aisecurity.llc — legal document
$0 Services Retainer
Master services framework set at $0 baseline with scoping, governance, and engagement controls.
Purpose
1.1 This Zero-Dollar Services Retainer ("Agreement") establishes a master services framework between [CLIENT_LEGAL_NAME] ("Client") and aisecurity.llc ("Provider").
1.2 This Agreement creates no minimum spend, no prepaid retainer, no obligation to purchase services, and no obligation for Provider to begin billable work unless a separate signed Statement of Work, Retainer Billing Addendum, change order, or written authorization expressly activates paid services.
1.3 The parties may use this Agreement as the governing framework for future AI security engineering, advisory, research, assessment, governance, claim-readiness, skills validation, private benchmark, and operating model services.
Definitions
2.1 "Agreement" means this Zero-Dollar Services Retainer and any signed Statement of Work, Retainer Billing Addendum, schedule, change order, or exhibit that references it.
2.2 "Services" means the professional services expressly authorized under a signed Statement of Work, Billing Addendum, change order, or other written authorization issued under this Agreement.
2.3 "Deliverables" means the reports, memoranda, templates, diagrams, findings, recommendations, code, configurations, playbooks, assessments, workshops, or other work product expressly identified in an applicable Statement of Work.
2.4 "Client Materials" means information, credentials, systems, documents, data, prompts, logs, artifacts, job descriptions, policies, records, software, and other materials provided by Client for use in connection with Services.
2.5 "Provider Materials" means Provider's pre-existing tools, templates, frameworks, methods, research structures, scoring concepts, code libraries, documentation patterns, know-how, and intellectual property created independently of this Agreement.
2.6 "Confidential Information" means non-public information disclosed by one party to the other, marked or reasonably understood to be confidential, including security findings, pricing, system details, vulnerability information, benchmark outputs, and Client Materials.
2.7 "Statement of Work" or "SOW" means a written document signed by both parties that specifies the scope, timeline, fees, deliverables, acceptance criteria, and any special terms for a discrete engagement.
Zero-Dollar Baseline
3.1 The baseline commitment value of this Agreement is zero dollars ($0).
3.2 No fees, costs, or expenses are due from Client unless paid services are expressly activated by a written instrument meeting the requirements of Section 4.
3.3 This Agreement does not reserve Provider's availability, guarantee response times, create any exclusivity, impose any minimum purchase obligation, or obligate Provider to begin work without proper activation.
Activation of Paid Services
4.1 Paid services are activated only by execution of one or more of the following:
- a fully executed Statement of Work;
- a fully executed Retainer Billing Addendum;
- a signed change order modifying an existing activated engagement;
- a written authorization that specifies scope, deliverables, rates, invoice cadence, and acceptance criteria; or
- another written instrument signed by authorized representatives of both parties that expressly references this Agreement and activates billable work.
4.2 Provider has no obligation to begin work until an activating instrument is fully executed. Provider may decline to begin work if the activation requirements in Section 4.1 are not satisfied.
4.3 In the event of conflict between this Agreement and an activated Statement of Work or addendum, the later-signed, more-specific document controls for that engagement only. All non-conflicting terms of this Agreement remain in effect.
Scope of Services
5.1 Services that may be performed under this Agreement include, without limitation: AI security engineering advisory; LLM application security review; agentic system threat modeling; secure RAG architecture review; model supply-chain assessment; AI red-team planning and facilitation; governance evidence design; claim-readiness review; private benchmark analysis; AI incident response planning; security operations design; and related work.
5.2 Unless an applicable Statement of Work expressly states otherwise, Services are advisory and engineering support. Services do not constitute legal advice, regulated audit opinions, investment advice, psychological or clinical assessment, hiring decisions, or compliance certification.
5.3 Where Provider's work intersects with areas requiring licensed professional services, Provider will identify those areas and recommend that Client seek appropriate licensed counsel.
Client Responsibilities
6.1 Client will provide timely access, accurate information, appropriate cooperation, subject-matter contacts, and any approvals or authorizations required for Provider to perform Services.
6.2 Client is responsible for maintaining data backups, production controls, change management approvals, user notices, third-party permissions, legal bases for any data processing, and internal governance approvals.
6.3 Client will not provide regulated, sensitive, or highly restricted information unless it is necessary for the authorized scope and Client has obtained any required approvals.
6.4 Client will ensure that testing authorization covers all systems, domains, APIs, models, agents, datasets, accounts, and third-party environments within scope before testing begins. Client remains solely responsible for obtaining any third-party authorizations required for Provider to act within scope.
6.5 Delays caused by Client's failure to provide required access, approvals, or materials may extend timelines and do not reduce Client's payment obligations for work completed.
Provider Responsibilities
7.1 Provider will perform authorized Services in a professional and workmanlike manner consistent with generally accepted practices in the AI security engineering field.
