§ 1 Scope

1. 1.1 These General Terms and Conditions (hereinafter GTC) apply to all contracts between Conbool GmbH (hereinafter Provider) and its customers (hereinafter Customer) regarding the use of the Email Security Gateway, in particular the products “SecureMail” and “MailGuard”, and all related services. The Provider offers the solution as a SaaS-based variant (Software-as-a-Service) or an On-Premise variant (for installation on the Customer's systems).
2. 1.2 Deviating terms and conditions of the Customer shall not be recognized unless the Provider expressly agrees to their validity in writing.
3. 1.3 These GTC apply exclusively to companies within the meaning of §14 German Civil Code (BGB) (natural or legal persons acting in the exercise of their commercial or self-employed professional activity). The services are not directed at consumers (§13 BGB).

§ 2 Subject Matter of the Contract

1. The Provider makes available to the Customer an Email Security Gateway comprising functions such as email cryptography, spam-protection and more. The Customer may choose between a SaaS-based solution or an On-Premise variant. The exact services and technical details are specified in the Service Description.

2.1 SaaS Solution

1. In the SaaS variant, the software is provided exclusively via remote data connection; no physical transfer takes place.

2. The Provider makes storage space available to the Customer on a data server to store, view and process data necessary for using the service. The Provider implements reasonable measures against data loss and unauthorized third-party access.
3. The Customer retains ownership of all stored data and may request its return at any time.

2.2 On-Premise Solution

1. For the On-Premise variant, the Provider grants the Customer a license to use the software on their own infrastructure. Installation and operation of the software are solely the Customer's responsibility unless explicitly covered by a Maintenance Agreement.

2. The Customer is prohibited from reverse engineering, disassembling, or decompiling the software unless expressly permitted by law.

2.3 Usage Rights

1. The Provider grants the Customer a simple, non-exclusive and non-transferable right to use the agreed services during the contract term as specified in the Service Description.

   • For the SaaS variant, the software remains on the Provider's servers; no physical transfer occurs.
   • With the On-Premise variant, the software is installed on the Customer's systems according to license terms; all rights remain with the Provider unless otherwise agreed.
2. Any transfer, sublicensing, or commercial provision of services to third parties is prohibited without prior written consent from the Provider.

2.4 Updates and Developments

1. The Provider is entitled to regularly update and further develop the software to implement technical improvements or legal requirements.

   • For the SaaS variant, updates are automatically implemented by the Provider; the Customer will be informed of major changes in a timely manner with a notice period of at least 14 days.
   • For the On-Premise variant, the Provider makes updates available under the concluded Maintenance Agreement.

2.5 Subcontractors

1. The Provider is entitled to engage subcontractors but remains fully responsible to the Customer for complete contract fulfillment.

2.6 Liability for Certificates

1. The Provider assumes no guarantee for the trustworthiness of certificates or their acceptance by third parties.

§ 3 Contract Formation

1. The contract is formed when the Customer accepts an offer from the Provider or by using the service.
2. The Customer assures that all information provided during registration is complete and correct.

§ 4 Trial Period of the Service

1. 4.1 General Rules
   1. The Provider grants the Customer the right to test the service without obligation and free of charge as described in the Service Description. The trial period is exclusively for product testing; commercial use is prohibited.
   2. Trial accounts are limited to one registration per natural person/company.

1. 4.2 Contract Formation during Trial Period
   1. The trial period begins with the Customer's acceptance of the offer.
   2. There is no entitlement to a trial period. The Provider reserves the right to refuse or terminate the trial period early for the following reasons:
      1. Suspicion of abusive use (e.g., multiple registrations, automated bot usage, sharing of access data)
      2. Violations of §6 (particularly security and usage obligations)
      3. Technical impossibility of provision (including server failures, maintenance work, force majeure as per §12.3)
      4. Apparent criminal acts (e.g., fraud attempts, data manipulation)

1. 4.3 Termination of Trial Period
   1. The trial period ends automatically after the number of days granted in the Service Description, without requiring termination.
   2. All customer data will be deleted no later than 72 hours after the end of the trial period, unless legal retention obligations exist.

