Kosuke

Pentest Service Agreement

TEMPLATE. This page reproduces the standard Kosuke Pentest Service Agreement for review. The binding version is executed between Kosuke and each customer via DocuSign per engagement, together with a Service Order (Exhibit A) and Authorization Letter (Exhibit B). For the executed copy, contact support@kosuke.ai.

This Agreement governs your use of Kosuke Pentest, a free penetration testing assessment service offered by Kosuke, Inc., a Delaware corporation ("Kosuke", "we"). By signing this Agreement, you ("Customer", "you") agree to be bound by these terms. If you are accepting on behalf of a company, you confirm you have the authority to bind that company.

This Agreement is between Kosuke and Customer as legal entities established for business or professional purposes. Customer represents it is not a consumer under applicable law.

This Agreement applies to both self-serve customers and enterprise customers. Where a separate signed Master Services Agreement exists between you and Kosuke, that MSA prevails over this document.

1. The Service — free assessment + optional paid detail reports

1.1 What we do

We perform a penetration test on the web applications, APIs, and digital assets you designate ("Target Systems") at no charge to you. We identify and document security vulnerabilities, and we deliver a Summary Report showing how many vulnerabilities we found, grouped by severity. You then have the option — entirely at your discretion — to purchase detailed information on any vulnerability.

This is an information service, not consulting. We identify and document vulnerabilities. We do not advise you on how to fix anything, do not write code for you, do not validate your remediation, and do not perform any service that constitutes professional advice under applicable law. You are solely responsible for what you do with our findings.

1.2 How it works

  • You execute a Service Order identifying your Target Systems, the testing window, and your company size class.
  • You sign the Authorization Letter (Exhibit B) — this is the legal authorization for us to test.
  • We perform the test at no cost to you.
  • We deliver the Summary Report at no cost to you, showing how many vulnerabilities we found at each severity level (Critical / High / Medium / Low / Informational).
  • You decide if and which vulnerabilities you want to see in detail. You may purchase Vulnerability Detail Reports for any vulnerabilities you wish to unlock, at the per-vulnerability prices set forth in the Pricing Schedule for your company size class.
  • Total payment for Vulnerability Detail Reports under a single engagement is capped at the Engagement Cap for your size class. Once you reach the cap, all remaining details are delivered at no additional cost.
  • You may purchase none, some, or all detail reports. There is no obligation to purchase anything.

1.3 No charge for the assessment itself

There is no fee for the assessment or the Summary Report. Customer's only payment obligation under this Agreement arises if and when Customer voluntarily elects to purchase one or more Vulnerability Detail Reports. If Customer purchases nothing, Customer owes nothing.

1.4 Critical Finding Notification

If during the assessment we identify any vulnerability of Critical severity (CVSS 9.0+), we will notify you within 48 hours at no cost, regardless of whether you have purchased any Vulnerability Detail Report. This Critical Finding Notification will include:

  • The number of Critical vulnerabilities identified;
  • The general class of risk (e.g., "authentication bypass", "data exposure", "code injection", "privilege escalation");
  • The macro-level asset affected (e.g., "your main web application", "your customer-facing API");
  • A recommendation that you take prompt action.

The Critical Finding Notification is a convenience warning provided as a safety measure to enable you to make informed decisions. It does not constitute consulting, remediation advice, or a complete assessment. Customer must independently verify findings and make its own response decisions. Kosuke has no liability for Customer's reliance on this notification, for any delay in delivery, or for any consequences resulting from Customer's response (or non-response) to it. Technical reproduction details, specific endpoints, exploit paths, and remediation guidance are available exclusively through the corresponding Vulnerability Detail Report, which you may purchase at your discretion.

2. Your authorization to test (important)

Penetration testing without authorization is a crime in most jurisdictions (e.g., U.S. Computer Fraud and Abuse Act, EU Directive 2013/40, Italian Criminal Code Art. 615-ter). Your authorization is the legal basis for our work. We will not begin any test until you have signed the Authorization Letter.

