Product Specific Terms
The Product Specific Terms (“Product Specific Terms”) form part of the existing executed agreement between Customer and Synack or, in the absence of an agreement, the Synack terms and conditions (found here: https://www.synack.com/master-service-agreement) (the “Agreement”). Capitalized terms used but not defined in this Addendum shall have the meanings ascribed to them in the Agreement. To the extent there is any conflict between the Product Specific Terms and the Agreement, the Product Specific Terms govern.
1. AI-SPECIFIC PROVISIONS. The following terms apply if a Customer purchases AI Services or redeems Synack Credits for AI Services and the underlying Agreement does not contain AI-specific terms:
1.1. Definitions.
1.1.1. “Agentic AI Services” means goal-oriented AI systems or workflows that perform actions or tasks on behalf of Customer in a supervised or autonomous manner that Customer may create, orchestrate, or initiate within an AI Service. For example, Sara is an Agentic AI Service.
1.1.2. “AI Services” means Synack Services that are designated as “Artificial Intelligence” or “AI” in the service name or description. AI Services includes without limitation all Agentic AI Services.
1.1.3. “Generated Output” means the data or content generated by an AI Service as a result of processing, analyzing or interacting with Customer Materials.
1.1.4. “Exploitation Activities” means the actions undertaken by Synack Personnel or Agentic AI Services, upon explicit Customer authorization in a Work Order, to attempt to confirm, demonstrate, or leverage identified Vulnerabilities within Customer Materials using known exploit scripts or techniques for the sole purpose of validating the existence and potential impact of such Vulnerabilities.
1.1.5. “Synack Autonomous Red Agent” or “Sara” means the Synack Agentic AI Service that is specifically designed to assist with the Exploitation Activities.
1.2. Customer Restrictions.
1.2.1. Customer shall not (and shall not permit any user or any third party to) use any AI Services for the following purposes: (i) for intentional disinformation or deception; (ii) in violation of Privacy and Security Laws; (iii) to harass, harm, or encourage the harm of individuals or specific groups; or (iv) to intentionally circumvent safety filters and functionality or prompt models to act in a manner that violates this Agreement.
1.2.2. Customer shall not: (i) use AI Services or the Synack Platform to generate, disseminate, or deploy malware, ransomware, or any other malicious code, or to intentionally disrupt, damage, or exfiltrate data from any system; (ii) use AI Services, Generated Output, or the Synack Platform for the purpose of benchmarking, model extraction, reverse engineering, or developing competing products or services; (iii) attempt to circumvent, disable, or interfere with any security or usage controls, rate limits, or technical restrictions implemented in the AI Services or Synack Platform; or (iv) permit any third party to access or use the AI Services or the Synack Platform except as expressly authorized by Synack in writing.
1.3. Customer Acknowledgments. Customer acknowledges that AI Services may produce the same or similar Generated Output for multiple customers.
1.4. Customer Responsibilities for Agentic AI Services. Customer is solely responsible for: (a) the actions and tasks performed by an Agentic AI Service within the agreed upon scope; (b) determining whether the use of an Agentic AI Service is fit for its use case; (c) authorizing an Agentic AI Service’s access and connection to data, applications, and systems; and (d) exercising judgment and supervision when and if an Agentic AI Service is used in production environments to avoid any potential harm the Agentic AI Service may cause. The actions or tasks that an Agentic AI Service performs are not Generated Output.
1.5. Exploitation Activities. Where a Work Order includes Exploitation Activities, Customer acknowledges and agrees to the following:
1.5.1. Customer shall be solely responsible for configuring, preparing and securing the target environments (including all systems and networks), including by ensuring appropriate backups are in place prior to any Exploitation Activities.
1.5.2. Customer understands and accepts the inherent risks of performing Exploitation Activities, which may include, without limitation, unintended system disruption, downtime, data corruption or loss, or other adverse impacts on Customer’s systems. Customer assumes responsibility and liability for any such impacts to its systems or any third party systems arising from the performance of the explicitly authorized Exploitation Activities, except to the extent caused by Synack’s gross negligence, willful misconduct, or material breach of Synack’s obligations to conduct activities within the scope of Exploitation Activities set forth in the Work Order.
1.5.3. Customer will clearly define and limit the scope of Exploitation Activities in the applicable Work Order, through the Synack Platform, or in other mutually agreed upon written documentation. The documented scope will include: specific target IP addresses, URLs, systems, and permitted methods. Customer is responsible for the accuracy and completeness of all such provided scope information.
1.5.4. Prior to instructing Synack to commence the Exploitation Activities, Customer will ensure that it has obtained all necessary permissions, including all permissions required by law, with respect to the performance of the Exploitation Activities, including permissions to perform the Exploitation Activities from the asset owner with respect to third party systems (if applicable). Customer will be solely responsible for any failure to obtain such permissions.
