Terms and conditions of secunet
Cloud (aaS and Managed Services)

1. General Terms and Conditions Cloud

As of: 14/11/2025

§ 1 General

Secunet refers to secunet Security Networks AG as well as secunet International GmbH, stashcat GmbH, and SysEleven GmbH, in which secunet Security Networks AG directly or indirectly holds at least 50% of the shares or voting rights. The respective contract is concluded exclusively between the relevant secunet company (hereinafter referred to as “secunet”) and the respective contractual partner. Any contractual obligation or liability on the part of other secunet companies are excluded, unless expressly agreed otherwise in writing.

§ 2 Subject matter of the contract Cloud

1. Under this contract (framework agreement), secunet offers the contractual partner the option for the temporary use of the contractual service in return for payment.
2. The specific content of the contractual service owed by secunet in detail is set out in the individual contract.

§ 3 Provision of the contractual service

1. secunet provides the contractual services (IT services) for the contractual partner on its own public cloud platforms. Resources are used in accordance with a fair use model. secunet does not guarantee a minimum level of resources. The contractual partner shall use the contractual services of the public cloud in such a way that the use of the contractual services of other contractual partners is not affected. secunet reserves the right to take measures in the event of misuse in order to protect the availability of other contractual partners and their projects.
2. When providing the contractual service, secunet shall ensure that sufficient capacity is available to cover the contractual partner’s higher requirements at short notice within the usual ranges. Requirements that exceed this will be met subject to availability. The contractual partner may at any time submit a binding request to secunet for an increase in the capacity of the contractual service it uses, with a lead time of two (2) months.
3. Insofar as secunet provides the contractual service on its infrastructure, this shall take place at the interface of the data network within which the contractual service runs (transfer point) to other networks. secunet is not responsible for establishing and maintaining the data connection between the contractual partner’s IT system and the transfer point.

§ 4 Rights of use for cloud

1. secunet grants the contractual partner a simple right of use that is limited in terms of content to the purpose of the contract and in terms of location to the place of contractual use, limited in time to the duration of the contract, and non-transferable, unless otherwise expressly agreed between the contractual partner and secunet.
2. secunet is entitled to update its service and provide the contractual partner with a new version instead of the version provided for use at the start of the contract, provided that the change is reasonable for the contractual partner. The change is reasonable for the contractual partner if the contractual service is not fundamentally altered and is acceptable to the contractual partner in view of the circumstances. In this case, the new version shall constitute the contractual service and shall be subject to the provisions of this contract, and the contractual partner’s rights under this contract with regard to a previously provided contractual service shall expire even without an express request for return. The changes relate, for example, to updates/upgrades of underlying software and will be notified to the contractual partner prior to their implementation if negative effects on the contractual service (e.g., availability, features) are to be expected. If changes are made unplanned, e.g., for security reasons, the contractual partner will be informed as soon as possible. The contractual partner shall have no claim to a newer version of the contractual service originally provided.
3. Without secunet’s consent, the contractual partner is not entitled to make changes, extensions, or other modifications to the service (within the meaning of Section 69c No. 2 UrhG) or to decompile (within the meaning of Section 69e UrhG) the service insofar as this exceeds what is legally permissible. The above provisions of this section on the granting of rights, secunet’s right to update, and the reservation of consent shall apply equally if and to the extent that work results have been developed on behalf of the contractual partner.
4. Furthermore, unless expressly agreed otherwise with secunet, the contractual partner is not entitled to obtain further business secrets by observation, investigation, dismantling, or testing (“reverse engineering”) insofar as the software provided is not publicly available.
5. Insofar as the contractual partner provides secunet with protected content (e.g., graphics or programs protected by copyright or trademark law, hereinafter referred to as “contractual partner materials”), the contractual partner grants secunet a simple right of use, limited in terms of content to the purpose of the contract, limited in terms of location to the place of contractual use, and limited in terms of time to the duration of the contract, for the performance of the contractual service.
6. The Contractual Partner warrants that it holds all necessary rights to the Contractual Partner Materials provided in order to grant secunet the corresponding rights. If the Contractual Partner does not hold the necessary rights, it shall obtain the necessary rights.
7. secunet is entitled to block access to the user account created for the use of the contractual service if there are indications that the access data of the user account has been compromised. In this case, secunet shall inform the user via the contact information stored by the user in the user account.