§ 5 Contract Duration and Termination

1. 5.1 Contract Duration
   5.1.1 SaaS Solution

   1. Unless otherwise agreed, the contract is concluded for a minimum term of 12 or 1 month(s). After expiration, the contract automatically renews for 12 or 1 month(s) respectively, unless terminated in due time.

1. 5.1.2 On-Premise Solution (Rental License)

   1. The license for the On-Premise solution is granted exclusively as a time-limited rental license. The minimum contract term is 12 months, unless otherwise agreed.
   2. After expiration of the minimum contract term, the rental license automatically renews for successive 12-month periods, unless terminated in due time.
   3. Upon expiration of the contract term, the right to use the software automatically expires, unless the contract is renewed.

1. 5.2 Termination Notice Periods
   5.2.1 SaaS Solution

   1. The contract can be terminated by either party with one month's notice to the end of the respective contract term, unless different notice periods have been individually agreed.

1. 5.2.2 On-Premise Solution (Rental License)

   1. The contract can be terminated with three months' notice to the end of the respective contract term.

1. 5.3 Extraordinary Termination
   The right to extraordinary termination for good cause remains unaffected. Good cause exists particularly if:

   1. The Customer defaults on payment of a due amount despite reminder and reasonable grace period;
   2. The Customer violates essential contractual obligations, particularly the terms of use;
   3. Insolvency proceedings are opened against the Customer's assets or the opening is rejected for lack of assets;
   4. For the On-Premise solution: The Customer violates license terms (e.g., reverse engineering or distribution of the software).

1. 5.4 Form of Termination

   1. The Customer defaults on payment of a due amount despite reminder and reasonable grace period;

   1. 5.5 Consequences of Contract Termination
      1. After contract termination, customer data will be either deleted or returned to the Customer in accordance with § 4 Para. 9 of the Data Processing Agreement.

   1. 5.5.1 SaaS Solution
      1. Upon contract termination, the Customer's access to the SaaS service will be deactivated, and all stored data will be deleted, unless legal retention obligations exist or otherwise agreed.
      2. The Customer is responsible for downloading or otherwise securing all needed data before the contract ends.

   1. 5.5.2 On-Premise Solution
      1. Upon contract expiration, the right to use the software automatically terminates; the Customer is obligated to completely remove the software and delete all copies.
      2. The Provider reserves the right to implement technical measures to deactivate the software after contract expiration.

§ 6 Customer Obligations

1. 6.1 General Obligations
   1. The Customer commits to using the service only within the framework of applicable laws and in accordance with contractual provisions and instructions from the Provider.
   2. The Customer is obligated to securely store access data such as passwords and protect them from unauthorized third-party access.
   3. It is prohibited to send, store, or process unlawful content via the email system, particularly content that violates applicable law or third-party rights, is pornographic, glorifies violence, discriminatory or incites hatred, or violates personality rights.

1. 6.2 Responsibility for Content
   1. The Customer is solely responsible for the content of emails sent, received, or stored via the service, as well as for all data processed with the service.
   2. The Provider does not exercise control over the content and assumes no liability for its legality.

1. 6.3 Security Obligations
   1. The Customer commits to protecting all systems and devices according to current IT security standards (e.g., through firewalls, antivirus software, and regular updates).
   2. The Customer must not take any measures that could impair the security or functionality of the service (e.g., through overload or unauthorized access).

1. 6.4 Special Obligations for On-Premise Solutions
   1. When using the On-Premise solution, the Customer is solely responsible for operating the software in their IT infrastructure and for complying with all applicable data protection and security regulations.
   2. The Customer commits to regularly backing up their data and ensuring that it is available independently of the installed software.
   3. The Customer is obligated to implement security measures such as firewalls and antivirus software to prevent unauthorized access to the software.

1. 6.5 Compliance with Legal Requirements
   1. The Customer ensures that all legal requirements for data processing in their company are met, including obligations towards third parties such as authorities or data subjects.

§ 7 Provider Obligations

1. 7.1 General Obligations
   1. The Provider ensures that the service is provided with a high level of availability (see § 11).
   2. The Provider commits to complying with all data protection requirements according to GDPR and has drafted a Data Processing Agreement (DPA) as part of these GTC.

