Mercury Security
Sample Statement of Work (SOW)
4-Week Audit → Governance Sprint
(Illustrative Template, 2025)
1. Overview
This Statement of Work (“SOW”) describes the scope, deliverables, timelines, roles, and terms of engagement for the Mercury Security 4-Week Audit → Governance Sprint (“Sprint”). This is a fixed-scope engagement with defined outputs and timelines.
2. Objectives
- Assess [Client AI System/Agent] against governance frameworks (EU AI Act, NIST AI RMF, GDPR, ISO/IEC 42001).
- Produce evidence artifacts for regulatory, audit, and board readiness.
- Provide a board-ready roadmap of prioritized remediations within 30 days.
3. Scope
3.1 In-Scope
- System Coverage: 1 production AI agent (or <10k user reach).
- Integrations: Up to 2 connectors (CRM, calendar, knowledge base, etc.).
- Environment: 1 environment (production or sandbox).
- Evidence Pack: Logs, test results, SOPs, crosswalks, annotated samples.
- Board Deliverables: Audit Report + 90-day Governance Roadmap.
3.2 Out-of-Scope
- Legal opinions, DPIA filings, or formal certifications.
- Model retraining or algorithmic changes.
- Drafting new moderation/content policies.
- Contract drafting, vendor negotiations, or legal submissions.
- Custom red-team suites beyond the included 100 test prompts.
3.3 Add-Ons
Additional scope is available via Mercury’s Add-On Catalog:
- +1 production agent → $7,500
- +1 regulated data class → $5,000
- +1 region → $5,000
- Extended red-team suite (+50 prompts) → $3,000
- Board Q&A workshop → $2,000
(See: mercurysecurity.io/docs/addons)
4. Deliverables
Mercury Security will deliver the following artifacts:
- Audit Report — plain-English findings + technical appendix.
- Evidence Pack — logs, tests, SOPs, screenshots, crosswalks.
- Framework Crosswalk — EU AI Act ↔ NIST ↔ GDPR ↔ ISO/IEC 42001.
- Board Roadmap — 90-day plan with owners & deadlines.
All deliverables are provided in PDF/DOCX; logs and crosswalks are also available in CSV/JSON formats.
5. Timeline
- Duration: 20 business days (4 weeks), beginning once all required inputs are provided.
- Week 1: Scope & system mapping.
- Week 2: Evidence collection (logs, policies, HITL).
- Week 3: Testing (bias, safety, transparency, consistency).
- Week 4: Reporting & roadmap delivery.
If client inputs are delayed, the Sprint clock pauses until inputs are complete.
6. Roles & Responsibilities
Mercury Security:
- Conduct audit and testing.
- Produce all deliverables listed in Section 4.
- Maintain secure evidence handling and client portal.
Client:
- Provide required inputs (see Inputs Checklist).
- Ensure system access for testing.
- Assign named owners for roadmap items.
- Respond to queries within 2 business days.
7. Revision Policy
One revision cycle is included for the Audit Report and Roadmap (minor edits only). Major scope changes require a new SOW or add-on purchase.
8. Fees
- Small Scope Sprint (1 agent / <10k users) → $25,000 fixed fee.
- Enterprise Sprint (multi-agent / regulated) → from $65,000, scoped separately.
- Fees for add-ons as defined in Section 3.3.
9. Acceptance
This SOW is accepted upon signature by both parties. Deliverables will be deemed accepted unless objections are raised within 10 business days of delivery.
Authorized Signatures
Client Representative
Mercury Security Representative
✅ This template makes your “fixed deliverables, fixed timelines” promise legally defensible while keeping scope crystal clear.