Terms & Conditions


These general terms and conditions (“Terms”) govern the provision of the CIVAC platform (Software-as-a-Service) and the related Officer-as-a-Service offering by CITO GmbH (“CIVAC”, “Provider”) to its business customers (“Customer”). They apply in the version in force at the time a contract is concluded.

Part A: General provisions

§ 1 Scope of application

1.1 These Terms govern all current and future contractual relationships between the Provider and the Customer concerning the CIVAC platform (Software-as-a-Service) and the Officer-as-a-Service offering, irrespective of whether the Customer obtains one or both of these offerings.

1.2 The Terms apply exclusively to entrepreneurs within the meaning of § 14 of the German Civil Code (BGB), to legal persons governed by public law and to special funds under public law within the meaning of § 310 para. 1 BGB. The offering is not directed at consumers within the meaning of § 13 BGB; the use of the platform and the Officer service by consumers is excluded.

1.3 Deviating, conflicting or supplementary general terms and conditions of the Customer shall not become part of the contract, even if the Provider performs without reservation in awareness of such terms, unless the Provider has expressly agreed to their application in text form.

1.4 Individual agreements made in writing between the parties (including side agreements, supplements and amendments) shall take precedence over these Terms. The content of such individual agreements shall be governed by a written contract or written confirmation by the Provider.

§ 2 Conclusion of contract, offer, term

2.1 Offers made by the Provider are non-binding and subject to confirmation, unless the offer is expressly designated as binding. Binding offers remain valid for four (4) weeks from the offer date, unless otherwise expressly stated.

2.2 A contract is concluded upon the Customer’s written acceptance of a binding offer, upon signature of an order form, upon written confirmation of an order by the Provider, or upon unconditional commencement of the performance of the service at the Customer’s request.

2.3 Unless expressly agreed otherwise in the individual contract, the initial contract term is twelve (12) months, commencing on the date of provision of the service. The contract renews automatically for successive periods of twelve (12) months each, unless terminated by either party with three (3) months’ notice to the end of the then current term.

2.4 Termination must be declared in text form (§ 126b BGB). Verbal declarations of termination are ineffective.

§ 3 Fees and payment terms

3.1 The fees applicable to the services are those set out in the individual contract or in the Provider’s then current price list. All fees are stated exclusive of statutory value-added tax and any other applicable levies, duties or taxes, which shall be added at the rate applicable on the date of invoice.

3.2 Recurring fees for the platform are invoiced annually in advance, unless otherwise agreed. Fees for the Officer service are invoiced monthly in arrears, unless otherwise agreed. One-off fees (setup, onboarding, project-based work) are invoiced upon contract signature or upon delivery of the individual deliverable, at the Provider’s discretion.

3.3 Invoices are due for payment within ten (10) days from the date of invoice, without deduction, in the currency stated on the invoice.

3.4 The Customer is in default without a separate reminder upon expiry of the payment deadline. The Provider is entitled to default interest at the statutory rate (§ 288 BGB) and to a flat-rate default fee pursuant to § 288 para. 5 BGB. The right to assert further damages caused by default remains expressly reserved.

3.5 In the event of default of payment for more than thirty (30) days after written reminder, the Provider is entitled to suspend the provision of all services, including access to the platform, until all outstanding amounts have been paid in full, without this constituting a breach of the Provider’s contractual obligations. The Customer’s obligation to pay the fees accrued during the suspension period remains unaffected.

§ 4 Price adjustments

4.1 The Provider is entitled to adjust the fees with effect for the future by giving the Customer at least thirty (30) days’ prior notice in text form.

4.2 If a price adjustment amounts to an increase of more than five percent (5 %) within any rolling twelve-month period, the Customer is entitled to an extraordinary right of termination with effect from the date on which the price adjustment is to take effect. The termination must be declared in text form and must be received by the Provider no later than fifteen (15) days before the effective date of the price adjustment. If the Customer does not exercise the right of termination within this period, the adjusted price shall be deemed accepted.

4.3 Price adjustments below the threshold in section 4.2 shall be deemed accepted if the Customer does not object in text form within thirty (30) days of notification. The Provider shall point out this legal consequence in the announcement of the adjustment.

§ 5 Cooperation obligations of the Customer

5.1 The Customer shall fulfil all cooperation obligations reasonably required for the performance of the services in full, free of charge and in good time. Timely and complete cooperation by the Customer is a material prerequisite for the proper performance of the services by the Provider.

