General Terms and Conditions
As of: March 2026
for the provision of services and the KaitoSec ISMS Platform by KaitoSec GmbH, Steinmetzstraße 3, 10783 Berlin, Germany, e-mail: contact@kaitosec.app (hereinafter "Provider") to its customers (hereinafter "Customer")
Note: This English translation is provided for convenience only. The German version of these General Terms and Conditions shall prevail in the event of any discrepancy or dispute.
1.1 These General Terms and Conditions (GTC) apply to all contracts, orders and services between the Provider and the Customer, including the provision of the KaitoSec ISMS Platform as Software-as-a-Service (SaaS) or on-premise installation, as well as the provision of consulting and certification support services. They form an integral part of the business relationship.
1.2 The Provider does not enter into contracts with consumers or private individuals.
1.3 The Provider is entitled to subcontract the required services in its own name and for its own account to subcontractors, who may in turn engage subcontractors. The Provider shall remain the sole contractual partner of the Customer. Subcontractors shall not be engaged if it is apparent to the Provider that their engagement would be contrary to the legitimate interests of the Customer.
1.4 Insofar as additional contractual documents or other terms and conditions in text or written form have become part of the contract in addition to these GTC, the provisions of such additional contractual documents shall prevail over these GTC in the event of conflict.
1.5 Any general terms and conditions of the Customer that deviate from these GTC shall not be recognized by the Provider unless expressly agreed to in writing.
2.1 The Provider's offers are non-binding. Oral agreements are not binding unless confirmed in writing by the Provider.
2.2 Descriptions and information used by the Provider in general documentation or on its website are for informational purposes only and do not constitute warranties or guarantees unless expressly made part of the contract.
2.3 A contract is formed upon the Provider's written order confirmation or upon commencement of the provision of services.
3.1 The Provider, acting as an independent contractor, provides the following services to the Customer:
a) Platform (SaaS or On-Premise): Provision of a browser-based, agentic ISMS platform to support the establishment and operation of an information security management system. The platform includes, in particular, functions for risk management, measure tracking, policy management, audit preparation and reporting. The specific scope of functions is determined by the service package booked by the Customer in accordance with the current service description at kaitosec.app. Access is provided via the internet through a web browser; no installation at the Customer's premises is required. Subject to individual agreement, the platform may also be provided as an on-premise installation.
b) Consulting: Individual consulting services in the field of information security, in particular professional guidance in the implementation of an ISMS, conducting gap analyses, developing security concepts and policies, and training for employees. Consulting services are provided via video conference or on-site, and are commissioned and remunerated separately.
c) Certification Support: Assistance in the preparation for certification audits pursuant to ISO 27001 and comparable standards, including assessment of audit readiness, support during internal audits, and assistance in remediating identified non-conformities. The Provider is not an accredited certification body and does not itself conduct certification audits.
3.2 The specific scope of services is determined by the respective offer, order confirmation, and the service description valid at the time of contract formation at kaitosec.app.
3.3 The detailed scope of services is subject to individual agreements between the Provider and the Customer.
3.4 The Provider shall perform the contractual services with the utmost care and diligence in accordance with the current state of the art.
3.5 The Provider is obligated to perform the contractually owed services. In the performance of its activities, the Provider is not subject to instructions regarding the manner, place, or time of service provision. Services are provided in coordination and consultation with the Customer.
4.1 The Provider grants the Customer, for the duration of the contractual relationship, a non-exclusive, non-transferable, and non-sublicensable right to use the KaitoSec ISMS Platform within the scope contractually agreed upon.
4.2 The right of use is limited to the organization of the Customer named in the contract. Use of the platform by affiliated companies of the Customer requires a separate written agreement.
4.3 The Customer is not entitled to modify, decompile, reverse engineer, or otherwise determine the source code of the platform or parts thereof, unless this is expressly permitted under mandatory statutory provisions (in particular § 69e of the German Copyright Act, UrhG).
4.4 The Customer is not entitled to sublicense, transfer, or otherwise make the platform or access thereto available to third parties, unless the Provider has given prior written consent.