7.2 Provider will use commercially reasonable efforts to preserve confidentiality, minimize operational disruption, and operate within agreed testing boundaries and scope limitations.
7.3 Provider will promptly communicate material limitations, assumptions, blockers, and dependencies discovered during performance that may affect delivery, scope, or quality.
7.4 Provider may rely on information supplied by Client and is not responsible for errors, omissions, or deficiencies in Services arising from inaccurate, incomplete, or materially delayed Client Materials.
Deliverables and Acceptance
8.1 Deliverables will be identified in the applicable Statement of Work or written authorization.
8.2 Unless otherwise stated in the applicable instrument, Deliverables are accepted upon delivery except for material nonconformity reported by Client in writing within [ACCEPTANCE_REVIEW_DAYS] days of delivery.
8.3 A "material nonconformity" means a substantial failure of a Deliverable to meet the acceptance criteria or scope expressly stated in the applicable Statement of Work. Disagreement with Provider's recommendations, risk ratings, or conclusions does not constitute a material nonconformity.
8.4 Provider will use commercially reasonable efforts to correct timely-reported material nonconformities within the agreed scope at no additional charge.
Fees and Payment
9.1 No fees are due under this Agreement unless paid services are activated pursuant to Section 4.
9.2 All fee structures, hourly rates, minimum time increments, invoice schedules, expense policies, late fee terms, and acceptance procedures will be specified in the applicable Statement of Work, Retainer Billing Addendum, or change order.
9.3 Provider may suspend Services for non-payment of undisputed invoices consistent with the terms of the applicable paid-services instrument.
Intellectual Property
10.1 Client retains all right, title, and interest in Client Materials.
10.2 Provider retains all right, title, and interest in Provider Materials, including pre-existing and independently developed methods, templates, frameworks, research structures, scoring systems, tools, know-how, and any background intellectual property.
10.3 Upon full payment of all applicable fees for an engagement, Provider grants Client a non-exclusive, royalty-free, perpetual, non-transferable license to use and reproduce Deliverables for Client's internal business purposes. This license does not include the right to sublicense, resell, or commercially exploit Deliverables.
10.4 If Client requires ownership of specific Deliverables rather than a license, the parties must expressly agree to an assignment in the applicable Statement of Work. In that case, Provider retains a perpetual, royalty-free, non-exclusive license to any residual know-how and methods embodied in the assigned Deliverables.
10.5 Provider may use and apply general knowledge, skills, methodologies, techniques, and non-identifying lessons learned during Services, provided Provider does not disclose Client Confidential Information.
Confidentiality
11.1 Each party may disclose Confidential Information to the other. The receiving party will: (a) use Confidential Information only to perform or receive Services; (b) protect it with at least reasonable care, but not less care than it uses to protect its own confidential information of similar sensitivity; and (c) restrict disclosure to employees, contractors, and advisors who need to know it and are bound by obligations at least as protective as this Section.
11.2 Confidential Information does not include information that: (a) is or becomes publicly available through no act of the receiving party; (b) was known without restriction before disclosure; (c) is independently developed without reference to the disclosing party's information; or (d) is lawfully received from a third party without restriction.
11.3 A party may disclose Confidential Information required by law, court order, or regulatory process, provided it gives the other party prompt advance notice (to the extent legally permitted) and cooperates with efforts to limit the disclosure.
11.4 Confidentiality obligations survive for [CONFIDENTIALITY_SURVIVAL_YEARS] years after termination, except that trade secrets remain protected as long as they qualify as trade secrets under applicable law.
Security and Access
12.1 Client will grant only the access necessary for the authorized scope. Provider will not request, use, or retain access beyond what the authorized scope requires.
12.2 Provider will apply reasonable safeguards to Client access credentials, evidence artifacts, logs, and work materials, and will store them in access-controlled environments.
12.3 Unless otherwise agreed in a Statement of Work, Provider will not retain production credentials, privileged tokens, or system access after completion of the applicable scope.
12.4 Provider will promptly notify Client of any known or reasonably suspected unauthorized access to Client Materials or systems discovered in connection with Services.
Research and Output Caveats
13.1 Where Services include job-description intelligence, public hiring signal analysis, aggregate benchmark work, or claim-readiness review, Provider's outputs are directional, informational, and based on publicly available signals.
13.2 Job-description intelligence reflects aggregate role-language evidence, not proof of any individual organization's internal security maturity.
13.3 Any psychometric or assessment outputs are role-language evidence and are not diagnosis, clinical assessment, employee evaluation, medical inference, or hiring recommendation.
13.4 Provider will avoid accusatory company-level language unless expressly authorized and supported by verified evidence agreed upon in writing.
Warranties and Disclaimers
14.1 Each party represents and warrants that: (a) it has full authority to enter into this Agreement; (b) this Agreement does not conflict with any other obligation; and (c) it will comply with applicable laws.