5.2 In particular, the Customer shall:

  • designate at least one internal contact person at management level authorised to make binding decisions and to promptly respond to enquiries;
  • provide access to premises, IT systems, records, documentation and personnel relevant to the performance of the service within the scope reasonably required;
  • provide complete, accurate and up-to-date information required for the performance of the services and inform the Provider of any material changes without undue delay;
  • ensure that its own IT infrastructure (internet connectivity, browser, endpoint devices, identity management) meets the technical requirements reasonably specified by the Provider;
  • perform backups of data stored or processed in connection with the platform in accordance with section 6.4 and maintain state-of-the-art protective measures against data loss and unauthorised access;
  • maintain the confidentiality of access credentials, tokens and API keys and immediately notify the Provider upon suspicion of unauthorised access.

5.3 If performance of the services is delayed or rendered more costly due to a breach of the Customer’s cooperation obligations, the Provider is entitled to extend deadlines and milestones accordingly and to invoice any additional effort on a time-and-materials basis at the Provider’s then current standard rates.

§ 6 Liability

6.1 The Provider shall be liable without limitation only for the following:

  • (a) damages caused by intent or gross negligence of the Provider’s statutory representatives or senior executives (leitende Angestellte);
  • (b) damages arising from injury to life, body or health, in accordance with the mandatory provisions of § 309 no. 7a BGB;
  • (c) claims under the German Product Liability Act (Produkthaftungsgesetz, ProdHaftG);
  • (d) claims based on a guarantee expressly assumed by the Provider in text form, or on an expressly assumed assurance as to a specific characteristic (Beschaffenheitszusicherung);
  • (e) claims based on fraudulent intent (Arglist) of the Provider.

6.2 In cases of slight negligence, the Provider shall be liable only for the breach of material contractual obligations (so-called cardinal obligations, i.e. those obligations whose fulfilment is essential to the proper performance of the contract in the first place, on whose observance the Customer regularly relies and may rely). In such cases liability shall be limited to the damage typically foreseeable at the time of conclusion of the contract for a contract of this type. In no event shall the Provider be liable, in cases of slight negligence, for loss of profit, indirect or consequential damages, loss of data, loss of use, loss of business opportunity, loss of goodwill, reputational damage, third-party claims or financial damages of any kind.

6.3 In cases of slight negligence involving the breach of mere ancillary obligations (i.e. obligations other than cardinal obligations), liability shall be excluded in its entirety.

6.4 Liability for the loss of data is limited to the typical recovery effort that would have been required had the Customer made appropriate, state-of-the-art back-ups. The Customer is obliged to perform daily back-ups of all data entered into or processed via the platform in a form that allows their reconstruction at reasonable expense. A breach of this back-up obligation shall be taken into account as contributory fault in accordance with § 254 BGB.

6.5 All limitations and exclusions of liability set out above shall apply equally to the personal liability of the Provider’s statutory representatives, its employees, its agents and its vicarious agents (Erfüllungsgehilfen).

6.6 The allocation of liability agreed in this § 6 reflects the commercial balance of the contract, the Customer’s independent obligation to maintain back-ups and risk mitigation measures, and the fees charged.

§ 7 Limitation of claims

7.1 Claims for damages against the Provider shall become time-barred within one (1) year from the end of the calendar year in which the claim arose and the Customer obtained knowledge, or would have obtained knowledge but for gross negligence, of the circumstances giving rise to the claim and of the identity of the obligor, but no later than three (3) years after the occurrence of the damaging event.

7.2 The statutory limitation periods shall apply only in the cases set out in § 6.1 (unlimited liability).

7.3 Warranty claims of the Customer shall become time-barred within one (1) year from the statutory commencement of the limitation period, save for the exceptions set out in § 6.1.

§ 8 Confidentiality

8.1 Each party shall keep strictly confidential all information of the other party marked as confidential or which by its nature, content or the circumstances of its disclosure is to be considered confidential, including in particular technical, commercial and personal information, know-how, source code, documentation, pricing, roadmaps and business plans. Such information shall be used solely for the purpose of performing the contract.

8.2 The confidentiality obligation shall apply for the duration of the contract and for a period of five (5) years after its termination, without prejudice to any statutory confidentiality obligations that apply for longer periods.

8.3 The obligation does not apply to information which (a) is or becomes publicly available without breach of this contract, (b) was lawfully in the possession of the receiving party before disclosure, (c) was lawfully obtained from a third party without confidentiality obligation, or (d) must be disclosed pursuant to mandatory statutory provisions, an enforceable official order or a final court decision, in which case the receiving party shall notify the disclosing party without undue delay, to the extent legally permitted.

