Terms of Service

General Terms and Conditions pursuant to Sections 305 et seq. of the German Civil Code (BGB)

Kunnus – EU CRA Compliance Platform
Think Ahead Technologies GmbH

Version: 1.0
Effective Date: 20.02.2026
Document ID: TERMS_OF_SERVICE_v1

Important Notice / Disclaimer

This English translation is provided for convenience and informational purposes only. The German version of these Terms of Service (available at kunnus.tech/terms) is the sole legally binding version. In the event of any discrepancy between the German and English versions, the German version shall prevail.

§ 1 Scope and Subject Matter

(1) These General Terms and Conditions (hereinafter “Terms”) apply to all contracts between Think Ahead Technologies GmbH, Sophienstraße 32, 70178 Stuttgart, Germany, registered in the Commercial Register of the Local Court of Stuttgart, HRB 794174 (hereinafter “Provider”) and the customer (hereinafter “Customer”) regarding the use of the web-based Software-as-a-Service platform “Kunnus” (hereinafter “Platform”).

(2) The Platform supports companies in complying with the requirements of Regulation (EU) 2024/2847 of the European Parliament and of the Council (Cyber Resilience Act, hereinafter “CRA”) and includes, in particular, functions for product management, SBOM management, vulnerability management, security controls, evidence management, and compliance reporting.

(3) These Terms apply exclusively. Deviating, conflicting, or supplementary general terms and conditions of the Customer shall only become part of the contract if and to the extent that the Provider has expressly agreed to their validity in writing.

(4) The Platform is intended exclusively for entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB). By entering into the contract, the Customer confirms that the Platform is used exclusively in the context of their commercial or independent professional activity.

§ 2 Contract Formation and Registration

(1) The presentation of the Platform and its services on the Provider's website does not constitute a binding offer, but an invitation to submit an offer (invitatio ad offerendum).

(2) By registering on the Platform and selecting a service package, the Customer submits a binding offer to conclude a usage contract. The contract is concluded when the Provider accepts the offer by sending a confirmation email or by activating access to the Platform.

(3) During registration, the Customer must provide truthful and complete information. The Customer is obligated to keep their data up to date. Registration requires the provision of the first and last name of the natural person using the account.

(4) As part of registration, the Customer creates an organization. This organization forms the multi-tenant framework for using the Platform. The Customer may create and manage additional users within their organization.

§ 3 Scope of Services

(1) The Provider makes the Platform available to the Customer as Software-as-a-Service (SaaS) via the Internet. The specific scope of services is determined by the applicable service description and the selected service package.

(2) The Platform includes, in particular, the following functional areas:

  • Product Management: Inventory, classification, and hierarchical management of products with digital elements
  • Component Library: Management of reusable components with product mapping
  • SBOM Management: Import, storage, and analysis of Software Bills of Materials in common formats (CycloneDX, SPDX)
  • Security Controls: Management of security measures and their mapping to products and requirement frameworks
  • Evidence Management: Documentation and linking of evidence to controls and products
  • Compliance Assessment: Assessment and tracking of compliance status
  • Vulnerability Management: Detection, assessment, and tracking of vulnerabilities
  • Reporting: Generation of self-assessment reports (declarations of conformity) and compliance dashboards
  • Vendor Assessment: Assessment and tracking of supplier compliance

(3) The Provider is entitled to further develop the Platform and expand its functionality. The Provider will not unilaterally restrict the contractually agreed functionality unless this is mandatory for technical or legal reasons. In such a case, the Customer will be informed in a timely manner.

(4) The Provider renders its services subject to the availability of third-party services, insofar as these are required for the provision of services (e.g., hosting providers, databases, authentication services).

§ 4 Availability and Maintenance

(1) The Provider shall endeavor to ensure an availability of the Platform of 99.5% on an annual average, measured by the uptime of the production system. Excluded from this are periods of planned maintenance work and disruptions beyond the Provider's sphere of influence (force majeure, hosting provider outages, third-party network disruptions).

(2) Planned maintenance work will be announced with a notice period of at least 48 hours via email or through the Platform. Maintenance windows will, where possible, be scheduled during off-peak hours (Saturday/Sunday, 02:00–06:00 CET/CEST).

(3) In the event of disruptions, the Provider will immediately begin remediation and inform the Customer of the status. Severe disruptions that materially impair the use of the Platform will be treated with priority.

