Terms and Conditions for Securosys CloudHSM
Edition: June 2026
1. Definitions
- Whenever used in this Agreement with an initial capital letter, the terms quoted and defined in this Section 1, whether used in singular or plural, shall have the meanings specified below.
| Term | Definition |
|---|---|
| “Affiliate” | It means, with respect to an entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity or its successor entity, but only for so long as such control exists. |
| “Agreement” | It means the Order Form, this document, and any further appendices. |
| “Appendix” | It means any document appended to, and thereby explicitly forming an integral part of this Agreement. |
| “Appendix I” | Appendix I to Terms and Conditions Securosys CloudHSM, Service Level and Support Services – HSMaaS / TSBaaS / RESTaaS |
| “Appendix II” | Appendix II to Terms and Conditions Securosys CloudHSM, Service Description – HSMaaS / TSBaaS / RESTaaS |
| “Applicable Regulatory Requirements” | It means the laws, regulations, delegated or implementing acts, and supervisory or technical guidance that are legally binding on Securosys and directly apply to Securosys in its provision of the Service from Switzerland and from any EU/EEA Member State or other jurisdiction in which Securosys actively operates a Securosys-controlled service site, and that are limited to ICT security, operational resilience, cybersecurity, ICT outsourcing, data protection and the Use of AI in ICT systems. By way of example, and only where they meet the foregoing conditions, Applicable Regulatory Requirements include DORA, NIS2, the EU Cyber Resilience Act (CRA) and the EU AI Act, in each case as in force on the effective date of this Agreement and as subsequently addressed through Sections 6.6 and 12.11. |
| “Competent Authority” | It means any national, EU or other supervisory or governmental authority that has jurisdiction over Securosys, the Subscriber or the Service under Applicable Regulatory Requirements. |
| “Critical or Important Function” | It means a function, process, or service that the Subscriber identifies in writing as critical, important or equivalently significant under Applicable Regulatory Requirements in relation to its Use of the Service. |
| “Documentation” | It means the description of the Platform accessible at https://docs.securosys.com & https://support.securosys.com, the applicable Service Level and Support Services Appendix, the applicable Service Description, the product-specific supplement, and Securosys policies made available to the Subscriber, including, where made available for the Service, security or vulnerability-disclosure information, a current list of Material Subcontractors, and regulatory-information materials. The Documentation comprises additional information and terms for the Use of the Platform. Unilateral changes to this Documentation shall neither materially reduce the quality or quantity of the Platform, or the Service nor add material obligations to the Subscriber. |
| “ICT-related incident” | It means an event or series of linked events unplanned by the Subscriber or Securosys that has, or may have, an adverse impact on the security of the network and information systems supporting the Service. |
| “Licensed Material” | It means Platform and Documentation. |
| “Material Subcontractor” | It means any subcontractor whose services materially support the delivery, security, resilience, continuity, or regulatory compliance of the Service. |
| “Order Form” | It means an Order Form declaring the Subscriber’s will to purchase goods or subscribe to services Securosys is offering. Among other things, an Order Form specifies the number of items or subscriptions ordered, the subscription term, and applicable fees. |
| “Platform” | It means the combination of Software and physical hardware provided by Securosys to the Subscriber via the Internet. |
| “Security Vulnerability” | It means a weakness, misconfiguration, or defect that could be exploited to compromise confidentiality, integrity, or availability of the Service or the Subscriber’s integration with the Service. |
| “Software” | It means computer programs, computer program changes, computer program enhancements, provided in object code, and/or any Documentation related thereto provided by Securosys. |
| “Support Hourly Base Rate” (HBR) | It means the rate at which support will be invoiced to the Subscriber for support services consisting of answering questions and solving or bypassing known problems, or problems not caused by the Securosys Service. |
| “Use” or “Service” | It means the complete or partial, momentary, or permanent booting, importing, storing, transmitting, transforming, displaying, running, and playing of the Software and/or accessing of the Platform. |
2. Scope
- The scope of this Agreement is to define the terms and conditions for the remote connection to, and Use of, the Services and Platforms operated by Securosys under the CloudHSM brand, including shared or dedicated HSMaaS, TSBaaS and related Services.
3. Structure and Precedence
- The Parties agree on the following structure of documents constituting this Agreement:
- The Order Form and its appendices
- This document, the Terms and Conditions for Securosys CloudHSM
- The applicable Service Level and Support Services Appendix I for the respective Service
- The applicable Service Description Appendix II for the respective Service
- In case of a conflict between the terms of these documents, the Order Form prevails over the terms stipulated in its appendices, and the Order Form and its appendices prevail over the terms of the documents in (b) - (d). Omitted terms in a document are completed by the terms of the subordinate document. In case of a conflict between this document and/or documents (c) and (d), the terms of the earlier document shall prevail over those of the later document.
- Any general terms and conditions of the Subscriber are explicitly waived.
4. Provision
- The Service is provided by remote access, i.e., Internet.
