Penetration Testing
Supplemental Terms and Conditions

1. Scope of Service

For the purpose of this Service Order, "Service" refers to the Quantum Penetration Testing Service as exhaustively described at https://kb.quantum.security/kb/762871825, and as set out in the Service Order and Scope of Work created for and delivered to Customer. Quantum shall not be liable to provide any other works, deliverables or services which are not expressly set out in the Agreement.

2. Penetration Testing Authorisation Form

During the term of this Agreement and solely for the purposes of providing the Service, Customer acknowledges that Quantum may request and require certain access to the Customer's systems. Customer agrees to complete a Penetration Testing Authorisation form ("Authorisation Form") included with the associated Service Order, furnish Quantum with access to all information, passwords, technical matter, data, knowledgeable personnel, and Customer's systems (collectively, "Customer Information") as is reasonably necessary for the performance of the Service. Customer may deny or restrict Quantum's access to the Customer Information at any time; provided, however, Customer acknowledges that if the Authorisation Form is not completed or if Quantum's access to such Customer Information is denied or restricted, Quantum may be unable to perform its obligations arising under this Agreement, and Quantum shall be held harmless from any liability arising from such non-performance.

3. Additional Terms & Conditions

1. Reports
   1. The reports that Quantum issues pursuant to the Service ("Reports") relate specifically to the agreed scope of review and are intended to indicate only the overall security posture of the relevant IT systems and environments as at the time of the issuance of such Reports.
   2. The Reports and the contents of such Reports are confidential and are owned by Quantum. Provided that Customer is not in breach of its obligations under this Agreement, Quantum grants Customer a license on a non-exclusive, non-sublicensable, non-transferable, worldwide, royalty-free and perpetual basis to the extent necessary for the management of Customer to use such Reports for internal purposes only. Quantum does not grant Customer the right to use any of its trademarks, trade names, or other designations.
   3. All information in the Reports is provided "as is", without any warranties of performance, merchantability, fitness for a particular purpose, or of any other kind whether express or implied, other than those expressly stated in the Reports. To the fullest extent applicable under law, Quantum disclaims all liability arising from or in connection with any decision made or action taken by Customer or any third parties in reliance on any Report or its contents, and for any direct, indirect, consequential, special, or similar damages arising as a result thereof.
2. Customer acknowledges that no security assessment service, however well-planned or performed, will be free of inherent limitations and/or will be able to detect all vulnerabilities at the time it was conducted. Customer acknowledges that changes to the relevant IT systems or environment of Customer or external conditions may also result in new vulnerabilities which can only be detected by further assessments.
3. Impacts of Penetration Testing
   1. While Quantum will use reasonable efforts to not interrupt or disrupt Customer's systems and services and to stay within the boundaries defined by Customer when Quantum conducts the Service, Customer acknowledges that it is impossible to avoid unintended side-effects of penetration testing without complete knowledge of the system and network architecture and the Service may involve or cause the securing of access, modification, use or interception, or obstruction of use, with respect to the IT Assets by Quantum.
   2. Customer shall ensure that they have taken the necessary measures (for example and without limitation performing the necessary backups) so that Customer may restore the relevant systems appropriately. In addition, Customer shall be responsible for informing all relevant persons (whether internal or external) of the vulnerability scans or penetration tests.