§ 9 Data protection

9.1 Where the Provider processes personal data on behalf of the Customer in connection with the platform or the Officer service, the parties shall enter into a separate data processing agreement pursuant to Art. 28 GDPR (“DPA”). The DPA shall take precedence over these Terms in all matters of data processing on behalf of the Customer.

9.2 The processing of personal data for which the Provider acts as an independent controller within the meaning of Art. 4 no. 7 GDPR is governed by the CIVAC privacy notice.

9.3 The Customer is responsible for ensuring the lawful basis for the transfer and processing of personal data entered into the platform. The Customer shall indemnify the Provider against third-party claims arising from a breach of this responsibility by the Customer, in accordance with § 12.

§ 10 Termination

10.1 The ordinary right of termination is set out in § 2.3. Termination for cause (extraordinary termination) remains unaffected for both parties.

10.2 Cause for the Provider exists in particular where (a) the Customer is in default of payment of a non-trivial amount for more than thirty (30) days despite written reminder, (b) insolvency proceedings have been opened over the Customer’s assets or the opening has been dismissed for want of assets, (c) the Customer materially breaches the Acceptable Use provisions, the cooperation obligations, the contractual penalty provisions or obligations of confidentiality and fails to cure the breach within fifteen (15) days despite written warning, or (d) circumstances arise that make continued performance unreasonable for the Provider taking all circumstances of the individual case into consideration.

10.3 Termination for cause must be declared in text form and must specify the cause.

§ 11 Set-off and retention

11.1 The Customer may set off claims only where such claims are undisputed, legally established by a final court decision or ready for decision in the same legal dispute.

11.2 The Customer may exercise a right of retention only in respect of counter-claims arising from the same contractual relationship and only to the extent such counter-claims are undisputed or legally established.

§ 12 Contractual penalty for certain breaches

12.1 For each individual, culpable breach by the Customer of the reverse engineering prohibition, the scraping or mass-extraction prohibition, the non-competition obligation, the confidentiality obligation or the prohibition of unauthorised transfer of access rights or login credentials to third parties (in each case as set out in these Terms or in the individual contract), the Customer shall pay a contractual penalty in the amount of at least EUR 50,000 per case of breach, determined by the Provider at its reasonable discretion pursuant to § 315 BGB and reviewable by the competent court.

12.2 In the case of a continuing breach, each commenced month shall be considered a separate case of breach. Multiple breaches arising from the same factual circumstance shall be treated as separate cases of breach.

12.3 The right to claim further damages is expressly reserved. Any contractual penalty paid shall be credited against claims for damages in respect of the same breach.

12.4 This § 12 applies exclusively to B2B contracts in accordance with § 1.2 and is not applicable to consumers, whose use of the services is excluded.

Part B: Software-as-a-Service (CIVAC platform)

§ 13 Scope of platform services

13.1 The Provider makes the CIVAC platform available to the Customer via the public internet for use by the agreed number of named user accounts during the term of the contract. The functional scope is described in the individual contract, in the current online product documentation or in the service description referenced therein.

13.2 The Provider shall provide support in German and English on business days in Hamburg, Monday to Friday, from 9:00 to 17:00 (CET/CEST), excluding public holidays. Support may be provided via the platform, email or a dedicated ticketing system, at the Provider’s discretion.

13.3 The hand-over point for the services is the router output of the data centre used by the Provider. The Customer is solely responsible for the network connection between the hand-over point and its own systems and users.

§ 14 Platform availability (service target, no assurance)

14.1 The Provider uses reasonable commercial efforts to achieve a monthly platform availability of 99 % at the hand-over point.

14.2 This figure is a non-binding service target. It does not constitute an assurance, guarantee or warranty, does not give rise to any contractual right to performance at the stated level, does not establish a legal obligation to achieve a specific availability and is not a characteristic of the service within the meaning of §§ 434, 633 BGB. No service credits, contractual penalties or other compensation shall be payable for deviations from the service target.

14.3 Excluded from the service target are, in particular, scheduled maintenance windows pursuant to § 15, downtimes caused by force majeure, downtimes due to attacks on the infrastructure (including distributed denial-of-service attacks) that could not be averted despite the application of reasonable commercial efforts, downtimes due to third-party infrastructure outside the Provider’s sphere of control (in particular the Customer’s internet access, upstream providers or public cloud providers), and downtimes caused by circumstances for which the Provider is not responsible.

§ 15 Maintenance

15.1 The Provider is entitled to perform scheduled maintenance work on the platform at any time, with prior notification to the Customer. Scheduled maintenance shall not exceed four (4) hours per calendar month in aggregate and shall, where reasonably possible, be announced at least twenty-four (24) hours in advance and take place outside core business hours in Hamburg.

