Platform & Services Agreement
Last Updated: September 6, 2025
Customer's access to and use of Aegisbyte's website, platform features, and professional cybersecurity services are conditioned on Customer's acceptance of this Agreement. By executing a Sales Order or Statement of Work ("SOW") that references these terms, or by using the Services, Customer agrees to this Agreement.
0. Scope; Order of Precedence
This Platform & Services Agreement (the "Agreement"), together with any Sales Order(s), SOW(s), Addenda (e.g., DPA/BAA), and any Supplemental Terms referenced herein (collectively, the "Order Documents"), governs Customer's access to and use of the Services provided by Aegisbyte, LLC ("Aegisbyte," "we," "us," "our") to the entity identified in the applicable Sales Order or SOW ("Customer"). If there is a conflict, the following order of precedence applies: (1) Sales Order/SOW, (2) this Agreement, (3) Supplemental Terms.
1. Definitions
1.1 Affiliate means any entity that controls, is controlled by, or is under common control with a Party. "Control" means ownership of more than 50% of voting interests or the ability to direct management.
1.2 Applicable Laws means all laws, regulations, and governmental orders applicable to a Party's performance under this Agreement.
1.3 Assets means Customer applications, networks, systems, infrastructure, endpoints, IP ranges, URLs, APIs, cloud resources, or other in-scope targets to be tested or assessed.
1.4 Aegisbyte Content means templates, checklists, playbooks, report formats, dashboards, utilities, and other materials Aegisbyte makes available (excluding Customer Data).
1.5 Confidential Information has the meaning in Section 7.
1.6 Customer Data means data, documentation, configurations, and any information provided by or on behalf of Customer in connection with the Services, including information about Assets and findings generated for Customer.
1.7 Platform means any Aegisbyte web properties and hosted interfaces used to coordinate engagements, exchange data, and deliver reports.
1.8 Professional Services means penetration testing, red/purple team exercises, security posture assessments, vulnerability management, source code review, compliance assessments, advisory/consulting, and related activities Aegisbyte provides under a Sales Order or SOW.
1.9 Report(s) means deliverables produced for Customer (e.g., vulnerability reports, executive summaries, risk registers, evidence).
1.10 Sales Order means a mutually executed ordering document that specifies Services, quantities, term, pricing, and any auto-renewal if applicable.
1.11 Security Personnel means Aegisbyte employees and vetted subcontractors who perform the Services.
1.12 Services means the Platform and Professional Services provided under this Agreement and the applicable Order Documents.
1.13 Supplemental Terms means service-specific or region-specific terms (e.g., Data Processing Addendum (DPA), Business Associate Agreement (BAA)) referenced by this Agreement.
2. Ordering, Fees, and Payment
2.1 Orders. Services are purchased via Sales Orders or SOWs, each incorporated herein by reference. The Order will set forth scope, term (the "Service Period"), fees, and any special conditions. Customer Affiliates may place Orders under this Agreement; Customer remains responsible for Affiliate compliance unless an Affiliate signs separately.
2.2 Invoicing & Payment. Unless stated otherwise in an Order, Aegisbyte invoices upon execution (or per the milestone/schedule stated in the Order). Fees are due within 15 days of invoice date via ACH/wire. Fees are exclusive of taxes; Customer is responsible for all applicable taxes other than those based on Aegisbyte's income. Overdue amounts may accrue interest at 1.5% per month (or the maximum allowed by law) plus reasonable collection costs.
2.3 Suspension. Aegisbyte may suspend access to the Platform or pause work for undisputed past-due amounts upon written notice. Aegisbyte will not suspend while the Parties are actively and in good faith resolving a billing dispute.
2.4 Renewal & Price Changes. Upon expiration, any auto-renewal stated in an Order will renew at then-current rates unless otherwise specified. New Orders use then-current pricing.
3. Services
3.1 Scope & Methodology. Services are delivered in accordance with the applicable Order and industry best practices (e.g., OWASP, NIST, MITRE ATT&CK), as appropriate for the engagement type.
3.2 Reports. Aegisbyte will provide Reports describing findings, evidence, and remediation guidance. Aegisbyte maintains editorial independence to ensure accuracy and integrity of findings.
3.3 Personnel & Subcontractors. Aegisbyte controls staffing and may use vetted subcontractors and/or Affiliates. Aegisbyte remains responsible for their performance.
3.4 Support. During the Service Period, Aegisbyte provides reasonable assistance on use of the Platform and interpretation of Reports.
3.5 Service Changes. Aegisbyte may improve, modify, or replace Platform features, provided changes do not materially degrade core functionality for active engagements.