- The contractual Services are delivered from Securosys to the Subscriber at the outgoing router interface of Securosys’ data center or as specifically described in the description of the Service. The Subscriber’s access to the Internet, network connection, as well as provision and maintenance of the necessary hardware and Software, are not subject to this Agreement.
- Securosys shall provide the Subscriber with the necessary login credentials for remote access and the Licensed Material.
- Unless stipulated otherwise in this Agreement, Securosys shall provide the Software and Documentation in their latest version which is released by Securosys to its Subscribers.
- For parts of the Services and where reasonably necessary for audit, assurance or regulatory purposes, Securosys grants the Subscriber an audit and access right, subject to reasonable notice and to confidentiality, security and tenant-segregation safeguards. Securosys may satisfy such requests through available assurance reports, pooled audits, controlled evidence reviews or other reasonable alternatives where an individual audit would affect the rights, confidentiality or security of other subscribers. The Subscriber shall bear the reasonable internal and external costs of any individual audit requested by the Subscriber, including time spent, travel expenses and subcontractor costs, unless otherwise agreed in writing.
- Right to make copies. The audit and access right under Section 4.5 includes the rights of the Subscriber, and of any auditor or Competent Authority acting on the Subscriber's behalf under equivalent confidentiality obligations, to take reasonable copies of Documentation relevant to the audit purpose. Such copies shall be (a) treated as Securosys' Confidential Information under Section 12, (b) limited to what is reasonably necessary, (c) subject to redaction by Securosys to protect other subscribers, personal data of Securosys personnel, cryptographic keys and credentials, and bona-fide trade secrets, and (d) returned or securely destroyed upon Securosys' written request after the audit, except where retention is required under Applicable Regulatory Requirements. The audit and access right includes reasonable copies of Documentation relevant to the audit purpose under equivalent confidentiality obligations and subject to redaction, confidentiality and security safeguards. Securosys may satisfy a copy request through extracts, a virtual review session or other reasonable alternatives and may decline copies whose release would compromise the security of the Service for other subscribers, breach legal privilege or violate applicable law. The reasonable internal and external costs of preparing copies, redactions and alternative formats are borne by the Subscriber in accordance with Section 4.5.
- The Service is provided from the Service locations specified in the Service Description applicable to the Service selected in the Order Form. Securosys will notify the Subscriber within a reasonable period before any material change to the Service locations or jurisdictional profile relevant to the Service, unless shorter notice is required for urgent security, legal or operational reasons. Unless otherwise agreed in writing, new active sites for country-specific Service offerings will remain within the advertised country or jurisdictional profile stated in the applicable Service Description.
5. Ownership and License
- Securosys shall retain sole ownership of the Licensed Material. The intellectual property rights pertaining to the Licensed Material shall vest in Securosys. Securosys shall own all rights in developments, translations, changes and updates/upgrades of the Licensed Material and any copies made thereof, as well as any disassembly of the Software and copies thereof.
- Securosys grants the Subscriber a non-exclusive, non-transferable, worldwide license, for the term of this Agreement and subject to payment of the applicable fees under this Agreement, to Use the Licensed Material in accordance with this Agreement.
- The license granted to the Subscriber in Section 5.2 is limited to the Use of the Licensed Material within the Subscriber’s organization and the Subscriber’s Affiliates. This license shall not include the right to sub-license, sell, lease, transfer or otherwise grant third parties access to the Platform and/or Licensed Material in parts or in whole without Securosys’ written Agreement. However, the Subscriber is allowed to allow its and its Affiliates’ third-party Service providers (e.g., IT outsourcing providers or freelancers) access to the Platform and/or Licensed Material to the extent these third-party Service providers Use this access to the Platform and/or Licensed Material only for the Subscriber or the Subscriber's Affiliates (i.e., not any other of their clients), and the Subscriber is responsible for their acts and omissions as if they were its own acts or omissions. The Subscriber shall ensure that any such third-party Service providers are contractually bound to security, confidentiality and operational resilience obligations no less protective than those set out in this Agreement and, where applicable, the Applicable Regulatory Requirements.
6. Terms and Termination
- This Agreement becomes effective upon delivery of the credentials to the Subscriber according to Section 4.3 above.
- The term of the Agreement, unless specified otherwise in the Order Form, is at minimum twelve (12) months and, unless terminated, the Agreement is automatically extended by successive periods of twelve (12) months. The Subscriber may terminate this Agreement, or any relevant Appendix, by mail with a three (3) months’ notice period to the end of the current Agreement term. Securosys may terminate this Agreement, or any relevant Appendix, by mail with a six (6) months’ notice period to the end of the then-current Agreement term. The ordinary notice periods set out in this Section 6.2 are subject to the special termination rights under Sections 6.3, 6.4, 6.5 and 6.6. Shorter notice periods are possible against an additional fee. There shall be no refund for one-time license fees; recurring license fees (subscription fees) are due until the effective date of termination (i.e., the expiration of the notice period), unless the Subscriber terminates this Agreement due to breach of contract by Securosys or pursuant to Section 6.6 due to Securosys changes.
