General Terms & Conditions

Last Revised: 9th Sep, 2021

§ 1 Scope of Application

BugShell GmbH is a private limited liability company under German law, located in Berlin, Germany. It is registered at the German Chamber of Commerce under Number HRB 232294 B (Berlin Charlottenburg).

These general Terms and Conditions (hereinafter referred to as "GTC") apply to all agreements between BugShell GmbH, Köpenicker Straße 95, 10179 Berlin and the customer. BugShell GmbH rejects any Terms and Conditions used by the customer. Deviating, conflicting or supplementary General Terms and Conditions of the customer shall only become part of the contract if and insofar as BugShell GmbH has expressly agreed to their validity in writing in the respective order. These GTC are also intended to benefit any person employed or engaged by BugShell GmbH during the performance of an assignment.

§ 2 Placement of Orders

BugShell GmbH and the customer will attempt to precisely define the scope of the assignment before BugShell GmbH starts. If during the course of the assignment, the scope turns out to be bigger than expected, BugShell GmbH will report this to the customer and make a written offer for the additional work.

Communications other than the written offer do not form part of the agreement. This also holds true for tasks that come up during testing but were not part of the original agreement; additional work needs to be negotiated and added as a separate project.

All amounts in BugShell GmbH's offers are in Euro and excluding VAT and other applicable taxes according to German law, unless agreed otherwise.

For assignments where the parties agreed to an hourly fee, BugShell GmbH will send an invoice after each month. For other assignments, BugShell GmbH will send an invoice after completion of the assignment, and at moments set out in the offer (if any). The customer must pay an invoice within 30 days from the invoice date.

BugShell GmbH may, prior to an assignment, agree on the payment of a deposit by the customer. BugShell GmbH will settle deposits with interim payments or the final invoice for the assignment.

If the payment is not received before the agreed term, the client will be deemed to be in default without prior notice. BugShell GmbH will then have the right to charge the statutory interest and any judicial and extrajudicial (collection) costs.

If the customer cancels or delays the assignment two weeks before the start, BugShell GmbH is entitled to charge the customer 50% of the agreed price. If the customer cancels or delays the assignment when it already started, BugShell GmbH is entitled to charge the customer 100% of the agreed price. BugShell GmbH is entitled to charge a pro rata percentage in the case of cancellation or delay shorter than two weeks before the start of the assignment (i.e. a cancellation one week before the assignment would entitle BugShell GmbH to charge 75% of the agreed price).

Any liability of BugShell GmbH resulting from or related to the performance of an assignment, shall be limited to the amount that is paid out in that specific case under an applicable indemnity insurance of BugShell GmbH, if any, increased by the amount of the applicable deductible which under that insurance shall be borne by BugShell GmbH. If no amount is paid out under an insurance, these damages are limited to the amount already paid for the assignment, with a maximum of € 10.000,-.

Each claim for damages shall expire after a period of one month from the day following the day on which the customer became aware or could reasonably be aware of the existence of the damages.

§ 3 Service description

BugShell GmbH provides services in the form of penetration tests for the customer on the customer's request. A penetration test represents a controlled attempt to penetrate a computer or network system or a data processing process from the outside or inside in order to detect vulnerabilities in the systems (security check). For this purpose, techniques similar or identical to those that would be used in a real attack on the system are used. The identification of the vulnerabilities enables the vulnerabilities to be corrected before they are exploited by a real intervention and third parties can gain unauthorized access to the system and sensitive data.

BugShell GmbH will make reasonable efforts to avoid disruption of the operations of the customer and damage to systems owned or operated by the customer, but it cannot guarantee that this will be avoided. The customer agrees to this. BugShell GmbH is not obliged to restore the systems or recover any data it deleted or amended in the course of the assignment.

The customer will provide BugShell GmbH with all means necessary to allow BugShell GmbH to perform the agreed services.

The project management for the services to be rendered by BugShell GmbH is the responsibility of BugShell GmbH. The selection of the employees to be deployed by BugShell is the responsibility of BugShell GmbH within the framework of the agreed qualification requirements. The customer shall be entitled to reject an employee selected by BugShell GmbH, if there are important personal reasons for not deploying him. In this case, BugShell GmbH is obliged to name another employee. BugShell GmbH shall be entitled to exchange its employees used for the provision of its services during the term of the respective Order, if this is necessary for operational reasons.

BugShell GmbH regularly works with freelancers for the performance of its assignments. BugShell GmbH has the right to engage third parties, including freelancers, in the course of the performance of an assignment - always after consulting with the client.

BugShell GmbH wants to be able to use the expertise of its entire team to help with an assignment. This means that in the course of an assignment, it is possible that the persons performing the assignment will consult with and be advised by others in BugShell GmbH's team. These others will of course be bound by the same confidentiality obligations as the persons performing the assignment.

