SUPERAGENT SERVICES AGREEMENT - RED TEAMING
Version 1.1
Effective Date: January 26, 2026
This Superagent Services Agreement ("Agreement") is entered into between Superagent Technologies, Inc., a Delaware corporation with offices at 1111B S Governors Ave STE 3232, Dover, DE 19904 ("Superagent," "we," "us," or "our") and you or the entity you represent ("Customer," "you," or "your").
By creating a Superagent account, accessing our Services, or using Red Teaming, you agree to be bound by this Agreement. If you are entering into this Agreement on behalf of an entity, you represent that you have the authority to bind that entity. If you do not agree with this Agreement, you must not use the Services.
This Agreement includes and incorporates by reference our Usage Policy and Data Processing Agreement (where applicable).
1. DEFINITIONS
"Assessment" means a security evaluation of Customer's AI agent conducted by the Red Teaming service, which may be a one-time evaluation or part of ongoing scheduled testing.
"Customer Data" means any data, content, or materials that Customer or its End Users submit to the Services, including responses from Customer's AI agent during testing.
"Customer Interface" means the user-facing interface of Customer's AI agent that will be tested, including but not limited to chat interfaces, voice interfaces, web applications, or other interaction methods.
"Documentation" means Superagent's technical documentation for the Services available at docs.superagent.sh.
"End User" means any individual or entity that accesses or uses the Services through Customer's account.
"Red Teaming" or "Superagent Red Teaming" means Superagent's AI agent security testing service that deploys specialized attack agents against Customer's production systems to surface vulnerabilities.
"Personal Data" has the meaning set forth in the Data Processing Agreement.
"Report" means the security assessment results, findings, evidence, and remediation guidance generated by Red Teaming and delivered to Customer.
"Services" means Superagent's Red Teaming service, including all assessment capabilities, attack scenarios, and related features accessible via the Dashboard.
"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined in GDPR Article 9.
"Usage Policy" means Superagent's acceptable use policy available at superagent.sh/usage-policy.
2. SERVICES AND ACCESS
2.1 Services Provided. Subject to Customer's compliance with this Agreement, Superagent will provide Customer with access to Red Teaming. Red Teaming is an automated adversarial testing service that deploys specialized attack agents against Customer's AI systems to surface vulnerabilities before customers encounter them. The Services will perform substantially in accordance with the Documentation. Service features, testing methodologies, attack scenarios, and capabilities are described in the Documentation and may be updated from time to time.
2.2 Service Model. Customer may choose to conduct Assessments on a one-time basis or configure Red Teaming to run Assessments on an ongoing, scheduled basis. Customer initiates and manages Assessments through the Dashboard. Assessment completion time varies based on testing scope, attack scenario complexity, and Customer's AI agent response characteristics.
2.3 Testing Method. Red Teaming performs black-box security testing by interacting with Customer's production AI systems through the Customer Interface (chat, voice, web, or other user-facing interfaces). Testing uses specialized attack agents, verticalized scenarios for specific agent types (coding agents, voice agents, customer support), and simulated environments to generate realistic test scenarios. Red Teaming does not access Customer's source code, internal model architecture, or internal system logs. Testing methodologies are based on the latest security research and proprietary data.
2.4 Account Registration. To use the Services, Customer must create an account by providing accurate and complete information. Customer is responsible for maintaining the confidentiality of account credentials, all activities under Customer's account, notifying Superagent immediately of any unauthorized use or security breach, and ensuring compliance with this Agreement by all End Users.
2.5 Interface Configuration. Customer must provide access credentials or configuration details for the Customer Interface through the Dashboard or during onboarding. Customer represents and warrants that Customer has authorization to provide the Customer Interface for testing and that such testing does not violate any third-party agreements or terms of service. Customer may configure multiple interfaces for testing. Superagent may revoke access to test a specific interface if Customer violates this Agreement or if Superagent reasonably suspects unauthorized use.
2.6 Service Modifications. Superagent may modify, update, or discontinue any aspect of the Services at any time, including adding or removing attack scenarios, updating assessment criteria, changing Dashboard interface or report formats, adding new testing modalities, or adjusting service capabilities. Superagent will provide reasonable advance notice of material changes that negatively impact Customer's use of the Services, except for changes required for security, legal compliance, or system stability.
