1 Subject matter of the contract - scope of application
1.1 Gürtler & Roach Cybersecurity, GmbH, Leopoldstraße 31, 80802 Munich, Germany (hereinafter referred to as “G&R Cybersecurity”), provides services for the client in accordance with the contractually agreed scope of services. G&R Cybersecurity shall provide the services on its own responsibility; the client shall remain responsible for the results sought and achieved by the client.
1.2 The services owed shall be provided in accordance with the service descriptions specified in the contract.
1.3 The results found are only valid at the time of the service provided.
1.4 Due to possible limitations of time, financial and personnel resources, G&R Cybersecurity does not guarantee that all existing errors will be found.
1.5 Conflicting or deviating GTC or other restrictions of the client shall not become part of the contract unless G&R Cybersecurity has expressly agreed to them in text form in individual cases prior to conclusion of the contract.
1.6 These GTC shall also apply to all future similar business relationships, even if they are not expressly agreed again.
1.7 Individual agreements made with the client in individual cases shall always take precedence over these GTC.
1.8 If the GTC and the contract on which the GTC are based contain deviating terms and conditions, the terms of the respective contract shall apply in case of doubt. 2 Formation of the Contract, Schedules
2.1 Offers from G&R Cybersecurity are non-binding unless otherwise stated and are valid for 30 days from the date of the offer.
2.2 A contract is concluded with the acceptance of an offer transmitted in writing or in text form by G&R Cybersecurity by the client, or by means of an order transmitted in writing or in text form by the client and the receipt of a corresponding order confirmation from G&R Cybersecurity by the client.
2.3 The contracting parties agree on schedules for the provision of services. These can be changed by mutual consent. 3 Modification of the Agreed Services
3.1 Either party may request modifications to the agreed scope of services from the other party in written or text form. Upon receiving a modification request, the recipient shall examine whether and under what conditions the modification can be implemented and shall promptly notify the requester in writing or in text form of the approval or rejection of the request, providing reasons if applicable.
3.2 If a modification request from the client requires extensive examination, G&R Cybersecurity may charge for the effort required.
3.3 The contractual adjustments necessary for the examination and/or modification of the agreed terms and services will be stipulated in an addendum to this contract.
3.4 Until the client’s consent is obtained, G&R Cybersecurity will continue the services under the existing contract. However, either party may request that the services affected by the modification be suspended until the modification agreement is concluded. 4 Obligations of Cooperation by the Client
4.1 The client shall provide all reasonable or necessary cooperation services in a timely, complete manner and free of charge to G&R Cybersecurity, including those listed below.
4.2 During the execution of services by G&R Cybersecurity, the client must ensure that all documents necessary for G&R Cybersecurity to perform their activities are provided in a timely manner, all information is communicated to G&R Cybersecurity, and they are informed of all events and circumstances. This also applies to documents, events, and circumstances that become known during the activities of G&R Cybersecurity.
4.3 The client shall designate a contact person and a deputy for G&R Cybersecurity, who will act as a coordinator responsible for the overall obligations of the client under this contract, and provide G&R Cybersecurity with their contact details, as well as the contact details of the client’s IT security officer and data protection officer.
4.4 The client shall appoint a system manager with contact details for G&R Cybersecurity. The system manager and their deputy, in addition to the executive management, are the contact persons for G&R Cybersecurity for all matters regarding the execution of the contract.
4.5 The client is responsible for ensuring that the IT security officer and/or data protection officer, if the client has one, are informed and involved in the services provided by G&R Cybersecurity.
4.6 If the client has outsourced services to a host, the client ensures that the host is also involved in the contract, insofar as the contracted services of G&R Cybersecurity also relate to these services.
4.7 As necessary for the fulfillment of this contract, the coordinator will provide necessary information to G&R Cybersecurity and participate in meetings with them.
4.8 During the fulfillment of the contract, the client grants G&R Cybersecurity free and secure access to its business premises to an appropriate extent and is willing to provide necessary working conditions (such as space, telephone, and data viewing devices) free of charge.
