Service Schedules
Incorporated by Reference into All Applicable Statements of Work | Version 1.326
Service Schedule A — Managed Security Services
Version 1.326 | Effective Date: 01 January 2026
1. Purpose and Incorporation
This Service Schedule A ("Schedule") describes the Managed Security Services offered by Simple Plan IT ("Provider") and the terms under which those services are delivered. This Schedule is incorporated by reference into any Statement of Work executed by Client that identifies Schedule A as applicable. Capitalized terms not defined herein have the meanings ascribed to them in the Master Services Agreement.
2. Service Delivery Model
2.1 Orchestration Model.
Provider delivers Managed Security Services as a security orchestration firm. Provider serves as Client's single point of accountability and coordinates delivery through a vetted ecosystem of third-party technology vendors and security partners. Client acknowledges that individual service components are delivered through or dependent upon vendor platforms and that Provider's obligations are limited to those expressly described in this Schedule.
2.2 À La Carte and Bundled Services.
Managed Security Services are available as individual components or as bundled packages. The service components activated for Client are identified in the applicable Statement of Work. Provider reserves the right to recommend minimum service combinations necessary for effective security outcomes; however, Client retains the right to select individual components subject to the exclusions and dependencies noted in Section 3.
2.3 Onboarding Assessment.
Prior to commencement of any Managed Security Services, Provider shall conduct an initial onboarding assessment of Client's environment to evaluate current security posture, identify compatibility requirements, and determine any remediation steps necessary to enable effective service delivery. The onboarding assessment is a condition of service delivery and not a substitute for the risk assessment or penetration testing services described in Schedule C.
2.4 Recommendation Implementation.
Provider shall deliver written recommendations arising from the onboarding assessment to Client's designated point of contact. Client shall implement Provider's recommendations within a commercially reasonable timeframe, not to exceed sixty (60) days unless otherwise agreed in writing. Provider's performance obligations and any applicable service level commitments are conditioned upon Client's timely implementation of material recommendations. Provider shall not be liable for service failures, security incidents, or degraded performance attributable to Client's failure to implement recommendations within the agreed timeframe.
2.5 Agent and Software Deployment.
Delivery of certain service components requires deployment of software agents, sensors, or platform integrations on Client's systems and network infrastructure. Client hereby authorizes Provider and its vendors to deploy such agents and software as necessary to deliver the activated service components. Client shall cooperate fully with deployment requirements and shall not remove, disable, or modify any deployed agent or software without Provider's prior written consent. Unauthorized removal or modification of deployed software shall relieve Provider of all service level obligations and performance commitments with respect to affected service components.
3. Service Components — Inclusions and Exclusions
The following table defines the scope of each available service component. Components must be expressly activated in the applicable Statement of Work. Provider makes no representation that any combination of components will provide complete protection against all threats, attacks, or security incidents.
| Service Component | What Is Included | What Is NOT Included |
|---|---|---|
| Security Operations Center (SOC) | | |
| SIEM / SOAR | | |
| EDR / XDR | | |
| Email Security | | |
| Vulnerability Management | | |
| SASE (Secure Access Service Edge) | | |
| Dark Web Monitoring | | |
| Security Awareness Training | | |
4. SOC Incident Response Protocol
4.1 SOC Authority and Scope.
Upon detection of a confirmed or high-confidence threat, Provider's SOC partner is authorized to take immediate containment actions within the scope of deployed tooling to stop the progression of the identified threat. Containment actions may include, but are not limited to, isolation of affected endpoints, blocking of identified malicious network traffic, and suspension of compromised credentials within managed systems. The SOC's authority is expressly limited to containment. No remediation, recovery, or broader response actions shall be taken without Client authorization.
4.2 Notification Workflow.
Following containment action, Provider shall notify Client's designated point of contact as promptly as practicable given the nature of the incident. Notification shall include a description of the detected threat, the containment actions taken, and the SOC's recommendations for remediation. Client's point of contact shall be responsible for authorizing any remediation steps and for any communications to Client's employees, customers, regulators, or third parties.
4.3 Client Authorization Required for Remediation.
Remediation activities — including but not limited to system rebuilds, credential resets beyond immediate containment scope, data restoration, and third-party forensic investigation — require express written or confirmed verbal authorization from Client's designated point of contact prior to commencement. Provider shall present remediation options and associated costs, if any, for Client's approval. Provider shall not be liable for damages arising from Client's delay in authorizing remediation or Client's election to decline recommended remediation actions.
4.4 Incident Response Plan Configuration.
During onboarding, Client and Provider shall jointly document Client's incident response preferences, including authorization thresholds, escalation contacts, after-hours notification protocols, and any pre-authorized containment actions beyond Provider's standard scope. This configuration shall be documented in the onboarding record and shall remain in effect until modified by Client in writing.
4.5 Out-of-Scope Incident Response.
Incident response activities beyond containment, including forensic investigation, legal breach notification, regulatory reporting, public communications, and full environment recovery, are outside the scope of this Schedule. Such services may be engaged separately under Schedule D (Project and Advisory Services) or through Client's own resources. Provider strongly recommends that Client maintain a separate incident response retainer with a qualified forensic firm.
5. Service Level Commitments
5.1 Applicability.
The following service level commitments apply to service components activated in Client's Statement of Work. Service level commitments are conditioned upon: (i) Client's implementation of onboarding assessment recommendations; (ii) Client's maintenance of required agents and software; (iii) the absence of any Force Majeure Event; and (iv) vendor platform availability.
| Metric | Critical / P1 | High / P2 | Standard / P3 |
|---|---|---|---|
| SOC Alert Triage | 15 minutes | 1 hour | 4 hours |
| SOC Containment Action (upon triage confirmation) | 30 minutes | 2 hours | Next business day |
| Provider Notification to Client POC | 1 hour from containment | 2 hours from containment | 4 business hours |
| Client Response to Provider Inquiry | 2 hours (Client obligation) | 4 hours (Client obligation) | 1 business day (Client obligation) |
| Vulnerability Scan Reporting | N/A | N/A | Monthly + on-demand |
| Platform Uptime Target (SIEM, EDR, Email, SASE) | 99.5% monthly (subject to vendor SLA) | 99.5% monthly | 99.5% monthly |
5.2 Priority Classification.
- Critical / P1: Active confirmed threat causing or imminently likely to cause significant business disruption, data exfiltration, or ransomware deployment.
- High / P2: Confirmed threat or significant vulnerability with material risk of escalation if not addressed promptly.
- Standard / P3: All other alerts, inquiries, reporting requests, and non-urgent service matters.
5.3 Service Level Remedies.
In the event Provider fails to meet a service level commitment in any calendar month, Client's sole and exclusive remedy shall be a service credit equal to five percent (5%) of the monthly Fee for the affected service component for that month, up to a maximum credit of fifteen percent (15%) of the total monthly Fee in any single month. Service credits shall be applied to the following month's invoice. Service credits do not apply to failures caused by Client action or inaction, Force Majeure Events, or vendor platform outages outside Provider's control. Service credits constitute Client's sole remedy for service level failures and do not modify Provider's limitation of liability under the Master Services Agreement.
6. Client Obligations Specific to Managed Security Services
6.1 Environment Inventory.
Client shall provide Provider with a complete and accurate inventory of all endpoints, servers, network devices, cloud environments, and applications to be covered under activated service components prior to onboarding. Client shall notify Provider within five (5) business days of any material changes to the covered environment, including addition of new devices, systems, or locations. Provider's service level commitments apply only to assets included in the current, Provider-acknowledged inventory.
