Important Notice: This English version is a non-binding translation of the original German General Terms and Conditions (AGB). The legally binding version is the German text. In case of discrepancies, the German version shall prevail.
§ 1 Scope
1.1 These General Terms and Conditions (hereinafter “GTC”) apply to all contracts between Conbool GmbH (hereinafter the “Provider”) and its customers (hereinafter the “Customer”) for the use of the email security gateway, in particular the products “SecureMail” and “MailGuard”, as well as all related services and additional modules (e.g., Disclaimer/Signature Manager, message portal, Outlook add-in). The Provider offers the solution both as a SaaS-based variant (Software-as-a-Service) and as an on-premise variant (for installation on the Customer’s systems).
1.2 The Customer’s deviating terms and conditions shall not be recognized unless the Provider expressly agrees to their applicability in writing.
1.3 These GTC apply exclusively to businesses within the meaning of § 14 BGB (natural or legal persons acting in the exercise of their commercial or self-employed professional activity). The services are not directed at consumers (§ 13 BGB).
§ 2 Subject Matter of the Contract
The Provider provides the Customer with an email security gateway which may include functions such as email cryptography, spam protection, and other features. The Customer may choose between a SaaS-based solution and an on-premise variant. The exact services and technical details are set out in the service description: https://conbool.com/service-description.
2.1 SaaS Solution
- In the SaaS variant, the software is provided exclusively via a remote data connection; there is no physical delivery.
- The Provider provides the Customer with storage space on a data server to store, view, and process the data required to use the service. The Provider undertakes to implement appropriate measures against data loss and unauthorized access by third parties.
- The Customer remains the owner of all data stored on the servers and may request its return at any time.
2.2 On-Premise Solution
- In the on-premise variant, the Provider grants the Customer a license to use the software on the Customer’s own infrastructure. Installation and operation of the software are the sole responsibility of the Customer unless a maintenance agreement has been expressly concluded.
- The Customer is prohibited from reverse engineering, disassembling, or decompiling the software unless expressly permitted by law.
2.3 Rights of Use
- The Provider grants the Customer a simple, non-exclusive, non-transferable right to use the agreed services during the term of the contract within the scope of the service description:
- In the SaaS variant, the software remains on the Provider’s servers; there is no physical delivery.
- In the on-premise variant, the software is installed on the Customer’s systems in accordance with the license terms; all rights remain with the Provider unless otherwise agreed contractually.
- Passing on, sublicensing, or providing the services to third parties for remuneration is not permitted without the Provider’s prior written consent.
- The granting of contractual rights of use is subject to the suspensive condition of full payment of the remuneration owed.
2.4 Updates and Further Development
- The Provider is entitled to regularly update and further develop the software in order to implement technical improvements or legal requirements.
- In the SaaS variant, updates are carried out automatically by the Provider; the Customer will be informed of material changes in due time with at least 14 days’ notice.
- In the on-premise variant, the Provider makes updates available within the scope of a concluded maintenance agreement.
2.5 Subcontractors
The Provider is entitled to engage subcontractors, but remains responsible to the Customer for full performance of the contract.
2.6 Certificate Services (MPKI)
- The Provider enables the Customer to connect an existing MPKI of the Customer or to use certificate services via certification authorities mediated or integrated by the Provider.
- Customer MPKI: If the Customer uses its own MPKI, the Customer bears sole responsibility for configuration, policies, application and approval processes, identity verification, issuance, renewal, blocking, and revocation of certificates. The Provider merely provides technical interfaces and does not owe any legal or substantive review of the Customer’s certificate policies.
- MPKI obtained via the Provider: If the Customer obtains certificate services via the Provider, the terms and conditions of the respective certification authority shall also apply, including its Certificate Policy (CP) / Certification Practice Statement (CPS). Decisions of the certification authority regarding verification, issuance, rejection, suspension, or revocation are outside the Provider’s sphere of influence.
- The Customer shall ensure that all information and evidence required for certificate applications are correct, complete, and up to date, and shall cooperate without undue delay in any re-validations.
