Rescheduling or Cancellation of Scheduled Work
Client may cancel or reschedule mutually agreed-upon project start date(s) of professional services, not including subscription or managed services, with no additional fee if Client provides written notice to Aetas Security at least ten (10) business days prior to the original scheduled start date(s), subject to Aetas Security’s reasonable approval. If Client cancels or reschedules the start date by providing written notice less than ten (10) business days prior to the original scheduled start date, Client shall pay a nonrefundable cancellation/rescheduling fee of ten percent (10%) of the service’s budget. This fee is intended to cover costs associated with resource allocation, scheduling impacts, and lost opportunity. Client shall reimburse Aetas Security for all incurred, non-transferable/non-cancelable travel expenses within thirty (30) days of cancelling or rescheduling the project. For the purposes of clarity, subscription and managed services may not be rescheduled, cancelled, or terminated for convenience.
OFFENSIVE SECURITY TESTING AGREEMENT
RELIANCE
Client shall provide a fully validated scope to Aetas Security prior to project kickoff. Aetas Security shall be entitled to rely upon, without verification or investigation, any and all instructions, guidelines, information or materials provided or made available by Client to Aetas Security. If any instructions, guidelines, information or materials provided or made available by Client to Aetas Security are inaccurate or incomplete, the actual effort expended by Aetas Security working with the incorrect data will be consumed from the project’s budget (e.g., if 70% of the assessment budget is used testing the incorrect scope, that portion of the project budget will be consumed and the remaining 30% of the project budget will be used to test the correct scope) and the parties shall enter into a change order to amend the statement of work (e.g., redefine the objectives and/or scope of the original statement of work and accept the testing as performed, or restore the level of effort necessary to complete the testing according to the objectives in the original statement of work) using the same rate as the original statement of work. Client shall reimburse Aetas Security for all nontransferable/noncancelable travel expenses incurred because of any delay arising from Client’s failure to provide accurate and complete instructions, guidelines, information or materials. Client represents and warrants that all information pertaining to the Services, such as Client-provided IP addresses and/or hostnames and the devices functioning at those IP addresses and/or hostnames, is owned or controlled by Client and that Client is legally entitled to authorize the Services to be performed upon such IP addresses and/or hostnames.
Should Aetas Security’s performance of the Services upon such IP addresses and/or hostnames result in liability for any party, Client shall indemnify, hold harmless and defend Aetas Security, its affiliates, business partners and any employee, director, officer or agent thereof against all liability, including reasonable attorneys’ fees and costs, arising from the performance of the Services contemplated in this SOW.
GENERAL ACKNOWLEDGMENT
Any security testing activity inherently carries risk with it. While Aetas Security makes every effort to perform activities as safely as possible and avoid disrupting business processes, it is impossible to guarantee a flawless assessment. Aetas Security will work with Client to establish the rules of engagement, which will govern assessment activities, communication procedures, and related activities.
In all assessments, Aetas Security makes every effort to avoid reading or copying sensitive information. In some circumstances (e.g., opening a spreadsheet on a file server), there is no indication beforehand whether sensitive information will be present. Should sensitive information be encountered inadvertently, Aetas Security will discontinue viewing the content immediately. Aetas Security will securely delete any files copied to assessment systems that contain sensitive information. If there is a requirement to retain evidence, Aetas Security will irrecoverably obfuscate all sensitive information in screenshots or text excerpts. Aetas Security will not delete, modify, release, or destroy any sensitive information.
TECHNICAL ATTACK SIMULATION ACKNOWLEDGMENT
Before the assessment begins, Client is expected to identify any in-scope assets that are known to respond poorly to security testing, either in order to be tested during a predetermined window or to be excluded from the assessment entirely as a precaution.
Aetas Security does not perform testing that may intentionally cause a denial-of-service condition. Exploitation and other testing that is known to cause or has a risk of causing system or asset instability will be coordinated with Client to determine whether these types of activities should be conducted. In addition, automated or other testing that may be bandwidth- or processor-intensive will be throttled to levels that are observably tolerable in a standard enterprise environment.
Aetas Security only utilizes tools that are proprietary and internally developed, well-vetted and open-source, or commercially well-known and established. Should a necessary tool or exploit fall outside of those criteria, Aetas Security will review the code manually and perform testing in a lab environment prior to using it in or against Client’s environment. If its safety cannot be reasonably verified, it will not be used.