6.2 Designated Point of Contact.
Client shall maintain a primary and secondary designated point of contact with authority to receive incident notifications, authorize remediation actions, and make decisions on Client's behalf. Client shall notify Provider in writing of any change to designated contacts within two (2) business days. Provider shall not be liable for delays in incident response attributable to Client's failure to maintain reachable, authorized contacts.
6.3 Prohibited Actions.
Client shall not, without Provider's prior written consent: (i) install or permit installation of unauthorized software or agents on covered systems; (ii) modify network configurations, firewall rules, or security policies on managed infrastructure; (iii) grant third-party access to managed environments; or (iv) disable, remove, or interfere with any Provider or vendor-deployed agent, sensor, or integration. Client acknowledges that unauthorized actions may degrade service effectiveness, create security vulnerabilities, and void applicable service level commitments.
6.4 Cooperation During Incidents.
During any active security incident, Client shall make its designated contacts available to Provider and the SOC team as reasonably necessary to support containment and remediation activities. Client shall provide prompt authorization for recommended actions and shall not unreasonably withhold or delay such authorization. Client acknowledges that delayed response during an active incident may result in expanded scope of damage for which Provider shall bear no liability.
7. Vendor Platform Dependencies and Limitations
7.1 Vendor Ecosystem.
Provider delivers Managed Security Services through a curated ecosystem of third-party technology vendors. Provider selects and manages vendor relationships on Client's behalf and serves as the single point of accountability for service delivery. Provider reserves the right to substitute vendors or platforms with functionally equivalent alternatives upon sixty (60) days' written notice to Client, provided that such substitution does not materially degrade service quality.
7.2 Vendor Limitations.
Provider is not responsible for: (i) unscheduled vendor platform outages or degraded performance outside Provider's control; (ii) changes to vendor platform features, capabilities, or pricing imposed by the vendor; (iii) data breaches or security incidents originating within vendor infrastructure; or (iv) vendor-imposed data retention limitations. Provider shall use commercially reasonable efforts to enforce applicable vendor service level commitments on Client's behalf and to notify Client promptly of any material vendor platform issues.
7.3 No Vendor Privity.
Client's contractual relationship for all Managed Security Services is solely with Provider. Client shall have no direct contractual rights against any vendor. Provider shall act as Client's advocate in vendor disputes but cannot guarantee specific outcomes from vendor dispute resolution processes.
8. Specific Disclaimers — Managed Security Services
8.1 No Guarantee of Complete Protection.
Provider does not warrant or represent that the Managed Security Services will detect, prevent, or stop all cyberattacks, intrusions, malware, ransomware, phishing attempts, or other security threats. The threat landscape is dynamic and evolving, and no security solution or combination of solutions provides absolute protection. Provider's obligation is to deliver the Services as described in this Schedule using commercially reasonable efforts consistent with industry standards at the time of delivery.
8.2 Awareness Training Outcomes.
Security awareness training services are designed to improve Client's organizational security awareness over time. Provider does not guarantee any specific level of employee engagement, training completion, phishing simulation performance, or reduction in security incidents attributable to human error. Training effectiveness depends substantially on Client's organizational culture, management support, and ongoing reinforcement, none of which are within Provider's control.
8.3 Vulnerability Management Scope.
Automated vulnerability scanning identifies known vulnerabilities present in covered assets at the time of scanning. Provider does not represent that scanning will identify all vulnerabilities, including zero-day vulnerabilities, vulnerabilities in unsupported or custom software, or vulnerabilities introduced between scanning cycles. Vulnerability management is not a substitute for penetration testing services described in Schedule C.
8.4 Dark Web Monitoring Limitations.
Dark web monitoring is dependent upon the availability and scope of Provider's monitoring platform and its access to dark web sources. Provider does not guarantee detection of all exposures. Certain dark web environments are not accessible to monitoring platforms, and exposures may exist that are not detected. Detection of an exposure does not imply that the exposed data has been actively used by threat actors.
Schedule Version Control
| Version | Effective Date | Summary of Changes | Applies To |
|---|---|---|---|
| 1.326 | 01 January 2026 | Initial release | All SOWs executed on or after effective date |
— End of Service Schedule A — Managed Security Services —
© Simple Plan IT. All Rights Reserved. | Incorporated by reference into all applicable Statements of Work.
Service Schedule B — GRC & Compliance Advisory Services
Version 1.326 | Effective Date: 01 January 2026
1. Purpose and Incorporation
This Service Schedule B ("Schedule") describes the Governance, Risk, and Compliance ("GRC") Advisory Services offered by Simple Plan IT ("Provider") and the terms under which those services are delivered. This Schedule is incorporated by reference into any Statement of Work executed by Client that identifies Schedule B as applicable. Capitalized terms not defined herein have the meanings ascribed to them in the Master Services Agreement.
2. Service Tracks
Provider offers GRC services under two distinct tracks. The applicable track or combination of tracks is identified in the executed Statement of Work. The tracks are not mutually exclusive — a Client may engage Provider for a Readiness engagement that transitions into a Managed GRC relationship upon audit completion.
| Feature | Track 1: GRC Readiness | Track 2: Managed GRC |
|---|---|---|
| Engagement Type | Project-based with defined scope and end point | Ongoing monthly recurring service |
| Billing Structure | 60% / 25% / 15% milestone-based | Monthly recurring fee |
| GRC Platform | Client provides own platform or document system | Provider-managed platform (Drata or equivalent) included |
| Primary Focus | Audit readiness, gap remediation, policy creation | Continuous compliance monitoring, evidence management, maintenance |
| Audit Support | Included through audit completion | Included for applicable audit cycles |
| Platform Access | Not provided | Client access to Provider-managed platform |
| End Point | Defined — upon audit completion or SOW delivery | Ongoing until termination per MSA terms |
3. Track 1 — GRC Readiness Services
3.1 Service Description.
GRC Readiness is a project-based engagement designed to assess Client's current compliance posture, identify gaps relative to the target framework, develop required policies and procedures, and prepare Client for a formal audit or certification assessment. The scope, target framework, and deliverables are defined in the applicable Statement of Work.
3.2 Supported Frameworks.
Provider's GRC Readiness services are currently offered in support of the following compliance frameworks, as specified in the SOW:
- Cybersecurity Maturity Model Certification (CMMC) — Levels 1, 2, and 3
- SOC 2 Type I and Type II (Trust Services Criteria)
- NIST SP 800-171 and NIST Cybersecurity Framework (CSF)
- Additional frameworks as agreed in writing in the applicable SOW
3.3 Readiness Engagement Phases.
A GRC Readiness engagement is delivered in the following phases. Specific deliverables and milestones for each phase are defined in the applicable Statement of Work:
| Phase | Provider Deliverables | Client Obligations |
|---|---|---|
| Phase 1 — Kickoff & Discovery | | |
| Phase 2 — Gap Assessment | | |
| Phase 3 — Policy & Procedure Development | | |
| Phase 4 — Remediation Support | | |
| Phase 5 — Audit Support | | |
3.4 Milestone Payment Trigger.
The 25% milestone payment for GRC Readiness engagements is triggered upon Provider's delivery of the completed gap analysis report (Phase 2 deliverable) to Client, as confirmed in writing by Provider. Client's acceptance or approval of the gap analysis is not a condition of the payment trigger — delivery constitutes the triggering event.
3.5 Client-Caused Delays.
GRC Readiness engagements are highly dependent on Client's cooperation, availability of personnel, and timely provision of documentation and evidence. If Client fails to fulfill its obligations under Section 3.3 within the timeframes specified in the SOW, and such failure causes a delay of thirty (30) or more calendar days in Provider's ability to progress the engagement, Provider may: (i) invoice the next milestone payment as if the milestone had been achieved; (ii) extend the engagement timeline without penalty; or (iii) both. Provider shall provide Client with written notice of any such delay before invoicing under this provision.