4.5 In the case of SaaS usage, the Provider makes the platform available to the Customer via the internet. No installation on the Customer's systems is required. Updates and upgrades to the platform are automatically deployed by the Provider; no cooperation or acceptance by the Customer is required.
4.6 In the case of on-premise installation, the conditions for installation, updates, and maintenance set out in the respective individual agreement shall apply in addition.
4.7 Upon termination of the contractual relationship, the Customer's right to use the platform shall expire. The Provider shall make available to the Customer, for a period of 30 days after the end of the contract, the ability to export its data stored on the platform. After expiry of this period, the Provider is entitled to delete the data, provided no statutory retention obligations exist to the contrary.
5.1 The Provider endeavors to ensure a high availability of the platform. Unless an individual service level agreement (SLA) has been agreed upon, the Provider aims for an availability of 99.5% as a monthly average. Scheduled maintenance windows, which the Provider shall announce to the Customer in advance, are excluded from this.
5.2 The Provider is entitled to temporarily restrict the platform if this is necessary with regard to capacity limits, the security or integrity of the servers, or the performance of technical measures (maintenance work). Scheduled maintenance shall, where possible, be carried out outside of regular business hours (Mon–Fri, 08:00–18:00 CET).
5.3 Data processing takes place on servers of Hetzner Online GmbH in ISO 27001-certified data centers in Germany.
5.4 Updates and further developments of the platform are included in the SaaS fee and are automatically deployed by the Provider. The Provider shall inform the Customer of significant functional changes in an appropriate manner.
5.5 Reporting of Incidents and Support: The Provider makes available to the Customer a support channel (e-mail: support@kaitosec.app) through which incidents and defects may be reported. Incidents shall be reported indicating the priority level pursuant to § 10.2.
5.6 Response and Resolution Times: The Provider undertakes to comply with the response and resolution times set out below. The applicable times depend on the service package booked by the Customer.
5.7 Definitions: Response time is defined as the period between the reporting of an incident by the Customer and the initiation of measures by the Provider to resolve the incident. Resolution time is defined as the period between the commencement of incident resolution and the rectification of the defect such that the affected function can be used again without material impairment. The resolution time shall also be deemed met if the Provider provides the Customer with a reasonable workaround.
5.8 For Professional and Enterprise Customers:
| Priority | Classification | Response Time | Resolution Time |
|---|---|---|---|
| 1 | Critical / operation-blocking | Within 4 hours | Within 24 hours |
| 2 | High / operation-impairing | Within 8 hours | Within 5 business days |
| 3 | Low / non-impairing | Within 2 business days | Within 2 releases |
5.9 For Standard Customers: The response and resolution times are doubled compared to the times stated in § 5.8 for Professional and Enterprise Customers.
| Priority | Classification | Response Time | Resolution Time |
|---|---|---|---|
| 1 | Critical / operation-blocking | Within 8 hours | Within 48 hours |
| 2 | High / operation-impairing | Within 16 hours | Within 10 business days |
| 3 | Low / non-impairing | Within 4 business days | Within 4 releases |
5.10 For Free Users: Users of the free service package have no contractual entitlement to service levels within the meaning of this § 5. The Provider endeavors to ensure proper functioning of the platform for free users as well but does not guarantee any response or resolution times.
5.11 Response and resolution times apply during the Provider's regular business hours (Mon–Fri, 09:00–17:00 CET, excluding public holidays at the Provider's registered office). Reports received outside of these hours shall be deemed received at the start of the next business day.
5.12 Limitations: The Provider is not responsible for incidents attributable to the following circumstances:
5.13 Maintenance: Routine maintenance or required emergency maintenance may result in temporary availability restrictions. The Provider shall inform the Customer of planned maintenance at least 48 hours in advance. Emergency maintenance shall be announced as early as possible. Planned maintenance shall, where possible, be carried out outside of regular business hours.
5.14 Data Backups: The Provider backs up the platform's database and document repository on a nightly basis and retains such backups for 30 days. Backups are stored at a minimum of two geographically separated locations in Germany and are protected against unauthorized access. The Provider's backup measures do not relieve the Customer of its own data backup obligations pursuant to § 6.4.
