Authorized Security Testing Agreement
Version 2026-05-28 · Effective May 28, 2026
This agreement is between Cyrolo LLC (30 N Gould St Ste N, Sheridan, WY 82801, United States) and the organization whose authorized representative accepts it in the Cyrolo application. It is designed so that security testing is performed only with your explicit written authorization and within a defined scope.
1. Purpose
This Authorized Security Testing Agreement ("Agreement") governs any manual review, penetration test, red-team exercise, vulnerability assessment, or other offensive or active security testing ("Security Testing") that Cyrolo LLC ("Cyrolo", "we", "us") performs at your request for systems, applications, networks, or data you identify as in scope ("Targets").
By electronically accepting this Agreement, you confirm that you are authorized to bind the organization on whose behalf you act ("Client", "you", "your") and that Security Testing is permitted under applicable law only for the Targets and methods described in your written scope.
2. Definitions
The following terms apply throughout this Agreement:
- "Authorized Representative" means the individual accepting this Agreement who certifies they have authority to contract for the Client.
- "In-Scope Targets" means only the domains, URLs, IP ranges, applications, APIs, mobile apps, cloud accounts, and environments explicitly listed by you in the Cyrolo platform, order form, or written statement of work — not systems discovered incidentally unless you later add them in writing.
- "Security Testing" includes automated and manual techniques such as reconnaissance, vulnerability scanning, authentication testing, injection testing, business-logic testing, exploitation, privilege escalation attempts, and proof-of-concept demonstrations, as agreed in the engagement scope.
- "Rules of Engagement" means the constraints, windows, contacts, and prohibitions you provide and that Cyrolo documents for the engagement.
4. Your representations and warranties
You represent, warrant, and covenant that:
- You are an Authorized Representative with legal authority to bind Client to this Agreement.
- Client owns the In-Scope Targets, or has obtained all legally required prior written consent from owners, operators, hosting providers, insurers, customers, and data controllers before requesting Security Testing.
- Security Testing of the In-Scope Targets is not prohibited by contract, law, regulation, court order, or government restriction in any relevant jurisdiction (including where Targets are hosted or where users are located).
- You have identified all material third parties (e.g., SaaS vendors, payment processors, CDNs, bug-bounty programs) whose systems could be affected, and testing those parties without their permission is out of scope unless separately authorized.
- Information you provide about scope, credentials, test accounts, and emergency contacts is accurate and will be kept current during the engagement.
5. Client responsibility and lawful use
Client remains solely responsible for determining whether Security Testing is lawful and permitted. Cyrolo does not provide legal advice. If you are uncertain, consult qualified counsel before accepting.
You agree not to request Security Testing against systems you do not control, public infrastructure you do not own, competitor properties, or any target listed on exclusion lists (e.g., US government systems, critical infrastructure) without explicit written approval and applicable authorizations.
You will not use findings to attack third parties, commit fraud, violate privacy rights, or exceed the scope of this Agreement.
6. Rules of engagement
The following rules apply to all Security Testing engagements unless superseded by written agreement:
- Cyrolo will use commercially reasonable efforts to follow your Rules of Engagement, including testing windows, rate limits, and "do not test" areas you specify.
- Unless explicitly agreed in writing for a paid penetration test, complimentary manual reviews are performed on a best-effort basis and may exclude destructive testing, denial-of-service, social engineering against employees, or physical security.
- Cyrolo may pause or stop testing immediately if we believe testing is unlawful, out of scope, causes unacceptable risk, or if we receive a credible cease request from Client or a target owner.
- Client will provide a security contact reachable during testing and will respond promptly to critical findings or accidental impact.
7. Data handling and confidentiality
Cyrolo will treat non-public information discovered during Security Testing as confidential, use it only to deliver the engagement, and retain it according to our privacy policy and applicable law.
You are responsible for ensuring that testing accounts, production data access, and personal data processing have a lawful basis (e.g., GDPR Article 6) where applicable.
You may not publish or share raw exploit artifacts in a way that endangers third parties without redaction and Cyrolo's prior written consent.
8. Complimentary manual review
If you opt in to a complimentary manual review during onboarding or elsewhere, Cyrolo may offer exploratory testing at no charge when capacity allows. Such reviews do not create a service-level commitment, fixed timeline, or guarantee of coverage. Cyrolo may decline, limit, or reschedule complimentary work without liability.
Complimentary reviews still require this Agreement when active probing beyond passive scanning is performed.
9. Paid penetration testing
Paid engagements are governed by this Agreement plus a separate statement of work or order describing deliverables, fees, insurance, and retesting. In case of conflict on commercial terms, the order form controls; on authorization and lawful testing, this Agreement controls unless the order form expressly states otherwise.
10. Indemnification
Client will defend, indemnify, and hold harmless Cyrolo and its officers, directors, employees, and contractors from claims, damages, fines, and costs (including reasonable attorneys' fees) arising from: (a) Security Testing performed in accordance with this Agreement based on your misrepresentation of authority or scope; (b) your breach of Section 4; or (c) your use of findings outside this Agreement.
Cyrolo will promptly notify you of claims and cooperate in defense. Neither party's indemnity limits liability for gross negligence or willful misconduct where prohibited by law.
11. Disclaimers
Security Testing cannot guarantee discovery of all vulnerabilities. Findings are provided "as is" for your internal risk management. Cyrolo disclaims implied warranties to the maximum extent permitted by law.
Cyrolo is not liable for indirect, consequential, or punitive damages arising from Security Testing except where such limitation is prohibited by law.
12. Revocation
You may revoke authorization at any time by email to [email protected] with subject "Revoke Security Testing Authorization" and your organization name. Cyrolo will cease new testing within a commercially reasonable period after confirmation.
Revocation does not affect obligations accrued before revocation (fees, confidentiality, indemnity).
13. Electronic acceptance
Your click-through acceptance in the Cyrolo application constitutes your electronic signature. We store acceptance timestamp, policy version, signer name, title, scope, user ID, and IP address for audit purposes.
This Agreement supplements Cyrolo's Terms of Service and Privacy Policy. If there is a conflict regarding Security Testing authorization, this Agreement prevails.
14. Governing law
This Agreement is governed by the laws of the State of Wyoming, United States, without regard to conflict-of-law rules. Exclusive venue for disputes relating to this Agreement shall be courts located in Sheridan County, Wyoming, except where mandatory consumer protection law requires otherwise.