By executing a Service Order and signing the Authorization Letter, you represent and warrant that:

  • (a) You own or have full legal authority over the Target Systems, or you have obtained authorization from anyone who does.
  • (b) You have authority to bind your company to this Agreement.
  • (c) You have obtained any required authorizations from your cloud or hosting providers (AWS, Azure, GCP, etc.) per their penetration testing policies.
  • (d) You have notified your security team / SOC / MSSP of the testing window.
  • (e) You have backed up Target Systems and have rollback procedures in place.
  • (f) The testing will not breach any contract, license, or law to which you are subject.

If any of the above is or becomes untrue, you will tell us immediately. We may suspend or terminate any test at any time. You will hold us harmless from any alarm, false positive, or third-party response triggered by the test.

3. Right of withdrawal before testing begins

You may withdraw your authorization and cancel any scheduled assessment at any time before the testing window begins, by written notice (email to security@kosuke.ai is sufficient), without penalty, fee, or obligation. Such withdrawal does not affect any Service Order already in execution. Because the assessment itself is provided at no charge, no refund or compensation is required.

Once a test has begun, either party may pause or terminate the test at any time by written notice. Costs incurred prior to that point are borne by Kosuke.

4. Pricing for Vulnerability Detail Reports

The following prices apply only if and when you voluntarily elect to purchase Vulnerability Detail Reports. You incur no payment obligation by signing this Agreement, by undergoing the assessment, or by receiving the Summary Report.

Pricing depends on your company size class, declared by you in the Service Order based on your most recent annual turnover:

Size class | Annual turnover | Engagement cap | Medium | High   | Critical
Micro      | up to €2M       | €3,000         | €150   | €400   | €1,800
Small      | up to €10M      | €5,000         | €250   | €700   | €3,000
Medium     | up to €50M      | €10,000        | €400   | €1,300 | €6,000
Large      | over €50M       | €20,000        | €600   | €2,200 | €10,000

All prices in EUR. Low and Informational findings are included in the Summary Report count at no cost; detailed reports for these severity levels are made available at no additional cost upon request. The Engagement Cap is the maximum aggregate amount you can be required to pay for Vulnerability Detail Reports under a single Service Order — additional details beyond the cap are delivered at no extra charge.

Kosuke may, at its discretion, offer discounts or special pricing for individual customers or engagements. Any such pricing variations must be specified in writing in the applicable Service Order to be effective.

You represent that your declared size class is accurate; we may verify it and adjust pricing retroactively for material misrepresentation.

4.1 Payment terms (if you purchase)

  • Per-vulnerability fees: due upon your purchase election, payable within 15 days of invoice. We deliver each Detail Report within 3 business days of payment receipt.
  • Late payments accrue interest at the maximum rate permitted by applicable law. For EU customers, interest accrues at the rate specified in Directive 2011/7/EU or equivalent national law; for all other customers, 1.5% per month or the maximum permitted rate, whichever is lower.
  • Fees for delivered Vulnerability Detail Reports are non-refundable.

5. Scope and rules of engagement

We only test what's explicitly listed in your Service Order. Anything not listed is out of scope. Unless your Service Order says otherwise, we will not:

  • Perform denial-of-service or DDoS attacks.
  • Brute-force credentials of real end users.
  • Exfiltrate or store personal data beyond what's needed to validate a finding.
  • Run social engineering attacks against your team.
  • Install persistent backdoors or malware.
  • Attack systems belonging to your cloud/hosting providers or any third party.

During testing, you will give us a 24/7 emergency contact authorized to halt or modify the engagement. Either party can pause or stop a test at any time by written notice (email is fine). Kosuke commits to pause all active testing within 30 minutes of receipt of a halt request via the emergency contact.