- Either party may terminate this Agreement for cause by written notice if the other party is notified in writing of a material breach of this Agreement and fails to remedy such breach within thirty (30) days following such notice. If Securosys’ certifications (e.g., ISO 27001) or the agreed certifications of its data center are revoked or not extended, the Subscriber has the right to terminate this Agreement for cause. Securosys shall proactively inform the Subscriber of such changes in the certification status.
- Either party may terminate the Agreement immediately if:
- the other party files or has filed against it a petition for voluntary or involuntary bankruptcy or pursuant to any other insolvency law or is adjudicated bankrupt;
- the other party makes or seeks to make a general assignment for the benefit of its creditors or applies for, or consents to, the appointment of a trustee, receiver, or custodian for a substantial part of its property;
- continued performance of the Agreement would be unlawful for the terminating party, or a mandatory exit, suspension or termination is required by a binding order of a Competent Authority.
The Subscriber may further terminate this Agreement immediately, or on any shorter period required under Applicable Regulatory Requirements, only to the extent reasonably necessary for the Subscriber to comply with Applicable Regulatory Requirements, and where the relevant issue cannot reasonably be cured, mitigated or otherwise addressed through proportionate alternative measures within a commercially reasonable period, if: (a) Securosys commits a significant breach of Applicable Regulatory Requirements or of this Agreement relevant to the Service, and such breach materially affects the Subscriber’s lawful or compliant Use of the Service; (b) documented and material weaknesses in Securosys’ overall ICT risk management, information security, operational resilience or compliance posture relating to the Service make continuation of the arrangement no longer reasonably permissible for the Subscriber under Applicable Regulatory Requirements; (c) a Competent Authority informs the Subscriber in writing, or otherwise requires, that it can no longer effectively supervise, inspect or audit the arrangement because of the structure, Service locations, subcontracting chain or other circumstances relating to the Service; (d) a material change to a Material Subcontractor or to Service locations materially adversely affects the Subscriber’s compliance obligations or the regulatory suitability of the Service, and the matter is not resolved within a reasonable period after the Subscriber’s reasoned objection. In case of a termination by the Subscriber under this paragraph, Securosys will refund any prepaid recurring fees on a pro rata basis for the period after the effective termination date. Except as required by non-waivable law, such refund is the Subscriber’s sole monetary remedy for such termination and Section 11 remains unaffected.
- Although Securosys may offer the Service temporarily free-of-charge, Securosys may cease any free-of-charge access to the Platform at any time.
- The features of the Platform and the Securosys policies may be enhanced and may be adapted by Securosys to reflect technical advances and to allow for the Platform’s continuing compliance with applicable mandatory law (whereas such enhancements/adaptation shall not materially reduce the quality or quantity of the Platform or the Service nor add material obligations to the Subscriber) (“Continuous Modification”). Securosys will provide information about Continuous Modifications within a reasonable period of notice (in general 6 weeks before the change is scheduled to take effect). This change notice will be issued by email. In the event that a change may negatively affect the justified interests of the Subscriber so that the Subscriber can no longer reasonably be expected to adhere to the Agreements in the Order Form, the Subscriber may terminate the affected cloud Service in writing with a notice period of one month until one month after the announced change became effective.
- Upon termination of this Agreement, the Subscriber’s remote access right to the Platform and the Subscriber’s right to the Use of the Licensed Material shall cease without undue delay. The Subscriber shall entirely and irrevocably delete the Documentation and any copies thereof, in part or whole, as well as all login credentials for the remote access, unless they are necessary for tax or other legal reasons, to prove potential claims against Securosys, or are included in regular IT backup systems. In the latter event, they remain subject to confidentiality and must be deleted in the regular backup cycles. The Subscriber shall inform Securosys, upon Securosys’ written request, about such deletion. If the Subscriber does not comply with this deletion obligation or if the Subscriber accesses the Platform and/or uses the Licensed Material after termination of the Agreement, Securosys shall be entitled to continue invoicing any recurring fees. If the Subscriber’s migration to a replacement provider cannot be completed on schedule, Securosys shall continue to provide the Services under this Agreement in the existing scope and at the defined Service Levels in return for payment of reasonable consideration until such time as the migration work is completed ("Transitional Period"). The remuneration paid by the Subscriber for the Services prior to the termination or expiration of this Agreement shall be deemed reasonable consideration for a period of three months. Following that period, and every six months thereafter, the Parties shall renegotiate the remuneration.
Upon the Subscriber’s written request made before deletion under Section 6.8, and subject to the technical capabilities of the subscribed Service and the applicable Service Description, Securosys will reasonably assist the Subscriber in exporting or transferring the Subscriber’s HSM partition data and, where technically supported and permitted by key configuration and policy, exportable key material using supported formats or transfer mechanisms. The Subscriber acknowledges that certain key configurations, including non-exportable keys or specific partition settings, may limit portability.