15.2 Scheduled maintenance periods within the scope of § 15.1 shall not be counted as unavailability for the purposes of the service target in § 14.1.

15.3 The Provider is entitled to perform unscheduled maintenance (including emergency patches) at any time and without prior notification in the event of urgent security incidents, severe performance degradations or in order to comply with mandatory regulatory requirements. The Provider shall inform the Customer of the incident without undue delay after it has been remedied.

§ 16 Licence and usage rights

16.1 Subject to payment of the agreed fees, the Customer receives a simple, non-exclusive, non-transferable, non-sub-licensable right to use the platform, limited in time to the term of the contract and limited in scope to the agreed number of named user accounts, to use the platform for its own internal business purposes.

16.2 The Customer has no right to the surrender of source code, build tooling, internal documentation, training data, machine-learning model weights, algorithms, design artefacts or any other underlying materials of the platform. All intellectual property rights, including copyrights, database rights, trade secrets, patents and trademarks, in and to the platform, its components and all derivative works remain with the Provider or its licensors.

16.3 All improvements, feature enhancements, fixes and other developments of the platform, including those inspired by, suggested by or derived from Customer feedback, feature requests, usage data or support tickets, are the sole and exclusive property of the Provider. The Customer hereby irrevocably grants the Provider a worldwide, royalty-free, perpetual, exclusive right to use any such feedback and suggestions for any purpose, to the extent such rights can be granted.

16.4 All rights not expressly granted in these Terms remain with the Provider or its licensors.

§ 17 Acceptable use

17.1 The Customer and its users shall use the platform exclusively for their own, lawful business purposes and in accordance with these Terms, the applicable law and any usage guidelines published by the Provider. In particular, the Customer and its users shall not:

  • reverse-engineer, decompile, disassemble, translate or otherwise attempt to derive the source code, structure or algorithms of the platform, save as mandatorily permitted by § 69e UrhG and then only after prior written request to the Provider;
  • scrape, crawl, mass-download, systematically index or otherwise extract data from the platform beyond the functionality expressly made available for this purpose;
  • use the platform or any information obtained therefrom to design, develop, train, benchmark or operate a competing product or service;
  • upload, transmit or store malicious code, unlawful content, content infringing third-party rights or content in breach of applicable law;
  • circumvent technical restrictions, usage limits, rate-limits, authentication measures or other security controls of the platform;
  • share, transfer, resell, sub-licence or otherwise make available access credentials, tokens or user accounts to any third party, whether against remuneration or free of charge;
  • use the platform to provide services to third parties without a prior written agreement with the Provider.

17.2 The Provider is entitled to block individual users or suspend the service temporarily in the event of actual or reasonably suspected violations, until the issue is remedied. Claims of the Provider for damages, contractual penalties and termination for cause remain unaffected.

§ 18 Sub-processors and subcontracting

18.1 The Provider is entitled to engage, add, replace and remove sub-processors and subcontractors for the provision of the platform at its reasonable discretion. A current list of pre-approved sub-processors is made available to the Customer upon request or in the platform.

18.2 The Provider shall inform the Customer of any intended addition or replacement of a sub-processor at least thirty (30) days in advance. The Customer may object to the change only on objective and substantive grounds that are verifiable (e.g. a documented data protection breach of the proposed sub-processor that has not been remedied). General, commercial, strategic or undocumented concerns do not constitute valid grounds for objection.

18.3 If the Customer raises a valid objection pursuant to § 18.2, the parties shall, within a reasonable period, seek an amicable solution. If no amicable solution is found, the Provider is entitled to terminate the affected contract extraordinarily with a notice period of thirty (30) days to the end of a month. Fees already paid in advance for periods after the effective date of termination shall be refunded pro rata.

§ 19 Reservation as to scope of services

19.1 The Provider may at any time change, add, replace or remove individual functions, modules or components of the platform at its reasonable discretion, in particular in order to improve usability, security, compliance or performance, provided that the core utility of the platform for the agreed use case is preserved.

19.2 Beyond the minimum functionality described in the individual contract, the Provider does not assure, guarantee or warrant the continued availability of any specific individual feature, integration or function. Feature roadmaps are non-binding indications and do not give rise to any contractual rights.

§ 20 Data portability and deletion upon contract end

20.1 For a period of thirty (30) days after the effective date of termination of the contract, the Customer is entitled to request the export of its data from the platform in a common, structured, machine-readable format reasonably determined by the Provider.