Customer acknowledges that our penetration testing uses AI-assisted and automated tooling, which by its nature involves some degree of unpredictability. We implement safeguards (including blocklists, rate limiting, and kill switches) to minimize unintended impact, but Customer acknowledges that automated testing may produce alarms, performance impact, or data access patterns not fully anticipated. Customer's responsibilities under Sections 2 and 5 (authorization, backups, scope, emergency contacts) are designed to mitigate this risk.

6. Deliverables and IP

We deliver the Summary Report and any purchased Vulnerability Detail Reports electronically via secure transfer, marked Confidential. Subject to payment of any applicable fees, we grant you a perpetual, worldwide, non-exclusive license to use the reports internally for security and compliance purposes — including sharing with your auditors, regulators, and prospective acquirers under reasonable confidentiality.

We retain ownership of our methodologies, tools, scripts, and know-how. Neither party will publicly disclose vulnerabilities, methodologies, or proof-of-exploit content without the other's written consent. We may use anonymized aggregated data for research and product improvement; this data will never identify you or any specific finding.

7. Confidentiality

Each party will treat the other's non-public information as confidential, use it only for the purposes of this Agreement, and protect it with reasonable care. This obligation continues for 5 years after termination (longer for trade secrets and personal data, as long as they remain protected by law).

Within 90 days of completing each engagement, we will destroy or return your confidential information, keeping only (i) one archival copy for legal/audit purposes and (ii) aggregated anonymized data. A certificate of destruction is available on written request.

8. Data protection (GDPR)

Where testing may involve personal data subject to GDPR, UK GDPR, or Swiss FADP, the parties will execute Kosuke's Data Processing Agreement (DPA) before testing begins. The DPA is available at /legal/dpa and is incorporated by reference for any engagement involving such data. The DPA includes the EU Standard Contractual Clauses (Commission Decision 2021/914) for international transfers.

During testing, we minimize access to personal data to the strict minimum needed to validate findings. We will notify you of any confirmed or suspected personal data breach within 24 hours.

9. Warranty and disclaimers

We warrant that the services will be performed in a professional and workmanlike manner consistent with industry standards for penetration testing (OWASP, NIST SP 800-115, PTES). Because the assessment is provided at no charge, your sole remedy for breach of this warranty is re-performance of the deficient services at no cost, provided you notify us in writing within 30 days of delivery of the Summary Report. For purchased Vulnerability Detail Reports found to be materially deficient, your remedy is a refund or re-performance at our election.

EXCEPT FOR THE LIMITED WARRANTY ABOVE, THE SERVICE AND DELIVERABLES ARE PROVIDED "AS IS" AND "AS AVAILABLE". WE DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

PENETRATION TESTING IS A POINT-IN-TIME ASSESSMENT. WE DO NOT GUARANTEE WE WILL FIND ALL VULNERABILITIES, OR THAT YOUR SYSTEMS ARE FREE FROM VULNERABILITIES WE DID NOT FIND, OR THAT YOU WILL NOT EXPERIENCE A SECURITY BREACH.

YOU ARE SOLELY RESPONSIBLE FOR ADDRESSING VULNERABILITIES WE IDENTIFY. WE ARE NOT RESPONSIBLE FOR ANY DAMAGES FROM UNADDRESSED VULNERABILITIES OR FROM YOUR DECISION NOT TO PURCHASE VULNERABILITY DETAIL REPORTS. NOTHING IN ANY DELIVERABLE CONSTITUTES PROFESSIONAL ADVICE.

10. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, BUSINESS, GOODWILL, OR DATA.

EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED FIFTY THOUSAND U.S. DOLLARS ($50,000). WHERE CUSTOMER HAS PAID KOSUKE MORE THAN $25,000 IN FEES IN THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, THE CAP INCREASES TO THE GREATER OF $50,000 OR THREE (3) TIMES SUCH FEES.

These caps do not apply to: (a) confidentiality breaches; (b) GDPR Article 82 liabilities; (c) gross negligence, willful misconduct, or fraud; (d) your payment obligations; (e) indemnification obligations. The parties agree these limits reflect a reasonable allocation of risk given the nature of a free assessment service and any fees paid for optional detail reports.