3. FEES AND PAYMENT
3.1 Pricing. Fees for the Services are based on the pricing model selected by Customer and as specified in Customer's Account dashboard or applicable Order Form. Current pricing and available pricing models are available at superagent.sh/pricing. Superagent may update pricing with 30 days' advance notice to Customer.
3.2 Payment Terms. Customer agrees to pay all fees according to the payment terms applicable to Customer's selected pricing model. Payment terms may include subscription payments, usage-based billing, prepaid credits, or other models as specified in Customer's Account or Order Form. Customer will provide valid payment information and authorize Superagent to charge the payment method on file according to the applicable payment schedule.
3.3 Billing and Invoicing. Superagent will bill Customer according to Customer's selected pricing model. Customer may view current usage, billing details, and payment history through the Dashboard. Customer is responsible for maintaining current and accurate payment information.
3.4 Payment Disputes. Customer must notify Superagent of any billing disputes within 30 days of the transaction date. Superagent will work with Customer in good faith to resolve disputes promptly. Disputed amounts will remain payable pending resolution unless the dispute involves unauthorized charges.
3.5 Taxes. All fees are exclusive of taxes. Customer is responsible for all applicable taxes except those based on Superagent's net income. If Superagent is required to collect or pay taxes for which Customer is responsible, Customer will pay those amounts or provide valid tax exemption certificates.
4. SUPPORT
4.1 Support. Superagent provides technical support via email at support@superagent.sh. Support is provided on a best-efforts basis. Superagent makes no guarantees regarding response times or issue resolution timelines.
5. CUSTOMER DATA AND PRIVACY
5.1 Customer Data Ownership. Customer retains all rights, title, and interest in and to Customer Data. Superagent claims no ownership rights in Customer Data.
5.2 License to Superagent. Customer grants Superagent a limited, non-exclusive, worldwide license to use Customer Data solely to provide the Services to Customer and as otherwise permitted by this Agreement. This license includes the right to store Customer Data in Superagent's systems until Customer deletes such data or terminates this Agreement.
5.3 Report Ownership. Subject to Customer's compliance with this Agreement, Superagent assigns to Customer all right, title, and interest in and to the specific Reports generated for Customer. Customer owns all Reports generated by the Services, including findings, evidence artifacts, and remediation guidance. Superagent retains all intellectual property rights in the assessment methodology, attack agents, testing framework, and Report format and structure.
5.4 No Training on Customer Data. Superagent will not train its models on Customer Data. Customer Data will not be used for model improvement, research, or any purpose other than providing the Services to Customer.
5.5 Anonymized Data Use. Superagent may use anonymized and aggregated data derived from Assessments to improve Red Teaming's methodology and capabilities, train internal models, publish research findings, create industry benchmarks, and develop new features or services. Such use will not identify Customer or reveal Customer-specific information. Customer grants Superagent a perpetual, irrevocable license to use such anonymized and aggregated data.
5.6 Data Processing Agreement. To the extent Customer is a Controller and Superagent processes Personal Data on Customer's behalf, the Data Processing Agreement located at superagent.sh/legal/red-teaming-dpa applies and is incorporated into this Agreement. In case of conflict between this Agreement and the DPA regarding Personal Data processing, the DPA controls.
5.7 Data Retention and Deletion. Superagent stores the following data in connection with Red Teaming: interface access credentials and configuration stored until Customer deletes the configuration or account; test interactions and responses received from Customer's AI agent stored until Customer deletes via Dashboard or deletes account; Assessment results and findings stored until Customer deletes via Dashboard or deletes account. Customer may delete any stored data at any time through the Dashboard. Upon termination, Superagent will delete all Customer Data within 30 days, except as required by law or as necessary to resolve disputes.
5.8 Security. Superagent implements commercially reasonable technical and organizational measures to protect Customer Data from unauthorized access, use, or disclosure. These measures include encryption in transit using TLS 1.3, encryption at rest using AES-256, access controls with multi-factor authentication, regular security assessments, SOC 2 certification (planned), and incident response procedures. Detailed security measures are available in the DPA and at trust.superagent.sh.
5.9 Security Incidents. Superagent will notify Customer without undue delay after becoming aware of any unauthorized access to Customer Data. Notification will include available information about the incident, affected data, and steps Superagent is taking to address the incident. Customer acknowledges that Superagent's investigation of security incidents is ongoing and information may be provided in phases as it becomes available.
