Lutra Security GmbH ("Lutra Security" or “we”) regulates the contractual relationship between us and our customer (the “customer”) with these General Terms and Conditions ("GTC"). Lutra Security and the customer are also referred to jointly as “parties” or individually as “party”.
- Lutra Security is a specialized provider of information security services, including general IT security consulting and so-called penetration tests ("pen tests"). With the help of such tests, companies can identify potential vulnerabilities and security gaps in their own IT systems and eliminate them before they can be exploited by unauthorized third parties.
- In accordance with these GTC, the customer wishes to have his systems examined by Lutra Security either in general or in previously defined areas and for specific vulnerabilities, or wishes further services within the scope of IT security consulting, as specified in more detail in the order form.
- The services offered by Lutra Security sometimes serve very specific purposes and have a narrowly defined scope. Unless expressly agreed with the customer, such a specific service - such as a pen test - does not replace general IT security consulting or even ongoing monitoring of the IT systems by the customer.
For the conclusion of the Contract (as defined below) as well as for the use of the contractual services (as defined below), these GTC in their respective valid version shall apply exclusively, unless otherwise agreed in writing between the parties. Conflicting, deviating or supplementary conditions (in particular general terms and conditions) of the customer do not apply, unless Lutra Security expressly agrees to them in writing in individual cases by its managing directors in a number authorized to represent Lutra Security. These GTC also apply in the event that Lutra Security provides the contractual services in the knowledge of conflicting or deviating conditions of the customer.
In the event of a conflict or contradiction between the provisions of these GTC and an agreement made in the order form, the provisions of the order form shall take precedence. Likewise, the provisions made in the separately concluded data processing agreement shall take precedence over these GTC.
The services offered by Lutra Security are aimed exclusively at entrepreneurs within the meaning of § 14 BGB.
2. Conclusion of Contract and Contractual Services
With the confirmation of an order by Lutra Security in text form, a contract with the customer is concluded with the content of the respective order form and these GTC ("contract").
Subject matter of the Contract are the services by Lutra Security described in more detail in the order form, such as the simulation of attacks on IT systems and networks of the customer or general IT services ("contractual services").
Services not expressly agreed upon in the order form shall not be included in the contractual services. In particular, in the event of a pen test to be performed, Lutra Security shall not be obliged to successfully or completely identify vulnerabilities in the customer’s IT security, to eliminate them or to carry out a general assessment of the customer’s IT security.
We point out that the knowledge gained through the contractual services regarding the IT security of the customer’s systems has no predictive value with regard to the future security of the customer’s IT systems.
Insofar as the contractual services involve the performance of a pen test, this test shall be limited to the IT systems and/or IP addresses (ranges) of the customer conclusively designated in the order form. The IT systems or IP addresses (ranges) not expressly designated in the order form are not the subject of the contractual services.
3. Implementation of the Contractual Services
Lutra Security shall perform the contractual services with the due care of a prudent businessman, taking into account the current state of the art. The contractual services shall have the scope specified in Clause 2.3.
Lutra Security shall impose a written obligation of confidentiality on the personnel involved in the contractual services prior to their deployment with respect to all information and documents related to the contractual services and their implementation.
Lutra Security will only download data from the tested systems of the customer and take screenshots or otherwise archive them, insofar as this is necessary for the documentation of the respective vulnerability or for the implementation of the contractual services. After completion of the respective contractual services, Lutra Security will immediately delete this data, unless the parties agree otherwise in the order form or insofar as the storage of the data is necessary or useful for a repetition of the contractual services ordered by the customer (in particular renewed performance of a pen test).
If a final report has been agreed upon in the order form as an additional service, Lutra Security shall make this final report available to the customer after full receipt of the remuneration agreed upon for the contractual services. The customer may use this report in unchanged form for his own purposes.
4. Consent and Participation of the Customer
By concluding the Contract, the customer agrees to the performance of the contractual services and, if applicable, to the associated access to stored data or data of the customer in the process of transmission. In particular, the customer authorizes Lutra Security to analyze the IT systems and/or IP addresses (ranges) specified in the order form, to penetrate them by bypassing any protective mechanisms and to carry out attacks under simulated real conditions.
If the technical details for the performance of the contractual services to be rendered are not conclusively described in the order form or if certain measures or IT systems are not expressly excluded, it shall be at Lutra Security’s discretion to assess and apply the measures required to achieve the agreed purposes. Unless otherwise agreed in the order form, the customer grants Lutra Security in particular the right to contact employees and contractors of the customer, possibly under false pretenses, in order to obtain data, in particular access data. For this purpose, Lutra Security may use trademarks registered and protected by the customer, such as the company logo.