3.6 Client's GRC Platform — Readiness Track.
Under the Readiness track, Provider does not provide or manage a GRC platform. Client is responsible for maintaining its own GRC platform, document management system, or equivalent solution capable of receiving, storing, and managing the policies, procedures, and evidence produced under this engagement. Provider shall deliver all engagement deliverables in standard document formats (PDF and/or Microsoft Word) compatible with Client's chosen system. Provider makes no representation regarding the compatibility of deliverables with any specific third-party platform.
4. Track 2 — Managed GRC Services
4.1 Service Description.
Managed GRC is a recurring monthly service that provides Client with access to Provider's managed GRC platform environment, ongoing compliance monitoring, continuous evidence collection and management, policy maintenance, and advisory support for active compliance programs. Managed GRC is designed to support Client's ongoing compliance posture following initial readiness work or as a standalone compliance management service.
4.2 Platform Provisioning and Access.
Provider shall provision and maintain a dedicated Client environment within Provider's managed GRC platform (currently Drata or a functionally equivalent platform selected by Provider). Provider holds the master account and administers the platform on Client's behalf. Client shall receive designated user access credentials enabling Client personnel to view compliance status, upload evidence, and interact with assigned tasks within the platform. Platform selection and substitution are governed by Section 7 of this Schedule.
4.3 Managed GRC Service Inclusions.
The following services are included in the Managed GRC monthly fee, as applicable to Client's active compliance frameworks:
- Platform provisioning, configuration, and ongoing administration
- Framework control mapping and continuous monitoring configuration
- Automated evidence collection setup and maintenance for supported integrations
- Monthly compliance posture review and status reporting
- Policy and procedure maintenance and annual review cycle
- Evidence gap identification and remediation guidance
- Audit support for applicable annual audit or assessment cycles
- Access to Provider's advisory team for compliance questions and guidance
- Vendor and third-party risk questionnaire management (as specified in SOW)
4.4 Managed GRC Service Exclusions.
The following are expressly excluded from the Managed GRC monthly fee unless separately agreed in writing:
- Initial gap assessment and policy development (available under Track 1 or as a separate SOW)
- Legal advice or legal interpretation of regulatory requirements
- Audit or assessment fees charged by the assessor or audit firm
- Remediation of identified control gaps using Client's own technical resources
- Custom platform integrations not supported by the GRC platform's standard connector library
- Compliance frameworks not identified in the applicable SOW
- Employee training delivery (available under Schedule A — Security Awareness Training)
4.5 Auditor Coordination.
For SOC 2 engagements where Client does not have an existing relationship with a qualified audit firm, Provider will assist Client in identifying and engaging a suitable CPA firm with SOC 2 audit capabilities. Provider's assistance is limited to identification and introduction. The audit engagement is solely between Client and the selected audit firm. Provider does not receive compensation from any audit firm for referrals and has no financial interest in Client's selection of any particular auditor.
5. Audit Support and Provider's Role During Assessments
5.1 Scope of Audit Support.
Provider's engagement includes advisory support to Client throughout the audit or assessment process under both service tracks. Provider's role during an audit or assessment is limited to the following:
- Serving as Client's internal compliance advisor and point of coordination
- Responding to assessor or auditor requests for information on Client's behalf, as authorized by Client
- Producing or locating evidence artifacts required by the assessor
- Advising Client on how to respond to and resolve audit findings or deficiencies
- Assisting with remediation of findings within the scope of Provider's advisory services
5.2 Out-of-Scope Audit Activities.
The following activities are outside the scope of Provider's audit support services and shall require a separately executed SOW or separate engagement if desired:
- Serving as Client's legal representative or legal counsel during any regulatory proceeding
- Appealing or formally contesting audit findings on Client's behalf
- Conducting independent technical remediation of failed controls
- Providing attestation, certification, or sign-off on the adequacy of Client's controls
5.3 Assessor and Auditor Independence.
Client acknowledges that assessors and audit firms are independent third parties not under Provider's control. Provider has no authority to direct, influence, or override any finding, determination, or opinion made by an assessor or audit firm. Provider shall not be liable for any assessment or audit outcome, regardless of the nature or extent of Provider's advisory support.
6. Client Obligations Specific to GRC Services
6.1 Organizational Participation.
GRC engagements require active participation from Client's leadership and operational personnel. Client shall make available, on a timely basis, the personnel, documentation, system access, and organizational information necessary for Provider to perform its services. Client acknowledges that Provider's ability to deliver outcomes is directly dependent on the quality and timeliness of Client's participation.
6.2 Accuracy of Information.
Client represents and warrants that all information, documentation, and evidence provided to Provider is accurate, complete, and current. Provider shall rely on Client-provided information without independent verification. Provider shall not be liable for gaps, deficiencies, or audit findings arising from inaccurate, incomplete, or misleading information provided by Client.
6.3 Timely Review and Approval.
Client shall review and provide feedback on all Provider-drafted deliverables, including policies, procedures, and gap analysis reports, within the timeframes specified in the applicable SOW. Where no timeframe is specified, Client shall provide feedback within ten (10) business days of delivery. Failure to provide timely feedback constitutes Client-caused delay and shall not affect Provider's right to invoice in accordance with the payment schedule.
6.4 Remediation Responsibility.
Provider advises on and guides remediation of identified gaps and control deficiencies. Client is solely responsible for executing remediation activities using its own personnel, technical resources, or separately engaged contractors. Provider's identification of a gap or deficiency and provision of remediation guidance does not create an obligation on Provider to perform the remediation itself unless separately agreed in writing in an executed SOW.
6.5 Legal and Regulatory Decisions.
Client is solely responsible for all legal and regulatory decisions made in connection with its compliance program, including decisions regarding the interpretation of regulatory requirements, the adequacy of implemented controls, the timing and method of regulatory reporting, and the selection and engagement of legal counsel. Where Client requires legal interpretation of regulatory requirements, Client shall engage qualified legal counsel independent of Provider.
7. GRC Platform — Terms and Data Ownership
7.1 Account Ownership.
Provider holds the master account on the GRC platform used to deliver Managed GRC services. Client receives designated user access within Provider's managed environment. Client acknowledges that it does not hold a direct subscription or contractual relationship with the platform vendor and that platform access is a component of the Managed GRC service.
7.2 Client Data Ownership.
All compliance data, evidence artifacts, policies, procedures, and documentation uploaded to or generated within Client's platform environment by or on behalf of Client constitute Client Data and remain the property of Client at all times. Provider's administration of the platform does not create any ownership interest in Client Data.
7.3 Platform Substitution.
Provider reserves the right to migrate Managed GRC services to a functionally equivalent GRC platform upon sixty (60) days' written notice to Client. Provider shall use commercially reasonable efforts to ensure continuity of Client's compliance data and program structure through any platform migration. Client shall cooperate with reasonable migration requirements, including provision of necessary credentials and participation in migration testing.
7.4 Data Export and Offboarding.
Upon termination or expiration of a Managed GRC SOW, Provider shall, within thirty (30) days of the termination effective date: (i) export all of Client's compliance data, evidence artifacts, policies, procedures, audit logs, and platform documentation in a standard portable format (PDF, CSV, and/or Microsoft Word, as applicable); and (ii) deliver the complete export to Client via secure file transfer or agreed delivery method. Following delivery of Client's data export, Provider shall decommission Client's platform environment. Provider shall have no obligation to maintain Client's platform environment or data beyond the thirty (30) day wind-down period.
