Terms & Conditions.

A. General provisions

I. Scope

1. These terms and conditions (T&C) apply to all offers, services, and contracts of GermanAI Defense GmbH (hereinafter “Provider”).
2. The T&C apply in particular to the following services:
   • Penetration testing
   • Security Operations Center (SOC) services
   • IT-security and ISMS consulting
   • Data-protection consulting
   • AI-based security analyses
3. These terms apply exclusively to entrepreneurs within the meaning of § 310 (1) BGB.
4. Conflicting or deviating terms of the customer are not accepted.

II. Contract content

1. Offers are subject to confirmation and non-binding.
2. A contract is concluded only through written confirmation.
3. The scope of services is determined exclusively by:
   • the offer
   • the statement of work
   • the order confirmation

III. Performance of services

1. Services are provided according to the state of the art and on a “best effort” basis.
2. Complete security of IT systems cannot be guaranteed.
3. The Provider is entitled to use third parties (e.g., freelancers) to perform the services.
4. AI is used in a supporting capacity. Results may be incomplete or incorrect.

IV. Customer cooperation obligations

1. The customer provides all required information, systems, and access.
2. The customer designates a contact person with decision-making authority.
3. The customer is responsible for regular data backups.
4. Delays due to missing cooperation are not the Provider’s responsibility.

V. Prices and remuneration

1. All prices are net plus statutory VAT.
2. Invoices are payable within 14 days.
3. In case of default, the statutory provisions apply (§ 288 BGB).
4. Services on a time-and-materials basis are billed monthly.

VI. Special provisions for security services

1. Penetration testing

• Tests may cause system impairments.
• The customer expressly agrees to this.
• Tests are performed exclusively within the agreed scope.

2. SOC services

• There is no guarantee that all attacks will be detected.
• Analysis is based on the available data and systems.

3. AI-based analyses

• AI may produce erroneous results.
• Decisions must not be made on an exclusively automated basis.

VII. Availability

1. Continuous availability is not guaranteed.
2. Maintenance and technical disruptions may occur.

VIII. Liability

1. The Provider is liable without limitation in cases of intent and gross negligence, and for damages to life, body, or health.
2. In cases of slight negligence, the Provider is only liable for breaches of essential contractual obligations (cardinal obligations).
3. Liability is limited to typical and foreseeable damages.
4. Maximum liability is, to the extent permitted by law, capped at the amount of the contractually agreed remuneration.
5. Liability for
   • lost profits,
   • indirect damages,
   • consequential damages
   is excluded.
6. There is no liability for whether
   • security vulnerabilities are fully identified,
   • attacks are prevented.
7. The Provider is not liable for damages caused by inadequate customer data backups.

IX. Data protection

1. Processing of personal data takes place in accordance with the GDPR.
2. Where necessary, a data-processing agreement (DPA) will be concluded.

X. Confidentiality

1. Both parties undertake to maintain confidentiality.
2. This also applies after termination of the contract.

XI. Term and termination

1. The contract term is set out in the respective contract.
2. Unless otherwise agreed, the notice period is 30 days.
3. The right to extraordinary termination remains unaffected.

XII. Final provisions

1. German law applies.
2. Place of jurisdiction is the Provider’s registered seat.
3. Should individual provisions be invalid, the remainder of the contract remains effective.

Version 01.01 · public · Date: 2026-03-01

Annex 1. Penetration Testing Services

Annex to the T&C of GermanAI Defense GmbH

1. Subject

1. This annex governs the performance of penetration tests by GermanAI Defense GmbH (hereinafter “Provider”).
2. The specific scope of the tests is defined in the respective offer or statement of work.

2. Authorization

1. The customer confirms that they
   • are the owner of the systems to be tested, or
   • are expressly authorized to perform the tests.
2. The customer expressly grants the Provider permission to actively test the agreed systems.
3. This permission includes in particular
   • the targeted exploitation of security vulnerabilities,
   • the simulation of attacks,
   • conducting technical security analyses.

3. Scope of tests

1. The Provider performs tests exclusively within the agreed scope.
2. Systems outside the scope are not tested.
3. Changes to the scope require written agreement.

4. Type of tests

1. Penetration tests may involve active interventions in systems.
2. Depending on the agreement, the following test types may be performed:
   • Blackbox
   • Greybox
   • Whitebox
3. The Provider is entitled to use both automated and manual testing procedures.

5. Risks and side effects

1. The customer is aware that penetration tests may lead to the following effects:
   • System outages
   • Performance degradation
   • Data loss or data alterations
   • Service interruptions
2. The customer expressly accepts these risks.
3. The Provider takes measures to minimize risks but cannot fully exclude them.

6. Customer cooperation obligations

The customer commits in particular to:

• Ensuring backups before tests begin
• Providing points of contact
• Informing the Provider about critical systems
• Defining testing windows (e.g., outside business hours)

7. Liability disclaimer / limitation

1. The Provider is not liable for damages resulting from agreed and authorized testing activities, unless they are based on intent or gross negligence.
2. In particular, there is no liability for
   • system outages,
   • business interruptions,
   • data losses,
   • consequential damages.
3. The customer acknowledges that the targeted exploitation of vulnerabilities is part of the test.

8. Test period

1. The test is performed within the agreed period.
2. The Provider is entitled to perform tests outside regular business hours, if so agreed.

9. Documentation and reporting

1. After the test concludes, the customer receives a report with
   • identified vulnerabilities,
   • risk assessment,
   • action recommendations.
2. The report is intended exclusively for internal security purposes.

10. Confidentiality

1. All information obtained during the test is treated confidentially.
2. Disclosure to third parties only takes place with the customer’s consent or based on legal obligations.

11. Responsible Disclosure

1. The Provider undertakes to report discovered vulnerabilities exclusively to the customer.
2. Publication only occurs after prior written consent from the customer.

12. Final provisions

1. This annex is part of the T&C of GermanAI Defense GmbH.
2. In case of conflicts, the provisions of this annex take precedence over the general T&C.

Version 01.01 · public · Date: 2026-03-01