SUPERAGENT SERVICES AGREEMENT - MONITOR

Last updated: 12/17/2025 • Version 1.0

SUPERAGENT SERVICES AGREEMENT - MONITOR

Version 1.0 Effective Date: November 7, 2025

This Superagent Services Agreement ("Agreement") is entered into between Superagent Technologies, Inc., a Delaware corporation with offices at 1111B S Governors Ave STE 3232, Dover, DE 19904 ("Superagent," "we," "us," or "our") and you or the entity you represent ("Customer," "you," or "your").

By creating a Superagent account, accessing our Services, or using Monitor, you agree to be bound by this Agreement. If you are entering into this Agreement on behalf of an entity, you represent that you have the authority to bind that entity. If you do not agree with this Agreement, you must not use the Services.

This Agreement includes and incorporates by reference our Usage Policy and Data Processing Agreement (where applicable).

1. DEFINITIONS

"API Endpoint" means the URL and authentication credentials for Customer's AI agent that will be tested by Monitor.

"Assessment" means a security evaluation of Customer's AI agent conducted by Monitor, which may be a one-time evaluation or part of ongoing scheduled monitoring.

"Customer Data" means any data, content, or materials that Customer or its End Users submit to the Services, including API responses from Customer's AI agent.

"Documentation" means Superagent's technical documentation for the Services available at docs.superagent.sh.

"End User" means any individual or entity that accesses or uses the Services through Customer's account.

"Monitor" or "Superagent Monitor" means Superagent's AI agent security testing service that measures AI behavior through black-box testing and generates security scores and findings.

"Personal Data" has the meaning set forth in the Data Processing Agreement.

"Report" means the security assessment results, scores, and findings generated by Monitor and displayed in the Dashboard.

"Services" means Superagent's Monitor service, including all assessment capabilities, scoring systems, and related features accessible via the Dashboard.

"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined in GDPR Article 9.

"Usage Policy" means Superagent's acceptable use policy available at superagent.sh/usage-policy.

2. SERVICES AND ACCESS

2.1 Services Provided. Subject to Customer's compliance with this Agreement, Superagent will provide Customer with access to Monitor. Monitor is a security testing service that evaluates AI agent behavior and security posture. Monitor generates security scores, findings, and assessments based on automated testing methodologies. The Services will perform substantially in accordance with the Documentation. Service features, testing methodologies, scoring systems, and capabilities are described in the Documentation and may be updated from time to time.

2.2 Service Model. Customer may choose to conduct Assessments on a one-time basis or configure Monitor to run Assessments on an ongoing, scheduled basis. Customer initiates all Assessments through the Dashboard. Assessment completion time varies based on testing scope and Customer's AI agent endpoint response characteristics.

2.3 Testing Method. Monitor performs external security testing by interacting with Customer's API Endpoint and analyzing the responses. Monitor does not access Customer's source code, internal model architecture, or internal system logs. Testing methodologies and supported input/output formats are described in the Documentation and may be updated from time to time.

2.4 Account Registration. To use the Services, Customer must create an account by providing accurate and complete information. Customer is responsible for maintaining the confidentiality of account credentials and API keys, all activities under Customer's account, notifying Superagent immediately of any unauthorized use or security breach, and ensuring compliance with this Agreement by all End Users.

2.5 API Endpoint Configuration. Customer must provide a valid API Endpoint URL and authentication credentials (API key or similar) through the Dashboard. Customer represents and warrants that Customer has authorization to provide the API Endpoint for testing and that such testing does not violate any third-party agreements or terms of service. Customer may configure multiple API Endpoints for testing. Superagent may revoke access to test a specific API Endpoint if Customer violates this Agreement or if Superagent reasonably suspects unauthorized use.

2.6 Service Modifications. Superagent may modify, update, or discontinue any aspect of the Services at any time, including adding or removing vulnerability tests, updating scoring methodology or assessment criteria, changing Dashboard interface or report formats, adding new testing modalities, or adjusting service capabilities. Superagent will provide reasonable advance notice of material changes that negatively impact Customer's use of the Services, except for changes required for security, legal compliance, or system stability.

3. FEES AND PAYMENT

3.1 Pricing. Fees for the Services are based on the pricing model selected by Customer and as specified in Customer's Account dashboard or applicable Order Form. Current pricing and available pricing models are available at superagent.sh/pricing. Superagent may update pricing with 30 days' advance notice to Customer.

