(1) Subject of the Agreement

The contractor undertakes to provide the services ordered in the respective individual contract to the client. These may include the following areas:

• Operation and management of a Security Operation Center (SOC).
• Consulting services to improve IT security.
• Conducting penetration tests to identify security vulnerabilities.
• Implementation and support of an Information Security Management System (ISMS).
• Provision and execution of Managed Security Services (MSS), including monitoring, management, and optimization of the client's IT security infrastructure.

The exact scope of services will be defined and specified in individual orders (see § 2). Unless expressly regulated otherwise, the contractor will perform its services as work services within the meaning of § 631 BGB.

The contractor reserves the right to offer and provide additional cybersecurity services under this agreement. The provision of such additional services will take place after prior written agreement between the parties and may lead to an adjustment of the remuneration if necessary.

(2) Individual Orders and Service Description

The specific services to be provided by the contractor will be defined in individual engagements based on this framework agreement. Each individual order includes:

• A detailed service description.
• The timeframe for service delivery.
• The remuneration for the respective services.

The contractor undertakes to perform all agreed services in accordance with recognized IT security standards and legal requirements.

(3) Duties of the Contractor

The contractor is obliged to provide the agreed services properly, taking into account current security standards (e.g., ISO 27001, BSI Basic Protection). Security incidents must be reported to the client without delay. The contractor ensures that the report is made in an understandable and comprehensible form.
The contractor undertakes to take all necessary technical and organizational measures to protect itself from cyberattacks that could also affect the client. This includes, but is not limited to, regular security updates, firewalls, intrusion detection systems, and routine security reviews.

If the contractor itself becomes the target of a cyberattack that could potentially also impact the security of the client’s IT infrastructure, the contractor undertakes to inform the client immediately. The contractor will provide the client with all relevant information necessary to assess the risk and initiate necessary protective measures.

Upon termination of this agreement or an individual order, the contractor undertakes to return all data, documentation, and other work results obtained or created in the course of fulfilling the contract to the client in a standard, readable format. If requested by the client, the data will also be delivered in a specific structure, provided this is technically feasible.

The contractor undertakes to delete all data from its systems and backups after complete handover, unless legal retention obligations exist. Upon request by the client, the contractor is obliged to confirm the deletion in writing.

The contractor guarantees the confidentiality of the data and information entrusted to it in accordance with § 6.

(4) Duties of the Client

The client undertakes to provide the contractor with all necessary access to IT systems and relevant information required for the delivery of services. The client ensures that their IT infrastructure meets the necessary technical requirements to enable proper service delivery by the contractor. The client is obliged to actively cooperate in the handling of security incidents and to provide the contractor with all necessary information.
(5) Remuneration

The remuneration for the services provided by the contractor is based on the hourly rates listed in Appendix 1, which are a part of this contract as the Rate Card. The Rate Card contains the applicable hourly rates for various service categories and positions.

The contractor offers the client the possibility to agree on fixed prices in accordance with the hourly rates specified in the Rate Card when concluding a longer-term contract. During this term, the agreed prices remain fixed and are not subject to increase.

The contractor is entitled to adjust the hourly rates specified in the Rate Card for the first time one year after the contract start and thereafter annually. The adjustment of hourly rates must be announced in writing at least four weeks before taking effect.

Invoices must be paid by the client without deduction within 30 days of receipt unless otherwise agreed. All prices are exclusive of applicable VAT.

Additional services not agreed upon within the framework of an individual order will be invoiced separately. Travel and accommodation expenses as well as other costs incurred in connection with the provision of services will be billed separately to the client and are based on the rates specified in the Rate Card or the actual costs incurred.

(6) Confidentiality and Data Protection

Both parties undertake to treat all confidential information received within the context of this agreement as strictly confidential and to use it exclusively for fulfilling contractual obligations. This obligation remains effective for five years after the termination of the contract. Confidential information may only be disclosed to employees or subcontractors directly involved in fulfilling the contract and who are also bound by confidentiality.

The contractor undertakes to comply with data protection regulations, particularly the General Data Protection Regulation (GDPR).
The processing of personal data takes place solely within the scope of the agreed services and according to the client’s instructions. The contractor implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the processed data.

(7) Liability and Warranty

The contractor is only liable for damages caused by intentional or grossly negligent conduct. For slight negligence, the contractor is only liable for breaches of essential contractual obligations, with liability in such cases limited to typical foreseeable damage.

The contractor makes every effort to secure the client’s IT infrastructure to the best of their ability, based on current security standards. However, complete security cannot be guaranteed due to the ever-changing threat landscape.

(8) Contract Duration and Termination

This framework agreement enters into force upon signing and remains valid indefinitely. Either party may terminate the contract with a three-month notice period in writing.

The right to extraordinary termination for good cause remains unaffected. Good cause includes repeated breaches of essential contractual obligations despite written notice.

(9) Subcontractors

The contractor is entitled to use subcontractors to fulfill its contractual obligations but must inform the client in writing beforehand and obtain consent. The client may only refuse consent for good cause.

The contractor ensures that subcontractors adhere to the same confidentiality and data protection regulations that apply to the contractor. Regardless of subcontractor involvement, the contractor remains fully responsible for fulfilling contractual obligations to the client. The contractor is liable for all actions or omissions of subcontractors as if they were their own.

(10) Dispute Resolution

All disputes arising from this contract shall, where legally permissible, be subject to the jurisdiction of the contractor’s registered office.
Before going to court, the parties shall attempt to resolve the dispute through mediation.

(11) Amendments and Additions to the Agreement

Amendments or additions to this framework agreement must be made in writing and signed by both parties.

(12) Final Provisions

Should individual provisions of this agreement be invalid, the rest of the contract remains valid. The invalid provision shall be replaced by a regulation that comes closest to the economic purpose of the invalid provision.

Only German law applies, excluding the UN Convention on Contracts for the International Sale of Goods.