General Terms and Conditions

In these Terms:

“Affiliate”

means, in relation to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party.

“Campaign”

means a time-limited security awareness programme delivered to the Customer and its authorised Users through the Service.

“Customer Data”

means all data, content, and materials submitted to, stored in, or otherwise made available to SafeHabits by or on behalf of the Customer in connection with the Service, including personal data relating to Users.

“DPA”

means the data processing agreement entered into between the parties, where applicable, governing the processing of personal data by SafeHabits on behalf of the Customer.

“Order Form”

means any order form, quotation, proposal, statement of work, purchase order, or invoice issued or accepted by the parties that references these Terms.

“Output Data”

means reports, statistics, certificates, CSV exports, dashboards, summaries, and other outputs generated through the Service from Customer Data or User activity.

“Service”

means the SafeHabits security awareness service, including the web application, training content, habit blocks, questionnaires, tracking, reporting, and related services as described in the applicable Order Form.

“User”

means an employee, contractor, board member, manager, or other individual authorised by the Customer to access or participate in the Service.

2.1 These Terms apply to all Services provided by SafeHabits unless otherwise expressly agreed in writing.

2.2 If there is any conflict between the contractual documents, the order of precedence is:

1. the applicable Order Form;
2. the DPA, with respect to personal data processing only;
3. these Terms.

2.3 Any Customer purchase order terms or other standard terms are rejected and do not apply unless expressly accepted by SafeHabits in writing.

3.1 SafeHabits will provide the Service as described in the applicable Order Form.

3.2 Unless otherwise agreed in the Order Form, the Service may include:

• configuration of a Campaign for the Customer;
• access to the SafeHabits web application for authorised Users;
• security awareness modules and habit blocks;
• understanding checks, progress tracking, and completion records;
• generation of Output Data, including certificates and campaign reporting.

3.3 The exact scope, number of Users, languages, features, implementation assumptions, Campaign duration, and pricing will be set out in the Order Form.

3.4 SafeHabits may provide the Service remotely and is not required to perform activities on the Customer's premises unless expressly agreed in writing.

3.5 SafeHabits may update, improve, or modify the Service from time to time, provided such changes do not materially reduce the core functionality purchased by the Customer during an active Campaign.

4.1 Subject to these Terms and payment of applicable fees, SafeHabits grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the applicable term to permit authorised Users to access and use the Service for the Customer's internal business purposes.

4.2 The Customer may use Output Data for its internal business, governance, compliance, audit, and training purposes.

4.3 The Customer must not, and must ensure that its Users do not:

• access or use the Service for unlawful, harmful, fraudulent, or misleading purposes;
• copy, modify, adapt, translate, or create derivative works of the Service, except as expressly permitted by law;
• reverse engineer, decompile, disassemble, or otherwise attempt to discover source code, underlying ideas, algorithms, or trade secrets of the Service, except to the limited extent expressly permitted by mandatory law;
• interfere with or disrupt the integrity, security, or performance of the Service;
• bypass user limits, access restrictions, or authentication mechanisms;
• use the Service to build a competing product or service;
• share credentials or access links except as expressly authorised by SafeHabits.

5.1 The Customer is responsible for:

• providing accurate and up-to-date information necessary for SafeHabits to provide the Service;
• obtaining and maintaining all internal approvals, notices, and legal bases necessary to provide Customer Data to SafeHabits and to enable Users to participate in the Campaign;
• ensuring that its use of the Service and its Users' use of the Service comply with applicable law and internal policies;
• selecting which Users participate in a Campaign and how the Customer acts on any Output Data.

5.2 The Customer remains solely responsible for its own governance, compliance, legal, regulatory, and information security obligations, including obligations arising under frameworks, standards, or sectoral rules such as NIS2, ISO 27001, or NIST CSF.

6.1 The Customer will pay the fees specified in the applicable Order Form or invoice.

6.2 Unless otherwise stated, all fees:

• are stated in euros (EUR); and
• exclude VAT and any other applicable taxes, duties, or levies.

6.3 The Customer is responsible for all applicable taxes, excluding taxes based on SafeHabits' net income.

6.4 Payment terms are net 10 days from the invoice date unless otherwise stated in the Order Form.

6.5 Except as expressly stated in these Terms or required by law, fees are non-cancellable and non-refundable.

6.6 If the Customer fails to pay undisputed amounts when due, SafeHabits may:

• charge default interest and reasonable recovery costs to the extent permitted by applicable law; and
• suspend access to the Service on written notice if overdue amounts remain unpaid for at least 10 days after a payment reminder.