3.2 Payment Terms. Customer agrees to pay all fees according to the payment terms applicable to Customer's selected pricing model. Payment terms may include subscription payments, usage-based billing, prepaid credits, or other models as specified in Customer's Account or Order Form. Customer will provide valid payment information and authorize Superagent to charge the payment method on file according to the applicable payment schedule.

3.3 Billing and Invoicing. Superagent will bill Customer according to Customer's selected pricing model. Customer may view current usage, billing details, and payment history through the Dashboard. Customer is responsible for maintaining current and accurate payment information.

3.4 Payment Disputes. Customer must notify Superagent of any billing disputes within 30 days of the transaction date. Superagent will work with Customer in good faith to resolve disputes promptly. Disputed amounts will remain payable pending resolution unless the dispute involves unauthorized charges.

3.5 Taxes. All fees are exclusive of taxes. Customer is responsible for all applicable taxes except those based on Superagent's net income. If Superagent is required to collect or pay taxes for which Customer is responsible, Customer will pay those amounts or provide valid tax exemption certificates.

4. SUPPORT

4.1 Support. Superagent provides technical support via email at support@superagent.sh. Support is provided on a best-efforts basis. Superagent makes no guarantees regarding response times or issue resolution timelines.

5. CUSTOMER DATA AND PRIVACY

5.1 Customer Data Ownership. Customer retains all rights, title, and interest in and to Customer Data. Superagent claims no ownership rights in Customer Data.

5.2 License to Superagent. Customer grants Superagent a limited, non-exclusive, worldwide license to use Customer Data solely to provide the Services to Customer and as otherwise permitted by this Agreement. This license includes the right to store Customer Data in Superagent's systems until Customer deletes such data or terminates this Agreement.

5.3 Report Ownership. Subject to Customer's compliance with this Agreement, Superagent assigns to Customer all right, title, and interest in and to the specific Reports generated for Customer. Customer owns all Reports generated by the Services. Superagent retains all intellectual property rights in the assessment methodology, scoring algorithms, testing framework, and Report format and structure.

5.4 No Training on Customer Data. Superagent will not train its models on Customer Data. Customer Data will not be used for model improvement, research, or any purpose other than providing the Services to Customer.

5.5 Anonymized Data Use. Superagent may use anonymized and aggregated data derived from Assessments to improve Monitor's methodology and capabilities, train internal models, publish research findings, create industry benchmarks, and develop new features or services. Such use will not identify Customer or reveal Customer-specific information. Customer grants Superagent a perpetual, irrevocable license to use such anonymized and aggregated data.

5.6 Data Processing Agreement. To the extent Customer is a Controller and Superagent processes Personal Data on Customer's behalf, the Data Processing Agreement located at superagent.sh/monitor-dpa applies and is incorporated into this Agreement. In case of conflict between this Agreement and the DPA regarding Personal Data processing, the DPA controls.

5.7 Data Retention and Deletion. Superagent stores the following data in connection with Monitor: API Endpoint credentials (URL and authentication tokens) stored until Customer deletes the configuration or account; test prompts sent by Monitor and API responses received from Customer's AI agent stored until Customer deletes via Dashboard or deletes account; Assessment results, scores, and findings (metadata) stored until Customer deletes via Dashboard or deletes account. Customer may delete any stored data at any time through the Dashboard. Upon termination, Superagent will delete all Customer Data within 30 days, except as required by law or as necessary to resolve disputes.

5.8 Security. Superagent implements commercially reasonable technical and organizational measures to protect Customer Data from unauthorized access, use, or disclosure. These measures include encryption in transit using TLS 1.3, encryption at rest using AES-256, access controls with multi-factor authentication, regular security assessments, SOC 2 certification (planned), and incident response procedures. Detailed security measures are available in the DPA and at trust.superagent.sh.

5.9 Security Incidents. Superagent will notify Customer without undue delay after becoming aware of any unauthorized access to Customer Data. Notification will include available information about the incident, affected data, and steps Superagent is taking to address the incident. Customer acknowledges that Superagent's investigation of security incidents is ongoing and information may be provided in phases as it becomes available.

