A. General Terms and Conditions
DEFENCY Ltd. (hereinafter the "Contractor") provides services to the Client on the basis of a separate individual contract or offer. In addition to the agreements contained in this individual contract or offer, only the general terms and conditions of the contractor listed below apply as agreed. Conflicting conditions of the client are not valid unless and until they have been recognized in writing by the contractor.
§ 1 Services of the Contractor
These general terms and conditions and all other contracts agreed between the client and the contractor are subject to German substantive law.
Unless otherwise agreed in individual cases, the service provided by the contractor consists of independent advice to the client or its affiliated companies, which is free from instructions.
If the contractor acts as a processor within the meaning of the European General Data Protection Regulation (EU-GDPR) for the client, he undertakes to take appropriate technical and organizational measures to ensure that the processing is carried out in accordance with the EU-GDPR.
Should additional or supplementary activities become necessary, the contractor will point this out to the client. The scope of the order will be expanded accordingly if the contractor commissions or accepts the additional or supplementary activities.
The client is solely responsible for deciding on the type, scope and time of carrying out the measures recommended by the contractor or agreed with him. This applies even if the contractor accompanies the implementation of coordinated plans or measures by the client.
The contractor assumes that the information and/or documents provided by the client are complete and correct. The contractor is not obliged to check their correctness or completeness or to carry out his own investigations. This also applies if plausibility checks are to be carried out by the contractor as part of the order placed, which are based solely on the information, details or documents provided by the customer and do not include verifying them.
The transfer or presentation of written work or results of the contractor to third parties by the client requires the prior consent of the contractor and is done exclusively in his name and interest. The third party is not included in the scope of protection of the contract between the client and the contractor. This also applies if the third party bears or accepts the remuneration for the contractor's work for the client in whole or in part.
Service-specific obligations of the contractor can deviate from the general services and are regulated in sections B and C, in the offer or in the respective individual contract.
§ 2 Cooperation obligations of the customer
The client provides the contractor with the complete and correct information and documents required for the execution of the order and guarantees the contractor their completeness and correctness to the best of their knowledge and belief.
If the customer does not perform the cooperative activities incumbent on him, or does not perform them in full, at the request of the contractor, the contractor is entitled to terminate the contract without notice after prior written notification. The contractor can then either invoice the client for the services actually provided up to the time of termination or instead for the agreed or expected total remuneration less the expenses saved by the premature termination of the contract.
If appraisal interviews are required as part of the services offered, the client shall ensure that these can be conducted in English or German.
Service-specific obligations to cooperate can deviate from the general obligations to cooperate and are regulated in Sections B and C, in the offer or in the respective individual contract.
§ 3 Remuneration
Unless otherwise agreed in individual cases, the contractor's services will be billed according to the daily rates agreed in the service offer (these apply to eight hours) plus travel costs and expenses.
The contractor reserves the right to adjust prices. The price adjustments will be communicated in writing two months before they come into effect. They are considered accepted if no objection is raised in writing within 14 days of receipt.
Invoices for services are due immediately net without deductions upon invoicing.
§ 4 Liability
Information, explanations, advice or recommendations by the contractor are given to the best of our knowledge and belief and are only binding with written confirmation.
Liability for the success of the measures taken by the contractor is excluded. This also applies if the contractor accompanies the implementation of coordinated or recommended plans or measures.
Performance-specific liability and warranty may deviate from the general provisions and is regulated in Sections B and C, in the offer or in the respective individual contract.
§ 5 Confidentiality
The client and the contractor (hereinafter jointly the "parties") undertake to use the work results of the other party as well as all other information, in particular of a technical and economic nature, intentions, experiences, knowledge, constructions and documents, including the pre-existing results that become known to them as a result of the joint activity in accordance with this contract (collectively referred to as "confidential information"), to treat them confidentially towards third parties - even beyond the duration of the contract - not to make them accessible to third parties, to protect them from access by third parties and not to make them the subject matter of their own applications for property rights.
The parties shall not be entitled to disclose such confidential information to any subcontractor companies imposing obligations of confidentiality without the prior consent of the other party.