1.6. Warranties and Disclaimers. Customer acknowledges that the AI Services are probabilistic in nature and may generate inaccurate, incomplete or inappropriate content or may fail to identify all vulnerabilities. Further, Customer acknowledges that while Synack exercises reasonable care in developing and deploying AI Services, Exploitation Activities involve inherent risks and may cause unintended effects, including but not limited to system disruption, malfunction or data loss. Customer’s use of AI Services and reliance on any output generated by AI Services or the results of any Exploitation Activities is at Customer’s sole risk.
1.7. Indemnification. Customer shall defend, indemnify, and save harmless Synack and its officers, directors, employees, Synack Personnel, agents and representatives from and against any and all damages, liabilities, losses and other costs (including without limitation reasonable attorneys’ fees) relating to any claim, demand, suit, or any other proceeding brought by a third party against Synack arising from: (a) the testing of any breach of Customer Materials owned or controlled by a third party, including, without limitation, any claim arising from Customer’s failure to obtain the necessary permissions for such testing as required by Section 5.4; or any Claim seeking damages against Synack in excess of the limitations of liability set forth in the Agreement; or (b) Customer’s misuse or unauthorized use of any Agentic AI Services.
2. BETA SERVICES. The following terms apply if a Customer purchases or receives Beta Services:
2.1. Definition. “Beta Services” means Synack Services that are designated as alpha, beta, preview, early access, or evaluation (or similar designation) in the Service name or description.
2.2. Acknowledgement. Customer acknowledges and agrees that: (i) Beta Services may not be complete or fully functional; (ii) Beta Services may contain errors, design flaws or other problems; (iii) Beta Services may generate unpredictable or unexpected results; (iv) Beta Services may be modified or discontinued at any time with or without notice; and (v) Synack makes no representations, promises or guarantees that Beta Services will be released as a general availability product or service.
2.3. Use & Safeguards. Customer understands that its use of Beta Services is entirely at its own risk. Customer should not rely on Beta Services for any production, security-critical, or business-critical purposes. Customer is solely responsible for determining whether Beta Services are appropriate for its environment and use case. Customer shall implement appropriate safeguards and testing protocols when using Beta Services, including but not limited to: (i) testing in isolated environments before any production use; (ii) maintaining backup systems and data; (iii) implementing additional monitoring during Beta Services use; and (iv) establishing rollback procedures in case of Beta Services failure or malfunction.
2.4. Feedback. Synack may collect feedback, usage data, and performance metrics related to Customer’s use of Beta Services. Customer agrees to provide reasonable feedback on Beta Services when requested by Synack.
3. SYNACK CREDITS. The following terms apply if a Customer purchases or receives Synack Credits:
3.1. Definition. “Synack Credits” are issued by Synack and are identified as “Credits” or “Synack Credits” in order documentation.
3.2. Redemption. To the extent Customer has purchased Synack Credits in a Work Order, such Synack Credits will be promptly credited to the Customer Account and will be redeemable for the Synack Services described in the catalog published within the Synack Platform or such other site as indicated by Synack (the “Synack Catalog”). The Synack Services and the number of Synack Credits required to redeem Synack Services set forth in the Synack Catalog may change at any time. Synack Credits may only be redeemed for the Synack Services listed in the Synack Catalog. Synack Credits have no cash value, are non-transferable and non-refundable. All Synack Credits are valid only during the Subscription Period defined in the Work Order in which they were purchased. Synack Credits will expire upon the earlier of the end of the applicable Subscription Period or the termination of the Agreement unless used prior to such expiration or termination.
4. SCOPE. The Customer Product(s) to be tested under each Synack Service will be limited according to the asset types and scope specified in the applicable service description. Customer may select the Customer Product for testing, and each Customer Product selected is subject to approval by Synack.
5. FEDRAMP. The following terms apply to FedRAMP Customers:
5.1. Definition. “FedRAMP Customer” means any Customer using Synack’s FedRAMP cloud environment as part of the Synack Services.
5.2. FedRAMP. Non-federal Customers who purchase FedRAMP Synack Services will be required to enter into a FedRAMP addendum to be provided by Synack prior to the commencement of such use. FedRAMP Customers must notify and receive prior approval from Synack for third party functions, ports, protocols, and services intended for organizational use. The only integrations the FedRAMP Customer may use in Synack’s FedRAMP cloud environment are those integrations provided by Synack. Further, these integrations may only integrate with environments which are hosted by FedRAMP authorized cloud providers or self-hosted by the FedRAMP Customer which adhere to the NIST SP 800-53 compliance standards. FedRAMP Customers must notify Synack prior to making any changes that will cause any previously approved integrations to no longer adhere to the NIST SP 800-53 compliance standards.
Last Updated: October 27, 2025