6.1 The Customer is responsible for providing the information, data, and other content required for the performance of services completely and accurately.
6.2 The Customer shall make available to the Provider at least one qualified contact person with the authority necessary for the smooth execution of the project.
6.3 In the localization and resolution of incidents, the Customer shall support the Provider to a reasonable extent and at no charge, in particular by providing accurate incident and system descriptions and, where necessary, by granting access to affected systems.
6.4 The Customer is obligated to maintain proper data backups. In particular, the Customer shall ensure that all data used with or generated by the platform is backed up in a manner that allows reconstruction of lost data with reasonable effort. For on-premise installations, the Customer is obligated to create a data backup prior to the installation of updates.
6.5 The Provider shall not be responsible for delays in service provision caused by late or incomplete cooperation by the Customer. The provisions of § 9 (Liability) shall remain unaffected.
6.6 The Customer undertakes not to upload any criminal or otherwise unlawful content or data to the platform, and not to use any programs containing viruses or other malware in connection with the platform.
6.7 The Customer is obligated to keep its access credentials confidential and to inform the Provider without undue delay if unauthorized access to its account is threatened or has occurred. The Customer shall be liable for all activities carried out via its access credentials insofar as the unauthorized access is attributable to the Customer.
7.1 Fees are determined by the Provider's current price and conditions lists, unless individually agreed otherwise. All prices are stated in euros and are exclusive of the applicable statutory value-added tax.
7.2 For the SaaS platform, billing is based on the agreed billing period (monthly or annually). Fees are payable in advance at the beginning of each billing period.
7.3 For consulting and certification support services, fees are payable after the services have been rendered. In the case of time-and-materials billing, the Provider is entitled to invoice the services rendered on a monthly basis.
7.4 The Provider shall issue invoices to the Customer by e-mail (as PDF). Fees are due for payment within 14 days of receipt of the invoice. A payment is deemed made only when it has been credited to the Provider's account.
7.5 Insofar as the Provider renders services at the Customer's request that were not part of the contract at the time of its formation and for which no separate fee arrangement exists, the fee shall be determined according to the Provider's current price list. If this cannot be established, § 612 (2) of the German Civil Code (BGB) shall apply.
8.1 The Customer shall be in default upon expiry of the payment deadline set out in § 7.4. The Provider is entitled to charge default interest at a rate of eight percentage points above the base rate. The right to claim further damages is reserved.
8.2 In the event of payment default by the Customer, the Provider is entitled to perform its outstanding contractual obligations only against advance payment or provision of security.
8.3 The Provider is entitled to suspend the Customer's use of the platform if the Customer is in default of payment for more than one month. The right of use shall automatically revive once all outstanding amounts have been settled or the Provider expressly permits continued use.
8.4 The Customer may only set off counterclaims that have been finally adjudicated by a court or are undisputed. A right of retention may only be exercised insofar as it is based on the same contractual relationship.
9.1 The Provider shall be liable without limitation under any legal basis in cases of intent or gross negligence, in cases of intentional or negligent injury to life, body, or health, on the basis of a guarantee, unless otherwise provided, or on the basis of mandatory liability (in particular under the German Product Liability Act).
9.2 If the Provider negligently breaches a material contractual obligation, liability shall be limited to the typical, foreseeable damage, unless unlimited liability applies pursuant to § 9.1. Material contractual obligations are obligations whose fulfillment is essential for the proper performance of the contract and on whose compliance the Customer may regularly rely (cardinal obligations).
9.3 All other liability of the Provider is excluded. The foregoing liability provisions shall also apply with respect to the Provider's liability for its vicarious agents and legal representatives.
9.4 In the event of data loss, it is rebuttably presumed that all damages exceeding those that would have occurred with regular and appropriate creation of backup copies are attributable to the Customer's fault, insofar as the obligation to create backup copies did not lie with the Provider.
9.5 The Provider shall not be liable for malfunctions attributable to non-compliance with the applicable system requirements, in particular the use of browsers or devices that do not meet the minimum requirements specified by the Provider.