The foregoing obligations do not apply to such Confidential Information that was known to a party prior to its disclosure under this Agreement, was independently developed or otherwise lawfully obtained, or is in the public domain or becomes generally known without breach of this Agreement.
The parties will ensure in a suitable form that the employees, freelancers and subcontractors they engage in the implementation of this contract also maintain the above confidentiality.
After the end of this contract, the work results embodied in documents etc., including all copies, and other confidential information of a party that is owned or controlled by another party must be returned to the party concerned in full and immediately.
§ 6 Privacy
As part of the provision of services, it is possible for the contractor's consultants to inspect the personal data stored by the client. The inspection is classified as a data protection transmission process.
By signing the individual contract or the offer, which is part of the intended individual contract, the client assures that he is entitled to the possible transmission of personal data. Otherwise, the client excludes access to personal data by taking appropriate measures (e.g. pseudonymization or anonymization).
The contractor has committed all employees entrusted with the fulfillment of the contract to strict compliance with the applicable data protection regulations. The contractor will not save the personal data collected as part of the provision of services or will only save, use or process them to the extent and for as long as this is absolutely necessary for the fulfillment of the respective contract.
Due to the independent advisory activity of the contractor and the free processing of data and information from the client to fulfill the contract, this is expressly not a contractual relationship within the meaning of the EU GDPR.
Service-specific data protection regulations may deviate from the general data protection regulations and are regulated in the respective sections.
§ 7 Copyright, usage and exploitation rights
The customer is entitled to use the contractual services for the contractually agreed purpose without local, personal or quantitative restrictions. For this purpose, the contractor grants the client the irrevocable, worldwide, unrestricted and non-exclusive right of use. The transferred rights are not subject to any restrictions on disposal.
§ 8 Final Provisions
Should one of the clauses of these general terms and conditions be ineffective, this does not affect the effectiveness of the remaining clauses.
As far as legally permissible, the place of jurisdiction is Frankfurt am Main.
In case of doubt, the German text of the general terms and conditions and their components as well as the service offers of the contractor have priority over translations into other languages.
Service-specific terms and conditions can deviate from the general terms and conditions and are set out in the individual agreements, the offer or under B and C.
B. Technical Security Analysis & Penetration Testing
§ 1 Liability and Warranty
The contractor is not obliged to check whether the client has full and unrestricted rights to the IT system to be checked and/or the application to be checked.
Liability for data loss is limited to the typical recovery effort that would have occurred if backup copies had been made regularly and in accordance with the risk. The contractor is not liable for damage caused by the client interrupting the technical security analysis while it is being carried out.
The contractor does not have any further obligations or guarantees. The contractor is not subject to any warranty obligations in the event of damage due to impairment of the integrity and/or availability of the tested IT system and/or the application, which is or was caused by a proper technical security analysis, i.e. one carried out according to generally recognized and appropriate standards.
§ 2 Client's obligation to indemnify
The obligation to indemnify relates to all costs and fees for the necessary legal prosecution as well as all damages, losses and expenses that the provider or its vicarious agents necessarily incur as a result of extrajudicial, official and/or judicial claims by a third party.
§ 3 Cooperation obligations of the client
By commissioning the individual contract or accepting the offer, the client assures in writing that the technical security analysis will be carried out on the IT systems and/or applications provided by the client.
If the technical security analysis is not carried out on the client's IT systems and/or applications, the client assures with the assignment that he has the full and unrestricted right to carry out the technical security analysis on the IT systems and/or applications.
The customer will inform affected third parties within a reasonable period of time before the technical security analysis is carried out, since a technical security analysis also uses third-party IT systems and/or applications, such as the provider’s router or a host’s web server, and despite sufficient security, impairment of the proper operation of these IT systems and/or applications cannot be ruled out.
The client is expressly informed that the technical security analysis can cause damage to existing IT systems and/or applications. In particular, the technical security analysis can lead to impairments and changes to content and data, e.g. on a website in the form of layout changes or impairments on the client's server. As a rule, this damage can only be remedied by importing backups or by post-processing - sometimes extensive - by the client. In addition, the customer is informed that the IT systems and/or applications of the customer may not be usable during the technical security analysis.