- Upon termination, the Subscriber’s HSM key data (partition) is deleted by Securosys in accordance with the written cancellation order by the Subscriber. Any data in backups are kept confidential and will be deleted in the regular backup cycles. Upon reasonable written request, Securosys will confirm completion of deletion after the applicable backup cycle.
7. Remuneration
- The fees according to the Order Form are due by the Subscriber in advance after submittal of proper invoice by Securosys (including – if provided by the Subscriber in due time before the time of the invoice – a purchase order number).
- The fee is due by the Subscriber irrespective of the Subscriber activity.
- Unless stipulated otherwise in the Agreement, all amounts exclude the applicable VAT. VAT shall be added to the invoice by Securosys and is due by the Subscriber.
- In case of default of payment by the Subscriber with due and undisputed amounts equaling at least three (3) months’ payments (whereas the Subscriber shall dispute amounts only in good faith) and after two reminders with a grace period of ten (10) days each, Securosys has the right to block the Subscriber’s access to the Service.
- The Subscriber shall be liable for any interest on overdue payments under this Agreement commencing on the date such payment becomes due. The annual interest rate shall be five per cent (5%) per year.
- The recurring fee agreed in the Order Form applies to the initial subscription term agreed therein. The fee applicable for any renewal term shall correspond to the fee for the preceding term unless Securosys adjusts the recurring fee by giving the Subscriber at least three (3) months’ written notice before the start of the renewal term. If the Subscriber does not agree to the adjusted fee, the Subscriber may terminate the affected cloud Service or this Agreement with effect as of the end of the then-current term by giving written notice before the renewal term begins. If the Subscriber does not so terminate before the renewal term begins, the adjusted fee shall apply for the renewal term.
- Payment of the Service fee is due as follows:
- In advance on a yearly basis or
- In advance for the complete committed subscription duration or
- In advance for the complete committed subscription duration if the subscription period is less than one year
- Invoicing is generally performed once per calendar year or once for the full subscription commitment period. Standard subscription payments are expected to be made through the payment methods supported by Securosys SA. If the Subscriber requests invoicing more frequently than once per year, where payment is processed via invoice rather than an automated online payment method supported by Securosys SA, or if additional administrative intervention by the Securosys SA accounting department is required, including payment reminders, collection activities, special billing arrangements, customer-specific administrative processing, purchase-order administration, or activities performed outside Securosys standard systems and processes, Securosys SA may charge a service fee of CHF 150.00 per invoice or administrative intervention, or the actual cost incurred if higher. This service fee is independent of, and in addition to, any other financial obligations of the Subscriber under this Agreement.
8. The Subscriber’s Obligations
- The Subscriber shall be responsible and accountable for the selection, provision, installation, implementation, system requirements, Use and maintenance of the necessary hardware, Software and network Services for:
- the remote access up to the router interface of Securosys’ data center, and
- the Use of the Licensed Material.
- Backups outside the Platform (i.e. the HSM cluster) of HSM partition data (e.g. key objects) are the sole responsibility of the Subscriber. The Subscriber is responsible for keeping such backups safeguarded.
- The Subscriber may only Use the Platform if not prohibited by applicable law, including applicable embargoes, sanctions, or denied-party restrictions administered or imposed by Switzerland, the European Union, the United Nations, the United Kingdom, or the United States, in each case to the extent applicable to Securosys, the Service, or the Subscriber’s Use of the Service. The Subscriber may not contract for any Services from Securosys if the Subscriber is located in, organized under the laws of, or ordinarily resident in a country or territory subject to such restrictions, or if the Subscriber is listed on any applicable sanctions or denied-party list.
- The Subscriber shall protect its own login, identification and authentication credentials, and those of its users, for remote access to the servers of Securosys from access by unauthorized third parties and shall not disclose any such credentials to any unauthorized third parties. The Subscriber shall inform Securosys without undue delay if there are indications that an unauthorized third party has obtained access to the login, identification, or authentication credentials, or if such credentials could be misused.
- The Subscriber shall be responsible and accountable for obtaining any consent required from any person whose personal data is processed by the Subscriber in connection with the Use of the Platform, to the extent such consent is required under applicable data protection law.
- The Subscriber shall not, nor allow others to, misuse the Platform. The Subscriber shall not transmit, or allow others to transmit, any data, content and/or information that is illegal or that infringes copyrights and/or other intellectual property rights of third parties to the servers of Securosys. The Subscriber shall remain responsible for its own data and content, and for the data and content of its users.
- The Subscriber shall refrain from retrieving information or data by unauthorized access or by access to an unauthorized third party. Any penetration testing or similar security testing involving the Service is subject to Section 8.14.
- Prior to any submission of data, content and/or information (other than key data in HSM) via e-mail or to the support portal by the Subscriber, and/or by end users of the Subscriber, the Subscriber represents that all such data, content and/or information has been scanned with state-of-the-art anti-virus programs.
