
General Terms and Conditions

Note: This is a convenience translation. The German version is legally binding. In case of discrepancies, the German version shall prevail.

Gosign GmbH - AI Infrastructure, Agent Development & Software Development
Version 3.1 - As of: March 2026

§ 1 Scope and Subject Matter

These General Terms and Conditions (GTC) apply to all contracts between Gosign GmbH (hereinafter "Gosign") and its clients regarding the following service areas:

AI Enterprise Infrastructure & Agent Development: Services related to artificial intelligence in the enterprise environment, including planning and implementation of AI infrastructure, development of AI agents, integration of AI models, self-hosting solutions, FinOps strategies for cost optimization of AI workloads, and related consulting and development services.

Decision Layer & Governance Architecture: Development and implementation of a governance and control layer (Decision Layer) between AI agents and enterprise target systems, including rule-based decision control, Audit Trail documentation, Human-in-the-Loop architecture, and automated compliance evidence (Cert-Ready).

Software Development: Development of custom software solutions, web applications, and integrations, including the use of open-source frameworks and libraries. This encompasses conception, design, development, customization, integration, and documentation.

Hosting and Operations (optional): Hosting services and operational support optionally offered by Gosign. Regular operations of the solutions developed by Gosign are generally conducted within the client's infrastructure. Hosting by Gosign is an additional service that is separately agreed upon.

Enablement and Knowledge Transfer: Gosign pursues the objective of enabling the client to independently operate and further develop the provided solutions. Where agreed, the scope of services includes training, documentation, and a structured knowledge transfer designed to systematically reduce the client's dependency on Gosign.

Scope Limitation: Gosign provides technical services. The solutions developed by Gosign do not replace legal, tax, or HR advisory services. Substantive final decisions remain with the client. The client's systems (e.g., SAP, Workday, SuccessFactors, DATEV) remain the system of record; Gosign solutions integrate with these systems but do not replace them.

Client Base: These GTC are directed exclusively at entrepreneurs within the meaning of § 14 BGB (German Civil Code). For clients domiciled in the EU/EEA, these GTC apply directly. For clients outside the EU/EEA, they apply provided that the applicability of German law has been agreed. Gosign does not offer contracts to consumers.

Individual agreements and SLAs take precedence over these GTC. Deviating terms and conditions of the client shall not apply unless Gosign has expressly agreed to their applicability in writing.

§ 2 Definitions

The following terms are used in these GTC as defined below:

"Agent" means a software component that automatically executes or prepares tasks on behalf of the client based on AI models and rule sets (e.g., Document Agent, Workflow Agent, Knowledge Agent).

"Audit Trail" means the complete, chronological record of all Decision Records and events in the system.

"Auditor Portal" means a web-based interface through which authorized auditors (internal or external) can view the live status of all Controls and Evidence.

"Cert-Ready" means the property of a system architecture to meet the technical prerequisites for industry-standard certifications (e.g., ISO 27001, SOC 2, IDW PS 951) - without thereby owing or guaranteeing the certification itself.

"Component Manifest" means the overview appended to the proposal that assigns each material software component either as a client-specific work product (§ 7.1) or as a Platform Component (§ 7.2). Details are governed by § 7.2 para. 4.

"Control" means a technically implemented verification rule that ensures compliance with a specific compliance or governance standard (e.g., "No salary decision without four-eyes principle").

"Decision Layer" means the governance and control layer developed by Gosign that decomposes business processes into individual decisions and determines for each step whether a human decides, a rule set applies, or the AI acts autonomously.

"Decision Record" means the automatic, immutable documentation of a single decision within the Decision Layer, consisting of input data, applied rule/model version, confidence score, decision path, and result.

"Evidence" means an automatically generated proof that a Control was satisfied at a specific point in time.

"Human-in-the-Loop" means an architectural principle where certain decisions require human approval before execution. The classification of which decisions require human approval is jointly determined with the client during the project.

"Maintenance" means the optional annual maintenance contract for Platform Components, covering ongoing maintenance, security updates, and further development. Details are governed by § 7.7.

"Perpetual License" means the client's permanent right to use the respective delivered version of the Platform Components pursuant to § 7.2 para. 2. The right of use exists regardless of whether a maintenance contract is in place.