5.10 Prohibition on Special Category Data. Customer must not submit, cause to be processed, or allow its AI agent to return Special Category Data through the Services. Customer is solely responsible for ensuring its AI agent does not leak Special Category Data during testing. Superagent has no obligation to detect or prevent Special Category Data processing. If Special Category Data is processed through the Services, Customer bears full liability for such processing and indemnifies Superagent for any claims arising from such processing.
6. SUB-PROCESSORS
6.1 Authorized Sub-processors. Superagent uses the following sub-processors to provide Red Teaming:
Vercel Inc. - Infrastructure orchestration and hosting. Vercel hosts the application infrastructure and routes data between components. Location: United States. More information: vercel.com/security
Supabase Inc. - Database and backend infrastructure. Supabase stores Assessment results, Customer Data, interface configurations, and metadata. Location: United States. More information: supabase.com/security
AI Model Providers - Superagent uses multiple AI model providers for attack agent execution and response analysis, including:
- Superagent's own models hosted on Google Cloud (Cloud Run)
- OpenAI, L.L.C. (United States) - openai.com/policies
- Google LLC (United States) - cloud.google.com/terms
- Anthropic PBC (United States) - anthropic.com/privacy
AI model providers do not train on data submitted via Superagent's API usage. Processing location: United States.
6.2 Sub-processor Changes. Superagent may add or replace sub-processors from time to time. Superagent will notify Customer at least 30 days before adding or replacing sub-processors that process Customer Data. Customer may object within 15 days on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the Services and receive a pro-rata refund of prepaid fees.
6.3 Sub-processor Obligations. Superagent ensures that sub-processors are bound by data protection obligations substantially similar to those in this Agreement and the DPA, particularly regarding security, confidentiality, and data processing limitations.
7. INTELLECTUAL PROPERTY
7.1 Superagent IP. Superagent retains all intellectual property rights in and to the Services, including all software, algorithms, assessment methodologies, scoring systems, testing frameworks, Report formats and templates, Documentation, and any improvements or derivative works thereof. Customer receives no license or rights to Superagent IP except the limited right to use the Services as expressly permitted in this Agreement.
7.2 Customer Marks. Superagent will not use Customer's trademarks, trade names, or logos without Customer's prior written consent, except that Customer grants Superagent the right to identify Customer as a user of the Services and use Customer's name, trademarks, and logos in customer lists and marketing materials unless Customer objects in writing.
7.3 Feedback. Customer may provide suggestions, enhancement requests, or other feedback regarding the Services. Superagent may use such feedback without restriction or obligation to Customer.
8. WARRANTIES AND DISCLAIMERS
8.1 Mutual Warranties. Each party represents and warrants that it has the legal authority to enter into this Agreement and that this Agreement does not conflict with any other agreement to which it is a party.
8.2 Customer Warranties. Customer represents and warrants that it has all necessary rights and authorizations to provide Customer Interfaces for testing, that Customer's use of the Services complies with all applicable laws and regulations, that Customer will not use the Services to test third-party systems without authorization, and that Customer will not submit Special Category Data to the Services.
8.3 Service Disclaimers. CUSTOMER ACKNOWLEDGES AND AGREES THAT:
(a) Automated Adversarial Testing. Red Teaming provides automated adversarial security testing using specialized attack agents. Red Teaming is not a substitute for comprehensive security review, manual penetration testing by qualified security professionals, security audit or compliance certification, or human security expertise and judgment.
(b) No Guarantee of Completeness. Red Teaming tests for specific vulnerability categories but does not and cannot guarantee detection of all vulnerabilities. Red Teaming may miss vulnerabilities, produce false negatives (failing to detect actual vulnerabilities), produce false positives (flagging non-issues as vulnerabilities), and fail to detect novel or sophisticated attack vectors.
(c) Limited Testing Scope. Red Teaming performs black-box testing through the Customer Interface only. Red Teaming does not examine source code, internal model architecture, system configuration, or infrastructure security. Security issues outside Red Teaming's testing scope will not be detected.
(d) No Compliance Certification. Red Teaming does not constitute and should not be relied upon as certification of compliance with GDPR, CCPA, SOC 2, ISO 27001, HIPAA, or any other regulatory or compliance framework. Red Teaming provides information only and does not satisfy audit, assessment, or certification requirements.