7.5 Platform Vendor Limitations.
GRC platform availability, feature set, and data retention capabilities are subject to the terms and conditions of the applicable platform vendor. Provider is not responsible for platform outages, data loss, or feature changes imposed by the platform vendor. Provider shall notify Client promptly of any material platform vendor changes that may affect Client's compliance program.
8. Specific Disclaimers — GRC & Compliance Advisory
8.1 No Guarantee of Certification or Audit Outcomes.
Provider does not guarantee that Client will achieve, maintain, pass, or receive any compliance certification, SOC 2 attestation, CMMC certification, or other audit or assessment outcome. Certification and attestation determinations are made solely by the applicable C3PAO, CPA firm, or other third-party assessor based on their independent evaluation of Client's controls and evidence. Provider's advisory support does not influence or bind the outcome of any assessment.
8.2 No Legal Advice.
Nothing provided by Provider under this Schedule constitutes legal advice. Provider's GRC advisory services are operational and technical in nature. Statements made by Provider regarding the requirements of CMMC, SOC 2, NIST, or any other framework represent Provider's professional advisory opinion and do not constitute a legal determination. Client shall consult qualified legal counsel for all legal interpretations and regulatory compliance decisions.
8.3 Readiness Is Not Certification.
Completion of a GRC Readiness engagement, delivery of all engagement deliverables, and achievement of a pre-assessment readiness review does not constitute certification, attestation, or a representation by Provider that Client will pass any subsequent formal audit or assessment. Pre-assessment readiness is Provider's professional advisory opinion based on the information available at the time of the review.
8.4 Control Effectiveness.
Provider's assessment of whether a control, policy, or procedure satisfies a framework requirement represents Provider's professional advisory judgment. Assessors and audit firms may reach different conclusions regarding the same control. Provider shall not be liable for audit findings that contradict Provider's advisory guidance, provided that Provider's guidance was delivered in good faith and consistent with industry-standard interpretations of the applicable framework at the time of delivery.
8.5 Client Responsibility for Remediation.
Provider identifies gaps and advises on remediation. The effectiveness of Client's compliance program depends substantially on Client's commitment to and execution of remediation activities, the accuracy of information provided to Provider, the availability and engagement of Client's personnel, and decisions made by Client's leadership regarding resource allocation and risk acceptance. Provider shall not be liable for compliance failures attributable to Client's failure to implement recommended remediation.
Schedule Version Control
| Version | Effective Date | Summary of Changes | Applies To |
|---|---|---|---|
| 1.326 | 01 January 2026 | Initial release | All SOWs executed on or after effective date |
— End of Service Schedule B — GRC & Compliance Advisory Services —
© Simple Plan IT. All Rights Reserved. | Incorporated by reference into all applicable Statements of Work.
Service Schedule C — Risk Assessment & Penetration Testing
Version 1.326 | Effective Date: 01 January 2026
1. Purpose and Incorporation
This Service Schedule C ("Schedule") describes the Risk Assessment and Penetration Testing services offered by Simple Plan IT ("Provider") and the terms under which those services are delivered. This Schedule is incorporated by reference into any Statement of Work executed by Client that identifies Schedule C as applicable. Capitalized terms not defined herein have the meanings ascribed to them in the Master Services Agreement.
2. Service Delivery Model
2.1 Orchestration and Subcontracting.
Provider delivers penetration testing and risk assessment services through a vetted network of specialized security testing partner firms. Provider serves as Client's single point of accountability, coordinates all testing activities, manages the engagement timeline, and is responsible for delivering all reports to Client. Client's contractual relationship is solely with Provider. Client has no direct contractual relationship with any testing partner firm.
2.2 Payment Required Prior to Commencement.
All penetration testing and risk assessment services require payment of one hundred percent (100%) of the engagement fee prior to commencement of any testing activity. Provider will issue an invoice upon execution of the applicable Statement of Work. No testing will begin until payment has been received and confirmed. This requirement applies to all engagements under this Schedule without exception.
2.3 Scope Binding.
The scope of each engagement is defined exclusively in the Rules of Engagement Exhibit attached to the applicable Statement of Work. Testing activities are strictly limited to systems, IP ranges, domains, and assets expressly identified in the approved scope. Any expansion of scope requires a written change order executed by both parties prior to commencement of out-of-scope activities. Additional scope will be quoted and invoiced separately and requires additional payment before expanded testing begins.
3. Available Service Offerings
3.1 External Network Penetration Testing.
Provider conducts security testing against Client's externally facing systems, public IP addresses, and internet-accessible assets to identify vulnerabilities exploitable from outside Client's network perimeter. This service includes:
- User profiling and reputational threat assessment using open-source intelligence (OSINT)
- Information gathering and intelligence collection from publicly available sources
- DNS enumeration, subdomain discovery, and domain reputation analysis
- External vulnerability discovery, validation, and exploitation attempts
- Post-exploitation activities within authorized scope to demonstrate impact
- Executive summary report and detailed technical findings report
3.2 Internal Network Penetration Testing.
Provider conducts security testing against Client's internal network infrastructure, systems, and services to identify vulnerabilities exploitable by an insider threat or attacker who has gained initial access to the internal environment. Testing is conducted using a dedicated testing device shipped to each Client location in scope. This service includes:
- Information gathering and internal network enumeration
- Internal vulnerability discovery, validation, and exploitation attempts
- Privilege escalation and lateral movement attempts within authorized scope
- Active Directory environment analysis where applicable
- Post-exploitation activities to demonstrate full attack chain impact
- Executive summary report and detailed technical findings report
3.3 Combined External and Internal Assessment.
Provider offers a combined engagement covering both external and internal network penetration testing as a single scoped assessment. Pricing for combined assessments is set forth in the applicable Statement of Work. Combined assessments follow the methodology, deliverables, and terms applicable to both service types described in Sections 3.1 and 3.2.
3.4 Vulnerability Assessment (Non-Exploitation).
Provider offers a vulnerability assessment service that includes scanning, identification, and validation of vulnerabilities without active exploitation. This service is appropriate for organizations seeking a lower-risk assessment or environments where exploitation activities are not authorized. Deliverables include a risk-ranked vulnerability report and remediation recommendations. This service does not include exploitation, post-exploitation, or privilege escalation activities.
3.5 Application Penetration Testing.
Web application and mobile application penetration testing are available by separate Statement of Work and are not included in the standard scope of this Schedule. Application testing engagements are subject to all terms of this Schedule and the Master Services Agreement. Clients interested in application testing should request a separate proposal. Provider will engage a qualified application security testing partner appropriate to the application type and technology stack.
4. Testing Methodology and Standards
4.1 Methodology Framework.
Provider's testing activities are conducted in accordance with industry-recognized security testing frameworks, including the MITRE ATT&CK framework, the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, and applicable OWASP testing methodologies. Provider conducts periodic reviews of its testing methodology to ensure techniques and tactics reflect the current threat landscape.