§ 5 Rights of use for work results

1. If copyright-protected work results are created by secunet within the scope of this contract, all rights of use thereto shall be exclusively reserved to secunet, including rights to register industrial property rights.
2. If copyright-protected work results arise at secunet within the scope of this contract, secunet grants the contractual partner a simple right of use limited in terms of content to the purpose of the contract and in terms of location to the place of use specified in the contract, limited in time to the duration of the contract, provided that this does not conflict with any legal restrictions and/or rights of use of third parties and no further rights of use have been expressly agreed in writing between the contractual partner and secunet with reference to this provision.
3. If and to the extent that a database or database work is created during the term of the contract, in particular through the compilation of application data, through permitted activities of the contractual partner, all rights thereto shall be vested in the contractual partner.

§ 6 Terms of use for the cloud

1. The contractual partner shall not use secunet’s contractual services in any way that compromises the contractual services provided by secunet to the contractual partner or that results in secunet’s performance vis-à-vis its contractual partner being restricted.
2. The contractual partner is obliged to observe the following terms of use:
   a) The contractual partner shall not use secunet’s contractual services for abusive and/or illegal purposes or to an extent that jeopardizes public safety. Abusive purposes include, in particular, the distribution, downloading, or publication of content and/or activities that may violate or impair the rights of third parties. Abusive purposes also include the publication and distribution of depictions of sexual abuse, content that is likely to harm the welfare of children and young people and/or seriously endanger their morals, cyberstalking, content that serves to incite hatred or terrorism, that incites criminal acts or is illegal for any other reason.
   b) If and to the extent that secunet becomes aware of a violation of the Terms of Use, secunet will block and/or remove the relevant content. Secunet shall be deemed to have become aware of such violations if it is requested by the competent authority to block or remove certain content. Secunet shall also be deemed to have become aware of such violations if a user reports content that violates the Terms of Use. Secunet does not moderate content on its services.
   c) To the extent permitted by law, secunet will inform the contractual partner about the blocking/removal of their content.
   d) If secunet becomes aware of this due to a report from a user, it will examine the extent to which the blocking of the content will be maintained, taking into account all interests and ensuring proportionality.
   e) In the event of the blocking/removal of its content, the contractual partner is entitled to contest the decision.

§ 7 Third-party software products

1. The contractual service includes third-party software components. The contractual partner undertakes to comply with the relevant license terms and conditions, which secunet will provide in advance if the contractual partner obtains this software from secunet and manages it independently.
2. The contractual partner is aware that the license terms for third-party software components may be changed by the third party. If the change in the terms and conditions affects secunet’s provision of the contractual service to the contractual partner, secunet is entitled but not obliged to use an adequate substitute for the provision of the contractual service. secunet will inform the contractual partner of any changes in advance.
3. If the software contains errors, secunet is entitled to provide a replacement solution.

