Terms of Use

The Terms of Use apply to your use of fortControl.

Version: 1.3
Valid from: November 1, 2023

1. Definitions
1.1. Security management is an instrument (organization, processes, technology) for ensuring security in the selected subject area (e.g. cyber security).
1.2. fortControl (hereinafter: FORTCONTROL) is a Software-as-a-Service (SaaS) operated by FortIT AG, which its customers can use to carry out or support their security management in selected areas.
1.3. A user is a natural person who accesses and uses FORTCONTROL. Users may be employees, representatives, consultants, contractors or agents of the customer who are authorized by the customer to use FORTCONTROL and who have been provided with access data for this purpose by or on behalf of the customer.

2. Description of the service
2.1. Security management is an essential part of the overall risk management of a company or organization. An effective security management system actively manages security risks through a systematic approach to risk identification, assessment, communication and handling. Typical examples of such risk-based management systems are information security management and business continuity management.
2.2. The object of this usage agreement is the use of the FORTCONTROL software application provided by FortIT, whereby the customer can access the software application online via the Internet in the sense of "Software-as-a-Service" and have the customer's application-related data stored on servers of FortIT or a service provider of FortIT. This FortIT offer is hereinafter referred to in its entirety as FORTCONTROL.
2.3. The mutually owed services with regard to the provision and use of FORTCONTROL arise from the following:
• this usage agreement (incl. addendum on order data processing by FortIT);
• the General Terms and Conditions of FortIT;
• the countersigned offer or the individual contract signed by the customer, which refers to this usage agreement;
• the applicable functional description for FORTCONTROL, which is either attached to the individual contract or available in the currently valid version in FORTCONTROL or on the FortIT websites;
• the additional user guidelines (Acceptable Use Policy), which can be called up directly in FORTCONTROL for the information of users;
• the additional user data protection provisions, which are available directly in FORTCONTROL for the information of users;
• the General Data Protection Provisions of FortIT.
2.4. All of the aforementioned documents are to be understood as an integral part of this agreement. The term "usage contract" therefore also includes all of the documents listed above in addition to this contract.

3. Scope of FORTCONTROL
3.1. FORTCONTROL offers users the opportunity to efficiently set up and operate an individual security management system. This includes the following services in particular (not exhaustive):
• Recording the objectives, scope, stakeholders, tasks and guidelines of security management.
• Systematic recording of protected objects.
• Identification and assessment of hazards.
• Conducting assessment to evaluate maturity and risks within the scope.
• Definition and mapping of corresponding measures.
• Definition of awareness measures.
• Carrying out or recording audits.
3.2. The customer is solely responsible for any damage that occurs in the context of security management. Civil or criminal proceedings against FortIT are excluded in this case.
3.3. During the term of the contract, the customer may use FORTCONTROL in accordance with the functional description and within the framework of this license agreement.
3.4. FortIT shall perform its services in good faith and with due care and in accordance with generally accepted and customary industry standards. However, 100% availability of the application part of FORTCONTROL and the infrastructure used for operation cannot be realized technically. However, FortIT endeavors to keep FORTCONTROL highly available on a "best effort" basis with the means at its disposal and within the framework of economic efficiency. FortIT does, however, reserve the right to suspend FORTCONTROL for maintenance reasons and thus to temporarily restrict or suspend availability in part or in full. FortIT endeavors to carry out scheduled maintenance work outside office hours (i.e. Monday to Friday in a window between 8 p.m. and 7 a.m. CET) or at weekends wherever possible and to announce this accordingly. On the other hand, FortIT can carry out maintenance work that cannot be postponed at any time – such work shall also be announced to the customer in advance if possible.
3.5. During the term of the contract, FortIT shall keep FORTCONTROL up to date and useful with regard to the technical and organizational framework conditions, but it cannot guarantee that FORTCONTROL will be free of faults. FortIT continuously monitors the functionality of FORTCONTROL and eliminates, within the scope of technical possibilities, any malfunctions with respect to operation or application discovered by itself or reported by the customer on a "best effort" basis. FortIT is free to address malfunctions that do not significantly restrict the use or functionalities of FORTCONTROL for the customer not immediately but in one of the subsequent releases of FORTCONTROL.
3.6. There is no entitlement for individual customers to a specific configuration of FORTCONTROL or to the retention of functions accessible via it. FortIT has the right to adapt FORTCONTROL and the functionalities and content offered under it at any time in order to maintain the quality standard, but also with regard to technical or economic developments.

4. Support
4.1. For information on the use of FORTCONTROL and for reporting any faults and malfunctions (support), FortIT operates a helpdesk that the customer can contact by telephone (hotline) and e-mail. The support desk is available to the customer Monday to Friday (excluding public holidays at FortIT's headquarters) between 9 a.m. and 5 p.m. CET. The access number for the hotline is communicated to the customer separately or is indicated on the FortIT website.
4.2. FortIT's support services are aimed at diagnosing and analyzing reported faults or malfunctions and rectifying them or maintaining the availability of FORTCONTROL. Other services such as implementation support, consulting and the implementation of customer-specific requests are not included in the support.