(e) Findings Are Informational. Security findings and assessment results generated by Red Teaming are informational and based on automated adversarial testing. Findings do not represent guarantees of security, absolute measurements of security posture, professional security opinions or judgments, or predictions of future security incidents.
(f) Customer Responsibility for Decisions. Customer is solely responsible for all decisions made based on Red Teaming Reports, including security implementation decisions, risk acceptance decisions, deployment decisions, and communications with end users or customers. Superagent provides findings, evidence, and remediation guidance but Customer retains responsibility for implementation.
(g) Testing May Affect Target Systems. Red Teaming interacts with Customer's production AI systems through the Customer Interface. Such testing may cause costs or usage against third-party services used by Customer's AI agent, trigger rate limits or abuse detection systems, generate log entries or alerts, affect performance metrics or analytics, or cause unexpected behavior in Customer's systems. Customer is solely responsible for any such impacts.
8.4 DISCLAIMER OF WARRANTIES. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, SUPERAGENT AND ITS AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES (EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) WITH RESPECT TO THE SERVICES, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, RELIABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, AND QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR TRADE USAGE. SUPERAGENT DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR FREE, OR ACCURATE, THAT ALL VULNERABILITIES WILL BE DETECTED, OR THAT REPORTS WILL BE COMPLETE OR FREE FROM FALSE POSITIVES OR FALSE NEGATIVES.
9. LIMITATION OF LIABILITY
9.1 Consequential Damages Waiver. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY (NOR ITS AFFILIATES, SUPPLIERS, OR LICENSORS) SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, LOST DATA, BUSINESS INTERRUPTION, SECURITY BREACHES RESULTING FROM UNDETECTED VULNERABILITIES, DAMAGES ARISING FROM DECISIONS BASED ON REPORTS, OR COSTS OF SUBSTITUTE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
9.2 Liability Cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY'S (AND ITS AFFILIATES', SUPPLIERS', AND LICENSORS') TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES SHALL NOT EXCEED THE GREATER OF: (A) THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO SUPERAGENT IN THE 12 MONTHS PRECEDING THE CLAIM; OR (B) $500.
9.3 Exceptions. The limitations in Sections 9.1 and 9.2 do not apply to: either party's indemnification obligations under Section 10; either party's breach of confidentiality obligations; Customer's payment obligations; or violations of the other party's intellectual property rights.
9.4 Essential Purpose. Customer acknowledges that the limitations of liability in this Section 9 are essential elements of the bargain and that Superagent would not provide the Services without these limitations.
10. INDEMNIFICATION
10.1 Customer Indemnification. Customer shall defend, indemnify, and hold harmless Superagent, its affiliates, and their respective officers, directors, employees, and agents from and against any third-party claims, actions, or demands arising from: Customer's use of the Services in violation of this Agreement or applicable law; Customer's violation of any third-party rights, including intellectual property rights, privacy rights, or contractual rights; Customer Data or Customer's Interface, including claims that testing Customer's systems violated third-party terms of service or caused harm to third-party systems; Customer's decisions or actions based on Reports or Services; processing of Special Category Data through the Services; or Customer's breach of the representations and warranties in Section 8.2.
10.2 Superagent Indemnification. Superagent shall defend, indemnify, and hold harmless Customer from and against any third-party claims that Customer's authorized use of the Services infringes such third party's intellectual property rights, provided that Customer promptly notifies Superagent of the claim, gives Superagent sole control of the defense and settlement, and provides reasonable cooperation. If the Services become subject to an infringement claim, Superagent may, at its option: obtain the right for Customer to continue using the Services; replace or modify the Services to make them non-infringing; or terminate the Services and refund prepaid fees on a pro-rata basis.
10.3 Indemnification Process. The indemnified party must promptly notify the indemnifying party of any claim subject to indemnification, provide reasonable cooperation in the defense, and allow the indemnifying party sole control of the defense and settlement, provided that the indemnifying party may not settle any claim that admits liability on behalf of the indemnified party or imposes obligations on the indemnified party without the indemnified party's prior written consent.
11. CONFIDENTIALITY
11.1 Definition. "Confidential Information" means information disclosed by one party to the other that is marked as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure. Confidential Information includes pricing information, technical information about the Services, business and marketing plans, Customer Data, and Reports (which are Customer's Confidential Information).
