Welcome to Skarpaa. By continued usage of our Information Security Management System (ISMS) Operations services (the "Service"), you agree to the Terms and Conditions outlined in this document.
Please read this document carefully.
Client
Refers to the entity or individual using Skarpaa's ISMS services.
Confidential Information
Any information not already publicly disclosed or classified as public exchanged between Skarpaa and the Client.
Contract
The agreement between the Client and Skarpaa.
Data
Refers to any data, including GDPR data, provided by the Client to Skarpaa in connection with using the Service.
Skarpaa
Refers to Skarpaa, the company providing the ISMS operations services.
Intellectual Property (IP)
Refers to all proprietary technology, products, methodologies, designs, and content provided and developed by Skarpaa in providing the Service.
Outcome
Refers to the content generated by applying the Product to the client data, such as reports, compliance documentation, audit findings, and other work products provided or produced by Skarpaa as part of the Service.
Product
Refers to the policies, procedures, security assessments, risk analyses, and training materials provided by Skarpaa as part of the service.
Security Incident
Any unauthorized access, data breach, malware infection, denial-of-service attack, misconfiguration, or other event compromising the confidentiality, integrity, or availability of the client's information systems, and which may cause damage to the Client.
Service
Refers to the Information Security operations provided by Skarpaa.
3.1 Services
Skarpaa provides consultancy and other services in the areas of information security and compliance, using the Skarpaa platform. The scope of service is limited to the items listed in the service description as specified in the Contract. Skarpaa does not owe the performance of any other service items listed in the service description. In connection with the performance of the Services, Skarpaa does not accept any responsibility for any particular outcome or result.
3.2 Fees
The Client shall pay any one-off fee set out in the Contract at the commencement of the Service.
Monthly fees must be paid upon the agreed commencement of the Service provision for the remainder of the month on a pro-rata basis. Thereafter, these fees must be paid monthly in advance. Where the fee must be calculated for parts of a calendar month, it will be calculated on a pro-rata basis for each half-month or part thereof.
4.1 Operational Use
By engaging Skarpaa to deliver the service, the Client agrees that Skarpaa may use the Client’s Data as necessary to deliver the Service in compliance with information security standards.
4.2 Service Improvement and Enhancement
Skarpaa may use anonymized and aggregated Data solely to improve, enhance, and develop its Services. The Data will not be shared with any other party, except as technically needed to store and process the Data. Such Data will be used strictly in compliance with privacy laws and will not identify any Client-specific information unless explicitly authorized.
5.1 Ownership of Product
All Intellectual Property (IP) developed or derived by Skarpaa during the provision of the Service, including but not limited to software, methodologies, tools, policies, and processes, remains the exclusive property of Skarpaa. The Client agrees not to claim ownership or any rights over Skarpaa's IP.
The Client shall not modify, distribute, sublicense, reverse-engineer, or attempt to extract the documentation or source code of any Skarpaa-developed technology, templates, content, or methodologies, except as explicitly permitted in these Terms and Conditions.
5.2 License to Use Product
The Client is granted a limited, non-transferable, non-exclusive, non-derivative license to use the deliverables from the Service for internal business purposes only while adhering to these Terms and Conditions.
5.3 Ownership of Data
Any Data provided by the Client to Skarpaa as part of performing the service remains under the full ownership of the Client.
The Client represents and warrants that it has the legal right to provide any data shared with Skarpaa and that such data does not violate any applicable law, contract, or third-party rights.
5.4 License to Use Data
Skarpaa is granted a limited, non-transferable, non-exclusive, non-derivative license to use the Data from the client solely for the purpose of providing the agreed services.
5.5 Ownership of Outcome
The intellectual property (IP) of all outcomes generated by either the client or Skarpaa through the product processing of the client's data and used to document compliance, including but not limited to reports, meeting minutes, and logs, generated by either the Client or Skarpaa as part of performing the service, remains the client's IP.
5.6 License to Use Outcome
Skarpaa is granted a limited, non-transferable, non-exclusive, non-derivative license to use the Outcome from the client solely for the purpose of providing and improving the agreed Services.
5.1 Use and Disclosure Restrictions
Both Skarpaa and the Client agree to maintain the confidentiality of all Confidential Information. This includes, but is not limited to, business processes, security policies, risk assessments, audit reports, proprietary methodologies, technical data, and any other sensitive information.