§ 4 Tools
The contractor will use globally recognized tools for technical security analyses.
Technical security analyses carried out by the provider's offices via the Internet are carried out from their own public network with known fixed IP addresses. This ensures that the provider's activities can be clearly identified at any time for the client's operational managers.
§ 5 Responsible Disclosure
Vulnerabilities in standard products that are not manufactured by the client are to be reported by the contractor in a structured process for the responsible disclosure of security gaps.
This must be done in the strictest confidence, in writing and in a form that enables the manufacturer to understand and close the vulnerability.
The contractor reserves the right to publish the vulnerabilities found.
The manufacturer must offer a solution within 60 days. If this does not happen, the publication can also take place after this period has expired.
The contractor can deviate from this procedure if a different approach demonstrably reduces the risks for all parties involved.
By commissioning the individual contract or accepting the offer, the client agrees to the procedure described.
§ 6 Privacy
Contrary to the provisions in the General Terms and Conditions, penetration tests may lead to access to personal data processed by the client. Penetration tests are an important tool to check and ensure compliance with the measures according to Art. 32 EU-GDPR. For the purpose of possible processing, an order processing contract is concluded in section E exclusively for this purpose, taking into account the TOMS (section F).
C. Provisions Relating to the DEFENCY Hotline
§ 1 Priority of the provisions of this section
The provisions contained in this Section relating to the DEFENCY Hotline Service shall prevail over those of Section "A: General Conditions" where they conflict, or supplement them to the extent that they address the more specific matter of a Hotline Service.
§ 2 Services and obligations of the contractor
§ 3 Cooperation obligations of the customer
The client undertakes to keep all devices through which they receive notifications and recommendations for action ready to receive.
§ 4 Data Protection / Confidentiality
The contractor undertakes not to pass on any customer data to third parties unless this is necessary to fulfill the contract. In order to fulfill the contractual purpose, it may be necessary to pass on facts and customer information to third parties in order to be able to provide services in accordance with the contractual agreements. The contractor undertakes to only pass on this information if there is a corresponding confidentiality agreement with the third party, measured against the level of protection of the underlying agreement. Insofar as the circumstances permit, the contractor will endeavor to remain anonymous until the contact is established.
However, it is hereby expressly pointed out that the contractor collects, stores and processes data obtained within the framework of the contractual relationship in accordance with the statutory data protection regulations, on the one hand to fulfill his contractual obligations and on the other hand to prove the individual usage fees incurred. Due to the advisory independent activities of the contractor, this is not order processing within the meaning of the EU GDPR.
The confidentiality obligations extend beyond the collaboration. Upon request, the client will receive a separate confidentiality agreement.
The contractor uses an external service provider to ensure permanent availability. The external service provider is to be regarded as a processor within the framework of the applicable General Data Protection Regulation and is subject to the applicable legal requirements.
The client assures that if he passes on personal data to the contractor, it is a lawful passing on of personal data by the client.
§ 5 Liability
The contractor is only liable for delays, misdirection and technical complications in the routing and setting of service numbers if there is intentional or grossly negligent action. This also applies to employees and other vicarious agents of the contractor.
§ 6 Contract term
The contractual agreements have a minimum term of 24 months and can be terminated with a notice period of 6 months to the end of the term. If no notice is given, the contract will be extended by a further 12 months. The contractor has the right to terminate the agreements without notice for good cause. The termination must be made in text form. The contractor reserves the right to claims for damages in connection with termination without notice.
After termination of the contract, the client is obliged to refrain from any use of the assigned DEFENCY telephone number and to remove any call diversion immediately. If this is not fulfilled, the contractual fees will continue to be due for settlement.
If, at the request of the contractor, the client fails to perform the duties of cooperation incumbent on him, or does not perform them in full, the contractor is entitled, but not obliged, to terminate the concluded contract without notice after prior written notification. In this case, the contractor can either invoice the client for the services actually provided up to the time of termination or instead for the agreed or forecast total remuneration less expenses saved by the premature termination of the contract.
