aisecurity.llc
Contracts and Legal Docs
Procurement paths and signer-ready documents for AI product security assessments, adversarial testing, agentic workflow hardening, evidence handling, and buyer-ready security claims.
Procurement paths
Start from the service, then open the right documents
AI Launch Review Fast Start
The fastest path to a pre-release review. Start no-cost, move legal and procurement in parallel, and get a launch-ready review in 5–10 business days. Documents auto-populate from your scope intake.
Procurement / Legal First
Use this when vendor onboarding, NDA, and procurement must clear before scoping. No-cost scoping means confidentiality, access boundaries, and review planning — not free consulting.
AI Product Security Assessment
Use this path when a SaaS or AI-native team needs an authorized review of product architecture, AI workflows, controls, findings, and buyer-facing evidence.
Pen Test & Red Team Readiness (Fast Start)
Cobalt-style onboarding for scoped pentests, cloud reviews, authenticated/business-logic testing, and adversarial red team work. Define targets, authorization, ROE, access, evidence handling, and deliverables before active testing begins. Build the packet at /services/pen-test-red-team-readiness.
AI Red Team & Adversarial Testing
Use this path when adversarial testing, abuse-path exploration, prompt injection, agent misuse, or scenario-based validation is in scope.
Agentic Workflow Security & Hardening
Use this path when delegated actions, tools, approvals, identities, retrieval, or rollback paths need security review and hardening.
RAG / Knowledge System Review
Use this path when retrieval, embeddings, vector stores, ingestion, permissions, and tenant boundaries need review for leakage and cross-tenant exposure.
SSO / SCIM Enterprise Onboarding
Use this path when SAML/OIDC, SCIM provisioning, RBAC, deprovisioning, and auditability are becoming an enterprise deal blocker.
AI Security Sales Enablement
Use this path when the goal is buyer-ready questionnaire answers, trust-center language, evidence packs, attestation language, and claim boundaries.
AI Governance & Security Program Build
Use this path when executive AI risk needs to become controls, owners, approvals, telemetry, backlog items, and governance evidence.
Sponsorship / Research
Use this path only for sponsor-supported research, distribution, or public programs. Sponsor terms stay separate from client security delivery.
AI Launch Security Review — Launch Gate
Use this path when a pre-release AI product needs a structured release gate review: targets, testing window, abuse-path analysis, and buyer-ready findings in 5–10 business days.
Academy Enterprise Training
Use this path when buying enterprise seat access, an LMS package, private cohort delivery, or a white-label content license for AI security training.
Scanner OEM / Partner
Use this path when a scanner vendor, MSSP, or security platform partner wants to embed the SecEng AI security engine in their product. Pilot does not grant production resale rights — white-label production rights require an executed license.
Workforce Readiness Partner
Use this path when a training provider, L&D platform, or HR technology partner wants to license workforce readiness content, role taxonomy, or Q&A bank for delivery within their own programs.
Fast review
Common enterprise packet
Most enterprise reviews start with mutual NDA, SOW, assessment terms, evidence handling, and DPA if customer or personal data is in scope. Red-team work also requires rules of engagement before testing begins.
Commercial placement
Documents commonly staged into packets
Scoped Services Framework
Master services framework for discovery, product review, red-team validation, governance evidence, and paid scopes without a standing retainer.
Sponsorship Agreement
Commercial sponsorship terms with explicit research-independence and disclosure boundaries.
Mutual NDA
Mutual confidentiality protections for pre-sales, delivery, and research collaboration contexts.
Commercial Services Addendum
Converts the services framework into scoped paid work with rate card, invoicing, and activation terms.
Data Processing Addendum
Controller/processor allocation, data protection obligations, subprocessing, security measures, AI provider boundaries, and customer-data handling for scoped services.
Assessment Terms Addendum
Scope, authorization, evidence use, testing boundaries, safe harbor, retesting, reporting limitations, and reliance limits for AI product security assessments.
Statement of Work Template
Mission-specific scope, deliverables, timeline, access, assumptions, and acceptance criteria for scoped AI security engagements.