§ 8 Contractual partner’s obligations to cooperate

1. The contractual partner shall receive access data for accessing secunet’s contractual services and may, depending on the service, create and manage additional access data. All access data must be kept confidential at all times and may not be made available to unauthorized third parties. If the contractual partner suspects or becomes aware that its access data is being used without authorization, the contractual partner shall inform secunet immediately and make reasonable efforts to prevent unauthorized use. The contractual partner is responsible for all activities in connection with its access data.
2. The contractual partner is responsible for ensuring that data is backed up properly and regularly in accordance with the state of the art. This shall be carried out outside the scope of secunet’s contractual services. In addition, the contractual partner is solely responsible for entering and maintaining the data and information required to use the software.
3. secunet shall be released from its obligation to provide the agreed service if and to the extent that the contractual partner fails to fulfill its obligations to cooperate. Any existing schedules shall be automatically adjusted accordingly. If the contractual partner is responsible for the failure to cooperate and if secunet suffers damage as a result, the contractual partner shall compensate secunet for this damage.
4. The contractual partner shall ensure that data stored on secunet systems is free of any malware.
5. The contractual partner shall always use the latest versions of applications, tools, and software provided by secunet. If the contractual partner violates this obligation to cooperate, secunet shall be entitled to extraordinary termination.
6. The contractual partner is fully responsible for updates within its area of responsibility. Before updating, the contractual partner shall ensure that it has the necessary backups for recovery and has checked that the new versions function correctly.
7. If the contractual partner fails to fulfill its obligations to cooperate despite repeated reminders when updating the software within its area of responsibility, secunet reserves the right to carry out these updates. secunet will set the contractual partner a reasonable deadline for the update.
   secunet shall inform the contractual partner 30 days prior to an update carried out by secunet
   a) that and when an update will be carried out by secunet and
   b) to which new version of the software it will be updated.
8. The contractual partner is obliged to report functional failures, malfunctions, impairments, and security incidents to secunet immediately and as precisely as possible. If the contractual partner fails to cooperate, § 536c BGB shall apply analogously.
9. Any false reporting of security incidents shall have no negative consequences for the reporting party.
10. secunet shall not be in default as long as the contractual partner fails to fulfill its obligation to cooperate in accordance with the contract. In all other respects, the statutory provisions shall apply.

§ 9 Disclosure of License and Terms of Use

If the contractual partner is entitled to grant a third party rights of use to the contractual service, it is obliged to ensure that the end customer is obliged to comply with the license and usage conditions. The granting of rights of use to the contractual service to a third party is only permitted with the prior consent of secunet.

§ 10 Contract term and termination Framework agreement

1. This contract is concluded for an indefinite period and begins with the conclusion of the so-called onboarding service.
2. Termination of the framework agreement requires the deletion of the organization in the onboarding service. The deletion of an organization is carried out by the last remaining user of an organization. Deletion of the organization is only possible upon termination of all individual contracts, with the restriction that the termination of the framework agreement only becomes effective upon termination of the last remaining individual contract.
3. The right to extraordinary termination remains unaffected. secunet has an extraordinary right of termination in particular if
   a) the contractual partner fails to properly fulfill its obligations under this contract despite prior written warning and setting of a reasonable deadline, or
   b) if the contractual partner violates the terms of use. This applies in particular if the blocking/removal of the content is due to an official or court order or
   c) the contractual partner fails to meet its payment obligations despite a reminder after invoicing, or
   d) if the contractual partner has filed for insolvency proceedings or
   e) if insolvency proceedings have been opened against the contractual partner’s assets or the opening of such proceedings has been rejected due to lack of assets.

§ 11 Contract term and termination Commitment and On-Demand

1. The term of use of the contractual service is based on the agreement in the contract and begins with the provision of the contractual service. If an automatic extension of the term of a contractual service has been agreed, this is based on the agreement in the contract.
2. The notice period is based on the agreement made in the contract. If no notice period has been agreed, the following applies: If a commitment of at least twelve (12) months is agreed in a contract, the term is extended by a further twelve (12) months if the contract is not terminated in writing with six (6) months’ notice to the end of the term. If the use of on-demand services is agreed in the contract, no fixed term is agreed. The contractual partner may terminate the use of the on-demand service at any time without notice.
3. Termination of a contract or termination of the use of the on-demand service shall not be equated with termination of the framework agreement.
4. The provision on extraordinary termination of the framework agreement applies accordingly.
5. If the contractual partner wishes to switch to a cloud solution from another service provider before the end of the contract term or transfer all exportable data and/or digital assets to the contractual partner’s own infrastructure, the Special Conditions for Cloud Switching in the secunet Group (EU Data Act) shall apply in addition.