"Platform Components" (Plattform-Komponenten) means the reusable technical core of Gosign solutions, in particular the Decision Engine, the Rules Engine Framework, the Audit Trail architecture, and orchestration modules. Details are governed by § 7.2 para. 1.

"Source Code Transfer" (Quellcode-Transfer) means the transfer of the exclusive right of use to the software components individually developed for the client, including source code, prompts, rule sets, configurations, and documentation.

"Software Bill of Materials (SBOM)" means the overview of all open-source components used in the solution and their licenses pursuant to § 7.4.

"System of Record" means the client's leading system for master and transactional data (e.g., SAP, Workday, SuccessFactors, DATEV). Gosign solutions integrate with the System of Record but do not replace it.

"Permitted Third Parties" (Zulässige Dritte) means the recipients exhaustively listed in § 7.1 para. 3 to whom the client may transfer work products and Platform Components without separate consent from Gosign.

§ 3 Conclusion of Contract

Proposal and Order: The presentation of services by Gosign does not generally constitute a binding offer. The contract is concluded upon the client's order and acceptance by Gosign within 14 calendar days.

A contract is only formed when Gosign confirms the order in text form or commences execution.

Framework Agreement and Service Phases: The contract may be concluded as a framework agreement with individually commissioned service phases. Each phase may be commissioned separately without obligation to commission subsequent phases.

Contract Types per Phase: Discovery phases (analysis, consulting, process documentation) are performed as service contracts (Dienstvertrag); what is owed is the advisory service, not a specific result. Build phases (development, implementation, proof of concept) are performed as contracts for work and services (Werkvertrag) with acceptance, unless otherwise agreed. Scale and Support phases are performed as service contracts; optional Service Level Agreements (SLA) apply supplementarily.

Contracts may be concluded in writing, electronically, or in text form. Gosign stores the contract text and these GTC.

§ 4 Services by Gosign

Gosign performs the contractually agreed services professionally and with the diligence of a prudent businessperson (Sorgfalt eines ordentlichen Kaufmanns). Gosign is entitled to employ qualified staff, vicarious agents, or subcontractors.

Place of Performance: Services are generally provided remotely. Gosign employs staff at various locations and ensures compliance with the agreed security and data protection standards regardless of the place of performance. On-site deployments are separately agreed.

Project Coordination: Both parties designate contact persons. Gosign provides regular updates on project progress.

Deadlines and Time Limits: Deadlines and time limits are only binding if expressly agreed as such. In the event of delays not attributable to Gosign, deadlines shall be reasonably extended.

Change Requests: Changes to the scope of services require a written agreement on additional costs and timelines.

Proof of Concept (PoC): Where a PoC is agreed, the success criteria defined in the proposal shall apply. A PoC serves to validate technical feasibility. The work products created during the PoC become the property of the client upon full payment, unless otherwise agreed.

Partial Deliveries: Gosign is entitled to provide reasonable partial deliveries.

4.1 Acceptance of Work Products

The client shall review work products within 14 calendar days and either declare acceptance or report defects. If no response is received, the work shall be deemed accepted, provided the client was informed of this consequence. Immaterial defects do not entitle the client to refuse acceptance.

§ 5 Client's Cooperation Obligations (Mitwirkungspflichten)

The client shall provide all necessary documents, information, data, and access in a timely manner.

The client shall designate a qualified contact person with decision-making authority.

Technical Infrastructure: Where services are performed on the client's systems, the client shall provide the infrastructure. Gosign shall inform the client of the system requirements.

Testing and Acceptance: The client shall actively participate, document errors, and not unreasonably delay approvals.

Maintenance and Data Backup: The client shall independently and promptly install security updates, unless a maintenance contract with Gosign is in place. Regular backups are the client's responsibility.

Lawfulness: The client is responsible for the lawfulness of all content and data provided and shall indemnify Gosign against third-party claims.

Delays and additional costs caused by the client's breach of cooperation obligations shall be borne by the client.

§ 6 Special Provisions for AI Infrastructure & Agent Development

6.1 Scope of Services

The scope of services is defined in the proposal and may include: integration and customization of AI models, development of AI agents, implementation of the Decision Layer, AI infrastructure consulting, FinOps, security and compliance concepts, training.