AI Red Team Rules of Engagement
Rules of engagement for authorized AI red-team validation, including targets, test windows, allowed techniques, prohibited actions, safety controls, evidence handling, escalation paths, and stop conditions.
Consultant Mission Brief
Defines specialist role, client relationship model, confidentiality, deliverables, and independence boundary for consultant-led missions.
Sponsorship Launch Addendum
Campaign schedule, sponsor assets, labeling, approval process, and launch deliverables.
Security Operations Schedule
Operational control schedule for authorized AI security work, covering access, credentials, logging, AI/ML testing boundaries, incident handling, evidence retention, and client escalation.
Evidence Handling Policy
How aisecurity.llc collects, protects, uses, redacts, retains, and shares security evidence across scoping, assessments, red-team work, generated packets, and buyer-ready deliverables.
Publication & Claim-Readiness Policy
Claim-readiness criteria for public research, trust pages, scorecards, attestations, sponsor materials, security review outputs, and buyer-facing evidence.
Data Retention & Redaction Policy
How aisecurity.llc retains, redacts, returns, and deletes platform records, scoping data, evidence, packets, billing records, and operational logs across customer and engagement workflows.
How to use these docs
What the documents do and do not do
They authorize scoped work
SOWs, assessment terms, and ROE documents define systems, access, test windows, allowed techniques, escalation paths, deliverables, and stop conditions.
They govern evidence
Evidence handling and retention policies define what may be collected, how sensitive material is redacted, who can access it, and when it is deleted.
They limit public claims
Claim-readiness rules distinguish public-ready language from caveated, internal-only, and do-not-claim statements. Attestations are not formal certifications.
Core
Core agreements
No-Cost Scoping Retainer
Pre-engagement scoping: $0 fees, no obligation, NDA path, access boundaries, and a draft review plan before any paid work. Converts to a paid SOW only after approval.
AI Launch Security Review SOW
Scoped statement of work for the pre-release AI Launch Security Review — first findings in 5 business days, launch-ready review in 5–10. Auto-populated from your scope intake.
Scoped Services Framework
Master services framework for discovery, product review, red-team validation, governance evidence, and paid scopes without a standing retainer.
Sponsorship Agreement
Commercial sponsorship terms with explicit research-independence and disclosure boundaries.
Mutual NDA
Mutual confidentiality protections for pre-sales, delivery, and research collaboration contexts.
Statement of Work Template
Mission-specific scope, deliverables, timeline, access, assumptions, and acceptance criteria for scoped AI security engagements.
Launch Gate Statement of Work
Scope template for the AI Launch Security Review: targets, testing window, deliverables (Launch Risk Memo, Abuse-Path Findings, Release Gate Checklist, Sprint Backlog, Buyer Evidence Summary), retesting terms, and 50/50 payment schedule.
Academy Enterprise Training Terms
Enterprise seat access, materials rights, LMS package terms, private cohort conditions, completion records, data handling, acceptable use, support, and claim boundaries for AI security academy training.
Scanner Provider Pilot SOW
30-day OEM pilot scope for scanner vendors: integration path, success criteria, support boundaries, usage credits, and conversion path to production OEM license.
Annual OEM License Order Form
Annual OEM license order form: partner details, licensed modules, seat/org counts, pricing schedule, payment terms, and effective date.
Workforce Content License Agreement
Content licensing terms for workforce readiness programs: permitted uses, role-taxonomy rights, Q&A bank access, white-label conditions, sublicensing limits, and claim boundaries.
Workforce Partner Pilot SOW
Pilot engagement scope for workforce readiness partners: delivery scope, cohort configuration, success criteria, data handling, support terms, and production conversion path.
Workforce Platform Order Form
Order form for workforce platform access: organization details, seat counts, licensed modules, pricing, and effective date.
Addendum
Commercial addenda and authorization
Commercial Services Addendum
Converts the services framework into scoped paid work with rate card, invoicing, and activation terms.
Data Processing Addendum
Controller/processor allocation, data protection obligations, subprocessing, security measures, AI provider boundaries, and customer-data handling for scoped services.