- The Customer shall protect private keys and, where applicable, cryptographic carriers from unauthorized access. Unless a separate escrow service has been agreed, restoration of lost private keys is excluded.
- The Customer consents that, as part of certificate applications, personal data may be transmitted to the respective certification authority. The Customer declares that it has taken note of and accepts the certificate policies (CP/CPS) of the respective certification authority. Consent is given expressly for each MPKI order, electronically or in writing.
- In the event of suspected misuse, legal violations, or policy violations, the Provider is entitled to temporarily block the technical connection to certificate services and to request the Customer to remedy the situation.
2.7 Outlook Add-in and Third-Party Platform Integrations (e.g., Microsoft 365/Outlook)
- If contractually agreed, the Provider provides the Customer with an Outlook add-in (e.g., “Signature Manager/Disclaimer Add-in”) which—depending on configuration and permissions—can insert or display signatures/disclaimers client-side in email drafts.
- Use of the add-in may require integration of third-party platforms (in particular Microsoft 365/Outlook and, where applicable, Microsoft Graph/Entra ID). Functionality may depend on the availability, technical specifications, policies, and changes of these third-party platforms.
- Where provision of the add-in takes place via marketplaces/stores or third-party administration portals, the respective third-party terms and conditions shall apply in addition. The Provider does not warrant that such store/platform terms and conditions will remain unchanged.
§ 3 Conclusion of Contract
- The contract is concluded by the Customer’s acceptance of an offer made by the Provider or by use of the service.
- The Customer warrants that all information provided during registration is complete and correct.
§ 4 Trial Phase of the Service
4.1 General Rule
- The Provider grants the Customer the right to test the service on a non-binding basis and free of charge as described in the service description. The trial phase serves solely for product evaluation; commercial use is prohibited.
- Trial accounts are limited to one registration per natural person/company.
4.2 Contract Formation During the Trial Phase
- The trial phase begins upon the Customer’s acceptance of the offer.
- There is no entitlement to a trial phase. The Provider reserves the right to refuse the trial phase or terminate it early for the following reasons:
- suspicion of abusive use (e.g., multiple registrations, automated bot use, sharing of access credentials)
- violations of § 6 (in particular security and usage obligations)
- technical impossibility of provision (including server outages, maintenance, force majeure pursuant to § 12.4)
- evident criminal acts (e.g., attempted fraud, data manipulation)
4.3 End of the Trial Phase
- The trial phase ends automatically after expiry of the number of days granted in the service description, without requiring termination.
- All Customer data will be deleted no later than 72 hours after the end of the trial phase in accordance with § 5.5, unless statutory retention obligations apply.
§ 5 Term and Termination
5.1 Term
5.1.1 SaaS Solution
- Unless otherwise agreed, the contract is concluded for a minimum term of 12 months. After the minimum term expires, the contract automatically renews for successive 12-month periods unless terminated in due time.
5.1.2 On-Premise Solution (Rental License)
- The license for the on-premise solution is granted exclusively as a time-limited rental license. The minimum term is 12 months unless otherwise agreed.
- After the minimum term expires, the rental license automatically renews for successive 12-month periods unless terminated in due time.
- Upon expiry of the contract term, the right to use the software automatically lapses unless the contract is extended.
5.2 Notice Periods
5.2.1 SaaS Solution
- Either party may terminate the contract with three months’ notice to the end of the respective contract term unless different notice periods have been agreed individually.
5.2.2 On-Premise Solution (Rental License)
- Either party may terminate the rental license contract with three months’ notice to the end of the respective contract term unless different notice periods have been agreed individually.
5.3 Extraordinary Termination
The right to extraordinary termination for cause remains unaffected. Cause exists in particular if:
- the Customer is in default with payment of a due amount despite reminder and reasonable grace period;
- the Customer breaches material contractual obligations, in particular the terms of use;
- insolvency proceedings are opened over the Customer’s assets or opening is rejected due to lack of assets;
- in the on-premise solution: the Customer violates license terms (e.g., reverse engineering or distribution of the software).
