Help APA 1

jamesT77

APA Cite

files (2)

Lesson1Statementofwork.docx

Answer the following in a separate word document.

1. How many items and which items can the consultant specifically do?

2. What type of methodology is being used to conduct the penetration test?

3. Is the consultant legally allowed to gain privileged access or attempt to exfiltrate data?

4. Which section approves/denies this action?

5. What software is being used to conduct the phishing campaigns?

6. What is the name of the phases the consultant will use as part of their methodology?

Lesson1StatementofworkInfo.pdf

S3-SOW-20-0001

Initials 1

CONSULTING SERVICES AGREEMENT

Thank you for choosing JLA ENTERPRISE, LLC as the provider for your comprehensive cyber security needs. We will be providing monthly vulnerability and compliance scanning exclusively for your business. We are excited to be part of your team.

This CONSULTING SERVICE AGREEMENT (“The Agreement”) is entered into on this date by and between JLA ENTERPRISE, LLC, a Georgia limited liability company (“The Consultant”), and CLIENT, LLC (“The Client”) (collectively, “The Parties”).

1 Statement of Work

1.1 Setup Services: The Consultant will perform the following actions to prepare for the Client's penetration test.

A. The Consultant will install the latest version of Gophish software and conduct necessary updates, testing, documentation, and troubleshooting to perform the monthly phishing attacks against the Client. The Consultant will cover all licensing fees.

B. The Consultant will acquire a dedicated server using linode.com hosting services. The Consultant will install Ubuntu Linux and update all necessary installed software packages. The Consultant will cover all licensing fees.

1.2 Penetration Testing Services: The Consultant will assign a team to conduct open-source research, build phishing campaigns, attempt compromise against identified vulnerabilities, gain privileged access, and attempt to exfiltrate data. These services will be performed within the parameters of the agreed upon Consultant/Client rules of engagement as outlined below:

A. Once the penetration test has started, it could take approximately seven weeks to complete and produce a report.

B. The Consultant will conduct open-source research in accordance with Blackbox methodology as determined by the Client. The Consultant will acquire data regarding employees’ social media footprint as well as specific company data, including but not limited to employment, location, and services. Below are specific Client outcomes:

I. Compromise of Executive's email

II. Compromise of Executive's documents

III. Compromise of financial information and financial systems

IV. Monitoring audio or video, especially Executive offices

V. Access to sensitive Intellectual Property

VI. Exfiltration of data

C. The Consultant will use the information found in section 1.2B to create one to three phishing campaigns utilizing traditional phishing, spearphishing, or whaling methodology.


D. The Consultant’s proprietary penetration testing methodology includes a five-phased approach:

I. Reconnaissance - The Consultant will conduct open-source research on the Client’s company to determine points of interest to further scan for vulnerabilities.

II. Information Gathering - The Consultant will perform in-depth network scans to identify access vectors to gain access during the Exploitation phase.

III. Exploitation - The Consultant will attempt exploitation against vulnerabilities and seek to gain privileged access based on findings from the Reconnaissance and Information Gathering phases.

IV. Maintaining Access - The Consultant will maintain access on various points of interest during the penetration test to exfiltrate data.

V. Cleanup - The Consultant agrees to remove all proprietary tools used during the penetration test and will remove persistence tools and user accounts from the Client’s systems.

E. During particular circumstances, the Consultant may approach the Client to request switching the penetration test to white box methodology. The Consultant's request would only be made after black box methodology has been exhausted. The Consultant can only switch penetration testing methodology if it is in the best interest of the Client.

F. The Consultant’s penetration testing methodology is designed and operated on a measured risk basis, with safety for the Client’s systems and personnel at the forefront. The Consultant will communicate to the Client every vulnerability identified, for written approval, prior to an exploitation attempt.

G. Penetration testing services will be conducted Monday through Friday from 6 PM to 8 AM after standard business hours, and anytime on Saturday and Sunday (the time is calculated for any time zone). Penetration testing service will be performed via electronic means; travel is not permitted. If the Client requests travel, the Client agrees to cover costs.

H. At the end of the penetration testing service, the Consultant will produce a finding report. This report will contain the scope of work, executive summary, findings, methodology, screenshots per successful exploit, definitions of risk levels, systems information, and the Consultant’s recommendations.

I. Retention of Results can be found in section 8.

1.3 Penetration Testing Reporting: The Consultant will produce a report to the Client after the completion of the penetration testing services outlined in this Agreement. This report will contain the scope of work, executive summary, findings, methodology, screenshots per successful exploit, definitions of risk levels, systems information, and the Consultant’s recommendations.

3 Compensation and Payment

A. Set up Fees: For the Services described in this agreement, the Client setup fees are included in the ongoing management fees section below. The first month of vulnerability scanning service will act as an installation period. Reports for vulnerability scanning will start on the second month of service. Setup can take varying lengths of time, but will usually take around ten days.

B. Network Vulnerability and Compliance Scanning Fees: For the Services described in this agreement, the Client agrees to pay to the Consultant $560.00 per month, to be paid via direct deposit, or by check if necessary. Payment is subject to net-10 payment rules.


