General Terms and Conditions
of CS Company Shield GmbH
Version 3.3, as of 06.01.2025
Scope of application
These General Terms and Conditions (hereinafter: "GTC") of CS Company Shield GmbH (hereinafter "Company Shield", "we" or "us") apply exclusively to customers (e.g. companies, authorities) who are entrepreneurs within the meaning of Section 14 (1) of the German Civil Code (BGB), i.e. natural or legal persons or partnerships with legal capacity who are acting in the exercise of their commercial or independent professional activity when concluding the transaction, as well as to customers who are legal entities under public law or special funds under public law.
These GTC apply to all contracts with the customer for the provision of services in the area of awareness building and by way of the temporary use of a software and platform as a cloud solution (Software-as-a-Service, SaaS).
These GTC apply exclusively in our relationship with the customer. They shall also apply to all future business transactions and to all business contacts with the customer, such as the commencement of contract negotiations or the initiation of a contract, even if they are not expressly agreed again or if they are not expressly referred to again. The validity of the customer's general terms and conditions of order or purchase is expressly rejected.
Previous agreements and earlier versions of our General Terms and Conditions are superseded by these GTC.
If, in individual cases, contractual obligations are also established with persons or companies that are not themselves to be parties to the contract, the limitations of liability in these GTC shall also apply to them, provided that these GTC were included in relation to the third parties when the contractual obligation was established. This is particularly the case if the third parties were made aware of these GTC or were already aware of them when the contractual obligation was established.
Acceptance of our services by the customer shall be deemed acceptance of the validity of these GTC.
Conclusion of contract
Unless otherwise agreed, our offers are subject to change and non-binding.
We shall only be bound by an order if it has been confirmed by us in text form by means of an order confirmation or if we commence execution of the order.
Scope of services (performance deadlines)
We offer the customer the provision of awareness-building services. Awareness building consists of three different modules (hereinafter referred to as "service modules"). These include (i) attack simulations via email, SMS, phone call or another agreed communication channel, the provision of (ii) in-the-moment training based on these simulations and the (iii) Company Shield Awareness Monitor (incl. admin and reporting dashboard) as a SaaS system.
We provide the Customer with the service modules contained in the respective offer or in the respective order confirmation by way of a software-as-a-service model via the Company Shield platform (service modules bundled together hereinafter referred to as "Software"). The software and platform, including the corresponding services, are made available on servers of a third-party provider (Amazon Web Services Inc. (AWS), server location: Frankfurt) for use at the access point of Company Shield's data center. The number of uses covered, as well as other additional services to be provided, is determined by the specific offer or order confirmation.
The customer shall be granted access to all functions of the booked service modules (use of the software and the platform in accordance with Clause 3.2) and the corresponding rights of use in accordance with Clause 5 for the duration of the contract. The software and the platform shall be made available for the contractual use specified in the offer or the order confirmation.
Application documentation is also included. Unless otherwise agreed between the parties, the application documentation is stored as a wiki in the application. The provision of the source code of the software to the customer is not owed.
We offer the customer the use of SaaS (Software as a Service) and web hosting. The customer has network access to a server system that is maintained by us or subcontractors in order to use the software provided via this system. The customer has no administrative access rights.
We use subcontractors to provide SaaS and hosting services. Further information on the subcontractors used can be found in the General Data Processing Agreement (DPA).
In the case of SaaS and web hosting, there is automated access to the customer's required data, on the basis of which the SaaS service is then provided. Access is set up by us at the start of the SaaS contract.
The services we provide to the customer as part of SaaS and web hosting are provided via servers of Amazon Web Services Inc. (AWS) in Frankfurt.
Unless otherwise stipulated in these General Terms and Conditions of Service, the hosting conditions of AWS with server location in Frankfurt apply in addition. We will be happy to provide you with the terms and conditions on request.
Duty to cooperate
The software and hardware requirements that the customer must fulfill in order to use the software or the services provided with the software are set out in more detail in the offer.