§ 12 Termination

1. Upon termination of the right of use, the contractual partner shall immediately cease using the contractual service.
2. The contractual partner is obliged to return or delete any contractual service provided to secunet immediately after termination of the right of use or, if and as long as it is legally obliged to store it for a longer period, immediately after expiry of the storage period. This also applies to all copies made by the contractual partner for this purpose. Upon request, the contractual partner must provide secunet with written confirmation that this has been done. In the event of termination of the contract or withdrawal from the contract, this paragraph shall apply accordingly.
3. Termination of use of services shall result in the deletion of the data generated or stored therein. Unless otherwise agreed in the contract, the contractual partner shall have the option at any time to download its data itself in the usual format(s) offered by the service before termination of use and to back it up outside the contractual services of secunet or in suitable storage offerings from secunet.
4. Upon request, secunet may cooperate with the contractual partner and/or the third party designated by the contractual partner to ensure that no disruptions to service provision occur during the transition and that the contractual partner or the third party designated by the contractual partner is able to commence operation of the contractual services after the date of termination of the contract. In this respect, secunet may prepare and provide appropriate documentation. The contractual partner shall cooperate in this regard. Upon receipt of written notification that the contractual partner has been able to read and process all transferred data, the data shall be deleted from the systems in secunet’s data center and the contractual partner shall be notified of this deletion in writing (at least in text form).
5. If the contractual partner uses the contractual service beyond the end of the contract period because a switch to its own IT systems or to another provider or for another reason was not implemented in time after termination of the contract, this use shall be remunerated until the final cessation of use. This continued use does not extend a terminated contractual relationship or constitute a new contract for the use of the contractual services.

§ 13 Offsetting and right of retention

The contractual partner shall only be entitled to offset claims if its counterclaims are undisputed or have been legally established. The contractual partner shall only be entitled to assert rights of retention on the basis of counterclaims arising from the same contractual relationship.

§ 14 Remuneration for cloud services

1. Each contract is billed on a monthly basis.
2. Billing is based on the prices specified in the contract or the price list valid at the time the service is ordered via the self-service portal, according to the volume consumed or the service booked. Invoice items whose amount is known in advance in the billing month are billed monthly in advance. Services that are billed according to consumption, such as traffic, are billed retrospectively in the following month. If services are billed according to time, the intervals can be found in the corresponding product descriptions. The service records are deemed to have been accepted if the contractual partner does not object to them within a maximum of ten (10) working days of receipt.
3. Unless otherwise indicated, prices quoted by secunet are exclusive of the applicable statutory value added tax.
4. In the case of agreed partial services and for partial invoices, the provisions regarding remuneration and pricing shall apply accordingly.
5. Invoices are due for payment without deduction within thirty (30) days of receipt. The conditions and consequences of default are governed by the statutory provisions. If part of an invoice is disputed, the undisputed part must always be paid.

§ 15 Standard reporting channel

The contractual partner must submit all types of notifications by email tosupport@syseleven.de or via the ticket system. In urgent cases (malfunctions, security incidents, etc.), the notification must also be made by telephone to secunet’s emergency numbers:
+49 30 233 2012 30 (during service hours) or
+49 30 609 89 22 11 (24/7 emergency hotline)

§ 16 Incident management for malfunctions, security incidents, and vulnerabilities

1. secunet provides regularly updated information about malfunctions, security incidents, and vulnerabilities (hereinafter referred to as “incidents”) on the status page if the affected contractual partners cannot be informed individually and directly.
2. secunet acts at its own discretion when detecting and remedying incidents in services offered by secunet and used by the contractual partner. Depending on the severity of the incident, secunet reserves the right to take measures without prior notice or consultation with the contractual partner. These include, among other things:
   a) isolation of the affected systems,
   b) completely restricting the accessibility of contractual partner systems, or
   c) the shutdown of compromised services.
   This list is not exhaustive.
3. If secunet becomes aware of security vulnerabilities in installations for which the contractual partner is responsible, secunet shall inform the contractual partner. The contractual partner is obliged to remedy the vulnerability promptly. If this does not happen, secunet reserves the right to take measures to protect its own systems.
4. Once an incident has been resolved, secunet informs the affected contractual partners about the measures taken and any further steps that may be necessary.

