BOREALIS MANAGED GOVERNANCE SERVICE DESCRIPTION AND PROFESSIONAL BOUNDARIES EXHIBIT
Standard service-description and scope companion for Borealis managed-governance engagements and any included Aurora Command access
Owner: Borealis Security, Inc.
Use case: Referenced by a Borealis Order Form and the Managed Governance Services and Aurora Command Platform Agreement
Purpose: Describe the standard workstreams, deliverable categories, exclusions, and professional boundaries
Internal Use: This memo is an internal comparison, integration, and deployment note for counsel and contract owners. It is not customer-facing and does not itself change any contract.
Purpose and Relationship to the Agreement
This Managed Governance Service Description and Professional Boundaries Exhibit (this “Exhibit”) describes the standard structure of Borealis Security, Inc.’s managed-governance offering when sold under the Borealis Managed Governance Services and Aurora Command Platform Agreement and an applicable Order Form. This Exhibit is not a promise that every listed workstream or artifact is included in every engagement. The applicable Order Form controls which services, deliverables, review types, and platform features are included.
Engagement Model
Borealis provides governance implementation and operational support around the review work already in front of Customer. Borealis may help organize policies, evidence, reviewer requests, questionnaires, risk records, approvals, vendor-review records, training records, and other governed proof inside Aurora Command so the operating record remains in Customer’s workspace. The standard managed-governance model is built for deadline-driven or recurring review work where Customer wants Borealis to help run the cadence while Customer keeps ownership of the underlying system, business decisions, and control environment. Unless the applicable Order Form states otherwise, Borealis personnel operate only with scoped Advisor Access approved by Customer, and the resulting evidence updates, decisions, approvals, packages, and activity history remain logged in Aurora Command.
Typical Included Workstreams
The applicable Order Form may include some or all of the following standard workstreams, subject to stated assumptions and limits:
Governance cadence management, including recurring working sessions, backlog and next-step tracking, owner follow-up, and milestone coordination tied to a deadline or recurring review cycle.
Policy and document organization, including maintenance of policy records, approval history, version tracking, and preparation of draft operational materials for Customer review.
Evidence organization and freshness management, including evidence intake, owner assignment, cadence tracking, gap identification, and organization of reusable evidence records.
Framework and control mapping support, including mapping requirements to Customer’s maintained control and evidence records, overlap analysis, and packaging of line-of-sight reviewer materials.
Questionnaire, reviewer-package, and response-draft support, including preparation of reviewer-ready packages, response drafts, citations, scoped exports, and follow-up issue tracking.
Risk, vendor, and incident-readiness record support, including maintenance of risk-register items, vendor-review records, incident-readiness artifacts, communication drills, or related governance records where included in the Order Form.
Training, acknowledgment, and operational follow-through tracking where those modules or workstreams are included in the Order Form.
Typical Deliverable Categories
Depending on the Order Form, Customer may receive some or all of the following categories of Deliverables or working artifacts:
Written Information Security Program (WISP) or similar governance package drafted or maintained against Customer’s provided operating context.
Risk register entries with owners, dates, and documented decisions.
Vendor oversight or third-party review lists, cadence notes, and evidence references.
Incident-readiness or notification-plan records and reviewer-facing readiness artifacts.
Evidence maps identifying what proof exists, who owns it, where it lives, and what still needs attention.
Reviewer-ready exports, evidence bundles, questionnaire drafts, and governed proof packages.
Operational history in Aurora Command showing approvals, updates, reviewer activity, and other workflow context.
Aurora Command as the System of Record
Aurora Command is the platform Borealis uses to keep controls, evidence, approvals, framework mappings, freshness tracking, and reviewer handoff connected in one governed operating record. Borealis may perform Services inside Customer’s Aurora workspace or a workspace established for the engagement, as stated in the Order Form. If the applicable Order Form includes Subscription Services, Customer receives the limited rights stated in the Agreement. Borealis may also make reviewer-access or Trust Center functionality available where included. Aurora Command access is subject to the Agreement, the applicable Order Form, the applicable DPA, acceptable-use requirements, any reviewer-access or Trust Center terms, and any AI-feature terms if affected functionality is used.
Customer Responsibilities and Dependencies
The managed-governance model assumes that Customer will timely supply accurate information, documents, access, and approvals; maintain knowledgeable owners; make business and legal decisions; and operate or arrange operation of the underlying technical and administrative controls. Customer remains responsible for the technical environment, internal systems, MSP/MSSP relationships, legal and regulatory obligations, audit and assessor relationships, and final decisions about what to implement, represent, approve, certify, or submit. Borealis may identify missing information, stale evidence, or workflow gaps, but Borealis does not assume responsibility for discovering every deficiency or for independently verifying every Customer statement, system state, or legal requirement.
Explicit Exclusions Unless Separately Purchased
Unless the applicable Order Form expressly includes them, the Services exclude:
Legal advice, legal analysis, legal opinion letters, or law-firm services.
Tax advice, accounting advice, financial-statement work, or CPA services.
Audit, attestation, assessment, certification, or independent assurance services.
MSP, MSSP, managed detection and response, vulnerability management, security engineering, DevOps, or IT administration services.
Custom software development, bespoke integration engineering, or data migration beyond the expressly scoped service setup work.
Representation of Customer before regulators, insurers, customers, or other third parties except for workflow or package preparation support expressly included in the Order Form.
Professional Boundaries and Required Validation
Any governance package, mapping, draft, checklist, state-law summary, incident timeline aid, evidence grouping, reviewer package, policy language, template, or AI-assisted output prepared through the Services is an operational aid only. It may be incomplete, inaccurate, stale, or dependent on Customer assumptions or reviewer context. Customer must independently review and validate all consequential materials and use qualified legal, privacy, compliance, audit, security, accounting, insurance, and business advisors where appropriate before relying on or distributing them. Borealis does not guarantee compliance, audit readiness, certification, reviewer acceptance, procurement success, insurance outcomes, or any other business outcome.
Deliverable Timing, Handoff, and Staleness
Deliverables reflect the information, scope, frameworks, reviewer requests, and operating context available to Borealis at the time of preparation. They may become stale when laws, standards, systems, ownership, vendors, reviewer expectations, or Customer facts change. A clean handoff is part of the engagement model, but handoff does not mean Borealis guarantees that the resulting package will remain sufficient without ongoing refresh, Customer participation, and independent review. Unless otherwise stated in the Order Form, Borealis is not responsible for ongoing refresh after the end of the applicable term.
Precedence
If a conflict exists between this Exhibit and a more specific statement in the applicable Order Form, the Order Form controls for that conflict. If a conflict exists between this Exhibit and a less specific marketing, demo, or website statement, this Exhibit controls to the maximum extent permitted by law.