General terms and conditions

These general terms and conditions are issued by:

Aspida BV, a private limited company, with registered office at Pathoekeweg 9B 012B, 8000 Bruges, with company number BE 0790.857.331,

Hereinafter: "Aspida",

The services of Aspida are exclusively aimed at businesses (B2B),

Hereinafter: "Client",

This Master Services Agreement (hereinafter: "MSA") serves as a framework agreement and describes the general terms and conditions applicable to every collaboration between Aspida and the Client for the purpose of providing specific services (hereinafter: "Services"). The specific description of the individual contractual assignment(s) for which Aspida is engaged is set out in one or more Sub-agreements (hereinafter: "Sub-agreement").

In the event of conflicts between the MSA and the specifically concluded Sub-agreements for the delivery of specific Goods or Services, the Sub-agreements shall take precedence to the extent they relate to the specifically agreed Services.

The Client accepts that the contractual relationship is entirely governed by the MSA, the applicable Sub-agreements and any annexes, and consequently waives any other conditions.

All price proposals, quotes or offers from Aspida are always entirely non-binding, unless expressly stated otherwise. Unless otherwise indicated, price proposals have a validity period of fifteen (15) calendar days.

An agreement between Aspida and the Client is only concluded after Aspida has confirmed the assignment in writing or electronically, even if the Client has previously accepted a price proposal.

Aspida acts as a professional IT and cybersecurity service provider and makes every effort to carry out the Services correctly and in accordance with accepted practices. The Client understands, however, that Aspida does not in any case commit to a specific result or guarantee, unless expressly agreed otherwise in the MSA or a Sub-agreement.

If Aspida commits to performing specific Services within a certain timeframe, such timeframes are always subject to (1) the timely payment of any (advance) invoices and (2) the Client’s cooperation. Moreover, all timeframes are always indicative and not to be considered as an essential obligation, unless expressly agreed otherwise in the MSA or a Sub-agreement.

The Client acknowledges that their cooperation is necessary to enable proper performance of the Services. They will therefore provide all information as requested by Aspida and as is otherwise reasonably necessary for the performance of the Services. The Client is solely responsible for the completeness and accuracy of this information.

If the MSA is performed on behalf of two or more natural or legal persons, these persons are each individually and jointly liable for the full fulfillment of the obligations arising from the MSA.

Aspida is entitled to subcontract the performance of the Services in whole or in part to subcontractors or external suppliers. Aspida has a general approval from the Client to designate an external party (e.g. hosting providers, software providers, security partners) of its own choice. In that case, the conditions of the external party apply in full, including any service levels and user restrictions formulated therein. The Client may obtain a copy of the relevant conditions upon first request.

The Client understands that Aspida is an independent service provider and will always be free to make its services available to any other company. Aspida is not bound by any obligation of exclusivity or non-competition in this regard.

For the performance of the Services, it may be necessary for Aspida (whether through its employees or subcontractors) to gain access to the Client’s IT, OT, or network components, including security equipment, configurations, log files, server environments, cloud environments and other digital or physical resources related to the operation of the client’s infrastructure. The Client grants Aspida all necessary access rights, accounts, permissions and information reasonably required to perform the Services. The Client is responsible for the validity, completeness and security of such access rights.

For work in OT environments, additional safety and change procedures apply. The Client must make available in advance all necessary test environments, emergency procedures and fallback options. Aspida may refuse or postpone work if it cannot be carried out safely or if testing facilities are unavailable. The Client acknowledges that changes within OT infrastructures carry an increased risk of production impact and that Aspida bears no liability for this, except in cases of intent or gross negligence.

Aspida will take all reasonable measures to ensure the security, integrity and confidentiality of the Client’s systems. The Client acknowledges that certain activities, such as updates, testing, configuration changes or incident response, may temporarily affect the availability of systems, and this cannot be considered a fault or negligence on the part of Aspida.

Aspida will deliver hardware products to the address specified by the Client. If delivery is not possible due to the Client or a third party designated by them, travel costs and services on a time-and-materials basis will be charged. Transfer of ownership takes place in accordance with Article 11.