§ 17 Cloud warranty

1. secunet guarantees the functionality and operational readiness of the contractual service. Unless expressly stated otherwise below or in the contract, the statutory warranty provisions shall apply.
2. secunet shall be liable for defects in the contractual service provided by secunet in accordance with the warranty provisions of tenancy law (Sections 536 et seq. BGB), but with the proviso that, contrary to Section 536a (1) BGB, liability for damages shall only exist in the event of fault in accordance with the provisions of the contract.
3. Any defects must be reported immediately using the contact options available on the secunet website, providing a detailed description of the defect complained about. Complained defects must be reproducible.
4. A defect exists if secunet does not perform the contractual service in accordance with the contract and this has a significant effect on the suitability for the use agreed in the contract.
5. The contractual partner shall have no warranty claims
   a) in the case of only insignificant deviations from the agreed quality or only insignificant impairment of the usability of secunet’s contractual performance
   b) in the event of incorrect operation by the contractual partner
   c) in the event of the use of hardware, software, or other equipment of the contractual partner that is not suitable for the use of the contractual service
   d) if the contractual partner does not report a defect immediately and secunet was unable to remedy the defect as a result of the failure to report it immediately, or
   e) if the contractual partner is aware of the defect at the time of conclusion of the contract and has not reserved its rights with express reference to this provision.
6. If a defect has been reported by the contractual partner and the contractual partner’s warranty claims are not excluded, secunet is entitled to remedy the defect within a reasonable period of time by taking measures of its own choosing. The contractual partner shall give secunet reasonable time and opportunity to remedy the defect. Subsequent performance shall also be deemed to have been fulfilled if the contractual partner is shown ways of avoiding the effects of the defect. An equivalent new program version of the software underlying the contractual service or an equivalent previous program version of the software underlying the contractual service that did not contain the error shall be adopted if this is reasonable for the contractual partner.
7. If it is impossible or fails to remedy the defect, if there is a culpable or unreasonable delay, or if secunet seriously and definitively refuses to remedy the defect, the contractual partner is entitled in particular to reduce the remuneration owed in accordance with the extent of the impairment (reduction) if it asserts the credit balance specified in the contract within ten (10) days.
8. If secunet provides services for troubleshooting or rectification upon request without being obliged to do so, it may demand remuneration for this in accordance with its usual rates. This applies in particular if a defect cannot be proven.

§ 18 Liability Cloud

1. secunet shall be liable – regardless of the legal basis – for damages and reimbursement of futile expenses only in cases of intent or gross negligence or culpable breach of a material contractual obligation. In the event of a breach of a material contractual obligation, secunet’s liability shall be limited to typically foreseeable damage, except in cases of intent and gross negligence.
2. The contractual partners’ liability for data loss is limited to the restoration costs that would have been incurred if the other contractual partner had made regular and appropriate backup copies and taken the necessary precautionary measures. Section 254 of the German Civil Code (BGB) remains unaffected.
3. The above limitations of liability do not apply to injury to life, limb, or health, to statutory liability under the Product Liability Act, or to the assumption of a guarantee.
4. The above limitations of liability shall also apply directly in favor of secunet’s employees, representatives, and vicarious agents.
5. In the event that contractual services provided by secunet are used by unauthorized third parties using the contractual partner’s access data, the contractual partner shall be liable for any fees incurred within the scope of civil liability until receipt of the order to change the access data or notification of loss or theft, provided that the contractual partner is at fault for the unauthorized third party’s access.
6. If a third party asserts against one contractual partner that a service provided by the other contractual partner infringes the rights of third parties, the one contractual partner shall notify the other immediately. The contractual partner who infringes the rights of a third party is entitled, but not obliged, to defend the asserted claims at its own expense, insofar as this is permissible. The other contracting party is not permitted to acknowledge claims by third parties without the prior consent of the contracting party that has infringed the rights of third parties, or to admit the underlying facts or to conclude a settlement in this regard.