5.4 Form of Termination
- Any termination must be made in text form (e.g., email) or in writing, unless expressly agreed otherwise.
5.5 Consequences of Contract Termination
After termination, Customer data will either be deleted or returned to the Customer in accordance with Section 4(9) of the Data Processing Agreement (https://conbool.com/dpa).
5.5.1 SaaS Solution
Upon termination, the Customer’s access to the SaaS service is deactivated and all stored data is deleted, unless statutory retention obligations apply or otherwise agreed. The Customer is responsible for downloading or otherwise securing all required data prior to contract end.
5.5.2 On-Premise Solution (Rental License)
Upon expiry of the contract, the right to use the software automatically lapses; the Customer is obliged to fully remove the software and delete all copies. The Provider reserves the right to implement technical measures to deactivate the software after expiry of the contract.
5.6 Special Rules for MPKI Terms
- Terms and renewals of certificates obtained via the Provider are governed exclusively by the conditions of the respective certification authority and are independent of the term of the SaaS or on-premise contract.
- Termination of the contract with the Provider does not affect existing certificates. The Customer bears any fees of the certification authority until the respective expiry or effective termination vis-à-vis the certification authority.
§ 6 Customer Obligations
6.1 General Obligations
The Customer undertakes:
- to use the service only in compliance with applicable laws and in accordance with the contractual provisions and the Provider’s instructions;
- to keep access data such as passwords secure and protect them from unauthorized third-party access;
- not to send, store, or process unlawful content via the email system, in particular no content that
- violates applicable law or third-party rights,
- is pornographic, glorifies violence, discriminatory, or constitutes incitement of hatred,
- violates personal rights or calls for criminal acts.
6.2 Responsibility for Content
- The Customer is solely responsible for the content of emails sent, received, or stored via the service, as well as for all data processed with the service.
- The Provider does not monitor content and assumes no liability for its legality.
6.3 Use of the Message Portal and Disclosure to Third Parties
- The Customer may make messages stored in the message portal accessible to third parties only via the security mechanisms provided by the Provider (e.g., password protection, temporary links).
- The Customer must ensure that a data protection legal basis exists for disclosure to third parties. The Customer is obliged to fulfill all relevant information obligations pursuant to Arts. 13 and 14 GDPR vis-à-vis affected third parties, e.g., by providing notices upon first access.
- In case of suspected abusive use of access, the Customer must immediately take appropriate measures to block access.
- Responsibility for content, legality, and access sharing remains entirely with the Customer.
6.4 Security Obligations
- The Customer undertakes to protect all systems and devices in accordance with current IT security standards (e.g., firewalls, antivirus software, regular updates).
- The Customer must not take any measures that could impair the security or functionality of the service (e.g., overloading or unauthorized access).
6.5 Special Obligations for On-Premise Solutions
- When using the on-premise solution, the Customer is solely responsible for operating the software in its IT infrastructure and for compliance with all applicable data protection and security regulations.
- The Customer undertakes to perform regular backups of its data and to ensure these are available independently of the installed software.
- The Customer must implement security measures such as firewalls and antivirus software to prevent unauthorized access to the software.
6.6 Compliance with Legal Requirements
- The Customer shall ensure that all statutory requirements for data processing within its company are complied with, including obligations towards third parties such as authorities or data subjects.
6.7 Additional Obligations When Using the Disclaimer/Signature Manager and Outlook Add-in
- The Customer is responsible for the substantive correctness, up-to-dateness, and legal permissibility of the signatures/disclaimers used (e.g., mandatory information, data protection notices, advertising content), as well as for selecting the use cases (e.g., which recipient groups, languages, exceptions).
- The Customer warrants that it holds all necessary rights to embedded assets (e.g., logos, images, fonts, files) and that their use does not infringe third-party rights.