9.6 Beyond the contractually assured performance, the Provider shall not be liable for the functionality of the Customer's internet connection, power outages at the Customer's premises, or failures of systems outside the Provider's sphere of influence. In cases of force majeure, the Provider shall not be obligated to compensate for resulting delay damages.
9.7 The Customer shall indemnify and hold the Provider harmless against any and all claims by third parties asserted against the Provider due to the Customer's breach of these terms and conditions or of applicable law.
9.8 For any single damage event, the Provider's liability is limited to the annual contract value; in the case of recurring fees, to the amount of twelve months' fees. This limitation shall not apply to liability pursuant to § 9.1. Multiple related damage events shall be treated as a single damage event.
10.1 The Customer shall in principle be entitled to the statutory warranty rights, subject to the limitations set out below.
10.2 Definition of Defect: A defect of the platform exists if it does not meet the performance requirements set out in the associated documentation and service description, in particular if it delivers incorrect results, terminates its operation in an uncontrolled manner, or otherwise does not function properly, such that the use of the platform is prevented or materially impaired.
10.3 No defect exists if:
a) the malfunction is caused by an operating error on the part of the Customer;
b) the system requirements specified by the Provider (in particular supported browsers and devices) are not met;
c) the Customer or third parties at the Customer's direction have made modifications to the platform (applies only to on-premise installations).
10.4 Defect Classes: Defects that occur are classified as follows:
| Priority | Classification | Description |
|---|---|---|
| 1 | Critical / operation-blocking | The platform cannot be accessed or essential functions are unavailable or severely unstable. |
| 2 | High / operation-impairing | Access to the platform is impaired or malfunctions occur that are not operation-blocking but operation-impairing (e.g., erroneous reports, impaired response time behavior, unclear error messages). |
| 3 | Low / non-impairing | Access and work are possible, though not consistently within the agreed parameters. Malfunctions can be worked around. |
10.5 Defects shall be reported to the Provider without undue delay after discovery, in writing (e-mail shall suffice), indicating the priority level pursuant to § 10.4. The defect notification shall describe the defect and its manifestation.
10.6 In the event of a defect, the Provider reserves the right to first attempt remediation (cure), provided this is not unreasonable for the Customer in the individual case. The Provider is entitled to provide the Customer with a preliminary workaround, provided this is reasonable for the Customer.
10.7 If a defect has been reported under warranty and the Provider is unable to remedy it within the resolution times set out in § 5.8 or § 5.9, this shall be deemed a failure of the remediation attempt. In such case, the Customer shall be entitled to assert its statutory warranty rights, in particular to withdraw from the contract or to reasonably reduce the fee.
10.8 The Customer's warranty claims shall become time-barred within a period of one year from provision of the service or completion of the respective service, unless the Provider has fraudulently concealed a defect.
10.9 The Provider may charge for its efforts at the applicable list prices insofar as (a) it takes action based on a report without a defect being present, unless the Customer could not reasonably have been expected to recognize that no defect existed; (b) a reported incident is not reproducible; or (c) additional effort arises due to the Customer's failure to properly fulfill its cooperation obligations pursuant to § 6.
10.10 The Customer undertakes to comply with its statutory duty to inspect and give notice of defects (§ 377 of the German Commercial Code, HGB). If a defect becomes apparent, the Customer shall notify the Provider in writing without undue delay. Notification is deemed without undue delay if made within 30 days of the provision of the service (including updates) or, in the case of non-obvious defects, within 30 days of their discovery.
10.11 If the Customer fails to properly inspect and/or give notice of defects, warranty claims for the unreported defect shall be excluded, unless the Provider has fraudulently concealed the defect.
11.1 The Provider shall provide the platform free from any third-party rights that conflict with this contract, and shall indemnify the Customer against all claims by third parties arising from intellectual property infringements attributable to the Provider.
11.2 Should third parties assert such claims, the parties shall notify each other without undue delay and in writing. The parties shall fully inform each other and coordinate any action to be taken. In all decisions, priority shall be given to enabling the Customer to continue its business operations.