§ 19 Special conditions for free trial

1. If the contracting party uses secunet’s contractual services free of charge and exclusively for testing purposes (hereinafter referred to as “trial installation”), the trial installation shall be limited in time and shall be based on the term agreed in the contract.
2. If a free trial has been agreed, no warranty shall be provided, insofar as this is legally permissible.
3. Within the scope of the free trial of the service, the provider shall be liable in accordance with the statutory provisions of Sections 599 and 600 of the German Civil Code (BGB).

§ 20 Limitation period

All claims arising from this contract shall become time-barred within a period of one year from the start of the statutory limitation period. This shall not apply to claims arising from liability for intent and gross negligence, in cases of malice, claims arising from the Product Liability Act and in cases of an assumed guarantee, as well as in cases of injury to life, limb or health.

§ 21 Confidentiality

1. Confidential information is any information about facts relating to a business operation that is known only to a limited group of people, i.e., that is not public knowledge and should be kept secret due to the legitimate interests of the business owner, regardless of its nature and form. This includes, in particular, verbal information, letters, memoranda, reports, documents, studies, analyses, drawings, letters, computer printouts, software programs, specifications, data, graphic representations, tables, sound recordings, pictorial reproductions, and any type of copies of the aforementioned information for which the disclosing contracting party has taken appropriate confidentiality measures.
2. The contracting parties shall treat confidential information as strictly confidential and shall not disclose it to third parties without the prior written consent of the other contracting party. None of the following companies shall be considered third parties: secunet Security Networks AG, secunet International GmbH, stashcat GmbH, and SysEleven GmbH, insofar as information must be made available to them by secunet in order to fulfill the purpose of the contract. The contracting parties may disclose confidential information to employees who need the respective confidential information for the purposes of executing the contract, provided that the respective employee has undertaken to maintain confidentiality by signing a written confidentiality agreement.
3. The above obligation does not apply to information that
   a) was already public knowledge at the time of receipt by the receiving contracting party;
   b) was already in the possession of the receiving contracting party at the time of receipt by the receiving contracting party;
   c) becomes public knowledge after receipt without the receiving contracting party’s involvement;
   d) becomes accessible from third parties without any obligation of secrecy and non-use, provided that these third parties have not received the information directly or indirectly from the receiving contracting party; or
   e) must be disclosed due to legal provisions, official or court decisions. The disclosing contracting party shall only inform the disclosing contracting party to the extent that legal provisions, official or court decisions require disclosure of confidential information.
4. Unless the contracting parties have agreed otherwise, the confidentiality obligations under the provisions of this paragraph shall end five
5. years after the termination of this contract.

§ 22 Data protection

The contracting parties shall comply with all laws, guidelines, and regulations applicable to them and secunet concerning data protection and data security. If personal data is entrusted to one contracting party, the other contracting party shall keep it confidential and protect it from misuse by taking appropriate technical and organizational measures. When processing or passing on personal data, the relevant data protection laws and the provisions of the contractual agreements with secunet shall be observed.
a) The contractual partner shall only employ staff who have undertaken to maintain confidentiality when handling personal data in order to fulfill their obligations. Corresponding declarations of commitment from employees must be submitted at secunet’s request.
b) The contractual partner is prohibited from processing, disclosing, making accessible, or using personal data without authorization for any purpose other than the lawful performance of its tasks.
c) The loss, unlawful transfer, or disclosure of personal data must be reported to secunet immediately at Datenschutz@secunet.com, as there may be information obligations.