- If the data, content and/or information transferred by the Subscriber infringe third-party rights, harm the Platform, or are in any other way in breach of this Agreement, then Securosys may disable such data, content and/or information in part or in whole. In such event, the Subscriber shall either provide or acquire the necessary rights to access such data, content and/or information, or change such data, content and/or information in a way that is non-infringing, or delete such data, content and/or information from the Platform. If the Subscriber does not comply with this request, Securosys shall be entitled, for objects other than keys, to delete the data, content and/or information and/or terminate the Agreement for cause without notice. The right to claim damages remains reserved.
- By subscribing to the Service, the Subscriber acknowledges that personal data (name, e-mail, phone, position) of registered support users and contact details for Subscriber satisfaction surveys are collected and processed for the purpose of interaction under this Agreement. The Subscriber shall not transfer any sensitive or special-category personal data to Securosys. The Subscriber may request deletion of personal data. In such cases, personal data will be anonymized to preserve, for operational reasons, the ticket flow on the support portal.
- The Subscriber shall implement and maintain appropriate information security and digital operational resilience measures for its own systems that connect to, consume, or depend on the Service, including secure configuration, patch management, access control, monitoring, and business continuity/backup arrangements.
- The Subscriber shall maintain an up-to-date primary and secondary 24/7 security contact point (e-mail and phone) and keep contact details in the support portal and/or Order Form current; changes must be communicated without undue delay. The Subscriber shall ensure that at least one registered support user receives Service update and maintenance announcements.
- The Subscriber shall notify Securosys without undue delay via support ticket and, where applicable, the security contact channel of any suspected or confirmed ICT-related incident or Security Vulnerability that may affect the Service or the Subscriber’s credentials, including indications of denial-of-service or distributed denial-of-service activity.
- The Subscriber shall not perform load or stress testing, scanning, penetration testing against shared components, or any denial-of-service or resilience simulation against the Service without prior written coordination and approval by Securosys. Any regulatory or resilience testing involving the Service, including threat-led exercises, business continuity tests or exit/migration tests, shall be coordinated in advance and may be subject to reasonable safeguards, scope limitations and cost arrangements. Securosys shall not unreasonably withhold or delay approval where such testing is legally required, limited to the Subscriber-dedicated components or otherwise can be performed without undue risk to shared components or other subscribers.
- The Subscriber remains responsible for compliance with all laws and regulations applicable to its own Use of the Service, including requirements applicable to any systems, applications, outsourcing arrangements or AI-enabled processes into which the Service is integrated. The Subscriber shall follow Securosys’ documented security instructions for integrations.
9. Warranty of Services
- Securosys warrants the Service as described in the applicable Service Level and Support Services appendix and the applicable Service Description.
- Securosys actively monitors the market regarding security vulnerabilities and threats to its Licensed Material that become known and maintains a vulnerability-management process for the Service and for delivered Software components. If such vulnerabilities or threats become known, Securosys takes the necessary measures without undue delay to remedy such vulnerabilities and prevent security threats. Securosys further proactively informs the Subscriber of such vulnerabilities or threats as soon as they become known, so that the Subscriber can assess the corresponding risk, and will promptly provide the Subscriber with the measures taken to prevent them, in particular bug fixes, updates and other remediation measures, without additional cost. For any Software components delivered to the Subscriber (including client-side providers/tools), the Subscriber remains responsible for deploying updates and mitigation guidance in its own environment. Securosys will support coordinated vulnerability disclosure for Security Vulnerabilities affecting the Service or delivered Software in accordance with the Documentation.
- Subject to delivery of the Licensed Material without warranty (i.e., trial versions, free-of-charge Platform access), Securosys warrants that the Platform meets the specification in the Documentation at the time of conclusion of this Agreement.
- The Subscriber undertakes to test the Licensed Material prior to any productive Use. The Subscriber acknowledges and agrees that after termination of this Agreement any remote access to the servers of Securosys ceases. Securosys will delete data, content and information transmitted to the Service after termination of this Agreement upon written cancellation order. In case the Subscriber does not provide a cancellation order, Securosys will send two reminders with a grace period of ten (10) days each before deleting the data. Securosys may charge reasonable fees for the storage of the Subscriber’s data, content and information beyond the termination of the Agreement.
- If, after release of new Software, the Subscriber detects and informs Securosys in writing by means of a support ticket of a programming error in the Software, or if Securosys otherwise becomes aware of such error, Securosys shall correct such programming error within a reasonable period. Such correction may, in Securosys’ sole discretion, consist of debugging, instructions to avoid the programming error (whereas such workaround shall only be a temporary solution and does not relieve Securosys from its obligation to fix the error), or provision of new Software that is error free but still complies with all contractually agreed requirements. If despite two (2) rounds of efforts by Securosys the programming error cannot be corrected and if the usability of the Software compared to the Documentation is severely impaired or impossible, then the Subscriber shall set another grace period to correct the programming error, upon which unsuccessful expiry the Subscriber may terminate the Agreement. The remuneration shall then be reimbursed by Securosys to the Subscriber from the moment of the error reporting until the end of the prepaid Subscription period, after which the Subscriber shall have no access anymore to the Licensed Material.