The actual implementation of the awareness-building measures via the software provided via the platform requires the prior registration of the customer (creation of a customer account, also known as admin access). The creation of the customer account requires the entry of the professional e-mail address and the first and last name of the person entrusted with the administration of the awareness-building services at the customer ("administrator") as well as the creation of a password. The customer account can be created either by the administrator himself or by another employee of the customer. This information must be correct, up-to-date and complete. Alternatively, we can create the account for the customer at the customer's request. In this case, the customer is obliged to change the initial password immediately. In connection with the platform and its awareness-building services, we send product and service-related updates via e-mail to the e-mail address stored in the customer account, unless the customer and/or the administrator objects to this. The customer/administrator can use the admin access to log in to the platform in order to view the reporting and an analysis of the results.
In addition to the customer, only users authorized by the customer may use the awareness-building services provided via the platform in accordance with the provisions and within the scope of this user agreement. The users named by the customer shall be included in the distribution list for the awareness-building services via the user data provided by the customer or the simulations, fakes, etc. created in the course of this shall be sent to the user after the customer has provided the data. The creation of a user account by the respective user is not mandatory. However, the user can register voluntarily, e.g. to gain an insight into their personal results. The creation of the user account requires the entry of the professional e-mail address and the first and last name as well as the creation of a password. This information must be correct, up-to-date and complete. Each user may only register once. The respective user accounts are not transferable, not even to other employees of the customer. Once created, the user accounts are automatically included in the customer's awareness simulations. Personal simulation results can be viewed by the respective user via their account.
Voluntary registration as a user is only permitted for persons for whom the customer has been granted a license to use the awareness-building services. Simultaneous use of the same account via several end devices (in particular simultaneously on a smartphone) is permitted. Unless expressly permitted by us (text form required), users are not permitted to register with private email addresses, in particular freemail services such as GMX, web.de or Google Mail.
The customer is also responsible for monitoring its personnel and, in particular, the users. He is obliged to require them to comply with the provisions of the contract that apply to them. The awareness-building services may only be used for the customer's own operational purposes and within the agreed scope of use.
Granting of rights
In return for payment of the remuneration in accordance with Section 9, the customer shall receive the non-exclusive, non-transferable and non-sublicensable right to use the software and the service modules to the extent granted in the contract, i.e. for its own operational purposes for the number of users specified in the respective offer, limited to the term of the contract concluded under these GTC. The contractual use includes access to the software as well as loading, displaying and running the software.
The customer is not entitled to sell, lend, rent or sublicense the software in any other way, to reproduce the software publicly or to make it accessible.
If the customer violates any of the above provisions, all rights of use granted under the contract shall immediately become ineffective and shall automatically revert to us. In this case, the customer must immediately and completely cease using the software and the service modules.
Availability, maintenance window for SaaS and web hosting
We undertake to make commercially reasonable efforts to achieve an annual average network availability of 99% for our SaaS system and server.
The guarantee of availability does not apply to the functionality of telephone or other communication services to the contractual server, to power failures or failures of servers that are beyond our control or to the infrastructure to be provided by the customer (software and hardware requirements of the customer). The guarantee of availability also does not extend to times in which third parties carry out DDoS attacks (Distributed Denial of Service), i.e. third parties flood the server with a vast number of technical requests in order to exhaust the available network capacity, or for the standard maintenance windows provided (see Section 6.3).
We may temporarily restrict availability if this is necessary with regard to software updates, hardware updates, capacity limits, to carry out maintenance work or for security reasons (maintenance window).
Insofar as we provide standard maintenance windows, i.e. times that we regularly use for maintenance, these are shown in the annex to the offer. The standard maintenance windows specified by our subcontractor shall apply. We are happy to provide the relevant regulations of our subcontractor.
Additional maintenance windows may become necessary, e.g. in the event of acute problems with the software or the platform or if the standard maintenance windows are not sufficient in individual cases; the following applies to these: As far as possible, we take into account the legitimate interests of the customer by informing them in advance of the availability restriction. If the customer does not object to the maintenance window within 24 hours before the announced maintenance window, we shall assume that the customer agrees to the maintenance window. We will point this out to the customer when sending the information about the maintenance window.
