
AppPulse — Authorization to Audit

Version: 1.0
Last updated: May 7, 2026

This is the explicit authorization document customers agree to before any scan runs. It's a separate artifact from the Terms of Service so it can be signed independently for enterprise customers, attached to agency engagements, or surfaced as a click-to-accept on the intake form.


Authorization to Conduct Application Audit

Customer: [Customer legal name and address]
AppPulse: Malon Global Tech LLC, Delaware, USA (operating apppulse.net)
Audit Scope: As defined in the order/intake form
Authorization Date: [Date]


1. Express Authorization

The Customer named above ("Customer") hereby expressly authorizes AppPulse and its authorized personnel and automated systems to conduct non-destructive security, performance, cost, and quality audits of the application(s), repository(ies), and infrastructure listed in the order/intake form (the "Target").

This authorization is granted specifically for the purpose of fulfilling the audit Customer has ordered and includes:

(a) Network-level reconnaissance of the Target's public-facing endpoints;

(b) Inspection of client-side code, public assets, and HTTP responses of the Target;

(c) Source code review via the AppPulse GitHub App with read-only repository access (or equivalent CLI-based local processing);

(d) Database introspection via a read-only Postgres role (or equivalent), limited to schema, policies, and findings — not bulk data export;

(e) Authentication and authorization flow testing using test credentials provided by Customer for a throwaway test account;

(f) Automated scanning using industry-standard tools including Lighthouse, Semgrep, gitleaks, trufflehog, npm audit, MobSF (mobile binaries via CLI), and similar tools;

(g) AI-feature testing (for AI-Feature Safety Audits) including prompt injection attempts and PII leak testing on user-facing AI surfaces;

(h) Cost analysis review of cloud billing dashboards (read-only) when Cost Optimization Audit is ordered.


2. Customer Representations

The Customer represents and warrants that:

(a) Customer owns the Target, OR

(b) Customer has explicit authority from the rightful owner to authorize this audit, AND

(c) Customer has all necessary internal approvals (board, employer, partner consent) to authorize this audit, AND

(d) The audit will not violate any applicable contract, license, terms of service, or law.

Customer agrees to indemnify and hold AppPulse harmless from any third-party claim arising from a misrepresentation in this Section.


3. AppPulse Commitments

AppPulse commits to:

(a) Conduct only non-destructive testing. AppPulse will NOT perform:

  • Denial-of-service or load testing
  • Data destruction, modification, or exfiltration beyond audit findings
  • Active exploitation that could disrupt service
  • Social engineering of Customer's employees
  • Physical security testing
  • Testing of third-party services or infrastructure not owned by Customer

(b) Limit access to the minimum necessary to perform the audit.

(c) Not persist source code beyond the duration of the scan. Source code accessed via GitHub App is processed in an ephemeral sandbox and deleted upon scan completion.

(d) Not share findings or audit data with third parties except per the Terms of Service and Privacy Policy.

(e) Anonymize any findings before publishing on the public AppPulse Findings Feed (with Customer opt-out available within 30 days of delivery).

(f) Comply with applicable data protection laws including GDPR, UK GDPR, and CCPA.


4. Authorized Targets

The following Target(s) are authorized for audit under this agreement:

Application URL(s):       _______________________________________
Repository URL(s):        _______________________________________
Database identifier:      _______________________________________
Mobile app(s) identifier: _______________________________________
Other:                    _______________________________________

Audit activities are explicitly NOT authorized on any other URL, repository, database, or system not listed above.


5. Personnel Authorized

The following AppPulse personnel and systems are authorized to access the Target:

  • AppPulse automated scanning systems and Sub-Processors as listed in the Privacy Policy
  • AppPulse reviewers assigned to this audit (named in delivery email)
  • AppPulse senior leadership for quality review purposes

All AppPulse personnel are bound by confidentiality obligations.


6. Time Window

This authorization is valid for the audit window specified in the order, plus a 14-day extension for any necessary follow-up verification or re-scan included in the order.

For Continuous Monitoring subscribers, this authorization renews automatically each billing period for as long as the subscription remains active.

Customer may revoke this authorization at any time by:

Revocation takes effect immediately. Any scan in progress at the time of revocation will be halted; partial findings already delivered remain the property of the Customer.


7. Scope Limitations

Customer acknowledges that:

(a) An audit identifies issues observable at the time of testing using AppPulse's methodology and tools. It does not guarantee the absence of all vulnerabilities, performance issues, or cost inefficiencies.

(b) AppPulse is not liable for issues that exist but were not detected, or for issues introduced after audit delivery.

(c) Implementation of remediation is the Customer's responsibility. AppPulse does not implement fixes.

(d) The Customer is responsible for verifying that remediation does not introduce new issues.


8. Customer Responsibilities

Customer agrees to:

(a) Provide accurate Target information (URLs, repos, DB connection strings)

(b) Grant access in a timely manner (within 14 days of order, per Service Activation Policy)

(c) Use throwaway test credentials, NOT real user credentials, for authenticated audit access

(d) Notify AppPulse if any Special Categories of Personal Data (health, biometric, etc.) are present in the Target

(e) Disclose any prior known vulnerabilities, ongoing incidents, or active investigations that could affect audit interpretation

(f) Maintain backups before granting access (a non-destructive audit cannot harm data, but defense-in-depth is good practice)


9. Confidentiality

Both parties agree to maintain confidentiality of:

  • Findings and audit reports
  • Customer's source code, database contents, and infrastructure details observed during the audit
  • The fact that an audit is in progress (until Customer chooses to disclose, e.g., via Verified badge)

Confidentiality obligations survive termination for three (3) years.


10. Acknowledgment and Signature

By accepting this Authorization (via signature, click-to-accept on the intake form, or by granting access in response to an audit order), Customer affirms that:

  • All representations in Section 2 are true and accurate
  • Customer has read and understood this Authorization
  • Customer has authority to bind itself (or the entity it represents) to this Authorization

For self-serve customers:
Acceptance is recorded electronically when you check the "I authorize 
this audit" box during checkout or intake. A copy is sent to your 
email and stored in your AppPulse account.

For enterprise / signed authorization:

CUSTOMER:

Signature: _______________________________
Name:      _______________________________
Title:     _______________________________
Date:      _______________________________
Company:   _______________________________


AUDITOR (Malon Global Tech LLC / AppPulse):

Signature: _______________________________
Name:      Olamide Omotere
Title:     Founder
Date:      _______________________________

End of Authorization to Audit.

Operational note: this document is also embedded as an interstitial page in the paid checkout flow. The checkbox "I authorize a non-destructive audit of [Target]" represents acceptance.