The proposal specifies which Platform Components (§ 7.2) are used and includes a Component Manifest as an appendix.

6.2 Three-Tier Architecture and Responsibilities

The AI solutions developed by Gosign distinguish three processing tiers with different responsibilities:

(a) Analysis (AI Model): The language model analyzes data and generates recommendations. AI models produce probabilistic results; Gosign owes the professional integration and configuration of the model, not the substantive accuracy of each individual output.

(b) Decision (Decision Layer): The Decision Layer applies defined rule sets, thresholds, and approval processes to the analysis results. Gosign owes the correct implementation of the agreed decision logic. Errors in the rule implementation constitute software defects and are subject to warranty.

(c) Execution (Integration/Tool): The results are transmitted to the client's target systems (e.g., SAP, DATEV, Workday). Gosign owes the correct technical integration. Errors in the client's target system are the client's responsibility.

6.3 Human-in-the-Loop

For decisions classified as high-risk (particularly personnel decisions, salary decisions, decisions subject to co-determination (Mitbestimmung)), Human-in-the-Loop is the default, unless expressly agreed otherwise. The classification of which decisions require human approval is jointly determined during the project and configured in the Decision Layer. The client remains responsible for substantive final decisions.

6.4 Model Agnosticism

Gosign uses AI models from various providers (model-agnostic approach). The selection is made in coordination with the client. Gosign shall inform the client of planned model changes. Should a provider discontinue its service, Gosign shall promptly propose an equivalent alternative model. Gosign shall not be liable for the availability or discontinuation of third-party services.

6.5 Bias Monitoring

Where agreed, Gosign implements mechanisms for the detection and documentation of systematic biases (Bias Monitoring). Regular monitoring during ongoing operations is the client's responsibility, unless a maintenance contract is in place.

6.6 Use of Data for AI

The client remains the owner and controller of all data provided to Gosign. Gosign uses such data exclusively for the performance of the contract. The client ensures it holds the necessary rights. Where external AI models or APIs are used, this occurs only under conditions that exclude the use of client data for model training, unless the client has expressly approved otherwise.

6.7 FinOps and Usage-Based Costs

Usage-based third-party costs (API fees, GPU compute time) are borne by the client, unless otherwise agreed. Gosign shall inform the client in advance of the cost structure and provide transparent usage reports.

6.8 Regulatory Requirements

Gosign addresses the requirements of Regulation (EU) 2024/1689 (EU AI Act) as technical architectural principles (Readiness). The legal compliance assessment for the specific use case is the responsibility of the client and its legal advisors. Gosign shall support the client in implementing regulatory requirements upon request, provided this is commissioned.

6.9 Indemnification

The use of the AI systems is the client's sole responsibility. The client shall indemnify Gosign against third-party claims arising from abusive or unlawful use.

§ 7 Rights of Use, Intellectual Property, and Source Code Access

7.1 Rights of Use to Client-Specific Work Products

Upon full payment, the client receives a permanent, geographically unrestricted, non-exclusive right of use to the following client-specific work products:

(a) Client-specific configurations (rule sets, decision tables, policies, routing rules, client-specific data models, decision matrices)

(b) Prompts and prompt templates developed for the client and designated as client-specific in the Component Manifest

(c) Client-specific integrations and adapters according to the Component Manifest (e.g., client-specific SAP connectors, API connectors, UI texts)

(d) Technical documentation of the client-specific solution

(e) Client data and configurations in all formats

The assignment to § 7.1 or § 7.2 is determined by the Component Manifest pursuant to § 7.2 para. 4.

The right of use includes the right to modify and further develop for the client's own business operations.

Transfer to third parties or sublicensing requires the prior written consent of Gosign. No consent is required for transfer to Permitted Third Parties (Zulässige Dritte). Permitted Third Parties are:

(i) Affiliated companies of the client within the meaning of §§ 15 et seq. AktG (German Stock Corporation Act) or under comparable foreign corporate law (group companies, subsidiaries, shared service units)

(ii) IT service providers and data processors of the client acting under confidentiality obligations and purpose limitation

(iii) Auditors, internal audit, and regulatory authorities within the scope of statutory or contractual audit obligations

(iv) Legal successors of the client in the event of restructuring, merger, or asset deal, provided the transfer occurs in connection with a transfer of the business unit in which the solution is deployed, and the legal successor assumes the obligations under § 7; transfer to direct competitors of Gosign is excluded

The client shall ensure that Permitted Third Parties maintain at least equivalent protection and confidentiality obligations.