The period of a maintenance window shall not be taken into account when calculating availability in accordance with Section 6.1.
Access data, use by employees, liability for employees with SaaS and hosting
The customer undertakes to protect access to our systems against unauthorized use by third parties. Access data (user ID or password) may not be passed on. The customer shall be liable for any unauthorized use of his access data made possible by his conduct and the associated unauthorized use of his access; this shall not apply if he is not at fault. As soon as the customer becomes aware that his access data has become accessible to third parties, he is obliged to change his password. If he is unable to do so, he must inform us immediately.
Access is not transferable.
Additional accesses may be created for the customer for the use of individual employees in the name of the customer, whereby the provision in Section 4.4 must be observed. In such a case, the customer undertakes to obligate the employee concerned in accordance with the above Section 7.1 and Sections 5, 8 and 11; any parallel responsibility of the customer remains unaffected. The customer itself is obliged to have access for employees deleted immediately if the access authorization (e.g. due to the employee leaving the customer) should lapse.
Rights to customer data/content, granting of rights of use, customer liability for data/content, indemnification, deletion after the end of the contract
The customer assures that he has the necessary rights to the content (including personal data) provided by him for the respective use.
The customer grants us a simple, non-transferable right, limited in time to the duration of the contract, limited in space to the location of our servers and the location of our backups, to reproduce the protected content for the purposes of this contract on the server, on another server used for mirroring, and for a sufficient number of backups. After termination of the contract, copies on backups may still be stored for a transitional period of one month; within this period, the customer may demand that the data stored for him in the backup be surrendered for a fee; unless otherwise agreed, the costs for such surrender shall be invoiced on the basis of an hourly fee based on our general price list at the time the service is provided, calculated on the basis of commenced quarter hours. At the end of the month, we may irretrievably delete the content unless the customer requests and performs the release.
The customer grants us a simple, worldwide, non-transferable right, limited in time to the duration of the contract, to use the data and content provided by the customer for the further development of our software and, after the end of the contract, to continue to use the information anonymously for the further development of the software, insofar as this is necessary for the operation of the further developed software within the framework of big data processes for the further developed software.
The customer shall be liable for the data and content it has entered into the system and shall indemnify us against all claims asserted by third parties against us due to the infringement of rights or other claims based on the customer's content in our system. The customer is obliged to compensate us for any damage we incur as a result of the assertion of such third-party claims, including the costs of an appropriate legal defense. This shall only apply if the customer is at fault.
Remuneration, terms of payment
The customer must pay us the contractually agreed remuneration for the provision of the awareness-building services, which can be found in the offer.
We will invoice the customer for the remuneration due for the entire term of the contract immediately after conclusion of the contract. In the event of a contract extension, the invoice shall be issued at the beginning of the additional term. Unless otherwise contractually agreed, our claim shall be due immediately after invoicing, without any deduction. If we provide our services in definable partial sections, we shall be entitled to demand payment of a corresponding part of the remuneration for each partial section.
Our prices are net prices and refer to the performance of the service at the agreed place of performance. When the invoice is issued, VAT shall be added at the applicable statutory rate. Any taxes and duties incurred shall be borne by the customer.
In the case of an agreed installment payment, the agreed remaining amount shall become due immediately if the customer is in default with two installments in whole or to a not insignificant extent or if he is in default in a period extending over more than two installment payment dates in the amount of at least one monthly installment payment.
The customer is not entitled to make deductions without express agreement.
If the customer is in default of payment, he shall compensate us for any damage caused by default, in particular interest at a rate of 9 percentage points above the prime rate. If the customer is more than 14 days in arrears with the payment of a due amount or partial amount, if the customer breaches the obligations arising from a reservation of title or if the consideration to which we are entitled is jeopardized due to poor financial circumstances of the customer, the entire remainder of all outstanding claims shall become due for payment immediately.
Payment by bill of exchange or acceptance is only permitted by express agreement and even then only on account of payment. Any costs incurred in the event of payment by bill of exchange or acceptance shall be borne by the customer and shall be invoiced to the customer separately.