5. Right of use, access and intellectual property rights
5.1. FortIT (a) provides the customer with defined storage space on cloud storage operated by FortIT or a subcontractor; (b) grants the customer the non-exclusive, non-transferable and non-sublicensable right to use FORTCONTROL as intended, limited to the term of the contract. The customer's aforementioned right of use is subject to the timely payment of the applicable usage fees.
5.2. The right of use includes the right to provide users with access data and to grant them the roles and rights provided for in FORTCONTROL (e.g. customer administrator rights, read rights, etc.).
5.3. The customer is not entitled to make FORTCONTROL available or accessible to third parties outside their own company, either in whole or only with regard to certain partial aspects, and whether for a fee or free of charge.
5.4. Access to FORTCONTROL is encrypted via the Internet. Users can be authorized by the customer in FORTCONTROL and assigned roles.
5.5. The customer undertakes to ensure that the users authorized by them do not disclose their access data to any unauthorized persons and store it carefully and adequately protected against access by third parties.
5.6. FortIT rejects any liability for losses incurred by the customer due to the misuse or loss of the access data provided to the respective users or chosen by them (e.g. user identification, password).
5.7. The software application on which FORTCONTROL is based is protected by copyright. All rights to this software application lie with FortIT itself and/or contractual partners of FortIT.

6. Obligations of the customer
6.1. The customer shall support FortIT with the preparation and provision of its services to the extent reasonable, necessary and expedient and shall provide FortIT with all reasonably required services, information, material resources and rights at their own expense and risk.
6.2. The customer is responsible for ensuring that the technical requirements necessary on their side for access to FORTCONTROL exist and are maintained. The technical requirements regarding the connection to and use of FORTCONTROL are based on the issued system requirements.

7. Obligation to refrain from unauthorized/avoid potentially harmful use (Acceptable Use)
7.1. The customer is responsible for ensuring that the use of FORTCONTROL by the users authorized by them (a) does not violate the provisions of this usage agreement, the rights of third parties (e.g. copyrights, other intellectual property rights, rights to claim of all kinds, property rights and other rights in rem as well as personal rights), statutory provisions and/or morality; (b) in no way impairs the functionality of FORTCONTROL and/or the underlying infrastructure negatively and to the detriment of FortIT, other users or other third parties.
7.2. The customer is responsible for the content of the information (data in any form) that they or their users record, store, transmit, process and/or make available in FORTCONTROL.
7.3. The customer is obliged to ensure that their users check data and information for viruses or other harmful software routines before transmission and storage in FORTCONTROL and use state-of-the-art protection programs for this purpose.

8. Using the control sets
8.1. When selecting predefined control sets based on copyright-protected standards, users must specify in FORTCONTROL whether they (or the customer) have a license for the respective standard.
8.2. The customer guarantees that, within the scope of this service, they shall only use those control sets available in FORTCONTROL that are either copyright-free or for which the customer themselves has a corresponding license.

9. General handling of data
9.1. FortIT is obliged to take suitable precautions against loss, compromise and unauthorized access by third parties with regard to the data stored on FORTCONTROL by the customer or their users.
9.2. FortIT is entitled to irrevocably delete all data stored in FORTCONTROL within the scope of the contractual relationship after 90 days from termination of the contract without prior warning.
9.3. The customer alone remains entitled to the data stored in FORTCONTROL by the customer or their users. The customer may therefore ask FortIT to deliver individual pieces of data or all data to themselves at any time (within the scope of the waiting period in accordance with the above section, even after termination of the contract), insofar as this is not already possible via the user front end. Unless otherwise agreed, the data is delivered by means of a database export.

10. Data protection and order processing
10.1. Both parties must comply with the applicable data protection and security regulations. The addendum on order data processing by FortIT applies to the contractual processing of personal data by FortIT for the customer.
10.2. The customer shall be responsible for all notifications, consents and/or authorizations required in connection with the provision of personal data by the customer and the processing of personal data by FortIT in the context of the provision of FORTCONTROL.
10.3. In order to process the contractual relationship, FortIT collects and processes the necessary information about the customer and the users authorized by the customer (customer ID, user details and usage data) as the controller within the meaning of the applicable data protection laws. FortIT treats this data confidentially.
10.4. FortIT is entitled to evaluate the data obtained through the use of FORTCONTROL by the customer or their users (tracking data, behavior patterns, etc.) as well as the data stored by the customer in FORTCONTROL and to use it to improve the platform. FortIT may also use this data in aggregated form to create anonymous profiles and benchmark data that do not allow the customer or users to be identified. The anonymous profiles and benchmark data may be used for comparisons that may be made available to the customer and third parties (including other FortIT customers) for benchmarking, information and risk management purposes.
10.5. In addition, FortIT may (i) compile statistical and other information relating to the performance, operation and use of FORTCONTROL and (ii) use data from FORTCONTROL in aggregate form for security and operational management, for the creation of statistical analyses, and for research and development purposes (clauses (i) and (ii) are collectively referred to as "service analyses"). FortIT may make service analyses publicly available; however, service analyses will not contain any data uploaded by the customer, personal data or confidential information in a form that could be used to identify the customer, users or other persons. FortIT holds all intellectual property rights to the service analyses.

11. Contract conclusion
11.1. Demo access: The contract between FortIT and the customer comes into effect with the registration of an account and the acceptance of this usage agreement that thereby takes place. The contract has no minimum term.
11.2. Paid access: The contract between FortIT and the customer is concluded with the written acceptance of a corresponding offer or by signing a separate contract. The minimum term is specified in the contract or offer.
11.3. The contract can be terminated at the end of the term without giving reasons.

12. Suspension of access
12.1. FortIT reserves the right to suspend access to FORTCONTROL in its entirety or for individual users without prior notice or to restrict access to certain functions if
• the customer or individual users authorized by the customer repeatedly violate this usage agreement;
• the unimpaired operation of FORTCONTROL is jeopardized due to circumstances within the customer's sphere of risk;
• the customer is in arrears with the payment of the fees due.
12.2. In the event of such a suspension, FortIT is not obliged to waive the collection of fees for the period of the suspension and is also generally not liable for the consequences of a suspension.

13. Final provisions
13.1. FortIT may amend this usage agreement. The version of the usage agreement available online applies in each case.