- The Customer shall ensure that all necessary technical prerequisites for the use of third-party integrations (e.g., Microsoft 365/Outlook, Entra ID, connectors) are met, in particular required administrative approvals (e.g., consent), roles/permissions, and configurations.
- The Customer is obliged to configure settings and permissions according to the principle of data minimization and to activate only those data flows necessary for the intended purpose.
- The Customer is responsible for ensuring that internal policies (e.g., works council, compliance, IT security) cover use of an add-in and the associated processing.
§ 7 Provider Obligations
7.1 General Obligations
- The Provider ensures that the service is provided with a high level of availability (see § 11).
- The Provider undertakes to comply with all data protection requirements under the GDPR and has provided a Data Processing Agreement (https://conbool.com/dpa) as part of these GTC.
7.2 Security and Incident Notification
- The Provider will inform the Customer without undue delay if security incidents occur that affect personal data (e.g., personal data breaches pursuant to Art. 33 GDPR).
- The Provider undertakes to take all necessary measures to contain a security incident and to support the Customer in fulfilling any reporting obligations towards supervisory authorities or data subjects.
7.3 Special Obligations for SaaS Solutions
- The Provider provides storage space on a server and undertakes to implement appropriate measures against data loss and unauthorized third-party access.
- The Provider informs the Customer in due time about planned maintenance or changes to the service.
7.4 Special Obligations for On-Premise Solutions
- When using the on-premise solution, the Provider provides installation instructions and technical documentation.
- Updates or patches are provided by the Provider in accordance with the maintenance agreement.
7.5 Special Notes on the Outlook Add-in
- Within the scope of the contract, the Provider provides the technical availability and updating of the add-in in accordance with the service description.
- However, the Provider does not warrant compatibility of the add-in with all third-party environments, policies, client versions, or add-in restrictions; in the event of material third-party changes, the Provider will endeavor to make reasonable adjustments insofar as economically and technically feasible.
§ 8 Setup and Configuration
8.1 General Rule
- Setup and configuration of the email security gateway are generally the Customer’s responsibility and are not part of the Provider’s services under the main contract.
- The Provider provides the Customer with comprehensive documentation and support materials to facilitate independent setup.
8.2 Additional Services
- Upon request, the Customer may purchase setup and configuration as an additional paid service from the Provider.
- For the on-premise variant, the Provider may, upon request, support installation and integration into the Customer’s IT infrastructure. This service is billed separately.
8.3 Customer Responsibility (On-Premise)
- The Customer bears sole responsibility for installation, configuration, and operation of the software in its IT infrastructure unless additional services by the Provider have been agreed.
- The Customer undertakes to meet all technical requirements as set out in the provided documentation.
§ 9 Data Protection and Data Security
9.1 General Data Protection Rules
- The Provider processes personal data exclusively in accordance with the GDPR and has provided a Data Processing Agreement (https://conbool.com/dpa) pursuant to Art. 28 GDPR.
- Logs are maintained exclusively for troubleshooting and security monitoring and can be made available to the Customer upon request. All stored logs are deleted no later than 90 days after they are created, unless statutory retention obligations apply.
9.2 Confidentiality and Access
- The Provider generally processes emails in a streaming manner and stores content only where technically required for certain functions (e.g., display in the message portal). Access to stored content takes place exclusively in encrypted form and in compliance with applicable data protection standards. Customer certificates and private keys are stored encrypted. Passwords are stored exclusively as hash values. Technical access to plain text by the Provider is not possible.
- In support cases, the Provider may—with the Customer’s express consent—temporarily access metadata to diagnose and remedy technical issues.
- External recipients who access messages via the message portal receive GDPR-compliant information about data processing upon first access. The Provider provides the technical means for this information obligation (e.g., banner or notice text).
9.3 Subcontractors
- Subcontractors used by the Provider are listed in the DPA and meet the requirements pursuant to Arts. 44 et seq. GDPR.
- Changes to subcontractors will be communicated to the Customer at least 14 days before their use, in writing or in text form.
9.4 Logging
- The Provider maintains logs relating to mail flow and cryptographic operations used. These logs serve exclusively for troubleshooting and security monitoring and can be made available to the Customer upon request.
