Security Testing Agreement
Includes NDA, Authorization to Test, and Service Terms. Download, fill in your company details and sign.
AGREEMENT
for Security Testing Services
Dubai, "____" ______________ 20___
1. Parties
Contractor: IE / LLP "1CYBER", represented by ________________________________________, acting on the basis of ________________________________________,
Client: ________________________________________, represented by ________________________________________, acting on the basis of ________________________________________,
hereinafter jointly referred to as the "Parties", have entered into this Agreement as follows:
2. Subject of the Agreement
2.1. The Client engages, and the Contractor undertakes to perform penetration testing (pentest) and security assessment of the Client's information resources to identify vulnerabilities in the security system.
2.2. The Client confirms that they are the legal owner (or authorized representative of the owner) of the information resources specified in Section 4 and have full authority to authorize testing.
2.3. This Agreement constitutes the Client's written authorization to conduct security testing within the agreed scope of work.
3. Confidentiality (NDA)
3.1. The Parties undertake not to disclose confidential information obtained in connection with the performance of this Agreement, including but not limited to:
- Discovered vulnerabilities and testing results
- Internal data, documents and systems of the Client
- Trade secrets and know-how of both Parties
- Terms and contents of this Agreement
- Personal data of the Client's employees and customers
3.2. The testing results report shall be provided exclusively to the Client or their authorized representatives.
3.3. Confidentiality obligations shall remain in effect indefinitely after completion of work under this Agreement.
3.4. The breaching Party shall be liable for violation of confidentiality obligations in accordance with the laws of the United Arab Emirates.
4. Testing Scope
4.1. The following Client resources are subject to testing:
Websites / web applications:
Mobile applications (APK/IPA):
Servers / IP addresses:
API endpoints:
4.2. Testing outside the specified scope is strictly prohibited.
5. Authorization to Test
5.1. This section constitutes the Client's official written authorization to conduct security testing of the resources specified in Section 4.
5.2. The Client confirms that they have full authority to grant such authorization.
5.3. The Client agrees not to hold the Contractor liable (safe harbor) for actions performed within the agreed scope of work and during the validity period of this Agreement.
5.4. Testing period: from "____" ______________ 20___ to "____" ______________ 20___.
6. Authorized Actions
The Contractor is authorized to perform the following types of work:
- Infrastructure information gathering (reconnaissance)
- Automated scanning for known vulnerabilities
- Manual penetration testing
- Source code and configuration analysis (if access is provided)
- Mobile application (APK/IPA) analysis: decompilation, traffic analysis, API testing
- Authentication and authorization mechanism testing
- API endpoint testing
- Server and service configuration review
7. Prohibited Actions
The Contractor is prohibited from:
- Conducting denial-of-service attacks (DDoS/DoS)
- Intentionally disrupting the Client's services
- Deleting or modifying the Client's data (except test data)
- Disclosing discovered vulnerabilities to third parties
- Exploiting discovered vulnerabilities for personal gain
- Testing resources not specified in Section 4 of this Agreement
- Social engineering against the Client's employees (unless separately agreed)
8. Obligations of the Parties
The Contractor undertakes to:
- Conduct testing exclusively within the agreed scope
- Minimize impact on the Client's system operations
- Provide a detailed report with proof-of-concept (PoC) for each vulnerability
- Maintain confidentiality of all obtained information
- Immediately notify the Client upon discovery of critical vulnerabilities
The Client undertakes to:
- Provide necessary access and information for testing
- Designate a contact person for communication
- Verify provided PoCs within 14 days and sign the acceptance act
- Pay for the Contractor's services within 30 days after signing the acceptance act
- Not hold the Contractor liable for actions performed within the agreed scope of work
9. Cost and Payment Terms
9.1. The cost of work is determined by one of the following plans:
- PENTEST (one-time engagement): from $20,000
- SECURITY PARTNER (12-month subscription): from $10,000/month
9.2. The final cost depends on the scope of work and is fixed by a separate agreement between the Parties.
9.3. Payment in USD or equivalent in AED/KZT/RUB at the exchange rate on the invoice date.
9.4. Payment deadline: 30 calendar days from the date of signing the acceptance act.
9.5. Alternative payment arrangement (if applicable): ________________________________________.
10. Reporting and Acceptance
10.1. Upon completion of testing, the Contractor shall provide the Client with a report containing:
- Description of each discovered vulnerability
- Severity level according to CVSS 3.1
- Working proof-of-concept (PoC) for each vulnerability
- Remediation recommendations
10.2. The Client shall verify the PoCs within 14 days and sign the acceptance act.
10.3. In case of disagreements, the Parties shall conduct joint verification.
11. Liability
11.1. The Contractor shall be liable for damage caused intentionally or through gross negligence when exceeding the agreed scope of work.
11.2. The Client releases the Contractor from liability for actions performed within this Agreement and the agreed scope of work (safe harbor).
11.3. The Parties confirm that testing is conducted to improve the security of the Client's information systems and is not intended to cause harm.
12. Final Provisions
12.1. This Agreement shall enter into force upon signing by both Parties.
12.2. All disputes shall be resolved through negotiations, and if no agreement is reached — in court at the location of the Contractor.
12.3. This Agreement is made in two copies of equal legal force, one for each Party.
Signatures
Contractor:
1CYBER
Company name
Full name
Signature
Date
Client:
Company name
Full name
Signature
Date