§ 5 Customer Obligations

(1) The Customer is obligated to:

  • use the Platform only within the scope of the contractual agreements and applicable laws;
  • keep their access credentials (particularly passwords) confidential and protect them from access by unauthorized third parties;
  • inform the Provider immediately if there is a suspicion that access credentials have been misused;
  • not upload unlawful content or engage in unlawful activities when using the Platform;
  • acknowledge that the Provider performs regular data backups (every four hours);
  • manage users within their organization independently, particularly the assignment and revocation of roles and permissions.

(2) The Customer ensures that all users to whom they grant access to the Platform comply with the provisions of these Terms. The Customer is liable for violations by their users as if they were their own.

(3) User accounts must be set up as personalized accounts, each assigned to a single, identifiable natural person. The use of functional, group, or shared accounts (e.g., “info@”, “compliance@”, “team@”) is not permitted.

(4) The Customer shall ensure that access credentials are not shared among multiple persons. If a person responsible for a personalized user account leaves the organization, the Customer is obligated to deactivate the respective account and create a new account for the succeeding person. Access to data associated with the former account remains available to the Customer at the organization level.

(5) The Customer is solely responsible for the accuracy and completeness of the data entered into the Platform. This applies in particular to product classifications, security assessments, and compliance information. The Platform does not replace professional advice, and its use does not relieve the Customer of their legal obligations under the CRA or other applicable regulations.

(6) The Customer may not use the Platform in a manner that could impair the integrity, performance, or availability of the Platform. In particular, it is prohibited to:

  • perform automated access to the Platform beyond the intended use of the provided API;
  • decompile, disassemble, or otherwise determine the source code of the Platform, unless mandatorily permitted under Section 69e of the German Copyright Act (UrhG);
  • make the Platform available to third parties for use, unless expressly permitted (e.g., auditor access, Trust & Security Center).

§ 6 Usage Rights and Intellectual Property

(1) For the duration of the contract, the Provider grants the Customer a simple, non-transferable, non-sublicensable right to use the Platform within the scope of the contractual agreements. All other rights remain with the Provider.

(2) All rights to the Platform, including the source code, databases, algorithms, user interface, and related documentation, belong exclusively to the Provider. The Customer does not acquire any ownership rights to the Platform or parts thereof.

(3) The data entered or uploaded by the Customer into the Platform (in particular product data, SBOMs, evidence, compliance data) remains the property of the Customer. The Customer grants the Provider a simple right of use for such data, to the extent necessary for the provision of the contractual services.

(4) The Provider is entitled to use anonymized and aggregated usage data for the improvement of the Platform, for statistical evaluations, and for benchmarking purposes, provided that any inference to the Customer or their data is excluded.

§ 7 Remuneration and Payment Terms

(1) Remuneration is based on the service package selected by the Customer and the Provider's applicable price list. All prices are net prices plus the applicable statutory value-added tax.

(2) Unless otherwise agreed, remuneration is invoiced monthly or annually in advance. Invoices are transmitted in electronic form.

(3) Invoices are due within 14 days of the invoice date without deduction, unless a different arrangement has been made.

(4) The Provider is entitled to change the prices with a notice period of at least six (6) weeks before the end of the respective billing period. In the event of a price increase of more than 5%, the Customer has the right to terminate the contract with four (4) weeks' notice to the effective date of the price increase. If the Customer does not exercise this right of termination, the price change is deemed accepted.

(5) If the Customer is in default of payment, the Provider is entitled to charge default interest at the rate of 9 percentage points above the base rate pursuant to Section 288(2) BGB. The right to claim further damages caused by default remains unaffected.

(6) If the Customer is in payment default for more than 30 days, the Provider is entitled to temporarily suspend access to the Platform after prior written notice. The obligation to pay remuneration continues during the suspension.

§ 8 Data Protection

(1) The Provider processes personal data of the Customer and their users in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TDDDG).

(2) Insofar as the Provider processes personal data on behalf of the Customer, the parties shall conclude a separate Data Processing Agreement (DPA) pursuant to Article 28 GDPR. The DPA is attached as an annex to these Terms or will be provided to the Customer upon contract conclusion.

(3) Details on data processing, in particular the nature, scope, and purpose of processing personal data and the rights of data subjects, are set out in the Provider's privacy policy.