- Logs do not contain email content or other personal data unless technically necessary (e.g., email addresses, technical status information).
9.5 Particularities for Add-ins and Third-Party Platforms
- Where the Outlook add-in is executed in third-party environments (e.g., Microsoft 365/Outlook), parts of the processing take place within the third party’s technical sphere and under its terms.
- The Provider processes data in connection with the add-in (e.g., template retrievals, technical event data) only insofar as necessary for service provision, troubleshooting, and security, and otherwise in accordance with the DPA.
§ 10 Remuneration and Payment Terms
10.1 General Rule
- The Customer undertakes to pay the agreed fee for the contractual services plus statutory VAT.
- Unless otherwise agreed, remuneration is based on the price list valid at the time of contract conclusion. Current prices are available in the customer area or upon request.
10.2 Payment Methods
10.2.1 SaaS Solution
- Remuneration for SaaS licenses is payable exclusively in advance on an annual basis. The billing period is 12 months.
- Payments are made by credit card, SEPA direct debit, bank transfer, or via the payment service provider Stripe, unless another payment method is expressly agreed.
10.2.2 On-Premise Solution
- Remuneration for on-premise rental licenses is payable annually in advance. The billing period is 12, 24, or 36 months.
10.3 Price Adjustments
- The Provider is entitled to adjust prices once per year at its reasonable discretion pursuant to § 315 BGB in order to reflect changes in cost factors relevant to pricing, in particular:
- operating costs (e.g., data centers, hardware, technical services),
- license costs (e.g., software licenses),
- personnel and energy costs as well as fees or taxes imposed by public authorities.
- Any price adjustment is limited to the extent of changes in the cost factors and may result in price increases or decreases. Cost reductions are taken into account to the same extent as cost increases.
10.4 Notice and Right of Termination in Case of Price Adjustments
- The Provider will notify the Customer of any price change at least eight weeks prior to its effective date in text form (e.g., email).
- In the event of a fee increase, the Customer has the right to terminate the contract without observing a notice period effective at the end of the current contract period. Fees paid in advance for the current period remain unaffected.
10.5 Late Payment
- The Customer is in default if it fails to pay a due amount into the Provider’s account within 30 calendar days after receipt of the invoice (§ 286(3) BGB).
- The Provider will remind the Customer of the outstanding payment in writing or text form (e.g., email) and set a grace period of at least 10 calendar days.
- If payment is still not made despite reminder and grace period, the Provider will, in a second reminder with an additional grace period of 14 calendar days, expressly point out the imminent deactivation of the service.
- From the time of default, the Provider is entitled to:
- charge default interest of up to 9 percentage points above the base interest rate (§ 288(2) BGB, business-to-business);
- temporarily deactivate the contractual service (e.g., access to the customer account, software, or service) if the Customer was informed of deactivation in the second reminder and/or the grace period in the second reminder (14 days) has expired without success.
- Deactivation will be lifted without undue delay as soon as the Customer has fully paid all due amounts. Deactivation does not release the Customer from its payment obligation.
- If the Customer remains in default for more than 60 days or there is a particularly serious default, the Provider is entitled to terminate the contract without notice (§§ 314, 323 BGB).
- The assertion of further claims for damages (e.g., judicial or extrajudicial collection costs) remains expressly reserved.
10.6 Chargebacks
The Customer bears in full any costs arising from chargebacks for which the Customer is responsible.
10.7 Costs for MPKI
- If the Customer uses a Customer MPKI, the Customer bears all resulting costs in full. This includes in particular fees for identity verification, issuance, renewal, revocation, OCSP or CRL, smartcards or security tokens, shipping, HSM capacity, and other charges of the bodies used by the Customer.
- If the Customer obtains certificate services via the Provider, the Customer bears all fees and charges of the certification authority, including any price changes. The Provider may pass these costs on to the Customer as pass-through items.