14.2 Provider warrants that authorized Services will be performed in a professional and workmanlike manner.
14.3 Provider does not warrant that Services will identify every vulnerability, risk, compliance gap, attack vector, defect, or issue. Security assessments are point-in-time and based on information available at the time of delivery.
14.4 Except as expressly stated, Services and Deliverables are provided without implied warranties, including merchantability, fitness for a particular purpose, and non-infringement, to the maximum extent permitted by applicable law.
Indemnification
15.1 Each party will defend, indemnify, and hold harmless the other party from third-party claims arising from its own: (a) material breach of this Agreement; (b) gross negligence or willful misconduct; or (c) infringement of a third party's intellectual property rights through materials it provides under this Agreement.
15.2 Indemnification is conditioned on: (a) prompt written notice of the claim; (b) the indemnifying party having sole control of the defense and settlement; and (c) the indemnified party providing reasonable cooperation at the indemnifying party's expense.
15.3 Neither party will settle any claim that imposes obligations or restrictions on the other without prior written consent.
Limitation of Liability
16.1 Neither party will be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, lost revenue, or loss of goodwill, even if advised of the possibility of such damages.
16.2 Each party's total aggregate liability under this Agreement and all activating instruments will not exceed the total fees paid or payable during the twelve (12) months before the event giving rise to liability.
16.3 The limitations in Sections 16.1 and 16.2 do not apply to: (a) payment obligations; (b) indemnification obligations; (c) breaches of confidentiality; or (d) liability that cannot be excluded under applicable law.
Non-Solicitation
17.1 During the term of any active Statement of Work and for twelve (12) months after its completion, each party will not, directly or indirectly, solicit for employment or engage as an independent contractor any individual who: (a) is an employee or contractor of the other party; and (b) was materially involved in the performance of Services under this Agreement.
17.2 General job postings not targeted at specific individuals do not violate this Section.
Term and Termination
18.1 This Agreement begins on the Effective Date and continues until terminated.
18.2 Either party may terminate this Agreement for convenience on [TERMINATION_NOTICE_DAYS] days' written notice, provided no active Statement of Work is in progress, or the parties agree to orderly wind-down of any active work.
18.3 Either party may terminate this Agreement for material breach if the breach is not cured within [CURE_PERIOD_DAYS] days after written notice describing the breach in reasonable detail.
18.4 Termination of this Agreement does not affect: (a) accrued payment obligations; (b) active Statements of Work (which continue under their own terms unless separately terminated); (c) confidentiality obligations; (d) IP rights and licenses; or (e) any provision that by its nature survives termination.
Governing Law and Disputes
19.1 This Agreement is governed by the laws of [GOVERNING_LAW], without regard to conflict-of-law provisions.
19.2 The parties will first attempt to resolve any dispute through good-faith negotiation between senior representatives within thirty (30) days of written notice of the dispute.
19.3 If negotiation fails, disputes will be resolved in [DISPUTE_VENUE].
19.4 Either party may seek emergency injunctive or equitable relief in any court of competent jurisdiction to prevent irreparable harm, without waiving the right to proceed under Section 19.3.
General Provisions
20.1 Independent Contractor. Provider is an independent contractor. Nothing in this Agreement creates an employment, agency, partnership, joint venture, or fiduciary relationship. Provider's personnel are not Client's employees and are not entitled to Client's benefits, workers' compensation, or employment law protections.
20.2 Force Majeure. Neither party is liable for failure or delay caused by circumstances beyond its reasonable control, including natural disasters, government actions, infrastructure failures, labor disputes, or cyberattacks, provided the affected party gives prompt written notice and uses reasonable efforts to mitigate the impact.
20.3 Assignment. Neither party may assign this Agreement without the other party's prior written consent, except to an affiliate or successor in a merger, acquisition, or sale of substantially all assets. Any prohibited assignment is void. This Agreement binds permitted successors and assigns.
20.4 Waiver. Failure to enforce any right or provision is not a waiver. Waivers must be in writing and signed by the waiving party.
20.5 Entire Agreement. This Agreement, together with any executed Statements of Work and exhibits, is the entire agreement between the parties regarding its subject matter and supersedes all prior discussions, proposals, and understandings.
20.6 Amendments. Amendments require a written instrument signed by authorized representatives of both parties.
20.7 Severability. If any provision is unenforceable, the remaining provisions continue in force. The unenforceable provision will be modified to the minimum extent necessary to be enforceable.
20.8 Counterparts and Electronic Signatures. This Agreement may be executed in counterparts. Electronic signatures have the same legal effect as handwritten signatures.
Signature Blocks
Provider: aisecurity.llc
Signature: _______________________________
Date: _______________________________
Name: David Wolf
Title: Principal
Client: [CLIENT_LEGAL_NAME]
Signature: _______________________________
Date: _______________________________
Name: [CLIENT_AUTHORIZED_SIGNATORY_NAME]
Title: [CLIENT_AUTHORIZED_SIGNATORY_TITLE]