20.2 After expiry of the thirty-day period, the Provider is entitled to delete all Customer data from its productive systems without further notice, unless, and to the extent that, mandatory statutory retention obligations require continued storage. Customer data remaining in routine back-up copies shall be deleted in accordance with the Provider’s standard back-up rotation cycle.

20.3 Export support exceeding the provision of the standard export function in accordance with § 20.1 shall be invoiced by the Provider on a time-and-materials basis at its then current standard rates.

Part C: Officer-as-a-Service

§ 21 Scope of the Officer service

21.1 Under the Officer-as-a-Service offering, the Provider makes available to the Customer a qualified external officer (in particular a data protection officer, an information security officer or a compliance officer) within the scope set out in the individual service specification.

21.2 The Officer shall perform the tasks statutorily assigned to the respective officer role and any additional tasks expressly agreed in the individual contract. In particular, the Officer shall not perform representation of the Customer before courts, shall not conduct criminal defence, shall not perform product-specific technical tests or certifications, and shall not perform financial or tax audits, unless such activities are expressly included in the individual contract.

§ 22 Allocation of responsibility and liability for the Officer service

22.1 The Officer acts in an advisory and operationally supporting capacity. The Officer reports to the management of the Customer in accordance with the applicable statutory requirements.

22.2 The statutory and regulatory responsibility of the Customer towards supervisory authorities, public authorities, courts, data subjects, business partners and other third parties remains exclusively with the Customer and its management. The Officer does not enter into any statutory or contractual representation (Stellvertretung), and does not become an organ of the Customer.

22.3 The Provider shall not be liable for any consequences of decisions taken by the management of the Customer that are contrary to, that deviate from or that disregard the recommendation of the Officer. The Provider’s liability for the Officer service shall in any event be governed by § 6.

22.4 The Customer shall notify the competent authority of the appointment of the Officer in good time, where required by law, and shall provide the Officer with the authority, resources and access necessary to perform the role in accordance with the applicable statutory requirements.

§ 23 Acceptance of individual deliverables

23.1 Where the Officer service includes project-based individual deliverables (in particular audits, assessments, written opinions, policies, training materials), each deliverable shall be subject to acceptance by the Customer.

23.2 The Customer shall review each deliverable without undue delay and shall, within ten (10) calendar days after delivery or notification of completion, either declare acceptance in text form or notify any material defects in text form, specifying the defect in sufficient detail to enable reproduction and analysis. If no notification of material defects is received within this period, acceptance shall be deemed granted.

23.3 Non-material defects do not entitle the Customer to refuse acceptance. The Provider shall remedy non-material defects within a reasonable period after acceptance at its discretion by rectification or substitute performance.

23.4 The Customer shall notify obvious defects without undue delay, at the latest within five (5) business days after delivery. Non-obvious defects shall be notified without undue delay after discovery. Failure to comply with these notification periods shall result in the loss of warranty rights in respect of the defect concerned, to the extent permitted by law.

§ 24 Reporting obligations

24.1 The Officer shall report to the management of the Customer in accordance with the applicable statutory requirements and at the intervals agreed in the individual contract, and shall notify the management without undue delay of any material findings, risks or incidents identified within the scope of the Officer role.

24.2 The form of reporting (in person, in writing, via the platform, via email or otherwise) shall be determined by the Officer at reasonable discretion, taking into account the nature of the matter, the urgency and the preferences of the Customer’s management.

Part D: Final provisions

§ 25 Applicable law and jurisdiction

25.1 The contract and these Terms shall be governed exclusively by the laws of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG) and excluding the rules of private international law to the extent such rules would lead to the application of a foreign law.

25.2 The exclusive place of jurisdiction for all disputes arising from or in connection with the contract or these Terms is Hamburg, Germany. The Provider is, however, entitled, at its discretion, to bring an action at the general place of jurisdiction of the Customer.

§ 26 Text form requirement

26.1 Amendments, supplements and additions to these Terms or to the individual contract, as well as any waiver of contractual rights, require text form (§ 126b BGB) in order to be effective. This also applies to any waiver of the text form requirement itself.

26.2 Statements of termination shall in each case be declared in text form pursuant to § 2.4.

§ 27 Severability

27.1 Should any provision of these Terms or of the individual contract be or become invalid, void or unenforceable in whole or in part, the validity of the remaining provisions shall not be affected.

27.2 The parties undertake to replace the invalid, void or unenforceable provision with a valid provision that comes as close as possible to the economic purpose pursued by the invalid provision. The same applies to any gaps in these Terms. It is the express will of the parties that this severability clause should not merely reverse the burden of proof but should entirely exclude the application of § 139 BGB.

Last updated: April 21, 2026.
Contact: info@civac.de.