Assessment Terms Addendum
Scope, authorization, evidence use, testing boundaries, safe harbor, retesting, reporting limitations, and reliance limits for AI product security assessments.
AI Red Team Rules of Engagement
Rules of engagement for authorized AI red-team validation, including targets, test windows, allowed techniques, prohibited actions, safety controls, evidence handling, escalation paths, and stop conditions.
Penetration Test & Red Team Rules of Engagement
Rules of engagement for scoped penetration testing and adversarial red team work — authorization, targets, allowed and prohibited techniques, testing window, access plan, evidence handling, emergency stop, and reporting. Covers web/API, cloud, authenticated, business-logic, and AI/agentic testing.
Cloud Testing Boundary Addendum
Bounds cloud/infrastructure testing — separates customer-owned active testing targets from configuration-review targets and from provider infrastructure, with account/region scope, access model, and provider-rules responsibility.
Special Approval Addendum
Explicit authorization gate for high-impact activities (DoS/stress, phishing, social engineering, physical, malware/C2, third-party/shared-tenant). Excluded from standard scope unless signed here and separately approved.
Agentic Workflow ROE Addendum
Bounds testing of tool-using agents and automated workflows — tools/actions in scope, authorized adversarial techniques, action boundaries, rollback, persistence prohibition, and audit-gap reporting.
Consultant Mission Brief
Defines specialist role, client relationship model, confidentiality, deliverables, and independence boundary for consultant-led missions.
Sponsorship Launch Addendum
Campaign schedule, sponsor assets, labeling, approval process, and launch deliverables.
Launch Gate Assessment Terms Addendum
Authorized scope, safe harbor, reliance limits, and claim caveats for pre-release AI Launch Security Reviews. Required for all launch-gate engagements.
Academy LMS Package Addendum
LMS delivery rights, seat limits, SCORM 1.2 preview status, modification restrictions, branding, reporting, update obligations, and expiration for enterprise LMS deployments.
Academy Content License Addendum
Licensed content definition, permitted use, white-label rights, sublicensing limits, prohibited uses, IP ownership, claim boundaries, and wind-down terms for enterprise content licensing.
OEM Scanner License Addendum
Technical licensing terms for scanner OEM embeddings: permitted use, redistribution scope, white-label rights, customer-org tracking, usage credit reconciliation, and production license requirements.
Policy
Operational trust policies
Security Operations Schedule
Operational control schedule for authorized AI security work, covering access, credentials, logging, AI/ML testing boundaries, incident handling, evidence retention, and client escalation.
Evidence Handling Policy
How aisecurity.llc collects, protects, uses, redacts, retains, and shares security evidence across scoping, assessments, red-team work, generated packets, and buyer-ready deliverables.
Publication & Claim-Readiness Policy
Claim-readiness criteria for public research, trust pages, scorecards, attestations, sponsor materials, security review outputs, and buyer-facing evidence.
Data Retention & Redaction Policy
How aisecurity.llc retains, redacts, returns, and deletes platform records, scoping data, evidence, packets, billing records, and operational logs across customer and engagement workflows.
Launch Gate Evidence Handling Policy
Evidence handling, retention schedule, destruction obligations, and redaction requirements for launch-gate review evidence. Governs working notes, correspondence, and system artifacts.
Academy Credential & Completion Policy
What Academy course completion badges and records mean — and explicitly do not mean. Not product-security certification, employment qualification, SOC 2, ISO, or compliance attestation.
Post-engagement deliverables
Security Review Attestations and evidence packs
After a completed scoped engagement, we may issue a public-safe attestation or evidence pack describing what was reviewed, which services were performed, what evidence was available, and what result level was observed within that scope. It is designed for buyer enablement, procurement review, and investor communication, not as a formal audit, certification, warranty, or guarantee of future security.
Contact
Request or negotiate a document
To request a negotiated version, initiate a signing workflow, or ask questions about any of these documents, contact hello@davidwolf.org.
Documents are templates or negotiation drafts until completed, reviewed, and executed by the relevant parties. They are provided for business workflow purposes and do not constitute legal advice.