4.9 If requested by G&R Cybersecurity for a planned white-box test, the client shall provide all necessary information, especially the following information, in a timely manner. 5 Client’s Obligation for Backup – Important Notices to the Client
5.1 Prior to conducting penetration tests, the client commits to fully securing all systems to be tested by G&R Cybersecurity and the related data through an external backup. In addition, the client must take all necessary security measures, including those beyond a backup, before using the service, in order to be able to restore the systems and data to their original state if necessary after the penetration tests. The client also commits to regularly ensuring a complete backup of their data outside the target system before conducting the penetration test. 6 Client’s Assurance – Obtaining Consents – Liability of the Client
6.1 The client assures that the target systems are operated and used solely by the client and that third parties will not be affected by any impairment of the target systems or systems associated with them. If the target systems are not used exclusively by the client, the client assures that they have obtained the consent of the affected third parties for an attack on the target system in text form and has informed the affected third parties about the possible effects of the penetration tests according to this agreement.
6.2 The client will obtain any further necessary consents from third parties, e.g., according to the GDPR, in a timely manner. If available, the client will inform their data protection officer / IT security officer in time about the planned penetration tests.
6.3 The client commits to immediately inform the competent supervisory authority and, if applicable, the affected persons in accordance with the GDPR, should there be an obligation to inform in the event of unlawful acquisition of data within the meaning of the EU General Data Protection Regulation (GDPR).
6.4 The client indemnifies G&R Cybersecurity from all claims made by third parties against G&R Cybersecurity, their legal representatives, and/or vicarious agents in the event of a culpable violation of the aforementioned obligations by the client or another third party. This also applies to damages incurred by third parties due to the impairment of systems connected with the target system. The client will bear all costs and fees for the necessary legal pursuit in the statutory amount, as well as all damages, losses, and expenses, insofar as the legal violation is attributable to the client. The foregoing does not apply in the event of gross negligence or intentional conduct by G&R Cybersecurity or in the case of violation of cardinal obligations (essential contractual obligations, the fulfillment of which enables the proper execution of the contract and upon whose compliance the client regularly relies and may rely) or in the case of injury to life, body, or health. 7 Cancellation of the penetration test - end of the penetration test
7.1 The client has the right to cancel the penetration test at any time. For this purpose, a notification in text form by the client’s management or system administrator to G&R Cybersecurity is sufficient.
7.2 G&R Cybersecurity is itself entitled and obliged to cease the attack on the target system immediately if G&R Cybersecurity receives notification of an unauthorised attack on its systems from affected third parties. The client who has commissioned an attack on these target systems shall be liable for the resulting damage.
7.3 If clearly private or incriminated data is found, G&R Cybersecurity shall discontinue the penetration test in this area and terminate it immediately. The cancellation must be documented in the final report without listing the data.
7.4 After completion of the penetration test, G&R Cybersecurity shall immediately and irrevocably delete all data from the client’s target system that was stored by G&R Cybersecurity during the practical tests or that G&R Cybersecurity may have received from the client’s system during the test. 8 Costs in the event of cancellation and inactivity
8.1 If the contract and thus the services of G&R Cybersecurity are cancelled prematurely by the client, or if no progress is made for a period of three months as measured by the agreed milestone plan (‘inactivity’), the activities and expenses of G&R Cybersecurity that are not already covered by any advance payments made by the client shall be invoiced up to a maximum of the total volume of the project at the end of the month.
8.2 In the event of inactivity, invoicing shall not automatically cancel or terminate the contract. 9 Note on the dangers of penetration testing
9.1 Penetration tests are always associated with an unavoidable risk. A restriction to test methods test methods that are not associated with any risk is not recommended, as the significance would be too low. would be too low.
9.2 The client is expressly advised that penetration tests may cause damage to the existing system. existing system may occur. In the course of penetration tests, it can happen, for example that the target systems fail and / or services are temporarily unavailable or impaired. be impaired. In particular, penetration tests can only detect impairments and changes can only be rectified by means of recovery backups or, in some cases, extensive reworking by the client. In addition, there is also the risk of loss of data from the target system or data. 10 Rights to the Work Results
10.1 Rights to work results, such as evaluations, planning documents, reports, documentation, drawings, and similar materials, which are delivered to the client in written, machine-readable and/or other forms of representation according to the agreed scope of services, belong to the client, subject to the provisions below.