4. Customer Obligations
4.1 Authorization & Safe Harbor. Customer represents and warrants that it has obtained all permissions and legal authorizations required to allow Aegisbyte to access and test the Assets (including cloud providers, third-party hosts, and network owners), and that such authorization is valid for the engagement duration.
4.2 Environment Readiness. Customer will provide accurate scoping information, allowlist ranges, credentials/tokens (if applicable), point-of-contact availability, and prompt decisions on testing constraints.
4.3 Sanctions & Export. Customer represents that Users are not prohibited by U.S. export/sanctions laws and are not located in embargoed jurisdictions.
4.4 Usage Boundaries. Customer will ensure testing remains within agreed scope/targets and time windows and will promptly notify Aegisbyte of service-impacting issues.
5. Intellectual Property
5.1 Aegisbyte Property. Aegisbyte (and its licensors) own all rights in the Platform, Aegisbyte Content, methodologies, templates, tools, know-how, and improvements ("Aegisbyte Property").
5.2 Customer Property. Customer owns Customer Data, Assets, and the specific findings and evidence generated for Customer, excluding Aegisbyte Property and third-party IP.
5.3 Marks. Each Party retains its trademarks/service marks. No rights are granted except as expressly stated.
6. Licenses
6.1 Access License. Subject to this Agreement and the applicable Order, Aegisbyte grants Customer a limited, non-exclusive, non-transferable license to access and use the Platform and Aegisbyte Content during the Service Period solely for Customer's internal business purposes.
6.2 Customer Data License. Customer grants Aegisbyte a non-exclusive license to use Customer Data as reasonably necessary to provide the Services, generate Reports, and operate/improve the Platform (including quality assurance, troubleshooting, and security).
6.3 Reports License. Aegisbyte grants Customer a perpetual, non-exclusive, non-transferable right to use Reports for Customer's internal security, compliance, and audit purposes (including providing to regulators, customers, and auditors). Customer may not resell Aegisbyte's Services or present Reports as Customer's own work product.
6.4 Aggregated Learning. Aegisbyte may use de-identified, aggregated statistics about vulnerabilities and remediation trends across customers to improve services and publish industry insights, provided no Customer, individual, Asset, or proprietary details are identifiable.
7. Confidentiality
7.1 Definition. "Confidential Information" means non-public information disclosed by a Party that is identified as confidential or that reasonably should be understood to be confidential given its nature and the context of disclosure, including Customer Data, Assets, findings, Reports, pricing, roadmaps, and Aegisbyte Property.
7.2 Obligations. The receiving Party will use Confidential Information only to perform under this Agreement, protect it using at least the same care it uses for its own similar information (no less than reasonable care), and limit disclosure to personnel/contractors with a need to know who are bound by confidentiality obligations at least as protective.
7.3 Exclusions. Confidential Information does not include information that is publicly available without breach, rightfully received from a third party, independently developed, or required to be disclosed by law (with prompt notice and limited disclosure).
7.4 Injunctive Relief. Breach of this Section may cause irreparable harm; the non-breaching Party may seek injunctive relief in addition to other remedies.
8. Security & Data Protection
8.1 Aegisbyte Security. Aegisbyte maintains commercially reasonable technical and organizational measures designed to protect the Platform and Customer Data from unauthorized access or disclosure.
8.2 Sensitive Data. Customer will avoid including unnecessary PII/PHI in testing environments. If processing of personal data is required, the Parties will execute a Data Processing Addendum (DPA) (e.g., GDPR/CCPA). If PHI will be processed, the Parties will execute a Business Associate Agreement (BAA).
8.3 Data Location & Retention. Unless otherwise stated in an Order or DPA/BAA, Aegisbyte may process Customer Data in the U.S. Aegisbyte retains Customer Data for the Service Period and a reasonable period thereafter for quality assurance, unless otherwise required by law or an executed DPA/BAA.
9. Warranties; Disclaimers
9.1 Customer Warranties. Customer warrants it has all rights and consents necessary for Aegisbyte to perform the Services; that Customer Data does not violate third-party rights; and that Customer will comply with Applicable Laws.
9.2 Aegisbyte Warranties. Aegisbyte warrants it will perform Professional Services in a professional and workmanlike manner consistent with industry standards and materially in accordance with the applicable Order. Customer must notify Aegisbyte of any claimed nonconformance within 30 days of delivery of the relevant Report. As Customer's exclusive remedy, Aegisbyte will re-perform the nonconforming Services or provide reasonable additional testing at no additional charge.
9.3 Disclaimers. EXCEPT FOR THE EXPRESS WARRANTIES ABOVE, THE PLATFORM AND SERVICES ARE PROVIDED "AS IS." AEGISBYTE DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. AEGISBYTE DOES NOT WARRANT THAT TESTING WILL IDENTIFY ALL VULNERABILITIES OR PREVENT SECURITY INCIDENTS, OR THAT THE PLATFORM WILL BE UNINTERRUPTED OR ERROR-FREE.