11.2 Obligations. The receiving party will: use Confidential Information only to exercise its rights and perform its obligations under this Agreement; protect Confidential Information using the same degree of care it uses for its own confidential information (but no less than reasonable care); and not disclose Confidential Information to third parties except to employees, contractors, and advisors who need to know and who are bound by confidentiality obligations at least as protective as this Agreement.
11.3 Exceptions. Confidential Information does not include information that: is or becomes publicly available through no fault of the receiving party; was rightfully known to the receiving party before disclosure; is rightfully received from a third party without confidentiality restrictions; or is independently developed by the receiving party without use of the Confidential Information.
11.4 Compelled Disclosure. If the receiving party is compelled by law to disclose Confidential Information, it must provide prompt notice to the disclosing party (if legally permitted) and reasonable assistance if the disclosing party wishes to contest the disclosure.
12. TERM AND TERMINATION
12.1 Term. This Agreement begins on the Effective Date and continues until terminated as provided in this Section 12.
12.2 Termination for Convenience. Either party may terminate this Agreement at any time with 30 days' written notice to the other party. Customer remains responsible for all fees accrued before the effective termination date.
12.3 Termination for Breach. Either party may terminate this Agreement immediately if the other party materially breaches this Agreement and fails to cure the breach within 30 days after receiving written notice of the breach.
12.4 Immediate Termination. Superagent may suspend or terminate Customer's access to the Services immediately if Customer violates Section 8.2 (Customer Warranties), Section 5.10 (Prohibition on Special Category Data), or the Usage Policy; Customer's account is used for fraudulent or illegal activity; Customer's use poses a security risk to the Services or other customers; or Customer fails to pay undisputed fees within 30 days of the due date.
12.5 Effect of Termination. Upon termination: Customer's right to use the Services immediately ceases; Customer must pay all outstanding fees within 30 days; Superagent will delete Customer Data in accordance with Section 5.7; and sections that by their nature should survive (including Sections 5.3, 5.5, 5.10, 7, 8.4, 9, 10, 11, 12.5, and 13) will survive termination.
12.6 Data Retrieval. Customer may export Reports and assessment data through the Dashboard at any time before termination. After termination, Customer has 30 days to export data before Superagent deletes it. Superagent has no obligation to provide data in any particular format or to maintain data after the 30-day period.
13. GENERAL PROVISIONS
13.1 Entire Agreement. This Agreement, including the Usage Policy and Data Processing Agreement incorporated by reference, constitutes the entire agreement between the parties regarding the Services and supersedes all prior agreements and understandings, whether written or oral.
13.2 Amendments. Superagent may modify this Agreement from time to time. Superagent will provide notice of material changes via email or through the Services at least 30 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the modified Agreement. If Customer does not agree to the modifications, Customer's sole remedy is to terminate this Agreement.
13.3 Assignment. Customer may not assign this Agreement without Superagent's prior written consent. Superagent may assign this Agreement without consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Any attempted assignment in violation of this section is void.
13.4 Notices. Notices under this Agreement must be in writing and sent to the addresses specified in Customer's account or, for Superagent, to legal@superagent.sh. Notices are effective when received.
13.5 Force Majeure. Neither party is liable for delays or failures in performance resulting from causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, riots, labor disputes, internet service provider failures, denial of service attacks, or governmental actions.
13.6 Governing Law and Venue. This Agreement is governed by the laws of the State of Delaware, without regard to conflicts of law principles. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Wilmington, Delaware, and the parties irrevocably consent to the personal jurisdiction and venue therein.
13.7 Severability. If any provision of this Agreement is held invalid or unenforceable, that provision will be modified to reflect the parties' intention or eliminated to the minimum extent necessary, and the remaining provisions will remain in full effect.
13.8 Waiver. No waiver of any provision of this Agreement will be deemed or constitute a waiver of any other provision, and any waiver must be in writing and signed by the waiving party.
13.9 Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.
13.10 No Third-Party Beneficiaries. This Agreement is for the sole benefit of the parties and does not confer any rights upon any third party.
13.11 Counterparts. This Agreement may be executed in counterparts, each of which will be deemed an original and all of which together will constitute one instrument.
By using Superagent Red Teaming, Customer agrees to be bound by this Agreement.
END OF SERVICES AGREEMENT - RED TEAMING v1.1