Supplement: Penetration Testing Policy


EFFECTIVE DATE: 13th April 2026

BatchHeader Ltd t/a EncodeDotHost ("EncodeDotHost", "we", "us", or "our") takes the security of our infrastructure and our customers' data very seriously. While we understand and support our customers' need to perform security assessments, vulnerability scans, and penetration tests on their own hosted applications, such activities are often indistinguishable from a genuine attack when observed at the network level.

Under Schedule 4: Acceptable Use Policy (AUP), unauthorized probing, scanning, or testing of systems and networks is strictly prohibited. This Penetration Testing Policy outlines the mandatory rules of engagement and the authorization process required before any security testing can commence.

1. Scope of Permitted Testing

Customers are only permitted to perform security assessments against infrastructure and applications that they outright own or have a direct, active subscription for under the EncodeDotHost Master Services Agreement (MSA).

Permitted Targets (Subject to Authorization):

  • Customer-owned website code and applications (e.g., custom WordPress themes/plugins hosted on our servers).

  • Virtual Private Servers (VPS) or Dedicated Servers assigned exclusively to the Customer.

Strictly Prohibited Targets:

  • Shared hosting infrastructure (e.g., underlying web servers, MySQL servers, or shared IP addresses).

  • EncodeDotHost's corporate infrastructure, website (encode.host), billing portals, or client area.

  • Third-party software infrastructure (e.g., the core cPanel control panel interface, Webmail interfaces).

  • Infrastructure or applications belonging to any other EncodeDotHost customer.

2. Mandatory Pre-Authorization Process

No security testing may commence without explicit, prior written authorization from the EncodeDotHost Security Team. To request authorization, the Customer must submit a formal request via the Support Portal at least seven (7) working days prior to the intended start date of the test. The request must include:

  1. Target IP Addresses / URLs: The exact IP addresses and domain names to be tested.

  2. Source IP Addresses: The static IP addresses from which the testing traffic will originate.

  3. Testing Window: The specific start and end dates and times, stated in UK time (GMT or BST, whichever applies on the test dates).

  4. Testing Methodology: A high-level overview of the types of tests being performed and the primary tools being used (e.g., Nessus, Burp Suite, automated vulnerability scanners).

  5. Contact Information: Direct contact details (phone and email) for the individual or third-party agency conducting the test.

EncodeDotHost reserves the right to deny any penetration testing request at its sole discretion, particularly if the proposed testing poses an unacceptable risk to shared infrastructure.

3. Rules of Engagement (Prohibited Activities)

Even with authorization, the following activities are strictly prohibited during any penetration test or vulnerability scan:

  • Denial of Service (DoS / DDoS): Any testing designed to exhaust network bandwidth, server resources, or application availability (e.g., volumetric attacks, Slowloris-style connection exhaustion, SYN floods).

  • Social Engineering: Phishing, vishing, or any other social engineering attempts targeting EncodeDotHost staff, contractors, or other customers.

  • Physical Security Testing: Any attempt to physically access the data centres where EncodeDotHost equipment is housed.

  • Exploitation of Shared Resources: If a vulnerability is discovered in the underlying shared hosting environment, hypervisor, or network layer, the tester must stop immediately and report it. Under no circumstances should a shared infrastructure vulnerability be exploited to gain further access or extract data.

4. Third-Party Testing

If the Customer employs a third-party security firm to conduct the penetration test, the Customer remains entirely responsible for ensuring the third party complies strictly with this Policy and the EncodeDotHost AUP. The Customer assumes full liability for any damages or service disruptions caused by their third-party testers.

5. Reporting Vulnerabilities

If, during the course of an authorized test, a vulnerability is discovered that affects EncodeDotHost's core infrastructure, networking, or control panels (rather than only the Customer's own website code), it must be reported to us immediately.

  • Please report findings securely by raising a high-priority ticket in the Client Portal directed to the Management/Security team.

  • Do not publicly disclose any vulnerability related to EncodeDotHost infrastructure until a mutually agreed remediation period has passed and you have obtained our prior written consent.

6. Incident Response and Interruption

EncodeDotHost employs automated security systems. We will make reasonable efforts to whitelist the authorized Source IP addresses provided in the request. However:

  • If the testing causes severe degradation to our network or impacts other customers, EncodeDotHost reserves the right to immediately block the testing traffic or suspend the target server without notice.

  • EncodeDotHost is not liable for any downtime, data loss, or associated Service Level Agreement (SLA) credits resulting from the Customer's penetration testing activities.

7. Enforcement

Failure to obtain proper pre-authorization, or violating the Rules of Engagement outlined in this policy, constitutes a material breach of the Acceptable Use Policy (AUP). EncodeDotHost reserves the right to take immediate action, which may include suspension of Services, permanent termination of the Customer's account, and holding the Customer liable for any resulting damages or recovery costs.