6.7 The Customer may not withhold, offset, or deduct amounts unless required by law or finally determined by a competent court.

7.1 These Terms begin when the Customer first accepts them and continue until all Order Forms have expired or been terminated.

7.2 Each Order Form remains in effect for the term stated in that Order Form unless terminated earlier under these Terms.

7.3 Either party may terminate these Terms or an affected Order Form with immediate effect by written notice if the other party:

• materially breaches these Terms and fails to cure that breach within 30 days after written notice; or
• becomes insolvent, enters liquidation, or becomes subject to bankruptcy or similar proceedings.

7.4 SafeHabits may suspend the Service immediately if necessary to:

• protect the security or integrity of the Service;
• prevent unlawful activity or material harm;
• respond to a legal or regulatory requirement; or
• address a serious breach of these Terms by the Customer or its Users.

7.5 On expiry or termination of an Order Form:

• the Customer's and Users' access rights for the affected Service will end;
• SafeHabits will, on written request made within 30 days, provide the Customer with available Output Data in a reasonable export format;
• thereafter, SafeHabits may delete or anonymise Customer Data in accordance with its retention practices and legal obligations.

8.1 Each party will comply with applicable data protection laws.

8.2 To the extent SafeHabits processes personal data on behalf of the Customer as processor, the parties will enter into a DPA. That DPA forms part of the contractual framework between the parties.

8.3 The Customer instructs SafeHabits to process personal data only as necessary to provide the Service, generate Output Data, provide support, maintain security, and comply with applicable law, as further described in the DPA.

8.4 The Customer acknowledges that the Service is designed to minimise personal data where reasonably possible, but that Customer Data may include identifiers such as names, email addresses, job roles, completion data, and related usage metadata.

8.5 SafeHabits will not use Customer Data to market directly to Users unless expressly agreed by the Customer and permitted by applicable law.

9.1 SafeHabits will implement and maintain appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

9.2 Such measures may include, where appropriate:

• secure hosting arrangements;
• encryption in transit;
• logical access controls and role-based access restrictions;
• tenant separation measures;
• backup and recovery procedures;
• restricted administrative access.

9.3 SafeHabits may update its security measures from time to time, provided such updates do not materially diminish the overall security of the Service.

9.4 In the event of a personal data breach affecting Customer Data processed by SafeHabits on behalf of the Customer, SafeHabits will notify the Customer without undue delay in accordance with the DPA and applicable law.

10.1 Each party may receive Confidential Information from the other party in connection with the Service.

10.2 “Confidential Information” means non-public information disclosed by or on behalf of one party to the other that is identified as confidential or that should reasonably be understood to be confidential, including business plans, pricing, technical information, Customer Data, security information, and non-public product information.

10.3 The receiving party will:

• use Confidential Information only for purposes of performing or exercising rights under these Terms; and
• protect it using at least reasonable care.

10.4 The confidentiality obligations do not apply to information that the receiving party can show:

• was already lawfully known to it without confidentiality obligation;
• becomes publicly available without breach of these Terms;
• is lawfully received from a third party without restriction; or
• is independently developed without use of the disclosing party's Confidential Information.

10.5 A party may disclose Confidential Information where required by law, regulation, or court order, provided it gives prior notice where legally permitted.

11.1 SafeHabits and its licensors retain all right, title, and interest in and to:

• the Service;
• the software, interfaces, designs, methodologies, and know-how underlying the Service;
• the training content, questionnaires, templates, visuals, and related materials;
• all improvements, modifications, and derivative works of the foregoing.

11.2 Except for the limited rights expressly granted in these Terms, no rights are granted to the Customer by implication, estoppel, or otherwise.

11.3 The Customer retains all right, title, and interest in and to Customer Data.

11.4 The Customer grants SafeHabits a non-exclusive, worldwide right during the applicable term to host, use, process, transmit, reproduce, and otherwise handle Customer Data solely as necessary to provide, secure, support, and improve the Service in accordance with these Terms, the DPA, and applicable law.

11.5 SafeHabits may use aggregated and de-identified information derived from use of the Service for lawful business purposes, including analytics, benchmarking, service improvement, and planning, provided such information does not identify the Customer or any individual.

12.1 The Service is intended to support the Customer's security awareness, governance, training, and evidence-generation activities.