5.10 Prohibition on Special Category Data. Customer must not submit, cause to be processed, or allow its AI agent to return Special Category Data through the Services. Customer is solely responsible for ensuring its AI agent does not leak Special Category Data during testing. Superagent has no obligation to detect or prevent Special Category Data processing. If Special Category Data is processed through the Services, Customer bears full liability for such processing and indemnifies Superagent for any claims arising from such processing.

6. SUB-PROCESSORS

6.1 Authorized Sub-processors. Superagent uses the following sub-processors to provide Monitor:

Vercel Inc. - Infrastructure orchestration and hosting. Vercel hosts the scripts that communicate with Customer API Endpoints and route data between components. All data streams temporarily pass through Vercel infrastructure. Location: United States. More information: vercel.com/security

OpenAI, L.L.C. - AI model analysis and classification. OpenAI's GPT models (GPT-5 or future models) analyze and classify responses from Customer's AI agents to detect vulnerabilities and generate assessment findings. Processing location: United States by default. OpenAI does not train on data submitted via Superagent's OpenAI API usage. More information: openai.com/policies

Convex, Inc. - Persistent database storage. Convex stores all Assessment results, Customer Data, API Endpoint credentials, and metadata. Location: United States. More information: convex.dev/security

6.2 Sub-processor Changes. Superagent may add or replace sub-processors from time to time. Superagent will notify Customer at least 30 days before adding or replacing sub-processors that process Customer Data. Customer may object within 15 days on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the Services and receive a pro-rata refund of prepaid fees.

6.3 Sub-processor Obligations. Superagent ensures that sub-processors are bound by data protection obligations substantially similar to those in this Agreement and the DPA, particularly regarding security, confidentiality, and data processing limitations.

7. INTELLECTUAL PROPERTY

7.1 Superagent IP. Superagent retains all intellectual property rights in and to the Services, including all software, algorithms, assessment methodologies, scoring systems, testing frameworks, Report formats and templates, Documentation, and any improvements or derivative works thereof. Customer receives no license or rights to Superagent IP except the limited right to use the Services as expressly permitted in this Agreement.

7.2 Customer Marks. Superagent will not use Customer's trademarks, trade names, or logos without Customer's prior written consent, except that Customer grants Superagent the right to identify Customer as a user of the Services and use Customer's name, trademarks, and logos in customer lists and marketing materials unless Customer objects in writing.

7.3 Feedback. Customer may provide suggestions, enhancement requests, or other feedback regarding the Services. Superagent may use such feedback without restriction or obligation to Customer.

8. WARRANTIES AND DISCLAIMERS

8.1 Mutual Warranties. Each party represents and warrants that it has the legal authority to enter into this Agreement and that this Agreement does not conflict with any other agreement to which it is a party.

8.2 Customer Warranties. Customer represents and warrants that it has all necessary rights and authorizations to provide API Endpoints for testing, that Customer's use of the Services complies with all applicable laws and regulations, that Customer will not use the Services to test third-party systems without authorization, and that Customer will not submit Special Category Data to the Services.

8.3 Service Disclaimers. CUSTOMER ACKNOWLEDGES AND AGREES THAT:

(a) Automated Analysis Only. Monitor provides automated security testing. Monitor is not a substitute for comprehensive security review, penetration testing by qualified security professionals, security audit or compliance certification, or human security expertise and judgment.

(b) No Guarantee of Completeness. Monitor tests for specific vulnerability categories but does not and cannot guarantee detection of all vulnerabilities. Monitor may miss vulnerabilities, produce false negatives (failing to detect actual vulnerabilities), produce false positives (flagging non-issues as vulnerabilities), and fail to detect novel or sophisticated attack vectors.

(c) Limited Testing Scope. Monitor performs black-box testing only. Monitor does not examine source code, internal model architecture, system configuration, or infrastructure security. Security issues outside Monitor's testing scope will not be detected.

(d) No Compliance Certification. Monitor does not constitute and should not be relied upon as certification of compliance with GDPR, CCPA, SOC 2, ISO 27001, HIPAA, or any other regulatory or compliance framework. Monitor provides information only and does not satisfy audit, assessment, or certification requirements.