§ 7 Use of assigned telephone and service numbers
The assigned telephone number may not be published and distributed beyond the contractually agreed purposes without the prior written consent of the contractor. Furthermore, it cannot be transferred. The service number provided to the customer for temporary, limited or unlimited use is routed via an external service provider according to the contractor's specifications.
§ 1 Rights of data subjects
Responsible for the collection, processing and use of your personal data within the meaning of Art. 4 No. 7 GDPR is:
Kentia Court / Psaron 22
Republic of Cyprus (EU)
(2) Right to Confirmation
Every data subject has the right to information as to whether personal data relating to them is being processed. To assert this right, the data subject can contact an employee who is responsible for processing the personal data.
(3) Right to Information
Furthermore, every person affected by the processing of personal data has a right to information. Information about data processing is provided and an overview of the data stored about you is provided.
The right to information also includes information as to whether the personal data was transmitted to a third country or to an international organization. If this is the case, the person concerned has the right to receive information about suitable guarantees in connection with the transmission. To assert this right, the data subject can contact an employee who is responsible for processing the personal data (Article 15 GDPR).
(4) Right to Rectification
Every person affected by the processing of personal data has the right to demand the immediate correction of incorrect personal data concerning them. The data subject also has the right to request the completion of incomplete personal data. To assert this right, the data subject can contact an employee who is responsible for processing the personal data.
(5) Right to erasure (right to be forgotten)
Furthermore, every person affected by the processing of personal data has the right to deletion. This is a so-called right to be forgotten. To assert this right, the data subject can contact an employee who is responsible for processing the personal data. The employee of the Offenbach district rescue service will ensure that the request for deletion is complied with immediately.
(6) Right to restriction of processing
Any person affected by the processing of personal data has the right to request the restriction of processing. This could be the case, for example, if you believe that the data we hold about you is incorrect. To assert this right, the data subject can contact an employee who is responsible for processing the personal data.
(7) Right to Data Portability
Every person affected by the processing of personal data has the right to receive the personal data relating to them, which the person concerned has provided to a person responsible, in a structured, common and machine-readable format. This means that if you wish, a digital copy of the data you have provided will be made available to you. To assert this right, the data subject can contact an employee who is responsible for processing the personal data.
(8) Right to Object
Any person affected by the processing of personal data has the right to object at any time to the processing of personal data relating to them (which is based on Article 6 (1) (e) or (f) GDPR).
Competent data protection authority:
Commissioner for Personal Data Protection
CY - 1082 Nicosia
Telephone: +357 22 818 456 - Email: email@example.com
(9) Right to withdraw consent under data protection law
Any person affected by the processing of personal data has the right to revoke consent to the processing of personal data at any time. To assert this right, the data subject can contact an employee who is responsible for processing the personal data.
§ 2 Processing of personal data
DEFENCY processes personal data as part of its contractual relationships in accordance with Article 6 Paragraph 1 Sentence 1 lit. b GDPR. DEFENCY is expressly not a processor. As part of its work, DEFENCY records facts and makes its own independent decisions about recommendations and, if necessary, the disclosure of contact information as part of its contractual obligations.
If it is personal information from third parties which was not collected by Defency Ltd. itself, the clients are contractually obliged to transmit only lawfully collected data to Defency Ltd. The case mentioned occurs when a client also uses the services of Defency for its own customers/partners. The data then serves as proof of authorization to Defency Ltd.
In the event that Defency Ltd. acts for insured persons on the basis of an existing contractual relationship with the responsible insurer or affiliated companies of the insurer (agents, brokers, etc.), personal information may be transmitted to the insurer or affiliated companies within the framework of the insurer's existing contractual relationships.
If contact is established outside of existing contractual relationships, DEFENCY processes the contact information within the scope of the implied consent of the contact person in accordance with Article 6 Paragraph 1 Sentence 1 lit 6 paragraph 1 sentence 1 lit b GDPR.
Beyond the aforementioned cases of passing on personal information, data is expressly not passed on to third parties or partners.
Sascha M. Kessel
As of: Nov. 2021