If this has been agreed in the order form, the customer grants the employees of Lutra Security commissioned with the implementation of the contractual services the right to enter the rooms, buildings and land used by the customer - even bypassing any security measures such as locking and alarm systems. If the customer is not the sole owner of these rooms, buildings or properties, he is obliged to obtain the permission of the owner.
The customer confirms that the contractual services agreed in the order form are to be performed on the customer’s own systems. Insofar as the contractual services are not to be performed on the customer’s systems, the customer warrants to inform the owner of the systems in advance about the performance of the contractual services and - insofar as necessary - to obtain the consent in due time and to submit it upon Lutra Security’s request. Lutra Security is not obliged to verify the ownership of the systems of the customer.
The customer shall ensure that the provision of the contractual services by Lutra Security does not infringe any rights of third parties, in particular with regard to intellectual property, personal rights and data protection law. Insofar as necessary, the customer shall also inform the third parties concerned in this respect, obtain the relevant consents and submit these to Lutra Security upon request. This applies in particular if the customer has permitted his employees the private use of e-mails and mobile end devices and if the provision of the contractual services makes it possible for Lutra Security to gain access to this data of the employees.
Lutra Security recommends the customer to anonymize or pseudonymize personal data, if possible, which are on his IT systems to be tested, prior to the performance of the contractual services by Lutra Security.
The customer shall appoint a responsible contact person for the performance of the contractual services as well as a deputy contact person for Lutra Security. The customer shall ensure that the contact person(s) or deputy(s) are available at any time at short notice for coordination with Lutra Security. He or she shall also provide Lutra Security in good time with all information required for the performance of the contractual services, including - insofar as agreed - access data, and - insofar as agreed - set up access rights.
The customer acknowledges that the performance of the contractual services may, as specified, lead to system hazards, network loads, failures of the customer’s IT systems and data losses. The customer shall therefore be responsible for creating a complete backup of his data prior to the commencement of the contractual services and at regular intervals of no less than three (3) business days during the term of the Contract and also to take all other necessary security measures to protect against data losses and other damage to IT systems. The safety measures taken by the customer, including the backup, must enable the customer to perform a complete recovery of the data, networks and systems potentially affected by the contractual services. Upon Lutra Security’s request, the customer shall confirm the proper data backup in text form.
The customer agrees that Lutra Security - if security vulnerabilities in the third-party software used by the customer become known in the course of the performance of the contractual services - will first report such security vulnerability to the developer(s) of this third-party software within the scope of a Responsible Disclosure. This notification will not contain any information on the basis of which the customer can be identified. Lutra Security will grant the developer(s) a reasonable period of time to remedy the security vulnerability and will publish this security vulnerability after expiration of the period of time.
5. Remuneration and terms of payment
Lutra Security shall receive an effort-based remuneration from the customer for the performance of the contractual services in accordance with the agreement made in the order form.
The remuneration shall be invoiced after the execution of the contractual services and shall be paid to the account of Lutra Security indicated on the order form within fourteen (14) days after receipt of the invoice by the customer.
All prices are understood to be net plus statutory value-added tax.
The customer agrees that Lutra Security may use unencrypted e-mail (using an e-mail address provided by the customer) as a means of sending invoices and payment reminders.
In addition to the remuneration, the customer shall reimburse Lutra Security for the following expenses which are necessary and reasonable for the performance of the contractual services and for which we provide proper evidence:
- Travel expenses
- Accommodation expenses
- Expenses according to the maximum tax rates
All costs for expenses are agreed with the customer in advance.
If the Contract is terminated prematurely by one of the parties as set out in Clause 7.2, the customer shall reimburse Lutra Security for the remuneration which has become due up to that point in time or, insofar as such remuneration has not been agreed for the services rendered, for the reasonable expenses (at most up to the amount of the remuneration agreed for the contractual services), whereby the customer shall be entitled to prove that Lutra Security has incurred no or significantly lower expenses.
If the Parties agree in the order form on a specific period for the performance of the contractual services (the “performance period”), and if the performance period is either postponed, cancelled in whole or in part at the customer’s request, or if the customer does not provide the information and access data required for the performance of the contractual services in due time despite being requested to do so (the “change in performance”), Lutra Security reserves the right to claim damages in accordance with the following provisions:
If the change in performance of the respective Contractual Service takes place more than three weeks before the agreed performance period, the customer shall only owe reimbursement of expenses for the services provided up to the time the termination becomes effective in accordance with Section 5.6.