- This warranty shall be voided if the Subscriber misuses the Licensed Material or modifies the Licensed Material without authorization and such modification causes or contributes to the error.
- This warranty shall be void to the extent that Securosys is not responsible for the programming error.
10. Warranty of Title
- To the best of its knowledge, Securosys represents and warrants that Licensed Material (including its Documentation) does not infringe the rights of any third party.
- In the event of a third-party right infringement claim against the Licensed Material, Securosys shall defend the Subscriber against such claim at its expense and pay all costs, damages, and attorney’s fees up to an amount that a court finally awards or that are included in a settlement approved by Securosys (further damages are reimbursed capped on the limitation of liability according to Section 11), provided that the Subscriber:
  - without undue delay notifies Securosys in writing by registered mail of the claim; and
  - allows Securosys to control, and reasonably cooperates with Securosys in, the defense and any related settlement negotiations.
- If such a third-party claim is made, or appears likely to be made, the Subscriber agrees to permit Securosys to enable the Subscriber to continue to Use the Licensed Material or to modify it or to replace it with Licensed Material that is at least functionally equivalent but non-infringing. If Securosys determines that none of these alternatives is reasonably available, the Subscriber agrees to return the Licensed Material to Securosys on written request. Securosys shall then issue the Subscriber a credit equal to the amount paid by the Subscriber for the Licensed Material for the current contract year.
- This remedy is Securosys’ entire obligation to the Subscriber regarding any infringement claim.
- To the extent the modification of the Platform by the Subscriber causes infringement, the indemnification above shall be void.
11. LIMITATION OF LIABILITY
- CIRCUMSTANCES MAY ARISE WHERE, BECAUSE OF A DEFAULT BY SECUROSYS IN PERFORMANCE OF ITS OBLIGATIONS UNDER THIS AGREEMENT OR OTHER LIABILITY, THE SUBSCRIBER IS ENTITLED TO RECOVER DAMAGES FROM SECUROSYS. REGARDLESS OF THE BASIS ON WHICH THE SUBSCRIBER IS ENTITLED TO CLAIM DAMAGES FROM SECUROSYS, AND EXCEPT AS EXPRESSLY REQUIRED BY LAW WITHOUT THE POSSIBILITY OF CONTRACTUAL WAIVER, SECUROSYS’ ENTIRE LIABILITY FOR ALL CLAIMS IN THE AGGREGATE FOR THE TERM OF THIS AGREEMENT ARISING FROM OR RELATED TO THE SOFTWARE OR SERVICE OR OTHERWISE ARISING UNDER THIS AGREEMENT SHALL NOT EXCEED THE AMOUNT OF 100% PAYMENTS PAID BY THE SUBSCRIBER TO SECUROSYS FOR THE CURRENT CONTRACT YEAR.
- THE LIMIT IN SECTION 11.1 ALSO APPLIES TO ANY OF SECUROSYS’ SUBCONTRACTORS. IT IS THE MAXIMUM FOR WHICH SECUROSYS, AND ITS SUBCONTRACTORS ARE COLLECTIVELY LIABLE.
- SECUROSYS’ LIABILITY FOR DAMAGES CAUSED:
  - BY WILLFUL MISCONDUCT
  - BY GROSS NEGLIGENCE
  - TO LIFE, LIMB OR HEALTH AS WELL AS
  - UNDER THE LAWS OF PRODUCT LIABILITY AND
  - FOR GUARANTEES GIVEN REMAIN UNAFFECTED.
- THE LIMITATION OF LIABILITY IN THIS SECTION 11 APPLIES ACCORDINGLY TO THE SUBSCRIBER AND ITS AFFILIATES.
- EXCEPT AS EXPRESSLY REQUIRED BY LAW WITHOUT THE POSSIBILITY OF CONTRACTUAL WAIVER, UNDER NO CIRCUMSTANCES ARE SECUROSYS OR ITS SUBCONTRACTORS LIABLE FOR ANY OF THE FOLLOWING EVEN IF INFORMED OF THEIR POSSIBILITY:
  - LOSS OF, OR DAMAGE TO DATA;
  - SPECIAL, INCIDENTAL, EXEMPLARY, INDIRECT, OR CONSEQUENTIAL DAMAGES; OR
  - LOST PROFITS, BUSINESS, REVENUE, GOODWILL, OR ANTICIPATED SAVINGS.