(4) The Customer, as the data controller, is responsible for ensuring that the processing of personal data via the Platform complies with applicable data protection regulations. This includes, in particular, obtaining any required consents and informing data subjects.

§ 9 Confidentiality

(1) The parties undertake to treat all confidential information of the other party obtained in the course of the contractual relationship as confidential and to use it only for the performance of the contract.

(2) Confidential information within the meaning of these Terms includes all information that is marked as confidential or whose confidential nature is apparent from the circumstances. This includes, in particular:

  • trade secrets, technical information, and know-how;
  • data entered by the Customer into the Platform, in particular product data, SBOMs, vulnerability information, and compliance data;
  • information about the security architecture and vulnerabilities of the Customer's products.

(3) The confidentiality obligation does not apply to information that:

  • was already publicly known at the time of communication or subsequently becomes publicly known without fault of the receiving party;
  • was already known to the receiving party prior to communication;
  • is communicated to the receiving party by a third party without breach of a confidentiality obligation;
  • must be disclosed due to legal obligations or official/judicial orders.

(4) The confidentiality obligation shall survive the termination of the contractual relationship for a period of three (3) years.

§ 10 Warranty

(1) The Provider warrants that the Platform substantially corresponds to the functions described in the service description. Insignificant deviations that do not materially impair the usability of the Platform do not give rise to warranty claims.

(2) The Customer shall report defects immediately upon discovery pursuant to Section 377 of the German Commercial Code (HGB) in a comprehensible form, describing the symptoms that occurred, the circumstances of occurrence, and possible effects. If the Customer fails to report defects without undue delay, the service shall be deemed approved; the assertion of warranty claims shall be excluded in such case, unless the defect was not discoverable upon examination.

(3) In the event of a defect, the Provider is entitled, at its own discretion, to provide cure by repair (elimination of the defect) or replacement (provision of a defect-free version). If cure fails after a reasonable period, the Customer has the right to reduction or, in the case of material defects, to extraordinary termination.

(4) The Provider does not warrant that the use of the Platform will lead to full compliance with the CRA or other regulations. The Platform is a tool to support the Customer's compliance processes. Responsibility for compliance with regulatory requirements remains with the Customer.

(5) Warranty claims expire within twelve (12) months of provision of the respective service, to the extent permitted by law.

§ 11 Liability

(1) The Provider is liable without limitation:

  • in cases of intent and gross negligence;
  • for damages arising from injury to life, body, or health;
  • under the provisions of the German Product Liability Act;
  • to the extent of any guarantee assumed by the Provider.

(2) In the event of slightly negligent breach of a material contractual obligation (cardinal obligation), the Provider's liability is limited to foreseeable, contract-typical damages. Material contractual obligations are those whose fulfillment is essential for the proper performance of the contract and on whose compliance the Customer may regularly rely.

(3) In the case of paragraph 2, the Provider's liability per damaging event is limited to the amount of the remuneration paid by the Customer in the twelve (12) months prior to the event causing the damage.

(4) Beyond the above, the Provider's liability for damages caused by slight negligence is excluded.

(5) The above limitations of liability also apply in favor of the Provider's legal representatives, vicarious agents, and employees.

(6) The Provider is not liable for damages resulting from the Customer:

  • entering incorrect, incomplete, or outdated data into the Platform;
  • using the Platform contrary to the documentation or recommendations of the Provider;
  • failing to take their own data backup precautions where reasonable, despite the Provider performing regular data backups;
  • relying exclusively on the Platform for compliance with regulatory obligations without conducting their own professional reviews.

§ 12 Indemnification and Intellectual Property Protection

(1) The Customer indemnifies the Provider against all third-party claims arising from unlawful use of the Platform by the Customer or their users, or arising from data protection violations or disputes in connection with content entered by the Customer.

(2) The Customer shall bear the reasonable costs of the Provider's necessary legal defense, including all court and attorney fees at statutory rates. This does not apply to the extent that the claim is based on fault of the Provider.

(3) In the event of third-party claims against the Provider, the Customer is obligated to provide the Provider immediately, truthfully, and completely with all information necessary for the review of the claims and a defense.

(4) The Provider shall indemnify the Customer against all third-party claims based on the allegation that the contractual use of the Platform infringes third-party intellectual property rights or copyrights within the European Union. This is subject to the Customer promptly notifying the Provider of any such claims, granting the Provider sole control over the defense and any settlement negotiations, and reasonably cooperating in the defense. The indemnification obligation does not apply to the extent that the infringement is caused by the Customer's non-contractual use of the Platform, modifications to the Platform initiated by the Customer, or the combination of the Platform with products or services not provided by the Provider.