§ 23 Compliance

1. The contractual partner undertakes to comply with the provisions of the Code of Conduct for Suppliers and Business Partners (Code of Conduct for Suppliers and Business Partners) and, in particular, to observe the applicable legal regulations on combating corruption and the applicable antitrust laws.
2. In the event of a breach of these obligations, the provider is entitled to terminate this contract without notice. The contractual partner shall indemnify the provider against all damages and claims by third parties arising from the breach and shall hold the provider harmless.

§ 24 Export restrictions

1. The contracting parties are obliged to independently review and comply with all foreign trade regulations applicable to them, in particular import, export control, customs, and national, European, and international sanctions and embargo regulations. This applies both to independent exports or cross-border transfers, in particular resales, of deliveries and to cross-border delivery and service relationships.
2. The contracting party responsible under foreign trade regulations must obtain any necessary (export) licenses from the competent authorities. It shall bear all customs duties, fees, and other charges incurred in connection with cross-border deliveries and services. secunet is not obliged to provide advice.
3. Within the framework of their contractual relationships, the contracting parties mutually agree to regularly check their data for any entries on economic, financial, or trade-related sanctions lists in compliance with data protection regulations, in particular with regard to compliance with the above-mentioned sanctions and embargo regulations.
   With regard to the aforementioned sanctions list screening, the following also applies:
   (i). The contracting parties assure that neither they themselves nor their employees, nor any natural or legal persons in which they hold a direct or indirect majority ownership interest, are listed on any of the above-mentioned sanctions lists.
   (ii). The contractual partner is obliged to immediately notify secunet in writing (compliance@secunet.com) of any positive results confirmed during the check against the aforementioned sanctions lists.
   (iii). In the event of a positive screening result, secunet is entitled to terminate the contract for cause.
   (iv). The contractual partner shall indemnify secunet against all claims by third parties resulting from the breach of statutory and contractual obligations.
4. In accordance with Council Regulation (EU) No. 833/2014, the following applies:
   a) The contractual partner may not sell, export, or re-export goods delivered under or in connection with this contract and falling within the scope of Article 12g of Council Regulation (EU) No. 833/2014, either directly or indirectly, to the Russian Federation, nor may it carry out such actions for use in the Russian Federation.
   b) The Contracting Party shall use all reasonable efforts to ensure that the purpose of paragraph 4 a) is not undermined by third parties in the commercial chain, including possible resellers.
5. Any culpable breach of the preceding paragraph shall constitute a material breach of the provisions of this contract, and secunet shall be entitled to take appropriate measures, including, but not limited to:
   (i). Termination of this contract; and
   (ii). assertion of a contractual penalty amounting to 5% of the value of the goods sold, exported, or re-exported in violation of paragraph 4 a); and
   (iii). Assertion of a contractual penalty in the event of a breach of paragraph 4 b), whereby the amount of the contractual penalty shall be determined by secunet at its reasonable discretion in accordance with § 315 BGB (German Civil Code). The amount may be reviewed by a court in the event of a dispute. The contractual penalty shall be offset against claims for damages.
6. The contractual partner shall immediately inform secunet of any problems in the application of paragraph 4, including any relevant activities of third parties that could frustrate the purpose of paragraph 4 a). Upon request, the contractual partner shall provide secunet with information on compliance with the obligations under paragraph 4 within two weeks.