C. Additional Fees: Pending Client approval, if the Consultant has determined additional services are required, such as, but not limited to, computer forensics or in-depth vulnerability research, the Client will be billed at a rate of $250/hr. The Consultant and the Client will agree upon the number of additional hours required to provide additional services.

4 TERM

A. This Agreement will commence on the effective date first set forth above and remain in full force and effect for a minimum period of 365 days. This Agreement shall continue on a month to month basis unless otherwise terminated by the Consultant or Client, or unless otherwise agreed to by the Consultant and the Client.

5 TERMINATION

A. This Agreement may be terminated by either party for any reason or no reason, whether or not extended beyond the initial term, by giving the other party written notice 30 days in advance. Written requests to terminate may be made by e-mail. If Client chooses to terminate this agreement in writing, all monies owed to the Consultant will be due immediately. Under no circumstances will the Consultant give refunds of the amount paid for the Services hereunder.

6 OWNERSHIP OF INTELLECTUAL PROPERTY

All plans, reports, programs, software (source and object code), digital tools, pictures, video, music, content, artwork, designs, websites, framework, web services, software engines, products, models, footage, applications of any kind, work, ideas, derivative works, confidential information, concepts, deliverables, results of the services and all other tangible and intangible materials or property provided, prepared or created under or resulting from this Agreement, whether or not rejected by Client, and all copies thereof (collectively, “The Materials”), shall be owned by Client and shall be deemed “works made for hire” under United States copyright Laws (17 U.S.C. § 101 or any future statute). Consultant represents, warrants and covenants that all Materials, along with all rights contained therein, including, without limitation, the exclusive copyright and all other intellectual property rights, are and shall be the property of Client immediately upon creation. If any of the Materials are considered by a court of competent jurisdiction not to be a “work made for hire” or under any circumstances where the full title and ownership thereof has not vested in Client, Consultant hereby assigns to Client all right, title, and interest in such Materials immediately upon creation and agrees to execute any future assignments to evidence or effect such assignments. Without limiting the generality of the foregoing, Client will have, and Consultant shall be responsible for ensuring Client has, the unlimited right to reproduce, transmit, distribute, exhibit, perform, create derivative works based upon, exploit or otherwise use the Materials, and all elements thereof, in any manner and in any and all media now known or hereafter devised throughout the world in perpetuity.

7 CONFIDENTIAL INFORMATION

A. Except as provided elsewhere in this Agreement, all information disclosed by one Party to the other Party shall be deemed to be confidential and proprietary (“Proprietary Information”). Such Proprietary Information includes, without limitation, information regarding marketing, sales programs, sales volume, sales conversion rates, sales methods and processes, sales proposals, products, services, vendors, customer lists, training manuals, sales scripts, telemarketing scripts, names of investors, customer information, operating procedures, pricing policies, strategic plans, intellectual property, information about a Party’s employees and other confidential or Proprietary Information belonging to or related to a Party’s affairs. The Receiving Party acknowledges and agrees that in any proceeding to enforce this Agreement it will be presumed that the Proprietary Information constitutes protectable trade secrets and that the receiving Party will bear the burden of proving that any portion of the Proprietary Information was publicly or rightfully known and disclosed by the receiving Party. The Parties, their employees, subsidiaries, affiliates, agents, and assigns agree to hold all Proprietary Information, regardless of when or how disclosed, in strict confidence and with not less than the same degree of care that they provide for their own confidential and proprietary information. The Parties warrant and represent that the degree of care contemplated herein is adequate and the Parties will take any and all steps reasonably necessary to preserve such Proprietary Information.

B. Nothing in this Agreement shall prohibit or limit the receiving Party’s use of information that can be demonstrated as: (a) previously known to the receiving Party, (b) independently developed by the receiving Party, (c) acquired from a third party not under similar nondisclosure obligations to the disclosing Party, or (d) acquired through the public domain through no breach by the receiving Party of this Agreement.

C. License. Client grants The Consultant a limited, nontransferable, nonexclusive license to copy, use, store, set up, publicly display, publicly perform and transmit any trade names, trademarks, service marks, copyrights, content, text, images, software, functionality, page and other design and layout, media and other materials therein, solely in connection with creation of the Campaign and direct response marketing in accordance with this Agreement. Other than as specifically provided herein, the Parties, their employees, subsidiaries, affiliates, agents and assigns shall not disclose any Proprietary Information without the express written consent of the other Party. Also, neither Party shall use the Proprietary Information for any purpose other than purposes related to their business relationship as laid out in this Agreement. In the event that the receiving Party is required by applicable law, rule, regulation or lawful order or ruling of any court, government agency or regulatory commission to disclose any Proprietary Information, the receiving Party understands that the disclosing Party may desire to seek an appropriate protective order or take steps to protect the confidentiality of such Proprietary Information. Consequently, the receiving Party agrees that it will provide the Disclosing Party with prompt notice of such request(s).

Remedies. The Parties acknowledge that the Proprietary Information exchanged is valuable and unique, and that disclosure in breach of this Agreement will result in irreparable injury to the adversely affected Party, for which monetary damages, on their own, would be inadequate. Accordingly, the Parties agree the adversely affected Party shall have the right to seek an immediate injunction enjoining any such breach or threatened breach of the Agreement.