- Certification authority fees are payable independently of software use. Refunds of already incurred CA fees are excluded unless the certification authority provides for a refund.
10.8 Overuse, True-Up, and Blocking
- Overuse occurs if the actual number of active users or mailboxes exceeds the number licensed under the contract.
- Usage is counted quarterly based on the active users or mailboxes for which at least one productive processing event occurred during the respective quarter.
- The Customer is obliged to immediately cease the overuse or to purchase the corresponding number of additional licenses.
- The Provider is entitled to invoice additional licenses by way of a true-up. The fee for additional licenses becomes due from the beginning of the calendar month in which the overuse first occurred, at the latest from the time the Provider identifies the overuse, in each case pro rata until the end of the current contract period.
- The Provider will inform the Customer of the identified overuse and grant a period of 10 business days to remedy. If the Customer fails to remedy within this period, the Provider may technically restrict or suspend the affected excess use insofar as this is necessary to ensure license compliance.
- A subsequent reduction of usage within the current contract period does not entitle the Customer to any refund of already invoiced additional licenses.
- To verify license compliance, the Provider is entitled to conduct a license audit once per year based on usage data available to the Provider. Upon request, the Customer shall cooperate to a reasonable extent, in particular by providing an up-to-date user and/or mailbox list. The Customer’s trade and business secrets shall be protected.
- The Provider’s rights under § 10.5 (Late Payment) and § 12 (Liability) remain unaffected.
§ 11 Availability and Support
11.1 Service Availability
11.1.1 SaaS Solution
- The Provider warrants availability of the SaaS service of 99% on an annual average at the transfer point.
- The availability warranty does not cover:
- planned maintenance announced to the Customer at least 48 hours in advance and, where possible, performed outside normal business hours;
- force majeure events (e.g., natural disasters, power outages);
- disruptions caused by the Customer or the Customer’s IT infrastructure;
- impairments caused by certification authorities, MPKI services, OCSP/CRL infrastructures, trust store changes, or MPKI policies set by the Customer;
- impairments caused by third-party platforms (e.g., Microsoft 365/Outlook, store/policy changes) insofar as they are outside the Provider’s control.
11.1.2 On-Premise Solution
- For the on-premise solution, the Provider does not warrant availability, as operation and maintenance are the Customer’s responsibility.
- The Provider provides updates and patches in accordance with the maintenance agreement to ensure the functionality of the software.
11.2 Maintenance and Troubleshooting
11.2.1 SaaS Solution
- Critical incidents will be qualified and handled within four hours after receipt of the incident report during business hours. The Provider will endeavor to resolve the incident as quickly as possible.
- For less critical incidents, the Provider will endeavor to remedy them within a reasonable period of time.
- Maintenance activities may require the Provider to access the Customer’s configuration; the Customer must grant permission for such access.
11.2.2 On-Premise Solution
- The Provider offers support for critical incidents only within the scope of the agreed maintenance agreement.
- Remedying incidents may require interventions in the Customer’s IT infrastructure; the Customer is obliged to grant the Provider access for this purpose.
- Maintenance activities may require the Provider to access the Customer’s configuration; the Customer must grant permission for such access.
11.3 Support Services
11.3.1 General Support Rules
- The Provider offers support via email or ticket system with a guaranteed response time of 48 hours on business days.
- Support requests can be submitted via the channels specified in the customer area.
11.3.2 Phone Support (Enterprise Customers Only)
- Phone support is not part of the standard support services and can only be used under a separate enterprise agreement.
11.3.3 Limitations
- The Provider is not obliged to provide support for problems caused by improper use or modifications to the software by the Customer.
§ 12 Liability
12.1 General Liability Provisions
- The Provider shall be liable without limitation for damages caused by intentional misconduct or gross negligence on the part of the Provider or its vicarious agents, as well as for damages arising from injury to life, body, or health.