§ 25 audit

1. secunet or a third party commissioned by secunet shall be entitled to carry out audits at the contractual partner’s premises in order to verify the proper fulfillment of this contract and the individual contracts as well as the requirements of the Code of Conduct for Suppliers and Business Partners (Code of Conduct for Suppliers and Business Partners of secunet). In addition to observing the necessary security measures and any confidentiality obligations of the contractual partner towards third parties, secunet shall:
   a) notify the contractual partner of audits at least two weeks in advance,
   b) take into account the contractual partner’s operational processes,
   c) limit audits to the rooms and facilities affected by the subject matter of the contract,
   d) comply with data protection regulations and act on the premise of affecting the contractual partner’s trade and business secrets as little as possible.
2. Any use of such secrets beyond what is necessary to enforce secunet’s contractual and legal claims against the contractual partner is prohibited.
3. Each contractual partner shall bear its own costs of verification. However, the contractual partner shall also bear secunet’s costs if the verification reveals violations of this contract or legal provisions.

§ 26 Amendment of the contractual provisions

1. secunet is entitled to amend individual provisions of the contract if there is a valid reason for doing so and the amendment is necessary for the continuation of the contract and reasonable for the contractual partner. A valid reason in this sense exists, among other things, if a change in the legal situation or the highest court ruling or doubts about interpretation that have arisen make it necessary to amend the provisions concerned. A valid reason also exists if a change in market conditions or other legal, economic, or technical conditions that was not foreseeable at the time the contract was concluded and over which secunet has no influence has occurred, leading to a disruption of the contractual equivalence and requiring an adjustment of the terms and conditions to restore equivalence.
2. secunet shall notify the contractual partner of the upcoming changes in writing (e-mail) at least six weeks before the amended terms and conditions are scheduled to take effect. The contractual partner is entitled to object to the changes within six (6) weeks of receiving the notification. If the contractual partner does not object within the deadline and continues to use the service after the objection period has expired, the amended contractual terms and conditions shall be deemed to have been agreed. secunet shall inform the contractual partner of its right of objection and the consequences of not exercising this right in the notification of change.
3. Provisions that affect the main performance obligations of the contracting parties and thus significantly change the relationship between main and counter-performance obligations, as well as other fundamental changes to the contractual obligations that are equivalent to the conclusion of a new contract, are excluded from the right to amend individual provisions of the contract. Such amendments require an express contractual agreement.

§ 27 Final provisions

1. This contractual relationship is subject to German law, excluding the UN Convention on Contracts for the International Sale of Goods and the provisions of international private law.
2. The courts in Germany shall have exclusive jurisdiction for all disputes arising from or in connection with this contractual relationship. However, secunet may, at its discretion, also bring an action before the courts competent for the contractual partner’s place of business.
3. The establishment of this contractual relationship and all agreements that contain an amendment, supplement, cancellation, or specification of this contractual relationship—in whole or in part—must be made in writing. If this contractual relationship contains references to the written form, the written form may also be replaced by electronic form or text form, provided that no legally binding formal requirements apply. The text form requires an electronic signature using a software solution. The aforementioned formal requirement also applies to the amendment or cancellation of this text form clause.
4. Should individual provisions of this contract be or become invalid or unenforceable, or should a loophole become apparent in this contract, this shall not affect the legal validity of the remaining provisions. To fill the gap, the contracting parties shall then agree on an appropriate provision which, as far as possible, comes closest to what the contracting parties would have agreed had they recognized the gap. This applies accordingly to invalid provisions that are not part of secunet’s General Terms and Conditions.
5. Deviating, conflicting, or supplementary general terms and conditions shall not become part of the contract unless their validity is expressly agreed to in writing at least.
6. Upon request by the other party, the contracting parties undertake to hand over or destroy all business documents and any business material, such as software copies, relating to the contract to the other contracting party in accordance with data protection regulations, at the latest upon termination of the contractual relationship, in compliance with the statutory retention periods. The deletion of the data must be confirmed to the other contracting party upon request. This does not apply to backup copies of electronic data traffic
7. Even if this contract is written in English it has to be understood that it was prepared by German lawyers against a German commercial and legal background. If any term of the contract is open to interpretation, the intended German meaning shall prevail.