Each party shall use the Confidential Information solely for the purpose of fulfilling its obligations under this Agreement. Neither party shall disclose, publish, or otherwise make available the other party’s Confidential Information to any third party without prior written consent, except as required by law or to fulfill contractual obligations (e.g., using subcontractors bound by similar confidentiality terms).
5.2 Exceptions
Confidential Information does not include information that:
5.3 Survival
The obligations of confidentiality shall remain in effect for five (5) years after termination of the Service unless otherwise agreed in writing.
5.4 Publicity and Collaboration Disclosure
Skarpaa and the Client may publicly disclose the existence of their collaboration, including the Client’s use of Skarpaa’s Services, in marketing materials, case studies, presentations, or press releases.
Each party may use the other’s name and logo solely for reference purposes in client or partner listings, websites, and promotional materials. Any use beyond reference (e.g., joint marketing campaigns) requires prior written approval from the other party.
The Client may opt out of public disclosure by providing a written request to Skarpaa. Upon receiving such a request, Skarpaa shall cease public references to the collaboration within 30 days (except where legally or contractually required).
5.5 Data Deletion Upon Termination
Upon termination or expiration of the Service Contract for any reason, the Service Provider shall, upon written request from the Customer, delete or irreversibly anonymize all Customer Data stored or processed in connection with the Services, including any copies, within 30 days of the effective termination date, except to the extent retention is required by applicable law or necessary for the establishment, exercise, or defense of legal claims. Any retained Customer Data shall remain subject to the confidentiality and data protection obligations of this Agreement.
6.1 Client Responsibility; No Guarantee
6.1.1 The Client acknowledges and agrees that Skarpaa provides advisory, operational support, and compliance management services in relation to information security and the operation of an information security management system (“ISMS”), including assistance with policies, procedures, documentation, and controls.
6.1.2 Skarpaa does not provide a guarantee, warranty, or assurance that the Client’s systems, networks, data, personnel, suppliers, or operations will be secure, compliant, breach-free, uninterrupted, or resistant to Security Incidents, cyber threats, or other information security-related events.
6.1.3 The Client remains solely and fully responsible for:
(a) the security of its systems, networks, devices, software, configurations, data, and operations;
(b) selecting, implementing, operating, monitoring, testing, and maintaining security measures and controls (including any controls recommended or documented within the ISMS);
(c) conducting risk assessments, determining risk acceptance, and deciding whether and how to treat risks;
(d) compliance with all laws, regulations, standards, and contractual obligations applicable to the Client; and
(e) preventing, detecting, responding to, and recovering from Security Incidents (including incident response, containment, remediation, and communication obligations).
6.2 Exclusion of Liability
6.2.1 To the maximum extent permitted by applicable law, Skarpaa shall have no liability to the Client (whether in contract, tort (including negligence), breach of statutory duty, misrepresentation, restitution, or otherwise) for any loss, damage, cost, or expense arising out of or in connection with:
(a) any Security Incident, cyberattack, data breach, malicious code, or unauthorized access;
(b) the Client’s failure to implement, maintain, or follow any security measures, controls, recommendations, or ISMS procedures (whether prepared by Skarpaa or otherwise);
(c) any decisions made by the Client regarding risk acceptance, prioritization, or remediation;
(d) the Client’s systems, infrastructure, third-party services, suppliers, or personnel; or
(e) any outcome related to audits, certifications, regulatory assessments, or third-party evaluations (including ISO 27001 or similar), including any failure to achieve or maintain certification.
6.2.2 In any event, and to the maximum extent permitted by law, Skarpaa shall not be liable for:
(a) indirect, consequential, special, incidental, or punitive damages;
(b) loss of profit, loss of revenue, loss of business, loss of goodwill, loss of opportunity, or loss of anticipated savings;
(c) loss, corruption, or unavailability of data;
(d) costs of incident response, forensic investigation, remediation, system restoration, business interruption, or crisis management; or
(e) claims brought by any third party against the Client (including regulators, customers, employees, suppliers, or other stakeholders), including fines, penalties, and administrative sanctions.
6.3 Ordinary / Minor Negligence; Foreseeable Damages Only
6.3.1 Without prejudice to Section 6.2, in case Skarpaa is found liable for ordinary or minor negligence, Skarpaa shall only be liable for typical and reasonably foreseeable damages that are a direct result of Skarpaa’s proven breach of a material obligation under this Agreement.