1. 7.2 Security and Incident Notification
   1. The Provider will immediately inform the Customer of security incidents affecting personal data (e.g., data protection breaches according to Art. 33 GDPR).
   2. The Provider commits to taking all necessary measures to contain a security incident and to support the Customer in fulfilling their reporting obligations to supervisory authorities or affected individuals.

1. 7.3 Special Obligations for SaaS Solutions
   1. The Provider provides storage space on a server and commits to taking appropriate measures against data loss and unauthorized third-party access.
   2. The Provider will inform the Customer in a timely manner about planned maintenance work or changes to the service.

1. 7.4 Special Obligations for On-Premise Solutions
   1. When using the On-Premise solution, the Provider supplies the Customer with installation instructions and technical documentation.
   2. Updates or patches are provided by the Provider according to the maintenance contract.

§ 8 Setup and Configuration

1. 8.1 General Regulation
   1. The setup and configuration of the Email Security Gateway are fundamentally the responsibility of the Customer and are not part of the services provided by the Provider in the basic contract.
   2. The Provider provides the Customer with detailed documentation and support materials to facilitate independent setup.

1. 8.2 Additional Services
   1. If desired, the Customer can purchase setup and configuration as an additional paid service from the Provider.
   2. For the On-Premise variant, the Provider can offer assistance with installation and integration into the Customer's IT infrastructure upon request. This service is charged separately.

1. 8.3 Customer Responsibilities (On-Premise)
   1. The Customer bears sole responsibility for the installation, configuration, and operation of the software within their IT infrastructure, unless additional services have been agreed upon with the Provider.
   2. The Customer is obligated to meet all technical requirements as specified in the provided documentation.

§ 9 Data Protection and Data Security

1. 9.1 General Data Protection Regulation
   1. The Provider processes personal data exclusively in accordance with GDPR and has provided a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.
   2. Logs are maintained solely for troubleshooting and security monitoring purposes and can be accessed by the Customer upon request. All stored logs will be deleted after a maximum of 90 days unless there are legal retention obligations.

1. 9.2 Confidentiality and Access
   1. The Provider does not have direct access to email contents; these are processed in-stream without being stored. Customer certificates and keys are password-protected and hashed to prevent direct access by the Provider.
   2. In case of support issues, the Provider may temporarily access metadata with explicit Customer consent to diagnose and resolve technical problems.

1. 9.3 Subcontractors
   1. Subcontractors used by the Provider are listed in Appendix [1] of the DPA and comply with Art. 44 et seq. GDPR requirements.
   2. Changes to subcontractors will be communicated to Customers at least 14 days before their deployment in writing or text form.

1. 9.4 Logging (Logs)
   1. The Provider maintains logs of email traffic and cryptographic operations performed, solely for troubleshooting and security monitoring purposes, which can be reviewed by Customers upon request.
   2. Logs do not contain email contents or other personal data unless technically necessary (e.g., email addresses).

§ 10 Fees and Payment

1. 10.1 General Provisions
   1. The Customer agrees to pay the Provider the agreed-upon fees plus statutory VAT for the contractual services rendered.
   2. Unless otherwise agreed, fees are based on the price list valid at the time of contract conclusion. The current prices are available in the Customer area or upon request.

10.2 Payment Modalities

1. 10.2.1 SaaS Solution
   1. Fixed fees (e.g., base charges) are payable in advance for the first billing period unless a different billing cycle is agreed upon. Subsequent billing periods (e.g., monthly, quarterly, or annually) are also payable in advance.
   2. Payments must be made via credit card, SEPA direct debit, bank transfer, or the payment service provider Stripe, unless explicitly agreed otherwise.

1. 10.2.2 On-Premise Solution
   1. Fees for on-premise licenses are payable as time-limited rental licenses in advance for the entire or a part of the contract term unless otherwise agreed.

1. 10.3 Usage-Based Fees
   1. In addition to the agreed-upon base fees, usage-based charges may apply unless otherwise contractually stipulated. These charges may arise, for example, from performing cryptographic operations as well as certificate and key storage exceeding the included amount. The prices and included quantities can be found on the website.
   2. The calculation of usage-based fees is based on the customer's actual use of the service during the respective billing period and is transparently presented in a summary or invoice.