- In cases of slight negligence, the Provider shall only be liable for damages resulting from the breach of essential contractual obligations. Essential contractual obligations include, in particular, ensuring contractual availability in accordance with § 11, safeguarding personal data pursuant to Art. 32 GDPR, as well as the general provision of the contractually agreed main services and system functions in accordance with the service description, but not the achievement of a specific security-related outcome in each individual case unless an express guarantee has been assumed. Liability in cases of slight negligence shall be limited to damages that were typically foreseeable at the time the contract was concluded, up to a maximum of the annual fee payable by the Customer.
- The Provider shall not be liable for indirect damages, consequential damages, or loss of profit unless such damages are attributable to intentional misconduct or gross negligence, or concern the breach of essential contractual obligations to the extent permitted by law (§ 309 No. 7 BGB).
- Liability under the German Product Liability Act shall remain unaffected.
- The Provider shall not be liable for data loss unless the Customer can demonstrate that it performed regular backups. For data loss caused by subcontractors, the Provider shall only be liable if it failed to exercise due care in selecting such subcontractors (§ 278 BGB).
- The Provider shall not be liable for delays in the delivery or processing of emails caused by technical issues outside the Provider’s sphere of influence.
12.2 Special Liability Provisions for MailGuard / Protection Functions
12.2.1 Purpose of the MailGuard Functions
The functions provided by the Provider as part of MailGuard serve the risk-based detection, assessment, filtering, marking, quarantining, sanitization, rewriting, or other handling of potentially harmful, unwanted, fraudulent, or policy-violating emails, attachments, files, links, QR codes, and comparable content.
12.2.2 No Specific Success Owed in Individual Cases
The Provider does not owe complete, error-free, or continuously successful detection, classification, blocking, sanitization, neutralization, or prevention of all spam, phishing, malware, fraud, business email compromise, social engineering, zero-day, or other attacks, content, or delivery events.
The provision of the MailGuard functions does not constitute a guarantee of the achievement of a specific security-related outcome in any individual case.
12.2.3 Possible Misclassifications and Technical Limitations
In particular, it cannot be excluded that
a) harmful, unwanted, or fraudulent messages or content may pass through, be detected late, or be incorrectly classified despite the protection mechanisms in use,
b) legitimate messages or content may in individual cases be incorrectly marked, delayed, rewritten, sanitized, quarantined, rejected, or blocked,
c) inspections cannot be carried out, or cannot be carried out completely, due to technical, content-related, or format-related limitations, in particular in the case of encrypted, damaged, password-protected, nested, unusually structured, or otherwise only partially analyzable content,
d) the results of reputation, link, QR, file, malware, DLP, heuristic, AI/ML, sandbox, or other inspection mechanisms may be incomplete, delayed, inaccurate, or unavailable in individual cases.
12.2.4 Shared Responsibility and Security Obligations of the Customer
MailGuard does not replace an appropriate multi-layered security concept of the Customer, in particular not endpoint protection, patch and vulnerability management, multi-factor authentication, data backup, user awareness, organizational control measures, quarantine review, or proper policy configuration.
12.2.5 Exclusion in the Event of Causes Within the Customer’s or Third Parties’ Sphere
To the extent that damage is wholly or partly attributable to the fact that
a) the Customer has deactivated, restricted, or improperly configured protection functions,
b) customer-side thresholds, policies, exceptions, approvals, whitelists, blacklists, routing, delivery, or DLP rules enabled or contributed to the incident,
c) third-party information, third-party infrastructures, or third-party platforms were unavailable, delayed, or faulty, or
d) the Customer failed to review, implement, or follow up on warnings, logs, quarantine events, notices, or recommended measures, or failed to do so in a timely manner,
the Provider shall not be liable for this unless the Provider acted intentionally or with gross negligence.
12.2.6 Application of the General Liability Provisions
In all other respects, the Provider shall only be liable for damages in connection with MailGuard in accordance with this Section 12.
12.3 Liability for Sharing Messages with Third Parties via the Message Portal
- If the Customer makes messages accessible to third parties via the message portal, the Customer bears sole responsibility for the selection, timing, and legal permissibility of such disclosure.