If BugShell GmbH in the course of an assignment finds a vulnerability which might affect the customer, it will report this to the customer. If a vulnerability might affect third parties as well, BugShell GmbH retains the right to disclose this vulnerability also to others than the customer. It will only do so after having given the customer a reasonable amount of time to take measures minimising the impact of the vulnerability, in line with responsible disclosure best practices.

BugShell GmbH does not (and cannot) give guarantees that something is fully secure. BugShell GmbH instead has an obligation to make reasonable efforts to perform the agreed services.

BugShell GmbH will make reasonable efforts to perform the assignment in accordance with the planning set out in the offer (if any). If BugShell GmbH expects it will not meet the planning, it will let the customer know without delay. BugShell GmbH is not automatically deemed to be in default if it does not meet the planning.

If BugShell GmbH in the course of an assignment finds indicators of compromise, such as malware signatures and IP addresses, it will report this to the customer. BugShell GmbH retains the right to also publish this information in a publicly accessible database. It will do so only after it has given the customer the opportunity to object to the publication of data in case it would negatively impact the customer.

BugShell GmbH retains any intellectual property rights in products developed for an assignment, such as software and reports.

§ 4 Duties of the Customer

By using BugShell GmbH services, the Customer confirms that the penetration test will or should be performed on the Customer's own system. Insofar as the test is not performed on the customer's own system, the customer confirms with the use of the services that he has the full and unrestricted right to perform the test on the specified system.

The customer also warrants that it has the legal authority to give this permission.

The customer must prove to BugShell that he has all unrestricted rights to commission the penetration test. Furthermore, the customer has to prove to BugShell that he has all access rights to the system.

It is the responsibility of the Customer to fully back up all systems and related data to be tested during the penetration test prior to the execution of the order by BugShell GmbH.

Furthermore the customer must take all necessary security measures, including those that go beyond a backup, before using the service in order to be able to restore the systems and data to their original state after the penetration test if necessary.

The customer is obliged to provide BugShell GmbH with the necessary information, taking into account the nature of the agreed penetration test.

BugShell GmbH will inform the customer in advance which information is required.

BugShell GmbH's performance of the service will not commence until all required information has been provided by the customer.

The customer is obligated to inform all affected third parties and third-party providers about the execution of the test and to obtain approvals.

Taking into account the type of penetration test agreed upon, the customer is obliged to provide BugShell GmbH with the necessary information. These may be, in particular, providers and hosters of various services and devices.

The customer is expressly informed that the penetration test may cause damage to the existing system.

Under certain circumstances, these can only be remedied by restoring the system or by extensive other measures.

If agreed, employees and contractors of BugShell GmbH assigned to perform the penetration test have the right to enter rooms, buildings and land used by the customer, also bypassing security measures such as locking and alarm systems. If the customer is not the sole owner of such rooms, buildings or land, the customer agrees to obtain permission from the owner(s).

The customer undertakes not to pass on any data to third parties outside of the contract and must observe the provisions of the Federal Data Protection Act (BDSG).

§ 5 Liability

BugShell GmbH is not obliged to check whether the customer has the full and unrestricted rights to the system.

BugShell is only liable for damages of the customer if they have been caused by intentional or grossly negligent actions.

BugShell GmbH is not liable if a person associated with BugShell GmbH acts contrary to any confidentiality or non-compete obligation vis-à-vis the customer or a third party which this person might have agreed to in another engagement.

The customer shall indemnify BugShell GmbH and any person employed or engaged by BugShell GmbH for any claims of third parties which are in any way related to the activities of BugShell GmbH and any person employed or engaged by BugShell GmbH for the customer.

Should a third party lodge a claim against BugShell GmbH or any of the consultants it engaged or employed as a result of the performance of the assignment for the customer, then the customer will co-operate fully with BugShell GmbH in defending against this claim, including by providing to BugShell GmbH any evidence it has which relates to this claim.

Should the public prosecutor initiate an investigation or criminal proceedings against BugShell GmbH or any of the consultants it engaged or employed as a result of the performance of the assignment for the customer, then the customer will also co-operate fully with BugShell GmbH in defending against this investigation or proceedings, including by providing any evidence it has which relates to this investigation or these proceedings.

The customer shall reimburse to BugShell GmbH and any person employed or engaged by BugShell GmbH all costs of legal defence and all damages in relation to these claims, investigations or proceedings. This provision does not apply to the extent a claim, investigation or proceeding is the result of the intent or recklessness of BugShell GmbH or a person employed or engaged by BugShell GmbH.

In the case of force majeure as a result of which BugShell GmbH cannot reasonably be expected to perform the assignment, the performance will be suspended. Situations of force majeure include cases where means, such as soft- and hardware, which are prescribed by the customer, do not function well. The agreement may be terminated by either party if a situation of force majeure has continued longer than 90 days. The customer will then have to pay the amount for the work already performed pro rata.

§ 6 Jurisdictional agreement

German law applies to the legal relationship between BugShell GmbH and its customers. Any dispute between BugShell GmbH and a customer will be resolved in the first instance exclusively by the District Court of Berlin, Germany.