1. 10.4 Price Adjustments
   1. The Provider is entitled to adjust prices once annually at its reasonable discretion in accordance with § 315 BGB to account for changes in cost factors that are significant for pricing:
      1. Operating costs (e.g., data centers, hardware, technical services).
      2. License costs (e.g., software licenses).
      3. Personnel and energy costs as well as government-imposed fees or taxes.
   2. A price adjustment is limited to the extent of changes in cost factors and can lead to both an increase and a decrease in prices. Cost reductions will be considered to the same extent as cost increases.

1. 10.5 Notification and Termination Right for Price Adjustments
   1. The Provider will notify the Customer of a price change at least eight weeks before it takes effect in text form (e.g., via email).
   2. In case of a fee increase, the Customer has the right to terminate the contract without notice period at the time the change takes effect. This right of termination does not apply if the change is solely based on government-imposed taxes, fees, or charges, or if it is exclusively in favor of the Customer.

1. 10.6 Payment Default
   1. The Customer is considered in default if a due payment is not made within 30 calendar days after receiving the invoice and the amount has not been credited to the Provider's account (§ 286 Abs. 3 BGB).
      • The Provider will remind the Customer in writing or in text form (e.g., via email) of the outstanding payment and set a grace period of at least 10 calendar days.
      • If payment is still not made despite the reminder and grace period, the Provider will issue a second reminder, granting an additional grace period of 14 calendar days, explicitly warning of potential service deactivation.
   2. From the moment of default, the Provider is entitled to:
      • Charge default interest of up to 9 percentage points above the base interest rate (§ 288 Abs. 2 BGB, in business transactions);
      • Temporarily deactivate the contractual service (e.g., access to the Customer account, software, or service) if:
        • The Customer was warned of deactivation in the second reminder
        • The grace period from the second reminder (14 days) has expired without payment
   3. Deactivation will be reversed immediately once the Customer has fully settled all outstanding amounts. Deactivation does not release the Customer from their payment obligations.
   4. If the Customer remains in default for more than 60 days or in cases of severe payment delay, the Provider is entitled to terminate the contract without notice (§§ 314, 323 BGB).
   5. The assertion of further claims for damages (e.g., judicial or extrajudicial collection costs) is expressly reserved.

   1. 10.7 Chargebacks
      • Costs incurred due to chargebacks for which the Customer is responsible shall be borne by the Customer in full.

§ 11 Availability and Support

11.1 Service Availability

11.1.1 SaaS Solution

1. The Provider guarantees an annual average availability of 99% for the SaaS service at the handover point.
2. Excluded from the availability guarantee are:
   • Scheduled maintenance work, which will be announced to the Customer at least 48 hours in advance and, if possible, carried out outside regular business hours;
   • Events of force majeure (e.g., natural disasters, power outages);
   • Disruptions caused by the Customer or their IT infrastructure.

11.1.2 On-Premise Solution

1. For the on-premise solution, the Provider does not guarantee the availability of the service, as operation and maintenance are the sole responsibility of the Customer, unless a hybrid solution is used.
2. The Provider will provide updates and patches as part of a maintenance agreement to ensure the functionality of the software.

11.2 Maintenance and Troubleshooting

1. 11.2.1 SaaS Solution
   • Critical disruptions (e.g., when core functions are unusable) will be resolved within four hours after receiving the disruption report, provided it is submitted during business hours.
   • For less critical disruptions, the Provider will aim to resolve them within a reasonable timeframe.
   • During maintenance work, it may be necessary for the Provider to access the Customer's configuration. The Customer must grant permission for this access.

1. 11.2.2 On-Premise Solution
   • The Provider offers support for critical disruptions only as part of an agreed-upon maintenance contract.
   • Resolving disruptions may require interventions in the Customer's IT infrastructure; the Customer is obligated to grant the Provider access for this purpose.

1. 11.3 Support Services

1. 11.3.1 General Support Provisions
   • The Provider offers support via email or ticket system with a guaranteed response time of 48 hours on business days.
   • Support inquiries can be submitted through the channels specified in the Customer area.

1. 11.3.2 Telephone Support
   • The Provider offers support via email or ticket system with a guaranteed response time of 48 hours on business days.

1. 11.3.3 Limitations
   • The Provider is not obligated to provide support for issues caused by improper use or modifications to the software made by the Customer.