- The Provider is not liable for access by unauthorized third parties resulting from insufficient access protection, incorrect configuration, or misuse by the Customer or third parties.
- Subject to § 12.1, the Provider’s liability is limited exclusively to technical defects in access control or data encryption insofar as the Provider is responsible for such defects.
12.4 Data Protection and Joint and Several Liability
- The Provider is liable towards data subjects pursuant to Art. 82 GDPR only if it violates obligations imposed on it under the GDPR or lawful instructions of the Customer.
- The Provider is released from liability if it can prove that it is not responsible in any way for the circumstance that caused the damage.
- In the event of a data protection violation, the Provider and the Customer are jointly and severally liable towards data subjects pursuant to Art. 82(4) GDPR.
- Internally, each party bears responsibility for violations within its sphere of responsibility:
  - The Customer shall indemnify the Provider against third-party claims arising from unlawful use of the service by the Customer (e.g., unlawful content in emails).
  - Conversely, the Customer may request indemnification from the Provider if the Provider is solely responsible for the violation.
12.5 Exclusion of Liability in Case of Force Majeure
- The Provider is not liable for damages or service failures caused by force majeure events (e.g., natural disasters, strikes, official orders, power outages, or cyberattacks), provided the Provider takes all reasonable measures to mitigate damage without undue delay. Cyberattacks qualify as force majeure only if the Provider can demonstrate that it complied with current security standards.
12.6 Rules Specific to the Operating Model
- SaaS Solution
  - The Provider ensures that subcontractors act in compliance with the GDPR and informs the Customer about their use.
  - The Provider is liable for outages of third parties (e.g., cloud providers) only in the event of its own breach of duty.
  - The Provider is liable for decisions and services of certification authorities and for damages resulting from Customer MPKI configurations only in accordance with § 12 and only in the event of its own breach of duty.
- On-Premise Solution
  - The Provider assumes no liability for damages or disruptions caused by improper installation, configuration, or use by the Customer.
  - The Provider is also not liable for security vulnerabilities or system failures due to missing updates or insufficient security measures on the Customer’s side.
12.7 Additional Liability/Warranty Notes for Add-ins, Templates, and Third-Party Platforms
- The Provider is liable for malfunctions, restrictions, or outages caused by changes, policies, security measures, or disruptions of third-party platforms (e.g., Microsoft 365/Outlook, store/admin center, API limits) that are outside the Provider’s control only in accordance with § 12.1 and only in the event of the Provider’s own breach of duty.
- The Provider does not warrant the legal validity, completeness, or suitability of signatures/disclaimers created or provided by the Customer. The Customer remains responsible for content and legal compliance.
- Where the Outlook add-in accesses drafts client-side, display and insertion may depend, inter alia, on client versions, add-in policies, local settings, and network conditions; the liability standards of this § 12 apply accordingly.
§ 13 Amendments to the GTC
13.1 Amendment Reservation
The Provider reserves the right to amend these GTC if this is necessary
- due to statutory/official requirements,
- to adapt to technical or economic developments, or
- to extend/differentiate the scope of services.
13.2 Notification and Consent
- The Customer will be informed of changes at least 14 days before they take effect by email. Changes are deemed approved if the Customer does not object in writing before they take effect.
- In the event of a change, the Customer has the right to terminate the contract in text form without observing a notice period effective at the time the change becomes effective.
- In the case of legally mandatory changes (e.g., new data protection requirements), consent is deemed granted if the Customer continues to use the service after the changes take effect. This also applies if the change exclusively benefits the Customer.
§ 14 Final Provisions
- Governing law
This contract is governed by German law to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG).
- Place of jurisdiction
For all disputes arising out of or in connection with this contract, the place of jurisdiction shall be Hamburg, insofar as legally permissible.
- Severability clause
Should individual provisions of these GTC be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision whose effects come closest to the economic purpose pursued by the contracting parties with the invalid/unenforceable provision.
- Contract language
The contract language is German. If these GTC are translated into another language, the German version shall prevail in case of doubt.