§ 7.1 takes precedence over the general assignment provision in § 19 insofar as the transfer to Permitted Third Parties or legal successors is concerned.

The client has full access to the source code of all components operated in its environment - including Platform Components pursuant to § 7.2 - no later than deployment of the solution in its infrastructure, or otherwise no later than acceptance or full payment. Access means readable, not intentionally obfuscated source code in a repository maintained in the client's environment or as a code export (at least after each productive release and upon request within 10 business days) including build instructions and dependency lockfiles. Additional code exports outside of regular releases are provided free of charge up to twice per quarter; exports beyond this are compensated based on effort.

7.2 Gosign Platform Components

Gosign uses its own Platform Components in development. Platform Components are the reusable technical core, in particular the Decision Engine, the Rules Engine Framework, the Audit Trail architecture, and orchestration modules (hereinafter "Platform Components"). The exclusive intellectual property and right of use to these Platform Components remains with Gosign.

The client receives a permanent right of use to the respective delivered version of the Platform Components (Perpetual License). This right of use is non-exclusive and includes the operation, configuration, and integration into the client's systems for its own business operations. The right of use exists regardless of whether a maintenance contract is in place. The transfer rules from § 7.1 (including Permitted Third Parties and the flow-down obligation) apply accordingly.

From deployment (or with acceptance/payment pursuant to § 7.1), the client has full access to the source code of all Platform Components operated in its infrastructure. Gosign provides complete technical documentation including build instructions. The source code shall not be intentionally rendered unreadable (no obfuscation, no intentional impediment to readability). The encryption of source code at rest and in transit for integrity protection is not affected by this provision.

The Platform Components are identified in the proposal in a Component Manifest. The Component Manifest lists at a minimum all material Platform Components and assigns each component to either § 7.1 (client-specific) or § 7.2 (platform). The Component Manifest is authoritative for the assignment. Changes to the Component Manifest require text form and shall be agreed as an addendum to the proposal or in a Change Request. Components not listed in the Manifest shall be deemed client-specific within the meaning of § 7.1, unless they are open-source or third-party components or are already deployed as Platform Components in other client projects; clarification by addendum remains possible.

The source code of the Platform Components is confidential information and a trade secret of Gosign within the meaning of § 14. The client may inspect the source code, use it for the contractual purpose, and transfer it to Permitted Third Parties pursuant to § 7.1 in compliance with the flow-down obligation. Any use, transfer, or exploitation beyond this is prohibited. The client shall protect the source code of the Platform Components with at least the same care as its own trade secrets.

The client shall not use Platform Components, including source code and know-how derived therefrom, to develop, market, or provide a product or service competing with Gosign or to productize for third parties.

7.3 Source Code Escrow

At the client's request, Gosign shall deposit the complete source code of all Platform Components, including build instructions, dependency lockfiles, and deployment documentation, with an independent escrow service provider. The costs of the deposit are borne by the client, unless otherwise agreed in the proposal.

At the time of contract conclusion, Gosign grants the client all rights of use to the Platform Components subject to the condition precedent of the respective release event, including the right to modify, further develop, and independently operate them. The condition precedent is triggered in the following cases:

(a) Filing for insolvency by Gosign (opening or rejection for lack of assets)

(b) Discontinuation of Product Support: Gosign fails to provide security updates for the deployed Platform Components within 90 calendar days of becoming aware of a critical vulnerability without offering an equivalent successor solution within this period, or officially declares the component end-of-life. A critical vulnerability within the meaning of this clause is a security flaw rated as high or critical according to internationally recognized standards (in particular CVSS). Further criteria may be agreed in the escrow agreement. An equivalent successor solution covers at least the essential core functions of the replaced component and ensures a comparable security level. Further requirements may be agreed in the escrow agreement.

(c) Material breach of contract by Gosign that is not remedied within 60 calendar days despite written notice setting a deadline.

The technical details of the deposit, updating, and release are governed by a separate escrow agreement between Gosign, the client, and the escrow service provider. This includes in particular: deposit scope (repository, keys, build chain, documentation, dependencies), update frequency, release conditions, the client's right of inspection, and release mechanics.