If the change of performance takes place less than three weeks before the agreed performance period, the customer owes 25% of the remuneration specified in the order form for the respective Contractual Service.
If the change of performance takes place less than two weeks before the agreed performance period, the customer owes 50% of the remuneration specified in the order form for the respective Contractual Service.
If the change of performance takes place less than one week before the agreed performance period, the customer owes 75% of the remuneration specified in the order form for the respective Contractual Service.
If the change of performance takes place less than three days before the agreed period of performance, the customer owes 90% of the remuneration specified in the order form for the respective Contractual Service.
If the parties agree on a preliminary discussion prior to the actual performance of the contractual services, this preliminary discussion - unless otherwise agreed in the order form - shall not be taken into account when determining the performance period and the resulting graduation of the claims for damages.
In all cases specified in this Clause 5.7, the customer is entitled to prove that Lutra Security has incurred no damage or only a significantly lower damage. In addition, Lutra Security must allow itself to be credited with the value of that which Lutra Security has saved in expenses as a result of the change in performance or has acquired or maliciously refrained from acquiring through the provision of contractual services elsewhere.
Lutra Security is liable to the customer without limitation in case of intent, gross negligence and injury to life, body or health.
Notwithstanding the cases of unlimited liability according to 6.1, Lutra Security is liable to the customer in case of slightly negligent breach of duty only in case of violation of essential contractual obligations, i.e. obligations whose fulfillment makes the proper execution of the Contract possible in the first place or whose violation endangers the achievement of the purpose of the Contract and on whose compliance the customer may regularly rely, however, limited to the damage foreseeable at the time of conclusion of the Contract and typical for the Contract.
The above limitations of liability shall not apply within the scope of guarantees assumed in writing or with regard to liability under the Product Liability Act.
Liability of Lutra Security for damages of the customer resulting from loss of data is excluded to the extent that the damage is based on the customer’s failure to perform data backups within his area of responsibility as described in Clause 4.4 and thus to ensure that lost data can be restored with reasonable effort.
Claims for damages by the customer shall become statute-barred within one (1) year of the customer’s knowledge or grossly negligent lack of knowledge of the circumstances giving rise to the claim, but no later than one (1) year after the end of the year in which the claim arose. This shall not apply in the case of intent, gross negligence, damage resulting from injury to life, body or health and claims under the Product Liability Act.
Insofar as third parties assert claims for damages against Lutra Security, which are due to the fact that the customer has not fulfilled his contractual obligations - in particular those mentioned in Clause 4 - the customer shall indemnify Lutra Security against these claims for damages including reasonable attorney’s fees and costs.
Clause 6 shall also apply in favor of employees, representatives and bodies of Lutra Security.
7. Entry into force, termination
The Contract comes into force with the confirmation of the order by Lutra Security and ends with the complete execution of the Contract, unless it is terminated prematurely. The duration of the Contract execution is agreed in the order form.
Either party may terminate the Contract with four (4) weeks’ notice. The right to extraordinary termination of the Contract for good cause remains unaffected.
Any termination must be in writing to be effective.
8. Confidentiality and data protection
Lutra Security undertakes to keep confidential any information obtained in the course of the execution of the Contract.
Insofar as Lutra Security processes personal data on behalf of the customer in the course of the execution of the Contract, the provisions of the separately agreed data processing agreement shall apply.
9. Applicable law and jurisdiction
This Contract as well as all claims, rights and obligations arising from or in connection with this Contract shall be governed by the laws of the Federal Republic of Germany. The UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.
If the customer is a merchant within the meaning of the German Commercial Code, a legal entity under public law or a special fund under public law, the Regional Court of Munich I shall have exclusive jurisdiction for all disputes arising from and in connection with the Contract.
10. Final provisions
Should individual provisions of this Contract be invalid or unenforceable, this shall not affect the validity of the remaining provisions.
The transfer of the Contract or individual rights or obligations hereunder by the customer to third parties requires the prior written consent of Lutra Security. § 354a HGB remains unaffected.
Offsetting by the customer is only permitted with an undisputed or legally established claim. The same shall apply to the assertion of rights of retention, whereby the counterclaim must also be based on the same contractual relationship. A previously effectively agreed retention of title shall remain unaffected by this.
Changes and additions to the Contract must be made in writing.
Unless otherwise agreed in writing, all notices, consents, or agreements under this Agreement shall be sent by mail or email to the other party in accordance with the terms of this Agreement or to such other address as may be provided by such party for such purposes.
General Terms and Conditions as of May 2022