12.2 The Service may assist the Customer in documenting or evidencing selected activities relevant to compliance, audits, internal governance, or control frameworks.

12.3 However, SafeHabits does not provide legal advice, regulatory certification, or a guarantee of compliance.

12.4 The Customer acknowledges that use of the Service alone does not guarantee:

• compliance with any law, regulation, or standard;
• successful completion of any audit or assessment;
• prevention of security incidents, phishing success, data breaches, or regulatory action.

13.1 SafeHabits warrants that it will provide the Service with reasonable skill and care and in material conformity with the applicable Order Form.

13.2 The Customer's exclusive remedy for breach of Section 13.1 is for SafeHabits to use commercially reasonable efforts to correct the affected non-conformity.

13.3 Except as expressly stated in these Terms, the Service is provided “as is” and “as available”.

13.4 To the fullest extent permitted by law, SafeHabits disclaims all other warranties, conditions, and representations, whether express, implied, statutory, or otherwise, including any implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.

14.1 Nothing in these Terms excludes or limits liability for:

• fraud or fraudulent misrepresentation;
• death or personal injury caused by negligence;
• wilful misconduct;
• any liability that cannot be excluded or limited by applicable law.

14.2 Subject to Section 14.1, neither party will be liable for any:

• indirect, incidental, special, punitive, or consequential loss; or
• loss of profits, revenue, business opportunity, goodwill, or anticipated savings.

14.3 Subject to Section 14.1, SafeHabits will not be liable for loss or corruption of data except to the extent caused by its breach of these Terms or applicable law.

14.4 Subject to Sections 14.1 to 14.3, SafeHabits' total aggregate liability arising out of or in connection with these Terms, all Order Forms, and the Service will not exceed the total fees paid or payable by the Customer to SafeHabits under the affected Order Form during the 12 months preceding the event giving rise to the claim.

15.1 SafeHabits may use subcontractors and subprocessors in connection with the Service.

15.2 SafeHabits remains responsible for the performance of its subcontractors to the extent required under these Terms and the DPA.

16.1 SafeHabits may not use the Customer's name, logo, or trademarks in public marketing materials, case studies, or on its website without the Customer's prior written consent, unless otherwise stated in the applicable Order Form.

17.1 SafeHabits may make reasonable changes to the Service from time to time to improve functionality, security, compliance, usability, or performance.

17.2 SafeHabits may update these Terms from time to time.

17.3 For active paid Campaigns, if SafeHabits makes a material adverse change to these Terms, it will notify the Customer. The updated Terms will apply from the stated effective date unless the Customer objects in writing before that date, in which case the previously agreed Terms will continue to apply until the end of the then-current Order Form term, unless the change is required by law, security necessity, or regulatory obligation.

Neither party will be liable for delay or failure to perform obligations under these Terms, except payment obligations, to the extent caused by events beyond its reasonable control, including natural disasters, war, terrorism, civil unrest, labour disputes, internet or telecommunications failures, denial-of-service attacks, or failures of critical third-party infrastructure.

19.1 These Terms and any non-contractual disputes or claims arising out of or in connection with them are governed by the laws of the Czech Republic, excluding conflict-of-laws rules.

19.2 The courts of the Czech Republic will have exclusive jurisdiction over disputes arising out of or in connection with these Terms, and the court of first instance with territorial jurisdiction under applicable procedural law will apply, unless the parties agree otherwise in the Order Form.

20.1 Entire Agreement. These Terms, together with each Order Form and the DPA, constitute the entire agreement between the parties relating to the Service and supersede all prior or contemporaneous agreements on that subject.

20.2 Severability. If any provision of these Terms is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

20.3 No Waiver. A failure or delay in exercising any right under these Terms is not a waiver of that right.

20.4 Assignment. Neither party may assign these Terms without the other party's prior written consent, except that SafeHabits may assign them in connection with a merger, acquisition, reorganisation, or sale of substantially all of its assets or business relating to the Service.

20.5 Independent Contractors. The parties are independent contractors. These Terms do not create a partnership, agency, fiduciary, or employment relationship.

20.6 Notices. Notices under these Terms must be in writing and sent by email or other agreed written means to the contact details set out in the applicable Order Form, and will be deemed received on confirmed delivery or, if no confirmation is available, on the next business day after sending.

20.7 Survival. Sections relating to fees, confidentiality, intellectual property, data protection, liability, governing law, and any provisions that by their nature should survive, will survive termination or expiry.