Only undisputed or legally established claims may be offset against our remuneration claims. The same applies to the exercise of a right of retention. The customer is otherwise only authorized to exercise a right of retention if it is based on the same contractual relationship.
The assignment of claims against us by the customer requires our prior approval, which we will only refuse for good cause.
We are entitled to demand an adjustment of the remuneration with effect from the beginning of a calendar year if our costs of maintaining the software or the service modules have increased. If our costs have decreased, the customer may demand a reduction in the remuneration at the beginning of a calendar year. If no agreement is reached between the parties within three months of our request for an adjustment, the contract shall continue to run at the previously agreed remuneration for the previous contract year and may be terminated by the party requesting the adjustment with three months' notice.
Contract term, termination
Unless otherwise agreed in the offer, the contract is initially concluded for a fixed term of one year (minimum contract term). The contract shall be extended by a further year (additional term) after expiry of the minimum contract term and after expiry of each subsequent term, unless the contract is terminated by one of the parties subject to a notice period of one month to the end of the respective (minimum) contract term.
Both parties are also entitled to terminate the contract for good cause without observing a notice period (extraordinary termination). Good cause entitling us to terminate the contract shall be deemed to exist in particular if
the customer infringes rights of use by using the software or the service modules beyond the extent permitted under this contract and does not remedy the infringement within a reasonable period of time following a warning from us,
the customer commits a serious breach of the provisions of this contract.
Any notice of termination must be given in text form. Notices of termination can be sent by e-mail to cancellation@company-shield.de.
In the event of termination, the customer must stop using the software.
Prohibited content and actions, blocking, ensuring harmless content
The customer himself is responsible for ensuring that his content/data and the use of the server comply with legal regulations.
The customer undertakes not to store any content on the servers, to make it publicly accessible via the servers or to use the servers in any other way with regard to content that
is punishable by law (in particular incitement to hatred, insult, defamation, threats),
is considered pornographic, vulgar or obscene, harassing or offensive in any other way,
is anti-constitutional, extremist, racist or xenophobic, or originates from banned groups,
interferes with the rights of third parties (in particular personal rights, data protection rights, copyrights, trademark rights, patent rights or other rights of third parties).
The customer undertakes not to take any actions that could impair, damage or destroy the software, hardware or performance of another server or a system used by us for the provision of services, in particular not to make any content publicly accessible that contains malicious code or serves to carry out or forward snowball systems, (genuine) mass e-mails (genuine spam) or chain letters or to bring our services to a standstill.
The customer must ensure that the customer's content used within the SaaS system does not contain any malware, viruses, Trojans or other content that could cause technical damage to the computer system.
We may temporarily or permanently block the connection to the Internet in whole or in part (e.g. with regard to individual files) as well as the customer's access to the server,
if there is a suspicion or it has already been established that the customer is violating statutory provisions or these GTC, the rights of third parties are being infringed or we otherwise have a legitimate interest in blocking. We have a legitimate interest in blocking if the blocking is necessary to protect one or more other customers, in particular if there is a suspicion that the server provided to the customer is being used for fraudulent activities or the customer has provided false contact details;
if there is reasonable suspicion that the customer has stored or made publicly accessible prohibited content. Reasonable suspicion exists in particular if we receive a warning from an alleged infringer (unless the warning is obviously unfounded) or if we become aware of investigations by state authorities.
Blocking will be limited to the extent necessary. The account will only be blocked permanently in the event of particularly serious or repeated violations. The customer shall be informed of the blocking without delay, stating the reasons, provided that the customer has duly provided their contact details. The blocking shall be reversed as soon as the suspicion giving rise to the blocking has been invalidated. We are also entitled to modify or delete prohibited content within the meaning of sections 11.1 to 11.5 above.
If personal data of the customer or personal data of unknown third parties is processed by the customer via the software, this data will also be passed on to us. As a result, disclosure to our web host is unavoidable. In this respect, we refer to the General Data Processing Agreement (DPA) concluded separately with the customer.