11. Indemnification

You will defend and indemnify Kosuke from any third-party claim arising from: (a) your breach of the representations in Section 2; (b) your lack of authority to authorize testing; (c) claims by your cloud or hosting providers; (d) alarms or responses by your security systems; (e) your decisions concerning remediation, mitigation, or non-action; (f) any claim that you relied on our findings as professional advice; (g) your election not to purchase Vulnerability Detail Reports.

We will defend and indemnify you from any third-party claim arising from: (a) our material breach of confidentiality; (b) IP infringement by our deliverables (excluding modifications by you or your materials); (c) our gross negligence or willful misconduct.

The indemnified party will: (i) notify promptly, (ii) give the indemnifying party control of defense and settlement (with no admission of liability without consent), and (iii) cooperate at the indemnifying party's expense.

12. Term and termination

This Agreement remains in effect until terminated. Either party may terminate for convenience on 30 days' written notice, or immediately for material breach not cured within 30 days (15 days for payment breach). Open Service Orders survive termination through completion.

Upon termination, sections that by their nature should survive will survive — including warranty disclaimers, liability limitations, indemnification, confidentiality, data protection obligations, and dispute resolution.

13. General

Governing law and disputes

This Agreement is governed by the laws of the State of Delaware, USA, excluding conflict-of-law principles and the UN Convention on Contracts for the International Sale of Goods. Any DPA executed between us is governed by the EEA Member State law of the customer for GDPR matters.

Disputes will be finally settled by binding arbitration administered by JAMS International under its International Arbitration Rules, with a single arbitrator, in English, seated in London, UK. Judgment on the award may be entered in any court of competent jurisdiction.

EACH PARTY WAIVES ANY RIGHT TO TRIAL BY JURY. DISPUTES WILL BE RESOLVED ONLY ON AN INDIVIDUAL BASIS — NO CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTIONS.

Other

  • Independent contractors — no partnership, agency, or employment relationship.
  • We may use subcontractors and remain responsible for their performance; the liability caps in Section 10 and the indemnification obligations in Section 11 apply equally to direct and subcontracted services.
  • You may not assign without our consent; we may assign to an affiliate or successor in a merger or acquisition.
  • With your written consent (revocable on 30 days' notice), we may identify you as a customer in marketing materials.
  • Force majeure excuses performance failures beyond reasonable control.
  • If a provision is unenforceable, the rest survives and the provision is modified minimally to be enforceable.
  • This Agreement, together with any signed Service Order, Authorization Letter, and (where applicable) DPA, is the entire agreement and supersedes prior agreements.
  • This Agreement may be modified by us with notice for new engagements; modifications do not apply retroactively to executed Service Orders.
  • Electronic signatures (including DocuSign and click-to-accept) are valid and binding.
  • Notices to Kosuke: legal@kosuke.ai. Notices to you: the email on your account or in the Service Order.

Exhibit A — Service Order Template

The Service Order template, which incorporates this Agreement by reference, sets forth the engagement details: Service Order ID, Customer Size Class, Test Start and End Dates, Methodology (Black-box / Grey-box), Assessment Fee (€0), Engagement Cap, Target Systems (in scope), Out-of-scope exclusions, Cloud provider authorization, Acknowledgment of pricing, and Emergency contacts. The Service Order is executed via DocuSign between Kosuke and Customer prior to testing.

Exhibit B — Authorization Letter

The Authorization Letter is the standalone legal authorization for Kosuke to perform penetration testing on Customer's Target Systems. It identifies Customer (legal name, address), the Target Systems, the authorized testing period, the signatory's authority, cloud/hosting provider authorizations, and emergency contacts. The Authorization Letter is a complete defense to any claim of unauthorized access under applicable law (including the U.S. Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and Italian Criminal Code Art. 615-ter). It is executed via DocuSign prior to testing.

Contact

To request execution of this Agreement, contact support@kosuke.ai. For data protection inquiries, contact security@kosuke.ai.