7.4 Open-Source Components

Gosign uses open-source software where possible. The client's rights to open-source components are governed by the respective license terms (e.g., MIT, Apache, GPL). Gosign shall provide the client with an overview of the open-source components used and their licenses (Software Bill of Materials). The client undertakes to comply with these license terms. Where custom code builds upon open-source components and may thereby be subject to their license terms, Gosign shall inform the client accordingly.

Gosign shall not use components under copyleft licenses (in particular GPL, AGPL) unless they are expressly identified in the proposal and approved by the client.

7.5 Reusable Components and Tenant Isolation

Gosign continuously develops Platform Components and uses them in projects for various clients. Client-specific configurations, trade secrets, and data do not flow into other projects.

The technical architecture ensures, in accordance with the state of the art, through tenant isolation that client data remains strictly separated. This includes in particular the separation at the level of data, logs, prompt histories, storage, and tenant-specific keys. Gosign shall document the isolation architecture upon request.

7.6 Limited Right of Use (Alternative for Pure Software Projects)

Where the proposal neither employs Platform Components nor agrees upon a Component Manifest (particularly in pure software development projects without Decision Layer deployment), the client receives a permanent, geographically unrestricted, non-exclusive right of use to the individual developments. The right of use includes the right to modify and further develop for the client's own business operations. The transfer rules pursuant to § 7.1 para. 3 (including Permitted Third Parties and the flow-down obligation) apply accordingly.

7.7 License Fees and Maintenance

No ongoing license fees apply to client-specific work products (§ 7.1).

For Gosign Platform Components (§ 7.2): The right of use to the delivered version (Perpetual License) is covered by the compensation agreed in the proposal. Additional ongoing fees are only payable if expressly stated in the proposal.

An annual maintenance contract (Maintenance) may be agreed for ongoing maintenance, security updates, and further development of the Platform Components. The type, scope, response times, and amount of maintenance fees are transparently set out in the respective proposal.

If the client terminates the maintenance contract, the right of use to the last delivered version remains fully in effect. The client will then no longer receive further updates, security patches, or technical support for the Platform Components. Gosign recommends entering into a source code escrow agreement pursuant to § 7.3 in this case.

Without express agreement in the proposal, no ongoing fees apply.

7.8 Client Modifications to Platform Components

The client has the right to modify Platform Components for its own business operations. Gosign shall, where possible, provide documented extension points that allow changes without modifying the platform core.

If the client makes modifications to Platform Components outside the documented extension points, the warranty and support entitlement for the affected parts shall lapse until (a) the modifications are reversed or (b) Gosign conducts a chargeable analysis and confirms compatibility.

The client shall cooperate to a reasonable extent to ensure that Gosign's security updates can be applied even where client modifications exist. If the client refuses the required cooperation or if its modifications block the installation of a security update, Gosign is entitled to suspend support for the affected components until the blockage is resolved. A blockage exists when the update cannot be applied with reasonable effort because client-side changes outside the extension points impair compatibility.

The client's security obligations pursuant to § 9 remain unaffected by modifications.

7.9 Client Contributions to Platform Components

Where provided for in the proposal or a separate agreement, the client may submit bug fixes, improvement suggestions, or extensions for Platform Components ("Contributions").

The client grants Gosign a simple, non-exclusive, temporally and geographically unrestricted right of use to such Contributions, insofar as the Contributions relate to Platform Components and do not contain the client's trade secrets or client-specific configurations. Gosign may incorporate such Contributions into the Platform Components and make them available to all clients.

This clause does not impose any obligation on the client to submit Contributions.

7.10 Handover

The handover of work products (including source code repository, documentation, Component Manifest, configurations, and Software Bill of Materials) takes place no later than upon acceptance of the last project phase and full payment. Gosign shall actively support the handover and grant the client full access.

§ 8 Hosting and Operations

Regular operations of the solutions developed by Gosign are conducted within the client's infrastructure. Hosting by Gosign is an optional additional service. If the client uses hosting, the following conditions apply:

Managed Services in Client Infrastructure: Where Gosign operates the solution in the client's cloud environment, the hosting provisions apply accordingly. Responsibility for the base infrastructure remains with the client. Gosign is responsible for the application layer.