§ 13 Contract Term and Termination

(1) The contract is concluded for an indefinite period unless the parties have agreed on a different term.

(2) Either party may terminate the contract with three (3) months' notice to the end of the respective billing period.

(3) For contracts with a fixed minimum term, the contract is automatically renewed for the same period after expiration of the minimum term, unless terminated with three (3) months' notice to the end of the respective term.

(4) The right to extraordinary termination for good cause remains unaffected. Good cause exists in particular if:

  • a party materially breaches contractual obligations despite written warning and a reasonable grace period;
  • insolvency proceedings are opened against a party's assets or the opening is rejected due to insufficient assets;
  • the Customer misuses the Platform or violates material provisions of these Terms.

(5) Any termination must be in text form (Section 126b BGB). Termination may be sent by email to the other party's email address specified in the contract.

§ 14 Consequences of Contract Termination

(1) Upon termination of the contract, the Customer's right to use the Platform ends. The Provider will deactivate access for the Customer and their users.

(2) The Customer has the right to export their data entered into the Platform within a period of thirty (30) days after termination of the contract in a machine-readable standard format (CSV, JSON). The Provider supports the export within the scope of the Platform's available export functions.

(3) After expiration of the period specified in paragraph 2, the Provider is entitled to irrevocably delete all customer-related data, unless statutory retention obligations require otherwise.

(4) The provisions of §§ 9 (Confidentiality), 11 (Liability), 12 (Indemnification and Intellectual Property Protection), and 16 (Governing Law) shall survive the termination of the contract.

§ 15 Changes to these Terms

(1) The Provider is entitled to amend these Terms with effect for the future, insofar as the amendment is reasonable for the Customer, taking into account the Provider's interests. This is particularly the case for amendments that:

  • are necessary to adapt to changed legal situations or case law;
  • serve to adapt to changed technical conditions;
  • relate to new features or services that do not cause disadvantages for the Customer;
  • are of an editorial nature.

(2) The Provider will inform the Customer of the changes in text form at least six (6) weeks before the effective date. If the Customer does not object to the changes within four (4) weeks of receiving the change notification, the amended Terms are deemed accepted. The Provider will specifically draw the Customer's attention in the change notification to the right to object, the deadline, and the legal consequence of silence.

(3) If the Customer objects to the changes, the Provider is entitled to terminate the contract with three (3) months' notice to the end of the current billing period.

§ 16 Governing Law and Jurisdiction

(1) The laws of the Federal Republic of Germany apply, excluding the UN Convention on Contracts for the International Sale of Goods (CISG) and the conflict of laws rules of private international law.

(2) The exclusive place of jurisdiction for all disputes arising from or in connection with these Terms and the contractual relationship is the Provider's registered office, insofar as the Customer is a merchant, a legal entity under public law, or a special fund under public law.

(3) Notwithstanding the above paragraph, the mandatory jurisdiction rules of Regulation (EU) No. 1215/2012 (Brussels Ia Regulation) shall apply.

(4) The German version of these Terms (Part A) is the sole legally binding version. The English translation (Part B) is provided for informational purposes only and has no legal effect. In the event of any discrepancy between the German and English versions, the German version shall prevail.

§ 17 Final Provisions

(1) Should individual provisions of these Terms be or become wholly or partially invalid or unenforceable, the validity of the remaining provisions shall not be affected (severability clause). The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes as close as possible to the economic purpose of the invalid or unenforceable provision.

(2) Ancillary agreements, supplements, and amendments require text form. This also applies to the waiver of this text form requirement.

(3) The Customer may only transfer rights and obligations under this contract to third parties with the prior written consent of the Provider. Section 354a of the German Commercial Code (HGB) remains unaffected.

(4) The Provider is entitled to engage subcontractors to fulfill its contractual obligations. In the case of commissioned processing of personal data, the provisions of the separate DPA apply.


Think Ahead Technologies GmbH
Sophienstraße 32, 70178 Stuttgart, Germany
Commercial Register: Local Court of Stuttgart, HRB 794174
Managing Director: Waldemar Kindler
VAT ID: DE368068234