AI Services Addendum

In addition to any other terms and conditions applicable to the purchase or use of Invicti services, this AI Services Addendum (the “Addendum”) shall apply to the provisioning and use of AI Services and/or if the entity purchasing or licensed to use the Invicti Solution (“the Client”) acquires a Subscription to any AI Services and/or one or more Assessments, as identified on an applicable Order Form or partner ordering document.

This Addendum shall be incorporated into, and form an integral part of: (i) the Subscription Services Agreement (https://www.invicti.com/legal/ssa) or other negotiated agreement between Customer and Invicti (the “SSA”), or (ii) the End User License Agreement (https://invicti.com/legal/EULA), as amended, between End User and Invicti, whichever applies to the Client’s access to the Invicti Solution and related Support (the applicable framework agreement being referred to as the “Underlying Agreement”). If there is a conflict between this Addendum and the terms of the Underlying Agreement, this Addendum shall prevail with respect to its subject matter. Capitalized terms used herein but not otherwise defined shall have the meaning ascribed to them in the Underlying Agreement, and references to “Customer” or “End User” shall apply to the Client as the context requires.

1. ADDITIONAL DEFINED TERMS.

“Agentic AI Services” means goal-oriented AI Services that are created, orchestrated or initiated by Client to perform multi-step tasks or execute actions in a supervised or autonomous manner, including but not limited to automated form-filling, aided auto-login, or autonomous vulnerability validation.

“Assessment” means an individual, specified and limited security engagement initiated by Client within an Agentic AI Service to attempt to confirm, demonstrate, or test vulnerabilities within a Target, for which the Client has a valid and active Subscription or has otherwise paid the applicable fees, to achieve specific security objectives.

“Generated Output” means the remediation guidance, risk scores, reports or other data generated by an AI Service as a result of processing Content or scanning Client’s designated Targets.

2. ADDITIONAL CLIENT RESPONSIBILITIES AND AUTHORIZATION

2.1. Client Direction. Client acknowledges that Agentic AI Services act solely as a technical tool under the Client's direction. Client is the "principal" and the AI Service is the "agent." The parties agree that any action performed by an AI Service within the scope of a Client-initiated Assessment, scan or workflow will be deemed to be a direct instruction and authorized act of the Client.

2.2. Authority and Access. Client is solely responsible for: (i) authorizing an Agentic AI Service’s access to Client’s applications, APIs, systems, assets and/or data; (ii) ensuring that such access does not violate any third-party terms, internal policies or applicable law; and (iii) maintaining "human-in-the-loop" oversight in all actions performed by AI Services.

2.3. On-Demand Assessments. For AI Services purchased or procured on a per-Assessment basis (e.g., via the Invicti website or portal): (i) the Subscription Term for such purchase shall be limited to the duration of the specific Assessment; (ii) the Agreement shall be deemed to comprise the Underlying Agreement, the Order Form (if applicable), this Addendum and any other commercial terms accepted during the checkout process; (iii) the Client may, upon payment, be granted the right to access the AI Services for the sole purpose of designating proposed Targets and completing required due diligence, provided that Invicti reserves the right to perform due diligence or verify Client's ownership or authorization of any designated Target prior to execution. For the avoidance of doubt, Invicti’s verification of a Target is for its own risk-mitigation purposes and does not relieve Client of its sole responsibility under Section 2.1 or 2.2.

3. RESTRICTIONS

3.1. Prohibited Conduct. In addition to the restrictions set out in the Underlying Agreement and the AUP, Client shall not use any AI Services or any Generated Output to: (i) generate, upload or deploy malicious code; (ii) reverse-engineer Invicti’s proprietary models or prompts; (iii) train, develop, improve or validate any machine learning model or similar artificial intelligence system that is competitive with any AI Services; or (iv) prompt the AI to generate defamatory or illegal content, or any content that infringes an unaffiliated third party’s rights.

4. DATA USAGE AND PRIVACY

4.1. Input Data. Notwithstanding the provisions of the Underlying Agreement, and subject to the terms contained in this section, Invicti may use the statistical and other information derived from Client’s use of the AI Services to analyze, develop and improve the AI Services. Such information shall be used only in an aggregated and de-identified manner that does not identify Client or any Users.

4.2. Restrictions on Use of Input Data. Invicti will not use Content to train or improve any AI Services in a manner that: (i) allows such Content to be incorporated into a shared model accessible by other customers; or (ii) allows the AI Services to disclose or reconstruct information identifying Client’s proprietary vulnerabilities, code or login information to anyone other than: (a) the Client and its Users; or (b) Invicti and its Affiliates and sub-processors who are bound by confidentiality obligations at least as restrictive as those in the Underlying Agreement.

4.3. Client-Specific Optimization. Invicti may use Content to improve the AI Services for Client, provided that any resulting customized system behaviour or performance enhancements are isolated to Client’s instance of the Cloud Service and are not used for any other customer.

5. WARRANTIES AND DISCLAIMERS

5.1. Probabilistic Nature. In addition to and without limiting the generality of Section 11.2 of the SSA or Section 9.3 of the EULA, as applicable, Client acknowledges that the AI Services and any Generated Output may be inaccurate, incomplete, or misleading. Generated Output (including but not limited to risk scoring, autonomous exploit attempts and remediation reporting) represents an automated assessment at a specific point in time. Client agrees that: (i) the AI Services do not constitute a guarantee or warranty or formal certification that Client’s applications are secure or free from all vulnerabilities; (ii) Agentic AI Services may not explore every possible logic path or edge case within a Target or its associated Development Environment. The failure of an Agentic AI Service to identify a vulnerability does not signify the absence of such vulnerability; and (iii) AI Services are intended to augment, not replace, comprehensive security programs. Client remains responsible for performing its own independent validation and manual testing as required by its internal risk profile or regulatory obligations.

5.2. Assumption of Risk. Client hereby acknowledges and accepts sole responsibility and exclusive liability for any adverse impacts, disruptions, or damages, whether sustained by Client’s internal systems or those of a third party, resulting from the execution of the authorized Agentic AI Services. Notwithstanding the foregoing, Invicti shall remain liable only in the event that such impacts are directly attributable to gross negligence, willful misconduct, or any significant failure by Invicti to adhere to the terms of the applicable Order Form. Invicti does not warrant that AI Services will identify every vulnerability or that the remediation guidance provided will be error-free.

6. INDEMNIFICATION. Client shall defend, indemnify, and hold harmless Invicti from and against any third-party claims, damages, or losses (including reasonable attorneys’ fees) arising out of or relating to: (a) Client’s instructions to an Agentic AI Service; (b) any unauthorized access caused by Client’s misconfiguration of AI Services; or (c) Generated Output that is used by Client in violation of third-party intellectual property rights or applicable law.

7. INTELLECTUAL PROPERTY

7.1. Ownership of Generated Output. As between Invicti and Client, and to the extent permitted by applicable law, Client owns all right, title, and interest in and to the Generated Output. Generated Output shall be deemed Content as defined in the Underlying Agreement and shall be subject to the same protections and usage restrictions as set forth in the Underlying Agreement.

7.2. Invicti Ownership. Notwithstanding the foregoing, Invicti (or its licensors) retains all right, title, and interest in and to: (a) the AI Services, including the underlying models, algorithms, and software; (b) statistical, system-related, operational or telemetry data generated by the AI Services; (c) any anonymized metadata or usage metrics derived from the operation of the AI Technology; and (d) generalized, aggregated learnings, model weight adjustments or optimizations that do not contain or disclose customer Client Confidential Information.

Last modified: 03 June 2026