Start a free 30-day Pilot
Fill in the form below to register your company. An authorized representative of your organization must submit this request.
Authorization & Consent for Security Testing
SECURITY TESTING AUTHORIZATION & CONSENT
This document authorizes Evolve Unlimited AB (Evolve CyberSec) to conduct automated security testing on systems, networks, and/or applications owned or operated by the undersigned organization, under the terms described below.
1. Parties
Authorizing Organization (the “Client”):
- Organization Name:
- Address:
- Contact Name:
- Contact Email:
- Contact Phone:
Testing Provider:
- Company: Evolve Unlimited AB (Evolve CyberSec)
- Contact Email: exposureindex@evolvecybersec.se
- Contact Phone: +46 707588521
2. Testing Period
- Start Date:
- End Date:
Automated testing will only run within the dates specified above. Any extension requires written agreement from both parties.
3. Scope of Testing
The Client authorizes the following types of automated security testing:
- Domain Name (DNS) Discovery and Scanning
- Web Application Security Testing
- API Security Testing
- Vulnerability Scanning & Assessment
- Infrastructure Assessment
- Social Engineering Simulation (automated phishing, etc.)
Target Systems and Assets (IP ranges, domains, applications):
Domain name (DNS) from contact email (if not edited in test configuration).
Excluded Systems (explicitly out of scope):
If there are systems out of scope, contact exposureindex@evolvecybersec.se before test period starts.
4. How Testing Works
All testing is performed by automated tools and processes operated by Evolve. No individual person will manually access, browse, or interact with the Client’s systems. The automated process will:
- Scan and probe only the systems and assets defined in Section 3.
- Identify and report security vulnerabilities without intentionally exploiting them to cause damage.
- Avoid storing, copying, or exfiltrating any sensitive data (PII, PHI, financial records, credentials).
- Operate within industry-standard practices and recognized security testing frameworks.
- Automatically halt if it detects potential for significant service disruption or data loss.
Permitted Testing Window:
- Hours / Days: 24 / 7
5. Emergency Contact
If the automated testing causes any unexpected issues, the Client can reach Evolve immediately:
- Email: exposureindex@evolvecybersec.se
- Phone: +46 707588521
6. Confidentiality
Evolve will treat all information discovered during testing as strictly confidential. Test results, findings, and vulnerability details will not be shared with any third party without the Client’s prior written consent.
All engagement-related data will be securely stored and deleted within thirty (30) days after the engagement concludes, unless otherwise agreed in writing.
7. Liability
The Client acknowledges that automated security testing carries an inherent risk of minor service disruptions. Evolve will not be held liable for incidental disruptions that occur within the agreed scope.
Evolve will be liable for damages resulting directly from gross negligence or actions taken outside the authorized scope defined in this document.
The Client confirms that they have the legal authority to authorize security testing on all systems listed in Section 3, and will indemnify Evolve against any claims arising from testing conducted within the authorized scope.
8. Data Processing Agreement (GDPR Article 28)
Where the testing services described in this document involve the processing of personal data on behalf of the Client, the following data processing terms apply in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
8.1 Roles
For the purposes of this engagement:
- Data Controller: The Client (the authorizing organization identified in Section 1).
- Data Processor: Evolve Unlimited AB (Evolve CyberSec), Org. no. 559289-5452, Sweden.
8.2 Categories of Data Subjects and Personal Data
The personal data processed under this agreement relates to the following categories:
- Data subjects: Employees and staff of the Client organization.
- Personal data categories: Email addresses and names provided by the Client for phishing simulations; technical metadata automatically collected from simulation interactions (IP address, browser type and version, operating system, internet service provider, approximate geolocation).
8.3 Purpose and Instructions
Evolve shall process personal data solely for the purpose of delivering the security testing services authorized in Section 3 of this document, and only in accordance with the documented instructions of the Client. Evolve shall not process the data for any other purpose, and shall promptly notify the Client if it believes an instruction infringes applicable data protection law.
8.4 Confidentiality of Processing
Evolve shall ensure that all persons authorized to process personal data under this agreement are subject to a binding duty of confidentiality, whether by contract or statutory obligation.
8.5 Security Measures
Evolve shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest.
- Access controls limiting data access to authorized personnel only.
- Regular review of security measures in line with recognized frameworks (ISO 27001, NIST SP 800-53).
8.6 Sub-processors
The Client grants Evolve general written authorization to engage the following sub-processor for the delivery of phishing simulation emails:
- Brevo SAS, 7 rue de Madrid, 75008 Paris, France — transactional email delivery.
Evolve shall impose data protection obligations on Brevo equivalent to those set out in this section. Evolve shall inform the Client of any intended changes to sub-processors, giving the Client the opportunity to object before the change takes effect.
8.7 Assistance with Data Subject Rights
Evolve shall assist the Client, insofar as reasonably possible, in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, and objection).
8.8 Deletion and Return of Data
Upon conclusion of the engagement, Evolve shall securely delete all personal data processed under this agreement within thirty (30) days, as described in Section 6 (Confidentiality). Evolve shall confirm deletion in writing upon request.
8.9 Audit Rights
Evolve shall make available to the Client all information reasonably necessary to demonstrate compliance with this section, and shall allow for and contribute to audits or inspections conducted by the Client or an auditor mandated by the Client, subject to reasonable advance notice and confidentiality obligations.
8.10 International Transfers
All personal data is processed within the European Economic Area (EEA). The Exposure Index platform and all engagement data are hosted exclusively on European cloud infrastructure, operated by providers headquartered within the EEA. Brevo SAS is established in France and subject to GDPR. No transfers to third countries are made in connection with this engagement.
9. Authorization
By signing below, the Client confirms that they have the authority to grant this authorization and that they have read, understood, and agreed to all terms in this document.
The Client authorizes Evolve to run automated security testing tools and processes against the systems listed in Section 3, within the testing period defined in Section 2 and subject to the conditions described above.
This authorization is valid only for the testing period and scope specified. Any testing outside the defined scope or period is not authorized by this document.
Document Reference: STA-4301 | Version 1.0 | CONFIDENTIAL