8 RETENTION OF RESULTS

A. Data will be stored encrypted and in a manner accessible only by the Consultant. If relevant, after a period of one year, the Consultant will destroy all historical data not required and provide a certificate of authenticity (if needed) to the Client.

9 WARRANTY AND DISCLAIMER

A. Consultant warrants that Consultant’s Work will be provided in a workmanlike manner, and in conformity with generally prevailing industry standard and Client’s reasonable requirements. SUBJECT TO CONSULTANT’S FULFILLMENT OF ITS OBLIGATIONS UNDER THIS AGREEMENT, CONSULTANT WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DENIAL-OF-SERVICE ATTACK, UNIDENTIFIED VULNERABILITY, VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA NETWORK OR OTHER PROPRIETARY MATERIAL, EXCEPT TO THE EXTENT CAUSED BY NEGLIGENCE OF OR WRONGFUL ACT BY CONSULTANT.

B. Consultant represents, warrants and covenants that it does currently, and will at all times during the Term, operate its business and provide its services in accordance with industry standard security practices, including, without limitation, the proper use and configuration of industry standard anti-virus/anti-malware software.

10 LIMITATIONS OF REMEDIES

A. Client’s sole and exclusive remedy for any claim against Consultant with respect to the quality of Consultant’s Work shall be the correction by Consultant of any material defects or deficiencies therein, of which Client notifies Consultant in writing within 90 days after the completion of that portion of Consultant’s Work, and Consultant shall fully correct all such material defects and deficiencies to Client’s reasonable satisfaction within 10 business days following the date of such notice; provided, that Client will be entitled to a full refund of all fees paid with respect to such defective/deficient work if Consultant does not fully correct the same to Client’s reasonable satisfaction within such 10 day period. In the absence of any such notice within such 90-day period, Consultant’s Work shall be deemed satisfactory to and accepted by Client.

11 LIMITATIONS OF LIABILITY

A. In no event shall either party be liable for any loss of profit or revenue by the other party, or for any other consequential, incidental or indirect damages incurred or suffered by such other party arising as a result of or related to this Agreement, whether in contract, tort, or otherwise, even if such party has been advised of the possibility of such loss or damages. Client further agrees that the total liability of Consultant for all claims of any kind arising as a result of or related to this Agreement, or to any act or omission of Consultant, whether in contract, tort, or otherwise, shall not exceed an amount equal to the amount actually paid by Client to Consultant for Consultant’s Work during the period preceding the date the claim arises, except for any claims arising from Consultant’s gross negligence or wrongful acts, which shall not be subject to any limitation of liability. Consultant shall indemnify and hold Client harmless against any claims by third parties, including all costs, expenses and attorneys’ fees incurred by Client, arising out of or in conjunction with Consultant’s performance under or breach of this Agreement.

12 RELATIONS OF PARTIES

A. The performance by Consultant of its duties and obligations under this Agreement shall be that of an independent contractor, and nothing herein shall create or imply an agency relationship between Consultant and Client, nor shall this Agreement be deemed to constitute a joint venture or partnership between the Parties.

13 EMPLOYEE SOLICITATION/HIRING

A. During the period of this Agreement and for 12 months thereafter, neither party shall directly or indirectly solicit or offer employment to or hire any employee, former employee, subcontractor, or former subcontractor of the other. The terms “former employee” and “former subcontractor” shall include only those employees or subcontractors of either party who were employed or utilized by that party during the Term.

14 NO GUARANTEE

A. The Consultant does not warrant or guarantee any specific level of performance or results. There is no guarantee that indicators of compromise exist.

15 ENTIRE AGREEMENT

A. This Agreement is the final, complete, and exclusive Agreement of the Parties. No modification of or amendment to this Agreement shall be valid unless in writing and signed by each of the Parties.

16 SEVERABILITY

A. If any provision of this Agreement shall be held to be illegal, invalid or unenforceable, such provision shall be fully severable, and this Agreement shall be construed and enforced as if such illegal, invalid, or unenforceable provision had never comprised part of this Agreement; the remaining provisions of this Agreement shall remain in full force and effect.

17 ADJUSTMENT FOR INFLATION

A. The ongoing vulnerability scanning services fee rate set forth in section 3B above shall be increased yearly for inflation by a percentage amount equal to 2.5%.


18 HEADINGS

A. The headings used in this Agreement are for convenience only and shall not be used to limit or construe the contents of this Agreement.

19 INTERPRETATION AND ENFORCEMENT

A. The parties understand and agree that the construction and interpretation of this Agreement are governed by the laws of the State of Georgia. If either party must initiate legal action to enforce this Agreement, the Parties agree that the proper venue for such action shall be the courts of the State of Georgia.

By their signatures below, the Parties hereby understand and agree to all terms and conditions of this Agreement.

JLA ENTERPRISE, LLC
Jake Gramm, CEO
Date

CLIENT, LLC
Jim Halpert, CTO
Date