12. Confidentiality and Data Protection
- Both Parties undertake to protect the other party’s Confidential Information acquired in connection with performance of this Agreement as confidential to the same extent that they protect their own Confidential Information, and at least with the care of a prudent businessperson. Confidential Information of the other party may only be shared with or disclosed to third parties who are under obligations of confidentiality substantially similar to those in this Section 12 and only to the extent necessary to enable the receiving party to exercise its rights or perform its obligations under the Agreement. Any reproduction of any Confidential Information of the other party shall contain all confidential or proprietary notices or legends which appear on the original, to the extent technically feasible.
- Section 12.1 above shall not apply to any Confidential Information that:
  - is independently developed by the receiving party without reference to the disclosing party's Confidential Information;
  - is generally available to the public without a breach of the Agreement by the receiving party or is lawfully received free of restriction from a third party having the right to furnish such Confidential Information;
  - at the time of disclosure, was known to the receiving party free of confidentiality restrictions;
  - the disclosing party agrees in writing is free of confidentiality restrictions; or
  - is required to be disclosed due to the laws of the relevant jurisdiction of such party or other applicable law, including in respect of any government authority, or pursuant to any order of a court or judgment.

  In the latter case, the receiving party shall without undue delay inform the disclosing party, to the extent allowed by law, and shall take all reasonable efforts to defend such disclosure.
- Securosys undertakes to comply with the provisions of the applicable data protection legislation (i.e. Swiss data protection law and GDPR) and with the latest technical and organizational standards generally accepted in professional circles. Securosys may collect, process and use personal data only within the scope of this contract and in accordance with the instructions of the Subscriber, to the extent applicable.
- If a data subject asserts any data protection claims (e.g. for information, correction, or deletion) against Securosys, Securosys shall support the Subscriber by forwarding the request to the Subscriber.
- To the extent, and only to the extent, Securosys processes personal data on behalf of the Subscriber as processor in connection with the Service, the Parties shall enter into a separate data processing Agreement or applicable appendix before the Subscriber transfers the relevant personal data to Securosys for such processing. The Subscriber is responsible for assessing whether its Use of the Service requires such processor arrangement and for notifying Securosys in due time. Absent such processing and such separate arrangement, this Agreement does not by itself characterize any aspect of the Service as processor activity.
- In the event of a material ICT-related incident affecting the Service, Securosys will provide reasonable assistance and cooperation to the Subscriber to mitigate, manage and resolve the incident and to support the Subscriber’s own regulatory reporting obligations. Such assistance is included in the Service to the extent it concerns Securosys’ standard incident handling, which includes initial triage, reasonable incident communications, and a post-incident summary or report as defined in Appendix I. Any materially extended or extraordinary Services may be provided as pre-agreed Service packages or Services and are subject to prior Agreement on scope and fees or to pre-agreed Service packages or Services set out in the Order Form or applicable Service Description.
- When engaging subcontractors, Securosys will ensure that the relevant contractual arrangements are in writing and contain confidentiality, security and, where applicable, regulatory cooperation obligations consistent with this Agreement. Securosys remains responsible for the acts and omissions of such subcontractors as if they were its own. Securosys will maintain, as part of the Documentation, a reasonably current list of Material Subcontractors supporting the Service and will provide reasonable prior notice of any material change to such Material Subcontractors.
- The Subscriber acknowledges that Securosys may be required to disclose certain information relating to the Service, incidents, security measures, subcontractors or Service locations to Competent Authorities under Applicable Regulatory Requirements. Where legally permissible, Securosys will inform the Subscriber of such disclosure.
- Upon reasonable request and subject to mutual Agreement on scope, timing and costs, Securosys may participate in the Subscriber’s ICT security, business continuity or operational resilience coordination activities to the extent they relate specifically to the Service.
- Where required by Applicable Regulatory Requirements, the Parties will agree in good faith on additional contractual provisions (for example information formats, reporting cadences, register-of-information data, subcontractor notices or exit-support measures) in the Order Form or an addendum, without materially reducing the protections already granted to the Subscriber.
13. Regulatory Requirements and Shared Responsibility
- Shared responsibility model. Securosys is responsible for the security and resilience of the Service components under its control, including CloudHSM infrastructure and operations. The Subscriber is responsible for the security, resilience and lawful Use of its own environment, applications, networks and processes that connect to or depend on the Service, including key lifecycle governance, access management and secure configuration of client-side components. The detailed Service description and the sub-contractor list, including locations, are provided in the Service Description or further referenced Documentation.
- Regulatory information and criticality notices. The Subscriber shall provide Securosys with accurate and up-to-date information reasonably necessary for Service delivery and regulatory cooperation, such as nominated contacts, regulated status, criticality classification and incident points of contact. Detailed Service descriptions, Service locations and the current list of Material Subcontractors for the Service are provided in the applicable Service Description and/or referenced Documentation. Upon reasonable request, and subject to confidentiality and the rights of other Subscribers, Securosys will provide information reasonably available to it that the Subscriber may require for its register of information or equivalent regulatory inventory, including LEI or equivalent identifier, Service category, Service locations and Material Subcontractor information relevant to the Service. Where the Subscriber notifies Securosys that the Service supports a Critical or Important Function, the Parties will cooperate in good faith on any proportionate supplementary measures or addenda reasonably required under Applicable Regulatory Requirements.