4.2 Testing Phases.
| Phase | Activities |
|---|---|
| User Profiling & OSINT (External Only) | Leverage publicly available resources including social media, corporate websites, DNS records, search engines, forums, GitHub, and Pastebin to gather information about Client's organization and personnel. Generate custom lists of potential usernames and email addresses for use in subsequent attack phases. Identify reputational threats including misspelled or inflammatory domain registrations. |
| Intelligence Gathering | Map Client's attack surface including target IP ranges, domain structure, exposed services, and environments potentially containing sensitive information. Enumerate DNS records, SSL certificates, and service banners. Internal phase includes network discovery and enumeration of hosts, services, and Active Directory structure. |
| Vulnerability Analysis | Identify vulnerabilities through both automated scanning and manual testing techniques. Validate identified vulnerabilities using multiple validation methods. Mark and exclude false positives. Collect proof-of-concept evidence for validated findings. Risk-rank all findings according to Provider's severity classification framework. |
| Exploitation | Cautiously attempt exploitation of validated vulnerabilities within authorized scope to confirm exploitability and assess real-world risk. Exploitation is conducted with care to minimize disruption. Certain exploitation techniques may be excluded by Client in the Rules of Engagement Exhibit. |
| Post-Exploitation | Following successful exploitation, demonstrate the full potential impact of a successful attack including privilege escalation, lateral movement, and access to sensitive systems or data within authorized scope. Activities may include Active Directory analysis using tools such as BloodHound to identify privilege escalation paths. |
| Reporting | Compile all findings into an Executive Summary Report and a detailed Technical Report. Deliver reports to Client within ten (10) business days of assessment completion. Participate in a post-engagement debrief with Client's designated technical contact. |
4.3 Black Box Testing Approach.
Unless otherwise specified in the Rules of Engagement Exhibit, testing is conducted using a black box methodology — the testing team begins with no pre-provided knowledge of Client's internal architecture, credentials, or system configuration. This approach simulates a realistic external attacker or opportunistic insider threat scenario.
4.4 Controlled and Careful Exploitation.
All exploitation activities are conducted with care to minimize disruption to Client's business operations. Provider does not employ techniques designed to permanently damage systems, destroy data, or cause irreversible changes to the testing environment. Notwithstanding this commitment, Client acknowledges that penetration testing carries inherent operational risk and that certain testing activities may cause temporary service disruption. Provider shall notify Client promptly if any testing activity produces unexpected system behavior.
5. Testing Tools
Provider utilizes the following categories of industry-standard security testing tools. Specific tools used in any engagement may vary based on scope, environment, and the testing partner engaged.
| Category | Tool | Description |
|---|---|---|
| Enterprise Assessment & Penetration Testing | Nessus | Commercial vulnerability scanner by Tenable for comprehensive vulnerability identification and validation. |
| Enterprise Assessment & Penetration Testing | Gobuster | Directory enumeration and brute force tool for web service discovery. |
| Enterprise Assessment & Penetration Testing | Curl | Command-line network communication tool used for brute force and enumeration activities. |
| Exploit Frameworks | Metasploit | Commercial and open-source exploitation framework for discovering and validating security exploits. |
| Exploit Frameworks | PowerSploit | Collection of Microsoft PowerShell modules used for discovery and validation of security exploits. |
| Exploit Frameworks | Empire | PowerShell and Python-based post-exploitation framework. |
| Password Analysis | John the Ripper | Multi-purpose command-line password cracking tool. |
| Password Analysis | Hashcat | GPU-accelerated password cracking suite. |
| Password Analysis | Ncrack | High-speed network authentication cracker. |
| Password Analysis | RainbowCrack | Pre-computed hash cracking tool. |
| Network Configuration Review | Nipper | Commercial network device configuration review utility by Titania. |
| Information Discovery & Enumeration | Nmap | Network discovery and enumeration of hosts and services. |
| Information Discovery & Enumeration | BloodHound | Active Directory environment mapping for privilege escalation path identification. |
| Information Discovery & Enumeration | Leprechaun | Provider-developed internal network infrastructure mapping tool used post-privilege escalation. |
| Information Discovery & Enumeration | Shodan | Search engine for internet-connected device identification. |
| Information Discovery & Enumeration | Sublist3r | Subdomain enumeration using dictionary wordlists and search engine data. |
| Information Discovery & Enumeration | FOCA | Metadata extraction from documents including PDF, DOCX, and XLSX formats. |
| Information Discovery & Enumeration | URLCrazy | Registered subdomain identification based on provided domain names. |
| Information Discovery & Enumeration | Dnsmap | DNS enumeration tool for domain analysis. |
| Information Discovery & Enumeration | Whois | Domain and IP registration information tool. |
| Information Discovery & Enumeration | SSLScan | SSL/TLS service enumeration tool. |
| Information Discovery & Enumeration | Wireshark | Packet analyzer for network traffic inspection. |
| Information Discovery & Enumeration | Arping | Local subnet host discovery and connectivity validation tool. |
6. Finding Severity Classification
| Severity | Description |
|---|---|
| Critical | Requires immediate remediation. Exploiting these vulnerabilities requires minimal effort but poses a significant threat to the confidentiality, integrity, or availability of systems and data. Successful exploitation typically leads to access to multiple systems or significant sensitive information. |
| High | Requires immediate remediation. Exploitation poses a significant threat to the confidentiality, integrity, or availability of systems or data. Successful exploitation typically leads to access to a single system or limited sensitive information. |
| Medium | Requires remediation within a short and reasonable timeframe. These findings typically lead to compromise of non-privileged user accounts or denial-of-service conditions. |
| Low | Remediate once all higher-priority findings are addressed. These findings typically leak information to unauthorized users and may support more significant attacks when combined with other vectors. |
| Informational | Does not pose a significant immediate threat. These findings may disclose information useful to an attacker for social engineering or information gathering but do not directly expose the organization to technical attack. |
7. Engagement Deliverables
7.1 Report Delivery Timeline.
Provider shall deliver all engagement deliverables within ten (10) business days of completion of active testing activities. Deliverables are delivered electronically via Provider's secure file transfer process. All report materials are treated as Confidential Information under the Master Services Agreement.
7.2 Executive Summary Report.
The Executive Summary Report is designed for Client's leadership and non-technical stakeholders. It includes a high-level summary of testing activities, an overview of the overall security posture assessment, a summary of findings by severity level, a remediation roadmap with prioritized recommendations, and strategic observations regarding Client's security program.
7.3 Technical Findings Report.
The Technical Report is designed for Client's technical personnel and IT team. It includes detailed documentation of each identified vulnerability, proof-of-concept evidence and screenshots demonstrating vulnerability validation, CVSS scores and severity classifications, step-by-step technical remediation recommendations for each finding, and false positive notations with supporting rationale.
7.4 Post-Engagement Debrief.
Provider shall offer a post-delivery debrief session with Client's designated technical contact to walk through report findings, answer questions, and discuss remediation priorities. The debrief is included in the engagement fee. Additional remediation advisory services beyond the debrief are available under Schedule D (Project and Advisory Services) by separate SOW.
8. Emergency Stop Procedure
8.1 Emergency Stop Rights.
Client may invoke the emergency stop procedure at any time during active testing without penalty. Provider may also independently suspend testing activities if Provider's testing team observes unexpected system behavior, evidence of instability in the testing environment, or indicators that testing activity may be causing unintended impact beyond the authorized scope.
8.2 Effect on Engagement.
An emergency stop does not automatically terminate the engagement or entitle Client to a refund. Following a stop, Provider and Client shall confer to assess the cause, evaluate whether testing can safely resume, and determine whether scope modifications are appropriate. If the parties mutually agree that the engagement cannot safely continue, Provider shall deliver a partial report covering completed testing phases, and the parties shall negotiate in good faith regarding any fee adjustment.
8.3 Emergency Contact Designation.
Client shall designate a primary and secondary emergency contact with 24-hour availability during active testing windows. Emergency contact information is documented in the Rules of Engagement Exhibit. Provider shall not be liable for inability to reach Client during an emergency stop situation if Client has failed to maintain reachable emergency contacts.
9. Client Obligations and Authorizations
9.1 System Ownership Representation.
Client represents and warrants that it owns or has explicit written authorization from the owner to conduct security testing on all systems, IP addresses, domains, applications, and network infrastructure identified in the testing scope. Client acknowledges that testing systems owned by third parties without their explicit authorization — including cloud providers, ISPs, SaaS vendors, and colocation facilities — may be illegal and is strictly prohibited. Client shall obtain all required third-party authorizations prior to execution of the applicable Statement of Work.