10.2 All rights to the basic materials introduced by G&R Cybersecurity, including the rights to working documents, remain with G&R Cybersecurity.
10.3 Both contracting parties may freely use ideas, concepts, know-how, and techniques that are developed by G&R Cybersecurity or in collaboration with the client. Inventions made by G&R Cybersecurity within the framework of this contract and the protective rights granted thereon belong to G&R Cybersecurity. However, the client receives a non-exclusive, irrevocable, royalty-free, worldwide license for the inventions made by G&R Cybersecurity within the framework of this contract. Joint inventions and the protective rights granted thereon belong to both contracting parties, and each of these parties may grant licenses or confer or transfer rights without informing the other party or making payments to them.
10.4 This contract does not prevent G&R Cybersecurity from developing materials for third parties, granting them rights to use these materials, or granting rights to them, which are similar to the materials delivered to the client. However, in developing materials for third parties, G&R Cybersecurity will not wholly or partially copy the work results created exclusively and directly for the client in fulfillment of this contract. 11 Personnel
11.1 G&R Cybersecurity will appoint a contact person for the coordinator of the client for mutual coordination and clarification of all questions that arise during the provision of services.
11.2 During the provision of services, the contracting parties are responsible for the supervision, management, control, and remuneration of their respective employees.
11.3 Employees of G&R Cybersecurity will not enter into an employment relationship with the employer (client). 12 Confidential Data, Data Protection
12.1 The contracting parties commit to treating all information related to the affairs of the other party, which are made accessible in the course of the contract or obtained during collaboration, as confidential. This includes information that is marked as confidential, designated as confidential, or recognizable as confidential by an objective observer, as well as business and trade secrets, particularly, but not limited to, information, data, ideas, concepts, and business models. The contracting parties are prohibited from exploiting confidential information for any purpose other than fulfilling contractual obligations, disclosing it to third parties, or using it in any other way without the written consent of the other contracting party.
12.2 Both contracting parties commit to imposing the obligation of confidentiality on all employees and/or third parties (freelancers, etc.) who have access to the aforementioned business transactions.
12.3 The obligation of confidentiality does not apply to information that was already known to the respective other party at the conclusion of the contract, that was already published at the time of disclosure by the disclosing party without this being due to a breach of confidentiality by the respective other party, that the respective other party has expressly released in writing for disclosure, that the respective other party has lawfully obtained from other sources without confidentiality restrictions, provided that the disclosure and exploitation of such confidential information do not violate contractual agreements, legal regulations, or official orders, that the respective other party has developed independently without access to the client’s confidential information, or that must be disclosed due to legal information, instruction, and/or publication obligations or official orders. As far as permissible, the obligated party will inform the other party as early as possible and support them to the best of their ability in opposing the disclosure obligation.
12.4 G&R Cybersecurity commits to not communicate to third parties about the security vulnerabilities found, the organizational structures, the structure of the reviewed IT systems, or any company know-how of the client that has been observed.
12.5 The obligation of confidentiality continues after the termination of the contract.
12.6 The contracting parties commit to complying with the provisions of the GDPR. Insofar as the processing of personal data is carried out by the contractor, the parties will conclude a separate agreement for this purpose. 13 Contract Duration – Termination
13.1 The contract ends after the agreed services have been provided. An extension of the contract can be agreed in writing or in text form at any time before its termination, subject to the current prices and conditions of G&R Cybersecurity.
13.2 Otherwise, the notice period for termination is four weeks to the end of the month, unless agreed differently in individual cases.
13.3 The right to terminate the contract without notice for important reasons remains unaffected.
13.4 Each termination must be in writing to be effective. 14 Remuneration and Payment Terms
14.1 All prices are subject to the respective applicable statutory value-added tax.
14.2 The services of G&R Cybersecurity and any additional costs (travel expenses, materials, shipping costs, etc.) will be invoiced according to the payment terms listed in the offer or contract.
14.3 Invoices are payable immediately upon receipt without deduction.
14.4 If the invoice amount is not received by G&R Cybersecurity within 30 days of the invoice date, G&R Cybersecurity is entitled to charge default interest at the statutory rate.