Data backups, limitation of liability for hosting customer data/content
Unless otherwise agreed in individual contracts, we make weekly backup copies of the customer's data (backups). The previous backup copy will be overwritten. The backups only include the user data, not the software (the operating system and the user software).
In addition to the limitations of liability in Section 13, liability for the restoration of the customer's data shall be limited to the costs necessary to restore the data if it is regularly backed up or can otherwise be reconstructed from machine-readable data material with reasonable effort.
Warranty and liability
We guarantee the maintenance of the contractually agreed quality of the software during the term of the contract.
Any strict liability for initial defects is excluded. Any liability pursuant to § 536a BGB is excluded. We are not aware of any such defects.
The customer is obliged to notify us of defects in the software immediately after their discovery. In the case of material defects, this must be done with a description of the time of occurrence of the defects and the more detailed circumstances. If the customer fails to notify us, he shall be obliged to compensate us for the resulting damage in accordance with § 536c para. 2 sentence 1 BGB. Insofar as we were unable to remedy the situation as a result of the failure to notify us, the customer shall not be entitled to assert any rights pursuant to Sections 536, 536a (1) or Section 543 (3) sentence 1 BGB.
We shall rectify any defects within a reasonable period of time. Defects shall be remedied at our discretion either by repair or replacement free of charge.
The customer's rights due to defects shall be excluded if the customer makes or has made changes to the software, the conditions of use of the software or the system environment without our consent, unless the customer proves that the changes have no unreasonable effects on the analysis and/or elimination of the defects for us. The customer's rights due to defects shall remain unaffected insofar as the customer is entitled to make changes, in particular within the scope of exercising the right of self-remedy pursuant to Section 536a (2) BGB, and carries these out professionally and documents them in a comprehensible manner.
If we are not able to rectify the defect or provide an error-free subsequent delivery, the customer will be shown ways of avoiding the error. The workarounds shall be deemed to be subsequent performance, provided that they do not lead to a significant impairment of the functionality or processes of the software. Error workarounds are temporary workarounds for an error or fault without interfering with the source code.
If necessary, the user documentation will also be adapted in the event of a rectification.
Termination by the customer in accordance with Section 543 (2) sentence 1 no. 1 BGB due to failure to grant use in accordance with the contract is only permissible if we have been given a sufficient period of time to rectify the defect and this has failed. Failure to remedy the defect shall only be deemed to have occurred if it is impossible, if we refuse to remedy it or delay it in an unreasonable manner, if there are reasonable doubts as to the prospects of success or if it is unreasonable for the customer for other reasons.
We are not liable for the fact that the service modules do not meet the customer's further expectations or do not fulfill legal requirements that apply outside Germany. Irrespective of whether the software meets the requirements in Germany, it shall not be deemed defective if it meets the legal requirements at the agreed location or if there is nothing to prevent normal use at the agreed location.
The customer can only demand compensation from us:
for damage caused by
an intentional or grossly negligent violation or
is based on an intentional or grossly negligent breach
of obligations of one of our legal representatives, executives or vicarious agents that are not material contractual obligations (cardinal obligations) and are not primary or secondary obligations in connection with defects in our services.
for damages resulting from the intentional or negligent breach of material contractual obligations (cardinal obligations) on our part, on the part of one of our legal representatives, executives or vicarious agents.
Material contractual obligations (cardinal obligations) within the meaning of the above provisions are obligations whose fulfillment is essential for the proper execution of the contract and on whose compliance the customer regularly relies.
Furthermore, we shall be liable for damages due to the negligent or intentional breach of obligations in connection with defects in performance (subsequent performance or ancillary obligations) and
for damages that fall within the scope of protection of a guarantee (assurance) expressly given by us or a guarantee of quality or durability.
In the event of a breach of a material contractual obligation due to simple negligence, liability shall be limited to the amount of damage typically to be expected and foreseeable by us at the time of conclusion of the contract when exercising due care.
Claims for damages by the customer in the event of a simple negligent breach of a material contractual obligation shall become time-barred one year after the statutory limitation period begins. This does not apply to damages resulting from injury to life, limb or health.