9.2 Written Authorization.
Client's execution of the Statement of Work and the Rules of Engagement Exhibit constitutes Client's express written authorization for Provider and its testing partners to conduct all testing activities defined in the approved scope. Client acknowledges that this authorization is the legal basis for all testing activities and that the scope defined in the Rules of Engagement Exhibit is binding on both parties.
9.3 Third-Party Notification.
Client is solely responsible for notifying any third parties who may be affected by testing activities, including but not limited to managed service providers, cloud service providers, colocation facilities, internet service providers, and SaaS vendors. Many third-party providers require advance written notification before authorized security testing may be conducted against systems they host or manage. Provider assumes no responsibility for third-party responses to testing activities, including account suspension or service termination, arising from Client's failure to provide required notifications.
9.4 Cooperation and Access.
Client shall provide Provider with all access credentials, network information, and logistical support necessary to conduct testing within the authorized scope. For internal testing, Client shall designate a technical contact responsible for connecting Provider's testing device to the internal network and confirming connectivity prior to testing commencement. Client shall make designated contacts available during active testing windows.
9.5 Change Freeze During Testing.
Client shall not make material changes to systems within the testing scope during active testing windows without prior written notification to Provider. Changes to systems during active testing may affect results, cause unexpected behavior, or create conflicts with testing activities. Provider shall not be liable for inaccurate or incomplete findings attributable to changes made to in-scope systems during the testing window.
10. Data Handling and Retention
10.1 Secure Storage During Engagement.
All penetration testing data collected during the engagement, including raw test results, logs, screenshots, captured credentials, and draft reports, is stored in a restricted-access secure environment accessible only to Provider personnel and testing partners involved in the engagement. All data in transit between testing systems and Provider's storage environment is encrypted.
10.2 Retention Period.
Provider retains all engagement data, including final reports and supporting evidence, for a period of fourteen (14) calendar days following delivery of the final report to Client. At the conclusion of the fourteen (14) day retention period, all Client engagement data is permanently deleted from Provider's systems. No backups or archives are maintained beyond this period.
10.3 Client Responsibility for Record Retention.
Client is solely responsible for downloading, saving, and maintaining its own copies of all delivered reports and supporting materials within the fourteen (14) day retention window. Provider will not be able to reproduce or re-deliver reports after the retention period expires. Client is responsible for all legal, regulatory, or compliance obligations regarding retention of security assessment records.
10.4 Credential Handling.
Any credentials or authentication tokens captured during testing are used solely for the purpose of demonstrating exploitability within the authorized scope and are included in the Technical Report as evidence. Provider does not retain, store, or use captured credentials for any purpose beyond the engagement. All captured credentials are included in the data deletion process at the end of the retention period.
11. Scope Changes, Additional Locations, and Pricing Structure
11.1 Flat Rate Pricing.
Penetration testing engagements are priced on a flat rate basis as specified in the applicable Statement of Work. Flat rate pricing is based on reasonable estimates of the effort required to complete the authorized scope. Pricing is subject to the scope assumptions documented in the Rules of Engagement Exhibit.
11.2 Additional Locations.
Each Client location requiring internal network testing requires a dedicated testing device and constitutes a separate testing scope. Additional locations beyond the primary location identified in the Statement of Work are priced at the per-location rate set forth in the SOW. Additional location fees are included in the upfront payment requirement.
11.3 Scope Changes.
Any material change to the testing scope following execution of the Statement of Work — including addition of IP ranges, systems, domains, or locations — requires a written change order executed by both parties and additional payment before expanded testing begins. Provider shall not conduct out-of-scope testing without a fully executed change order and confirmed payment. If the change order results in a reduction of scope, Provider may adjust fees at its discretion.
11.4 Proposal Validity.
Testing proposals and Statement of Work pricing are valid for thirty (30) days from the date of issuance. Engagements not executed within thirty (30) days of proposal issuance must be requoted. Provider reserves the right to adjust pricing for engagements that are delayed by Client beyond ninety (90) days from the originally proposed testing window.
12. Non-Solicitation
Client agrees that it and its employees, officers, and agents will not, during the term of any engagement under this Schedule or for a period of twelve (12) months following the conclusion of the engagement, solicit, recruit, or hire as an employee or independent contractor any Simple Plan IT personnel or testing partner personnel involved in the delivery of the engagement. Publication of open positions in media of general circulation does not constitute solicitation under this section. If Client hires any such personnel in violation of this provision, Client agrees to pay Provider, within thirty (30) days of the hiring date, a placement fee equal to fifty percent (50%) of the hired individual's annual compensation at the time of departure.
13. Specific Disclaimers — Risk Assessment and Penetration Testing
13.1 No Guarantee of Complete Coverage.
Provider does not guarantee that testing activities will identify all vulnerabilities present in Client's environment. Penetration testing is conducted within defined time and scope constraints. Zero-day vulnerabilities, vulnerabilities introduced after the testing window, vulnerabilities in systems outside the authorized scope, and vulnerabilities that require specific timing or conditions to reproduce may not be identified. The absence of a finding does not mean the absence of a vulnerability.
13.2 Inherent Risk of Testing.
Client expressly acknowledges that penetration testing and vulnerability assessment activities carry inherent risks, including but not limited to temporary service disruption, system instability, unexpected application behavior, and in rare cases, unintended data modification. Provider takes reasonable precautions to minimize these risks; however, Provider is not liable for disruptions, losses, or damages arising from testing activities conducted within the authorized scope and in accordance with the Rules of Engagement Exhibit.
13.3 Point-in-Time Assessment.
Penetration testing provides a point-in-time assessment of Client's security posture based on the systems and configurations present during the testing window. The security landscape changes continuously. New vulnerabilities may be disclosed, configurations may change, and new systems may be deployed after testing concludes. Provider's findings and remediation recommendations reflect the state of Client's environment during the authorized testing window only.
13.4 Subcontractor Liability.
Testing activities performed by Provider's testing partner firms are conducted under Provider's direction and within the scope authorized by Client. Provider is responsible for selecting qualified testing partners and for directing their activities within the authorized scope. Provider is not liable for independent acts or omissions of testing partners that are outside the authorized scope or that violate Provider's instructions, subject to Provider's overall limitation of liability under the Master Services Agreement.
13.5 Supersession of Prior Terms.
This Schedule, together with the Master Services Agreement and the applicable Statement of Work and Rules of Engagement Exhibit, supersedes and replaces all prior penetration testing terms and conditions, proposals, and agreements between the parties with respect to any engagement executed on or after the effective date of this Schedule.
Schedule Version Control
| Version | Effective Date | Summary of Changes | Applies To |
|---|---|---|---|
| 1.326 | 01 January 2026 | Initial release — supersedes all prior pen testing T&Cs | All SOWs executed on or after effective date |
— End of Service Schedule C — Risk Assessment & Penetration Testing —
Service Schedule D — Project & Advisory Services
Version 1.326 | Effective Date: 01 January 2026
1. Purpose and Incorporation
This Service Schedule D ("Schedule") governs the delivery of Project and Advisory Services offered by Simple Plan IT ("Provider") that are outside the scope of Schedules A, B, and C. This Schedule provides the legal and operational framework for one-time, project-based, and discrete advisory engagements, including technology procurement and deployment, virtual Chief Information Officer (vCIO) advisory, pre-paid advisory time blocks, break/fix support, and time-and-materials engagements. This Schedule is incorporated by reference into any Statement of Work executed by Client that identifies Schedule D as applicable. Capitalized terms not defined herein have the meanings ascribed to them in the Master Services Agreement.