(e) Scores Are Informational. Security scores and assessment metrics generated by Monitor are informational only and based on automated testing. Scores do not represent guarantees of security, absolute measurements of security posture, professional security opinions or judgments, or predictions of future security incidents. Scores may not be comparable across different versions of Customer's AI agent or across different AI agents.

(f) Customer Responsibility for Decisions. Customer is solely responsible for all decisions made based on Monitor Reports, including security implementation decisions, risk acceptance decisions, deployment decisions, and communications with end users or customers. Superagent provides information only and does not provide security advice, recommendations, or professional services.

(g) Testing May Affect Target Systems. Monitor sends test prompts to Customer's API Endpoint. Such testing may cause costs or usage against third-party services used by Customer's AI agent, trigger rate limits or abuse detection systems, generate log entries or alerts, affect performance metrics or analytics, or cause unexpected behavior in Customer's systems. Customer is solely responsible for any such impacts.

8.4 DISCLAIMER OF WARRANTIES. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, SUPERAGENT AND ITS AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES (EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) WITH RESPECT TO THE SERVICES, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, RELIABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, AND QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR TRADE USAGE. SUPERAGENT DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR FREE, OR ACCURATE, THAT ALL VULNERABILITIES WILL BE DETECTED, OR THAT REPORTS WILL BE COMPLETE OR FREE FROM FALSE POSITIVES OR FALSE NEGATIVES.

9. LIMITATION OF LIABILITY

9.1 Consequential Damages Waiver. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY (NOR ITS AFFILIATES, SUPPLIERS, OR LICENSORS) SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, LOST DATA, BUSINESS INTERRUPTION, SECURITY BREACHES RESULTING FROM UNDETECTED VULNERABILITIES, DAMAGES ARISING FROM DECISIONS BASED ON REPORTS, OR COSTS OF SUBSTITUTE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9.2 Liability Cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY'S (AND ITS AFFILIATES', SUPPLIERS', AND LICENSORS') TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES SHALL NOT EXCEED THE GREATER OF: (A) THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO SUPERAGENT IN THE 12 MONTHS PRECEDING THE CLAIM; OR (B) $500.

9.3 Exceptions. The limitations in Sections 9.1 and 9.2 do not apply to: either party's indemnification obligations under Section 10; either party's breach of confidentiality obligations; Customer's payment obligations; or violations of the other party's intellectual property rights.

9.4 Essential Purpose. Customer acknowledges that the limitations of liability in this Section 9 are essential elements of the bargain and that Superagent would not provide the Services without these limitations.

10. INDEMNIFICATION

10.1 Customer Indemnification. Customer shall defend, indemnify, and hold harmless Superagent, its affiliates, and their respective officers, directors, employees, and agents from and against any third-party claims, actions, or demands arising from: Customer's use of the Services in violation of this Agreement or applicable law; Customer's violation of any third-party rights, including intellectual property rights, privacy rights, or contractual rights; Customer Data or Customer's API Endpoint, including claims that testing Customer's API Endpoint violated third-party terms of service or caused harm to third-party systems; Customer's decisions or actions based on Reports or Services; processing of Special Category Data through the Services; or Customer's breach of the representations and warranties in Section 8.2.

10.2 Superagent Indemnification. Superagent shall defend, indemnify, and hold harmless Customer from and against any third-party claims that Customer's authorized use of the Services infringes such third party's intellectual property rights, provided that Customer promptly notifies Superagent of the claim, gives Superagent sole control of the defense and settlement, and provides reasonable cooperation. If the Services become subject to an infringement claim, Superagent may, at its option: obtain the right for Customer to continue using the Services; replace or modify the Services to make them non-infringing; or terminate the Services and refund prepaid fees on a pro-rata basis.

10.3 Indemnification Process. The indemnified party must promptly notify the indemnifying party of any claim subject to indemnification, provide reasonable cooperation in the defense, and allow the indemnifying party sole control of the defense and settlement, provided that the indemnifying party may not settle any claim that admits liability on behalf of the indemnified party or imposes obligations on the indemnified party without the indemnified party's prior written consent.

11. CONFIDENTIALITY

11.1 Definition. "Confidential Information" means information disclosed by one party to the other that is marked as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure. Confidential Information includes pricing information, technical information about the Services, business and marketing plans, Customer Data, and Reports (which are Customer's Confidential Information).