Claims for damages against us arising from mandatory statutory liability, for example under the Product Liability Act, as well as from injury to life, limb or health shall remain unaffected by the above provisions of this Section 7 and shall exist to the extent permitted by law within the statutory time limits.
Secrecy
During the term of the contract concluded under these GTC, the customer and we undertake to keep confidential all information which becomes accessible in connection with the respective contract and which is designated as confidential or is recognizable as business or trade secrets due to other circumstances ("confidential information") and - unless expressly approved in writing in advance or required to achieve the purpose of the contract - not to record it, pass it on to third parties or exploit it in any way. This confidentiality obligation shall remain in force for a further five years after termination of the contract.
The obligations under Section 14.1 also apply to business secrets within the meaning of Section 2 No. 1 GeschGehG.
The customer and we undertake to protect business secrets within the meaning of § 2 No. 1 GeschGehG as well as other confidential information from being obtained by third parties by means of confidentiality measures appropriate to the circumstances. The confidentiality measures must at least correspond to the customary care and the level of protection that the customer or we apply to our own business secrets of the same category.
This does not apply to confidential information,
which was already known to the receiving party prior to the commencement of the contractual negotiations or which is communicated by third parties as non-confidential, unless these third parties themselves are in breach of confidentiality obligations,
which the receiving party has developed independently,
which is or becomes publicly known through no fault or action of the receiving party or
which must be disclosed due to legal obligations or official or court orders.
In the latter case, the receiving party must inform the disclosing party immediately prior to disclosure. If the receiving party invokes one of the above exceptions, it shall bear the burden of proof in this respect. Further statutory confidentiality obligations shall remain unaffected.
The customer is not entitled to obtain trade secrets or other confidential information by observing, examining, disassembling or testing a product or object within the meaning of Section 3 (1) GeschGehG ("reverse engineering"), unless the product or object has been made publicly available.
Miscellaneous
Company Shield is entitled to name the Customer as a reference customer. The Customer grants Company Shield the right to use the Customer's logo and name in electronic, printed or other form for internal or external marketing activities, e.g. on the Internet, in brochures, offers, presentations or press releases, free of charge, without restriction in terms of territory or content and for the duration of the customer relationship.
The place of performance and exclusive place of jurisdiction for all disputes arising between the parties from the contract concluded under these GTC or concerning the validity of these GTC is the registered office of Company Shield if the Customer is a merchant, a legal entity under public law or a special fund under public law or the Customer has no general place of jurisdiction in the Federal Republic of Germany or has relocated its place of jurisdiction abroad. As an exception to this, we are also entitled to take legal action against the customer at his general place of jurisdiction.
A merchant is any entrepreneur who is entered in the commercial register or who operates a commercial business and requires a commercially organized business operation. The customer has his general place of jurisdiction abroad if he has his place of business abroad.
We reserve the right to amend the awareness-building services offered and these GTC insofar as the respective amendment is necessary to reflect changes that were not foreseeable when the respective contract of use for the awareness-building was concluded and the non-observance of which would impair the contractual balance between us and the customer, in particular to the extent that we (i) are obliged to ensure that the Awareness Building Services comply with the applicable law, in particular if the applicable legal situation changes, (ii) have to comply with a court judgment or an official decision directed against us and/or (iii) have to adapt the Awareness Building Services due to mandatory security-related aspects. At no time will the change in performance restrict our fulfillment of the main contractual obligations.
In cases other than those specified in Section 15.3, we shall notify the customer in advance of any changes to the GTC. If the customer does not object to their validity within four (4) weeks of notification, the amendments shall be deemed accepted with effect for the future. If the customer objects to the changes, the contractual relationship shall continue in its previous form. We shall draw the customer's attention to the effect of silence in the notification.
Should a provision in these GTC or the contract concluded under these GTC be or become invalid, this shall not affect the validity of all other provisions.
These GTC and contracts concluded hereunder with the customer shall be governed by German law to the exclusion of the UN Convention on Contracts for the International Sale of Goods.