2. Available Service Types
| Service Type | Description | Billing Model |
|---|---|---|
| Technology Procurement & Deployment | Hardware purchase, configuration, and deployment at Client location(s) | Project — 60/25/15 or flat rate per SOW |
| Virtual CIO (vCIO) Advisory | Technology solution reviews, roadmap design, and vendor management advisory | Project — 60/25/15 or block time |
| Pre-Paid Advisory Block | Prepaid blocks of advisory and consulting hours usable across any service type | 100% upfront; 10 or 25 hour blocks |
| Break/Fix Support | Reactive technical support for select pre-approved clients only | T&M per SOW — requires Provider pre-approval |
| Incident Response Advisory | Post-incident advisory and coordination for qualifying events | T&M per SOW |
| Other Advisory Services | Standalone consulting, assessments, or advisory not covered by other Schedules | Project or T&M per SOW |
3. Technology Procurement and Deployment
3.1 Service Description.
Provider offers technology procurement and deployment services encompassing hardware selection, purchasing, configuration, and on-site or remote deployment at Client location(s). The specific products, quantities, configuration requirements, deployment locations, and acceptance criteria are defined in the applicable Statement of Work.
3.2 Procurement Models.
Provider supports two procurement models, which are identified in the applicable Statement of Work:
- Reseller Model: Provider purchases hardware at its cost, applies a margin, and invoices Client at the agreed resale price. In this model, Provider is the seller of record and has a direct commercial relationship with Client for the purchased equipment.
- Procurement Agent Model: Provider procures hardware on Client's behalf at Provider's cost. Client is invoiced separately for the equipment cost at Provider's actual acquisition cost and for Provider's labor and deployment fee. In this model, Client is the beneficial owner of the equipment from the point of purchase.
3.3 Deployment Services.
Provider's deployment services include physical installation, network configuration, integration with Client's existing infrastructure, and basic functionality testing to confirm the deployed equipment is operational. Deployment is considered complete upon Provider's written confirmation of successful deployment and Client's acknowledgment of receipt. Deployment services do not include ongoing management, monitoring, or support of deployed equipment unless separately engaged under Schedule A or another applicable Schedule.
3.4 Warranty Passthrough — Reseller Model.
Under the Reseller Model, Provider passes through all applicable manufacturer warranties to Client. Provider makes no independent warranty regarding the fitness, performance, or longevity of any hardware beyond the manufacturer's warranty terms. Client's recourse for defective equipment is limited to the applicable manufacturer warranty process. Provider will reasonably assist Client in initiating warranty claims but is not responsible for manufacturer warranty fulfillment timelines or outcomes.
3.5 Warranty Passthrough — Procurement Agent Model.
Under the Procurement Agent Model, all manufacturer warranties attach directly to Client as the beneficial owner of the equipment. Provider has no warranty obligation with respect to the procured equipment. Provider's liability is limited to errors in configuration or deployment attributable to Provider's labor, subject to the limitation of liability provisions of the Master Services Agreement.
3.6 Break/Fix Support for Deployed Equipment.
Break/fix support for hardware deployed by Provider is available on a limited basis to select pre-approved clients only. Break/fix support is not included in any deployment engagement by default and requires Provider's express written agreement in a separately executed Statement of Work. Break/fix support is billed on a time-and-materials basis at the rate set forth in the applicable SOW. Provider does not guarantee response times for break/fix support unless specific response time commitments are expressly stated in the applicable SOW.
3.7 Exclusions.
The following are expressly excluded from technology procurement and deployment services unless separately agreed in writing:
- Ongoing device management, monitoring, or patching (available under Schedule A)
- Physical infrastructure work including cabling, rack installation, or electrical work
- Manufacturer warranty fulfillment or repair services
- Software licensing procurement unless expressly included in the SOW
- Equipment disposal or decommissioning of existing hardware
- Third-party carrier or ISP coordination beyond scheduling
4. Virtual CIO (vCIO) Advisory Services
4.1 Service Description.
Provider's vCIO advisory services provide Client with strategic technology leadership and advisory support on a project or engagement basis. Provider's vCIO services are designed to assist Client's leadership in making informed technology decisions, planning for future technology needs, and managing vendor relationships. vCIO services are advisory in nature and do not constitute an employment or fiduciary relationship between Provider and Client.
4.2 Service Inclusions.
vCIO advisory engagements may include the following activities as defined in the applicable Statement of Work:
- Technology solution evaluation and vendor comparison analysis
- Technology roadmap development aligned with Client's business objectives
- Technology budget planning and spend optimization advisory
- Vendor relationship management and contract review advisory
- Participation in Client leadership meetings as technology advisor
- IT governance framework advisory and policy guidance
- Strategic cybersecurity program advisory in coordination with Schedule A services
4.3 Advisory Nature of vCIO Services.
Provider's vCIO services are advisory and consultative only. Provider does not make binding technology or purchasing decisions on Client's behalf. All final decisions regarding technology selection, vendor engagement, capital expenditure, and strategic direction rest solely with Client's leadership. Provider's recommendations, roadmaps, and analyses represent Provider's professional advisory opinion based on information available at the time of delivery and do not constitute guarantees of specific technology outcomes, cost savings, or business results.
4.4 Vendor Management Advisory.
Where Provider assists Client in managing vendor relationships, Provider's role is limited to advisory coordination and communication facilitation. Provider does not assume contractual obligations under Client's vendor agreements and is not a party to any agreement between Client and Client's technology vendors. Client remains solely responsible for all vendor contract terms, payment obligations, and dispute resolution with its vendors.
4.5 Exclusions.
The following are expressly excluded from vCIO advisory services:
- Legal review or negotiation of vendor contracts (Client should engage qualified legal counsel)
- Financial advisory, accounting, or tax planning services
- Day-to-day IT management or helpdesk support (available under Schedule A)
- Human resources advisory regarding Client's technology staff
- Execution of contracts or agreements on Client's behalf
- Guarantee of specific vendor pricing, availability, or performance outcomes
5. Pre-Paid Advisory Time Blocks
5.1 Service Description.
Provider offers pre-paid advisory time blocks that Client may purchase in advance and draw upon reactively for any advisory or consulting service within Provider's scope of practice. Time blocks provide Client with flexible access to Provider's expertise without the need to execute a new Statement of Work for each discrete advisory request. Purchase of a time block does not guarantee the availability of specific personnel or a specific response time unless expressly stated in the applicable SOW.
5.2 Available Block Sizes.
| Block Size | Intended Use | Expiration |
|---|---|---|
| 10 Hours | Suitable for discrete advisory requests, short-term project support, vendor review assistance, or supplemental support for ongoing engagements | 12 months from purchase date |
| 25 Hours | Suitable for extended advisory support, vCIO engagements, multi-phase project assistance, or sustained consulting across multiple service areas | 12 months from purchase date |
5.3 Payment and Activation.
Pre-paid time blocks require full payment of one hundred percent (100%) of the block fee prior to activation. Provider will issue an invoice upon execution of the applicable Statement of Work. The block is activated and time begins accruing toward the expiration date upon Provider's confirmation of payment receipt.
5.4 Usage and Scheduling.
Time block hours may be used reactively as Client's advisory needs arise. Client initiates use of block time by submitting a request to Provider's designated advisory contact. Provider shall make reasonable efforts to accommodate Client's scheduling requests within normal business hours. Time is tracked in increments of no less than one-quarter (0.25) hour per interaction. Provider shall provide Client with a usage summary upon request and shall notify Client when the block balance falls below five (5) remaining hours.