- Threat-led and resilience testing. Where the Subscriber is subject to legally required resilience testing, including penetration testing, Securosys will reasonably participate in and enable such testing to the extent related to the Service, subject to reasonable notice, confidentiality and security safeguards, the protection of other Subscribers and shared components, and agreed scope, test windows and fees.
14. General Provisions
- All notices for default under, or termination of, this Agreement shall be sent by registered mail to the Party’s addresses according to the Order Form.
- Each Party is an independent contractor and shall independently establish prices and terms for its Services and/or products. Neither Party is, nor will claim to be, a legal representative of the other Party. This Agreement does not create a joint venture, employment relationship or agency relationship between the Parties.
- Except as expressly provided in this Agreement, neither Party grants the other Party, whether directly or by implication or otherwise, any patent, copyright, trademark, trade secret, know-how, or other intellectual property right. No Party shall remove or alter any symbols or legends indicating any intellectual property right. The usage of the Subscriber's brand and name in marketing material requires the Subscriber's prior written consent.
- Except as explicitly provided in this Agreement, neither Party may assign, or otherwise transfer, its rights or delegate its obligations under this Agreement without the prior written consent of the other Party. Any attempt to do so shall be void. However, the assignment of this Agreement, in whole or in part, to an Affiliate does not require the consent of the other Party. Securosys is also permitted to assign its rights to payments under this Agreement without obtaining the contracting Party’s consent.
- Neither Party shall be liable for any failure or delay in the performance of its obligations under this Agreement if such failure or delay is due to a force majeure event, such as without limitation, acts of God, fire, flood, natural catastrophe, power surges, acts of any government or of any civil or military authority, national emergencies, riots, vandalism, terrorism, war, insurrection, strikes, or any occurrence beyond the reasonable control of such Party. Securosys shall take all commercially reasonable efforts to prevent and remedy the effects of a force majeure event. If a force majeure event prevents one party from the performance of its contractual obligations for more than thirty (30) Business Days, the other party has the right to terminate the Agreement for cause. Securosys shall refund any fees for the remaining term on a pro rata basis.
- To the extent permitted by applicable law, except for claims arising out of Sections 5, 7 and/or 8, neither Party may bring an action arising out of this Agreement, regardless of form, more than one (1) year after the cause of action has accrued.
- Any rights and obligations, which by their nature survive and continue after the expiration or termination of this Agreement, shall survive, and continue, and shall bind the Parties and their successors and assigns, until such obligations are fulfilled.
- This Agreement may only be amended by a writing signed by authorized representatives of the Parties.
- If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the validity, legality and enforceability of the remaining provisions will in no way be affected or impaired as long as the intent of the parties can be preserved. In such cases, both Parties undertake to replace the invalid, illegal or unenforceable provision with another valid, legal, and enforceable regulation. The same principle applies to open terms or omissions.
- This Agreement shall be governed by and construed in accordance with the laws applicable to the Securosys entity identified in the applicable Order Form as the contracting party for the Services, excluding its conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods of 11 April 1980 (CISG; SR 0.221.211.1) shall not apply.
- FOR THE SUBSCRIBERS CONTRACTING WITH SECUROSYS INC., USA, ANY DISPUTE, CONTROVERSY, OR CLAIM ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL BE FINALLY RESOLVED BY BINDING ARBITRATION. ARBITRATION SHALL BE CONDUCTED IN ACCORDANCE WITH THE RULES OF THE AMERICAN ARBITRATION ASSOCIATION (AAA) IN FORCE AT THE TIME OF THE DISPUTE. THE SEAT OF ARBITRATION SHALL BE SANTA CLARA COUNTY, CALIFORNIA, USA. THE ARBITRAL AWARD SHALL BE FINAL AND BINDING, AND JUDGMENT THEREON MAY BE ENTERED IN ANY COURT OF COMPETENT JURISDICTION. THE PARTIES EXPRESSLY WAIVE ANY RIGHT TO BRING PROCEEDINGS BEFORE COURTS, EXCEPT FOR ENFORCEMENT OF THE ARBITRAL AWARD.
- For all other contracting Securosys entities, any dispute arising out of or in connection with this Agreement shall be submitted to and finally decided by the competent courts having jurisdiction at the place specified in the table below.
| The Subscriber’s country of incorporation | Contracting entity | Governing law | Exclusive Place of jurisdiction |
|---|---|---|---|
| Switzerland | Securosys SA, Switzerland | Swiss law | Zurich, Switzerland |
| Germany | Securosys GmbH, Germany | German law | Munich, Germany |
| United States of America | Securosys Inc., USA | Laws of California, USA | Santa Clara County, California, USA |
| Any other country | Securosys SA, Switzerland | Swiss law | Zurich, Switzerland |