6.3.2 The Client agrees that typical and reasonably foreseeable damages shall not include any losses relating to Security Incidents, cyber threats, or compliance outcomes except where directly caused by Skarpaa in breach of this Agreement and not otherwise excluded herein.
6.4 Non-Excludable Liability (Mandatory Carve-outs)
6.4.1 Nothing in this Agreement shall exclude or limit Skarpaa’s liability for:
(i) death or personal injury caused by Skarpaa’s negligence;
(ii) fraud or fraudulent misrepresentation;
(iii) gross negligence or willful misconduct, to the extent such limitation is prohibited under applicable law; or
(iv) any other liability that cannot be excluded or limited under applicable law.
6.5 No Assumption of Client Obligations
6.5.1 The Parties agree that nothing in this Agreement constitutes an assumption by Skarpaa of the Client’s duties, obligations, or liabilities regarding information security, compliance, risk management, incident response, business continuity, or regulatory obligations.
6.5.2 The Client acknowledges that Skarpaa is not a managed security operations provider (SOC) unless expressly agreed in writing, and Skarpaa does not monitor or defend the Client’s systems unless explicitly stated in the applicable Statement of Work.
6.6 Indemnity by Client
6.6.1 To the maximum extent permitted by applicable law, the Client shall defend, indemnify, and hold harmless Skarpaa, its directors, officers, employees, and subcontractors against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising out of or in connection with:
(a) any Security Incident affecting the Client;
(b) the Client’s failure to implement or maintain appropriate security controls;
(c) the Client’s breach of law, regulation, or third-party obligations;
(d) any claim by a third party (including regulators, customers, employees, or partners) related to the Client’s security posture, data handling, or compliance status; and/or
(e) the Client’s use of the Services, reliance on any deliverables, or decisions made based on the Services, except to the extent finally determined to have been directly caused by Skarpaa’s fraud or fraudulent misrepresentation.
6.7 Insurance Recommendation; Client Duty to Insure
6.7.1 Skarpaa strongly recommends that the Client obtain and maintain appropriate cybersecurity and/or technology errors and omissions insurance (and, where relevant, business interruption coverage) sufficient to cover losses arising from Security Incidents, including damages and recovery costs.
6.7.2 The Client acknowledges that insurance is the Client’s responsibility, and that Skarpaa shall not be liable for any losses that could have been mitigated or covered by appropriate insurance.
Skarpaa reserves the right to amend these Terms and Conditions at any time. Clients will be notified of changes through direct contact with the client's point of contact, and continued use of the Service after any amendments constitutes acceptance of such amendments.
If the Client does not agree to the updated Terms and Conditions, they may terminate the Service within 30 days of notice without penalty.
8.1 Data Protection and Processing
Skarpaa is committed to complying with the General Data Protection Regulation (GDPR) and all relevant EU and German data protection laws. Any personal Data provided by the Client will be processed solely for the purpose of delivering and improving the Service, as described in these Terms and Conditions, and in accordance with applicable legal requirements.
8.2 Role as Data Processor
For personal Data provided by the Client, Skarpaa acts as a data processor under GDPR. The Client remains the data controller and retains all associated rights and responsibilities. Skarpaa will only process personal data in accordance with the Skarpaa documented instructions unless otherwise required by law.
8.3 Data Subject Rights
Skarpaa will assist the Client in fulfilling their obligations related to data subject rights, including requests for access, correction, erasure, restriction, portability, and objection, as required under GDPR.
8.4 Data Transfers
Skarpaa ensures that personal data is processed within the European Economic Area (EEA). Any data transfers outside the EEA will comply with GDPR safeguards, such as standard contractual clauses or equivalent mechanisms.
8.5 Data Security
Skarpaa will implement appropriate technical and organizational measures to ensure the security of personal data, including measures to prevent unauthorized access, disclosure, alteration, or destruction.
8.6 Data Breach Notification
In the event of a personal data breach, Skarpaa will notify the Client without undue delay, providing all relevant information to allow the Client to comply with their GDPR obligations.
8.7 Data Retention
Skarpaa will retain personal data only as long as necessary to fulfill the purposes of the Service or as required by applicable law. Upon termination of the Service, personal data will be deleted or returned to the Client, as per their instructions.
8.8 Sub-processors
Skarpaa may engage third-party sub-processors to assist in the delivery and improvement of the Service. Skarpaa ensures that all sub-processors are bound by GDPR-compliant data processing agreements and meet the same data protection standards.
Copyright © 2025 Skarpaa – All rights reserved