5.5 Expiration Policy.
All pre-paid time block hours expire twelve (12) months from the date of purchase as confirmed in the applicable Statement of Work. Unused hours at the expiration date are forfeited with no refund, credit, or rollover. Provider will use commercially reasonable efforts to provide Client with written notice of pending expiration no less than thirty (30) days prior to the expiration date.
5.6 Scope of Block Usage.
Time block hours may be applied to any advisory or consulting service within Provider's scope of practice, including but not limited to security advisory, GRC guidance, technology review, vCIO advisory, and vendor coordination. Time block hours may not be applied toward: (i) managed recurring services billed under Schedules A or B; (ii) penetration testing or risk assessment fees under Schedule C; (iii) hardware procurement costs; or (iv) any third-party vendor or tool costs.
5.7 Additional Block Purchase.
Client may purchase additional time blocks at any time by executing a new Statement of Work. Each block purchase is independent and carries its own twelve (12) month expiration date from the date of that purchase. Hours from multiple blocks are tracked separately and expire independently according to their respective purchase dates.
6. Break/Fix Support
6.1 Availability.
Break/fix support is available on a limited, pre-approved basis only. Provider does not offer break/fix support as a standard service to all clients. Eligibility for break/fix support is determined by Provider at its sole discretion and must be expressly confirmed in a Statement of Work executed prior to any break/fix services being rendered. Client may not assume break/fix support availability solely on the basis of having an active engagement under any other Schedule.
6.2 Scope.
Break/fix support covers reactive technical troubleshooting and resolution of technology issues within the scope expressly defined in the applicable Statement of Work. Break/fix support is not a managed service and does not include proactive monitoring, preventive maintenance, or service level commitments unless specifically stated in the SOW.
6.3 Billing.
Break/fix support is billed on a time-and-materials basis at the hourly rate set forth in the applicable Statement of Work. Time is tracked in increments of no less than one-quarter (0.25) hour. Travel time, if applicable, is billed at the rate stated in the SOW. Provider will invoice Client for break/fix services rendered, with payment due within fifteen (15) days of invoice in accordance with the Master Services Agreement.
6.4 No Guarantee of Outcomes.
Provider will use commercially reasonable efforts to resolve reported issues within the scope of the engagement. Provider does not guarantee resolution of all reported issues, and certain issues may require third-party vendor involvement, hardware replacement, or actions outside Provider's control. Provider's liability for break/fix engagements is subject to the limitation of liability provisions of the Master Services Agreement.
7. Incident Response Advisory — Time and Materials
7.1 Service Description.
Provider offers post-incident advisory and coordination services on a time-and-materials basis for qualifying security incidents. Incident response advisory services are available to both existing and prospective clients subject to Provider's availability and execution of a Statement of Work prior to or concurrent with commencement of services. Provider's incident response advisory role is distinct from forensic investigation services, which require engagement of a qualified forensic firm.
7.2 Scope of Advisory Services.
Provider's incident response advisory services may include:
- Initial incident triage and scoping advisory
- Coordination with Client's internal IT team and third-party vendors
- Vendor and forensic firm engagement coordination
- Communication strategy advisory for internal and external notifications
- Post-incident remediation prioritization and advisory
- Lessons-learned review and security posture recommendations
7.3 Out of Scope.
The following are expressly excluded from Provider's incident response advisory services:
- Forensic investigation, evidence collection, or chain-of-custody preservation
- Legal advice or regulatory breach notification drafting
- Technical remediation and system rebuilding (available by separate SOW)
- Ransom negotiation or cryptocurrency transaction coordination
- Insurance claim preparation or public relations services
7.4 Billing.
Incident response advisory services are billed on a time-and-materials basis. There is no minimum engagement fee. Provider will provide a good-faith estimate of expected effort prior to commencement where practicable; however, incident response engagements are inherently unpredictable in scope and duration. Client acknowledges that actual fees may exceed initial estimates. Provider will invoice Client weekly for hours rendered during active incident response engagements, with payment due within fifteen (15) days of invoice.
8. General Project Terms — All Schedule D Engagements
8.1 Statement of Work Required.
No work under this Schedule commences without an executed Statement of Work. Provider shall not be obligated to perform any service, deliver any deliverable, or incur any cost on Client's behalf under this Schedule without a fully executed SOW. Verbal authorizations, email approvals, and purchase orders do not substitute for an executed SOW unless expressly provided in a written amendment to this Schedule signed by an authorized officer of Provider.
8.2 Billing Structure.
Engagements under this Schedule are billed as follows, as specified in the applicable SOW:
- Project-Based (Milestone): Sixty percent (60%) at engagement kickoff, twenty-five percent (25%) upon completion of the milestone defined in the SOW, and fifteen percent (15%) upon final delivery.
- Flat Rate: One hundred percent (100%) as specified in the SOW, due prior to commencement or as otherwise stated.
- Pre-Paid Block: One hundred percent (100%) upfront prior to block activation.
- Time and Materials: Invoiced weekly or upon completion of the engagement as specified in the SOW, at the hourly rate stated therein.
8.3 Change Orders.
Any material change to the scope, deliverables, timeline, or fee of an engagement under this Schedule requires a written change order executed by both parties before the changed work commences. Provider is not obligated to perform out-of-scope work based on verbal direction, email instruction, or informal agreement. If Client requests work beyond the SOW scope and Provider performs such work without a change order, Client shall pay for such work at Provider's standard rates; however, Provider's practice of performing out-of-scope work without a change order in any instance does not constitute a waiver of this requirement.
8.4 Client-Caused Delays.
Engagements under this Schedule are dependent on Client's cooperation, availability of personnel, and timely provision of information, access, and approvals. If Client causes a delay of thirty (30) or more calendar days in Provider's ability to progress an engagement, Provider may: (i) invoice the next milestone payment as if the milestone had been achieved; (ii) extend the engagement timeline without penalty; (iii) both; or (iv) treat the delay as a termination for convenience by Client and invoice the applicable early termination fee under the Master Services Agreement. Provider shall provide Client with written notice before exercising any of the foregoing remedies.
8.5 Deliverable Acceptance.
Unless the applicable SOW specifies a formal acceptance process, Provider's deliverables are deemed accepted by Client ten (10) business days after delivery unless Client provides specific written objections within that period. General dissatisfaction, preference for a different approach, or disagreement with advisory recommendations does not constitute valid grounds for rejection of a deliverable. Provider will address specific, articulable deficiencies in deliverables that are inconsistent with the agreed scope.
8.6 Advisory Recommendations.
Recommendations, roadmaps, assessments, and advisory opinions delivered under this Schedule represent Provider's professional judgment based on information available at the time of delivery. Provider does not guarantee specific business outcomes, cost savings, operational improvements, or technology performance resulting from Client's implementation of Provider's recommendations. Client is solely responsible for evaluating and acting upon Provider's recommendations.
8.7 Non-Solicitation.
Client agrees that it and its employees will not, during the term of any engagement under this Schedule or for a period of twelve (12) months following conclusion of the engagement, solicit, recruit, or hire as an employee or independent contractor any Simple Plan IT personnel involved in the delivery of services under this Schedule. If Client hires any such personnel in violation of this provision, Client agrees to pay Provider a placement fee equal to fifty percent (50%) of the hired individual's annual compensation at Simple Plan IT at the time of departure, due within thirty (30) days of the hiring date.
Schedule Version Control
| Version | Effective Date | Summary of Changes | Applies To |
|---|---|---|---|
| 1.326 | 01 January 2026 | Initial release | All SOWs executed on or after effective date |
— End of Service Schedule D — Project & Advisory Services —
© Simple Plan IT. All Rights Reserved. | Incorporated by reference into all applicable Statements of Work.