Data Center: Hosting takes place in Germany or the EU, unless otherwise agreed. The client's preferences shall be communicated at contract conclusion.

Availability: Without SLA, no guarantee of minimum availability. Gosign strives for high availability.

Maintenance Windows: Planned maintenance outside business hours with prior notice.

Data Backup: Daily backup, 7-day rolling backup, unless otherwise agreed.

Transition and Exit: After termination of hosting services, Gosign shall support the client for up to 90 days with migration (Transition). The Transition is compensated based on effort. All client data is fully exportable in common formats.

§ 9 Security, Maintenance, and Updates

Mandatory Security Updates: Gosign may perform security-relevant updates without the client's prior consent if delay would jeopardize security. The client will be informed subsequently.

Duty to Tolerate: The client may not refuse security updates. The security and integrity of the system take priority.

Refusal: In the event of refusal of a security measure, Gosign may suspend services. Claims by the client for resulting damages are excluded.

Optional Updates: Non-security-relevant updates only upon agreement.

Penetration Testing: The client may, upon prior notice (at least 14 calendar days), have security audits or penetration tests conducted, provided confidentiality is ensured. Details may be governed in the SLA.

Incident Response: In the event of a security incident affecting the availability, integrity, or confidentiality of client data or systems, Gosign shall inform the client without undue delay, no later than within 24 hours of becoming aware, and take immediate containment measures. The initial notification and containment measures are part of the contractual services. Additional services (in particular forensic analysis, root cause investigation, and preparation of a detailed incident report) are compensated based on effort, unless the incident is attributable to Gosign's fault. Where Gosign is responsible for the incident, all analysis and remediation measures are provided to the client free of charge.

§ 10 Compensation and Payment Terms

Prices are set out in the proposal, plus statutory VAT.

Invoicing on a time-and-materials or fixed-price basis as agreed.

Incidental and travel expenses only upon prior agreement.

Payment Term: 14 calendar days, unless otherwise agreed. Deviating payment terms may be individually agreed. Default interest: 9 percentage points above the base interest rate (§ 288 para. 2 BGB).

Milestone-based installment payments for longer projects.

Set-off only against undisputed or legally established counterclaims.

§ 11 Liability

Unlimited: In cases of intent, gross negligence, injury to life, body, or health, guarantee, and product liability.

Cardinal Obligations (Kardinalpflichten): In cases of ordinary negligence, limited to the typically foreseeable damage.

Liability Cap: Gosign's liability for damages arising from the breach of cardinal obligations (Kardinalpflichten) is limited per claim to the amount of the net compensation agreed in the affected individual contract. Gosign's total liability under a contractual relationship is limited to twice the annual net compensation. Deviating liability caps may be agreed in the individual contract.

Indirect damages, consequential damages, and lost profits: Excluded except in cases of intent, gross negligence, or breach of cardinal obligations (Kardinalpflichten).

Data Loss: Liability limited to the recovery effort from the client's proper backups.

AI Results: No liability for decisions based on AI outputs, provided Gosign has not breached cardinal obligations (Kardinalpflichten) (see § 6.2).

Insurance: Gosign maintains market-standard professional and business liability insurance. Proof upon request.

Limitation Period: Two years, not applicable in cases of intent, gross negligence, or personal injury.

§ 12 Defect Claims (Warranty)

Warranty Period: 12 months from acceptance for defects in quality and title (Sach- und Rechtsmängel).

Defects shall be reported without undue delay in text form. Supplementary performance through repair or replacement delivery.

Failure after two attempts: price reduction or rescission.

No warranty for immaterial deviations or disruptions caused by the client.

Errors in open-source or third-party software do not constitute a defect in Gosign's services, provided they were correctly integrated.

The warranty for Platform Components is subject to the limitations pursuant to § 7.8 (client modifications).

For continuing obligations: statutory provisions for service/lease agreements.

§ 13 Data Protection and Data Processing

Both parties comply with GDPR (DSGVO), BDSG (German Federal Data Protection Act), and other applicable data protection laws.

Where the client processes data subject to the Brazilian LGPD or other international data protection laws, Gosign shall support compliance.

Gosign acts as a data processor (Art. 28 GDPR). The parties shall conclude a Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag).