The Client, or a designated third party, must carry out a thorough inspection upon delivery. Non-conformity or visible defects must be reported in writing to Aspida no later than two (2) business days after delivery. In the absence of such notification, the delivery shall be deemed to be in conformity.

The Client benefits from a warranty against hidden defects for one (1) year after delivery, provided that the delivery has been fully paid and the defect is reported in writing within five (5) calendar days of discovery, with a clear description of the alleged hidden defect. This warranty does not apply to damage caused by wear and tear, misuse, improper installation or modifications by the Client or third parties. Aspida’s warranty is always limited to free repair or replacement of the product, unless repair or replacement is impossible, excessive or unreasonably delayed. The compensation can never exceed the invoiced value of the delivered product. Notwithstanding the foregoing, Aspida’s warranty is, where applicable, limited to and dependent on the warranty conditions as granted by the manufacturer or supplier.

Security awareness services may include, among other things, providing licences for an awareness platform; carrying out automated and/or manual phishing simulations; organising training courses and workshops for employees, management or specific departments; providing advice, documentation or recommendations on cyber-safe behaviour. The specific scope of the awareness activities is determined in the relevant quote or Sub-agreement.

For awareness services involving software licences (such as a phishing simulation platform), the licence conditions of the relevant software supplier apply in addition to the provisions of this MSA. The Client undertakes to use the licences only in accordance with their purpose and the applicable terms of use.

If Aspida provides physical or digital training, education or workshops, the Client is responsible for the attendance of participants, providing a suitable space (for physical sessions) and the necessary technical conditions. The content of the training is intended for awareness and education; Aspida does not guarantee that these training courses will completely prevent all security risks or human errors at the Client. Training courses fall, where applicable, under the SME portfolio scheme; the Client is solely responsible for the correct application and administrative follow-up thereof.

If Aspida provides phishing simulations, the Client gives permission to send simulated phishing emails on behalf of the Client to employees, management or other specified target groups. The Client is responsible for internal communication about the use of phishing simulations, including transparency to employees where legally required. Aspida is not liable for damage arising from employees’ responses to simulated phishing emails.

Aspida may provide reports concerning, among other things, click behaviour or interactions with phishing simulations; scores or progress in awareness training; recommendations for additional security measures or training. Reports are always provided ‘as is’ and are based on the available data within the awareness platform or the evaluation method used. Aspida provides no guarantee as to the completeness, accuracy or suitability of these reports for the Client’s decisions.

The parties agree on a compensation scheme in the Sub-agreement(s) in exchange for the performance of the respective Services. All amounts are exclusive of VAT unless otherwise stated.

The agreed prices do not take into account requirements, wishes, preconditions or expectations that do not fall within the scope of the Services as described in a Sub-agreement, or that were not, or not fully, or insufficiently clearly communicated to Aspida at the time of entering into the relevant Sub-agreement (hereinafter: "Additional Work").

If a performance is required or must be carried out that qualifies as Additional Work, the Additional Work will be additionally charged on a time-and-materials basis at Aspida’s current rates at that time. Each commenced period of fifteen (15) minutes is invoiced as fifteen (15) minutes. For on-site interventions, a minimum of one (1) working hour is always charged, unless otherwise agreed. Travel costs and other additional costs (such as parking fees or specific materials) may be additionally charged to the Client. Aspida may request payment of one or more advance invoices before Additional Work is carried out. Aspida is entitled to refuse requests to carry out Additional Work.

All prices may be indexed annually at the initiative of Aspida according to the following formula:

Pn = Po * (0.2 + 0.8 * Ln/Lo)

Where:

• Pn equals the new indexed price;
• Po equals the originally agreed price on the date of signing the Agreement;
• Ln equals the reference wage cost index “Agoria Digital” as published by Agoria vzw at the time of calculating Pn;
• Lo equals the reference wage cost index “Agoria Digital” as published by Agoria vzw on the date of signing the Agreement.

If Aspida wishes to apply the aforementioned price revision clause, it must notify the Client in writing with a notice period of at least 30 days.

Aspida is at all times entitled to invoice the Services at times it determines. This may for example be by way of advance payment before the Services commence, or according to a certain periodicity it determines itself (e.g. monthly, per quarter, after completion of a specific milestone, etc.), or after delivery of the Services. Invoicing of the Services according to a certain periodicity does not mean that Aspida commits to maintaining that periodicity throughout the collaboration.