10. Indemnification
10.1 By Customer. Customer will defend, indemnify, and hold Aegisbyte harmless from third-party claims arising from (a) Customer's infringement/misuse of third-party rights through Customer Data or instructions; (b) performance of Services on Assets Customer was not authorized to include; or (c) Customer's violation of Applicable Laws.
10.2 By Aegisbyte. Aegisbyte will defend, indemnify, and hold Customer harmless from third-party claims alleging that the Platform (as provided by Aegisbyte) directly infringes a third-party U.S. IP right, except to the extent the claim arises from Customer Data, unauthorized use, or combinations not provided by Aegisbyte. If the Platform is enjoined, Aegisbyte may procure a license, modify the Platform, or terminate the affected Services with a pro-rata refund of prepaid, unused fees.
10.3 Process. The indemnified Party must promptly notify the indemnifying Party, provide reasonable cooperation, and grant control of the defense/settlement (no admission of liability without consent). This Section states each Party's exclusive IP infringement remedy.
11. Limitation of Liability
11.1 Cap. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY'S AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO AEGISBYTE IN THE 12 MONTHS PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY.
11.2 Exclusions. NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES; OR LOSS OF PROFITS/REVENUE/GOODWILL, DATA LOSS, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY.
11.3 Super-Cap / Excluded Claims. The above limitations do not apply to: (a) a Party's breach of Section 7 (Confidentiality) or data security obligations; (b) a Party's indemnification obligations; (c) a Party's infringement or misappropriation of the other Party's IP; or (d) Customer's payment obligations. For these Excluded Claims, neither Party's total liability will exceed the lesser of: (i) actual direct damages, (ii) $500,000, or (iii) 3× the amounts paid or payable in the prior 12 months.
12. Term; Termination; Transition
12.1 Term. This Agreement starts on the Effective Date of the first Order and continues until all Orders expire or are terminated.
12.2 Termination for Cause. Either Party may terminate for material breach not cured within 30 days after written notice, or immediately if the other Party becomes insolvent/bankrupt.
12.3 Effect. Upon termination/expiration, Customer's Platform access ends, and all fees due remain payable.
12.4 Data Export & Deletion. For 14 days after termination/expiration, Customer may export Reports and Customer Data from the Platform. Upon written request, Aegisbyte will delete remaining Customer Data not required to be retained by law or that has been irreversibly aggregated/anonymized.
12.5 Transition Assistance. Upon request, Aegisbyte will provide reasonable transition services on a time-and-materials basis at then-current rates.
13. Force Majeure
Neither Party is liable for delays or failures caused by events beyond reasonable control (e.g., natural disasters, war, terrorism, civil unrest, labor disputes, outages, or governmental actions). If a Force Majeure event continues for 30 days, the other Party may terminate the affected Order upon written notice.
14. Publicity; Use of Marks & Reports
14.1 Aegisbyte Use. With Customer's prior consent (email is sufficient), Aegisbyte may use Customer's name/logo in customer lists, proposals, and marketing materials.
14.2 Customer Use. Customer may list Aegisbyte as a vendor and share Reports with auditors/regulators/customers for legitimate business purposes. Customer will not modify Aegisbyte's name, marks, or Reports in a misleading manner.
15. Insurance
Aegisbyte maintains commercially reasonable insurance, including general liability and technology E&O/cyber. Certificates are available upon written request.
16. Miscellaneous
16.1 Assignment. Neither Party may assign this Agreement without the other's consent, except to an Affiliate or in connection with a merger, sale of substantially all assets, or similar change of control (with notice).
16.2 Independent Contractors; No Third-Party Beneficiaries. The Parties are independent contractors; no third-party beneficiaries.
16.3 Governing Law; Venue. This Agreement is governed by the laws of the Commonwealth of Virginia, excluding conflict-of-laws rules. The state and federal courts located in Virginia have exclusive jurisdiction, and the Parties consent to personal jurisdiction and venue there. The U.N. Convention on Contracts for the International Sale of Goods and UCITA do not apply. Any claim must be filed within one (1) year after it accrues.
16.4 Notices. Legal notices must be sent by reputable courier, certified mail, or email to the contacts in the applicable Order (with a copy to legal@aegisbyte.com). Notices are deemed received upon confirmed delivery or successful, error-free email transmission.
16.5 Entire Agreement; Waiver; Severability. This Agreement (with the Order Documents) is the entire agreement and supersedes prior discussions. Amendments or waivers must be in writing and signed. If any provision is unenforceable, the remainder remains in effect.
16.6 Electronic Signatures. The Parties consent to e-signatures and electronic records.