Gosign also accepts DPAs provided by the client, provided they are GDPR-compliant.

Gosign implements appropriate technical and organizational measures (Art. 32 GDPR).

Sub-processors with general consent, provided they are contractually obligated to an equivalent level of data protection.

Data Residency: Upon request, contractual assurance that data processing occurs exclusively in Germany or a specified EU/EEA member state. For AI API calls to third countries, prior information and - where possible - European endpoints.

In the event of a data breach: immediate notification and cooperation with reporting obligations.

§ 14 Confidentiality

Both parties treat confidential information as strictly confidential.

Exceptions: Publicly known, previously known, independently developed, statutory obligation.

Disclosure: Only on a need-to-know basis to employees subject to confidentiality obligations.

Standard of Protection: Both parties protect confidential information at least to the same degree as they protect their own trade secrets, but in any event through appropriate technical and organizational measures in accordance with the state of the art.

Duration: 5 years after termination of the contract. For information designated as trade secrets (in particular pursuant to § 7.2 para. 5), the confidentiality obligation continues beyond the term of the contract.

Return and Destruction: Upon request, no later than upon termination of the contract.

Reference Use: Gosign may use the client's name and logo as a reference only with the client's prior written approval.

§ 15 Contract Term and Termination

15.1 Project contracts end upon acceptance of the last deliverable and full payment.

15.2 Continuing obligations: minimum term of 12 months. Thereafter, automatic renewal for 12-month periods, terminable with 3 months' notice before the end of the term.

15.2a For maintenance contracts pursuant to § 7.7 (Maintenance), the provisions for continuing obligations under para. 2 apply accordingly, unless different terms and notice periods are agreed in the maintenance contract.

15.3 Extraordinary termination for cause: (a) material breach of duty after a 30-day grace period; (b) insolvency; (c) persistent refusal of updates (§ 9); (d) unlawful system use.

15.4 Consequences of termination: Return/deletion of all client data. Transition pursuant to § 8. Acquired rights of use continue in effect upon full payment.

§ 16 Compliance, Certifications, and Co-Determination (Mitbestimmung)

16.1 Cert-Ready: Gosign designs its solutions to meet the technical prerequisites for industry-standard certifications (Cert-Ready by Design). Specifically, this means: Controls are implemented as first-class data objects in the system, Evidence is automatically generated, the Audit Trail is complete and exportable, and access via an Auditor Portal is provided. The attainment of a specific certificate is not an owed deliverable and requires a separate agreement between the client, auditor, and Gosign.

16.2 Works Council (Betriebsrat) and Co-Determination (Mitbestimmung): Where AI solutions are deployed in areas subject to co-determination (§ 87 para. 1 no. 6 BetrVG, German Works Constitution Act), Gosign supports the preparation of documentation and information materials for the works council (Betriebsrat). The formal involvement of the works council and the conclusion of works agreements (Betriebsvereinbarungen) are the client's responsibility. The architecture of the Decision Layer is designed to represent works agreements as configurable, technically enforceable rules.

16.3 Sanctions Compliance: Gosign warrants that it does not maintain business relationships with sanctioned persons, entities, or states.

16.4 Sustainability: Gosign considers energy efficiency aspects in infrastructure selection. Information available upon request.

§ 17 Export Control

The client shall comply with export and sanctions regulations. Gosign shall inform the client of export-controlled components. Performance is subject to the proviso that no statutory impediments exist.

§ 18 Force Majeure

No liability for non-performance due to force majeure (natural disasters, war, pandemics, industrial action, governmental measures, large-scale infrastructure failures). Immediate notification. Deadlines shall be extended accordingly. Right of rescission after 3 months.

§ 19 Final Provisions

Applicable Law: German law, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

Place of Jurisdiction: Hamburg (for merchants and legal entities).

Contract Language: German. English versions serve international cooperation; in case of doubt, the German version prevails.

Versioning: These GTC bear a version number and effective date. Current version at gosign.de/de/agb/.

Amendments in text form. GTC amendments with 6 weeks' notice; objection period 4 weeks.

Assignment: Assignment only with written consent. The transfer to Permitted Third Parties and legal successors pursuant to § 7.1 para. 3 remains unaffected.

Severability clause. Precedence of individual agreements.