disclosure paragraph

Consultant maintains the following insurance coverage in force as of
the Effective Date:

   - Professional Liability / Errors and Omissions:
     <<COVERAGE-AMOUNT, e.g. USD 1,000,000>> aggregate /
     <<PER-OCCURRENCE, e.g. USD 500,000>> per occurrence
   - Cyber Liability:
     <<COVERAGE-AMOUNT, e.g. USD 1,000,000>> aggregate /
     <<PER-OCCURRENCE, e.g. USD 500,000>> per occurrence

Carrier:        <<CARRIER-NAME, e.g. Hiscox Insurance Company Inc.>>
Policy Number:  <<POLICY-NUMBER>>
Policy Period:  <<EFFECTIVE-DATE>> through <<EXPIRY-DATE>>

A current Certificate of Insurance (COI) is available on request and
will be provided to Client within two (2) business days of a written
request. Consultant will maintain coverage at or above these limits
for the duration of the engagement and for two (2) years after
termination.

Short website-footer version

Tagwercher Web Application Security is insured for Professional
Liability and Cyber Liability at <<COVERAGE-AMOUNT>> per claim. COI
available on request.

What you MUST do before first signed engagement

Templates you should ALSO have (out of scope for this pack)

This pack covers the minimum viable contracts kit for the Tier 1 AI/LLM Security Review wedge. Several other templates become relevant as the offer stack grows.