11.2 Obligations. The receiving party will: use Confidential Information only to exercise its rights and perform its obligations under this Agreement; protect Confidential Information using the same degree of care it uses for its own confidential information (but no less than reasonable care); and not disclose Confidential Information to third parties except to employees, contractors, and advisors who need to know and who are bound by confidentiality obligations at least as protective as this Agreement.

11.3 Exceptions. Confidential Information does not include information that: is or becomes publicly available through no fault of the receiving party; was rightfully known to the receiving party before disclosure; is rightfully received from a third party without confidentiality restrictions; or is independently developed by the receiving party without use of the Confidential Information.

11.4 Compelled Disclosure. If the receiving party is compelled by law to disclose Confidential Information, it must provide prompt notice to the disclosing party (if legally permitted) and reasonable assistance if the disclosing party wishes to contest the disclosure.

12. TERM AND TERMINATION

12.1 Term. This Agreement begins on the Effective Date and continues until terminated as provided in this Section 12.

12.2 Termination for Convenience. Either party may terminate this Agreement at any time with 30 days' written notice to the other party. Customer remains responsible for all fees accrued before the effective termination date.

12.3 Termination for Breach. Either party may terminate this Agreement immediately if the other party materially breaches this Agreement and fails to cure the breach within 30 days after receiving written notice of the breach.

12.4 Immediate Termination. Superagent may suspend or terminate Customer's access to the Services immediately if Customer violates Section 8.2 (Customer Warranties), Section 5.10 (Prohibition on Special Category Data), or the Usage Policy; Customer's account is used for fraudulent or illegal activity; Customer's use poses a security risk to the Services or other customers; or Customer fails to pay undisputed fees within 30 days of the due date.

12.5 Effect of Termination. Upon termination: Customer's right to use the Services immediately ceases; Customer must pay all outstanding fees within 30 days; Superagent will delete Customer Data in accordance with Section 5.7; and sections that by their nature should survive (including Sections 5.3, 5.5, 5.10, 7, 8.4, 9, 10, 11, 12.5, and 13) will survive termination.

12.6 Data Retrieval. Customer may export Reports and assessment data through the Dashboard at any time before termination. After termination, Customer has 30 days to export data before Superagent deletes it. Superagent has no obligation to provide data in any particular format or to maintain data after the 30-day period.

13. GENERAL PROVISIONS

13.1 Entire Agreement. This Agreement, including the Usage Policy and Data Processing Agreement incorporated by reference, constitutes the entire agreement between the parties regarding the Services and supersedes all prior agreements and understandings, whether written or oral.

13.2 Amendments. Superagent may modify this Agreement from time to time. Superagent will provide notice of material changes via email or through the Services at least 30 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the modified Agreement. If Customer does not agree to the modifications, Customer's sole remedy is to terminate this Agreement.

13.3 Assignment. Customer may not assign this Agreement without Superagent's prior written consent. Superagent may assign this Agreement without consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Any attempted assignment in violation of this section is void.

13.4 Notices. Notices under this Agreement must be in writing and sent to the addresses specified in Customer's account or, for Superagent, to legal@superagent.sh. Notices are effective when received.

13.5 Force Majeure. Neither party is liable for delays or failures in performance resulting from causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, riots, labor disputes, internet service provider failures, denial of service attacks, or governmental actions.

13.6 Governing Law and Venue. This Agreement is governed by the laws of the State of Delaware, without regard to conflicts of law principles. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Wilmington, Delaware, and the parties irrevocably consent to the personal jurisdiction and venue therein.

13.7 Severability. If any provision of this Agreement is held invalid or unenforceable, that provision will be modified to reflect the parties' intention or eliminated to the minimum extent necessary, and the remaining provisions will remain in full effect.

13.8 Waiver. No waiver of any provision of this Agreement will be deemed or constitute a waiver of any other provision, and any waiver must be in writing and signed by the waiving party.

13.9 Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.

13.10 No Third-Party Beneficiaries. This Agreement is for the sole benefit of the parties and does not confer any rights upon any third party.

13.11 Counterparts. This Agreement may be executed in counterparts, each of which will be deemed an original and all of which together will constitute one instrument.

By using Superagent Monitor, Customer agrees to be bound by this Agreement.

END OF SERVICES AGREEMENT - MONITOR v1.0