11.3 The Provider shall promptly resolve any undisputed third-party rights. Alternatively, the Provider may replace the affected area with an equivalent service that is reasonable for the Customer and free from conflicting rights.
11.4 The Provider shall not be liable under this § 11 if the Customer or third parties at the Customer's direction have made modifications to the platform, unless such modifications had no influence on the occurrence of the defect in title.
12.1 The contract term and the periods for ordinary termination shall be agreed individually between the parties.
12.2 For the SaaS platform, unless individually agreed otherwise, a minimum contract term of 12 months shall apply. The contract shall be automatically renewed for additional periods of 12 months each unless terminated in writing with a notice period of 3 months prior to the end of the respective contract term.
12.3 The right of either party to terminate without notice for good cause shall remain unaffected. Good cause for the Provider shall exist in particular if the Customer is in default of payment of due fees despite a reminder and the setting of a reasonable grace period.
12.4 If the Customer terminates a contract for consulting or certification support services before complete performance, the Customer shall be obligated to pay for services rendered up to the date of termination as well as demonstrably incurred expenses.
12.5 Upon termination of the contract, the Provider shall, at the Customer's choice, promptly return or destroy all documents and other content provided by the Customer. The assertion of a right of retention in respect thereof is excluded. Electronic data shall be completely deleted. Excepted from this are documents and data for which a statutory retention obligation exists. The Provider shall, upon the Customer's request, confirm the deletion in writing.
12.6 Upon termination of the contractual relationship, the Customer's use of the platform is prohibited. The data export provision of § 4.7 shall apply.
13.1 The Provider is entitled to withdraw from the contract if the Customer has filed for the opening of insolvency proceedings over its assets, has made an affidavit in lieu of oath pursuant to § 807 of the German Code of Civil Procedure (ZPO), or if insolvency proceedings have been opened over its assets or the opening thereof has been refused for lack of assets.
14.1 The Provider shall treat all matters that come to its knowledge in connection with the contract as strictly confidential. The Provider undertakes to impose this obligation of confidentiality on all employees and/or third parties who have access to the information subject to the contract. The obligation of confidentiality shall apply for an unlimited period beyond the term of this contract.
14.2 The Provider undertakes to comply with all data protection regulations in the performance of the contract, in particular the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
14.3 Insofar as the Provider processes personal data on behalf of the Customer in the course of providing services, the parties shall enter into a separate data processing agreement (DPA) pursuant to Art. 28 GDPR.
14.4 The parties shall use all documents, information, and data received for the performance of the contract exclusively for the performance of the contract. As long as and to the extent they have not become publicly known, they shall be treated as confidential. This obligation shall continue to apply after the performance of the contract.
15.1 The law of the Federal Republic of Germany shall apply, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
15.2 If the Customer is a merchant (Kaufmann), a legal entity under public law, or a special fund under public law, or has no general place of jurisdiction in Germany, Berlin shall be the exclusive place of jurisdiction for all disputes arising from this contractual relationship. Exclusive places of jurisdiction shall remain unaffected.
15.3 Amendments and supplements to these GTC shall be made in writing. This shall also apply to the waiver of this written form requirement.
15.4 The Provider is entitled to amend these GTC for objectively justified reasons (e.g., changes in case law, legislation, market conditions, or business or corporate strategy) and subject to a reasonable notice period. Existing customers shall be notified by e-mail no later than two weeks before the amendments take effect. If the existing customer does not object within the period set in the amendment notification, their consent to the amendment shall be deemed given. If the customer objects, the amendments shall not take effect with respect to that customer; in this case, the Provider is entitled to terminate the contract on an extraordinary basis as of the date the amendments were to take effect. The notification of the intended amendment shall refer to the deadline and the consequences of objection or failure to object.
15.5 Should any provision of these GTC be or become invalid, the validity of the remaining GTC shall not be affected. The invalid provision shall be replaced by such valid provision whose effects most closely approximate the objective pursued by the parties with the invalid provision.
Berlin, March 2026