The Client is obliged to pay all amounts due within thirty (30) calendar days of receipt of the corresponding invoice from Aspida, unless a different payment term is agreed or stated on the invoice.

In the event of late or non-payment of any amount due:

• Aspida is entitled to suspend all Services until the date of full payment, regardless of whether the Services fall within the same project or within a different set of Services that are separate from the invoice or invoices that remain unpaid.
• Aspida is automatically entitled to compensation of 10% of the amount owed (with a minimum of €100.00) as well as contractual late payment interest at the rate determined in accordance with the Act of 2 August 2002 on combating late payment in commercial transactions.

In the event of invoice dispute, this must be notified to Aspida by registered mail or email within eight (8) days of the invoice date. In the absence of dispute, the invoice, as well as the invoiced Services, shall be deemed to have been tacitly and comprehensively accepted. Separately, payment of an invoice is automatically considered acceptance thereof.

In the event that the contractual relationship has ended and/or in the event of insolvency of the Client, Aspida may apply set-off between all mutual certain claims with the Client, regardless of the time at which the relevant claims are due.

Late payment of an invoice results in the immediate enforceability of all other outstanding invoices, even if the due dates of these invoices have not yet expired.

The submission by Aspida of a bank statement or other document from its accounting records is sufficient to determine the amount of its claim against the Client and to provide evidence thereof.

“Confidential Information” means all information that the parties consider confidential, either because the parties have designated such information as confidential or proprietary, or because the information should reasonably be considered confidential given the nature of the information or the circumstances. Confidential Information includes, but is not limited to, internal know-how, source and object code, databases, preparatory material, business plans and strategies, analyses, reports, advice, personnel data, financial information, and all information that is more generally to be considered a “trade secret” in accordance with EU Directive 2016/943.

The parties may gain knowledge of each other’s Confidential Information, to which rights belong entirely to the respective parties.

The party receiving Confidential Information undertakes to:

• keep the Confidential Information strictly confidential and not to disclose the Confidential Information, directly or indirectly, in any way, in whole or in part, without the prior written consent of the party that disclosed it;
• not to use or distribute any Confidential Information, directly or indirectly, in any way, for any purpose other than within the framework of the MSA or the relevant Sub-agreement, unless the recipient is expressly authorised to do so in writing by the disclosing party;
• not to use the Confidential Information, directly or indirectly, in any way, for the purpose of obtaining a commercial advantage over the disclosing party or its competitors;
• to keep the Confidential Information secure, in accordance with the instructions of the disclosing party and in any case in such a way that unauthorised access by third parties is avoided as much as reasonably possible;
• upon first request by the disclosing party, and in any case upon termination of the MSA or a Sub-agreement, to return all materials and documents handed over by the disclosing party within the framework of the MSA or the relevant Sub-agreement, and to destroy any digital copy still in the receiving party’s possession. This includes all information carriers containing Confidential Information.
• upon first request by the disclosing party, and in any case upon termination of the MSA or a Sub-agreement, to return to the disclosing party all materials and documents that the receiving party has compiled based on Confidential Information, and to destroy any digital copy still on the receiving party’s own devices.
• to include, where the receiving party in turn engages third parties acting for or employed by the receiving party and with the consent of the disclosing party having access to the Confidential Information, a confidentiality obligation in the employment or cooperation agreement with those third parties that has a similar scope to that referred to in this article, to the extent permitted by applicable law. The receiving party is in that case fully liable to the disclosing party in the event of an unauthorised disclosure or use by such third parties.

This article does not apply to information that the recipient proves:

• is generally available to the public; or
• was lawfully in their possession or known to them before they received it; or
• was lawfully and without restriction made known to them by a third party; or
• was independently developed without use of the disclosing party’s Confidential Information; or
• must be disclosed by law or by court order, without this meaning that such information, if it concerns Confidential Information, thereby loses its confidential character.

The provisions of this article remain fully in force and apply both for the duration of the MSA and for a period of five years after its termination.

The confidentiality obligations as described in this article will not be affected by any change in the existence or composition of a party, such as bankruptcy, takeover, merger, etc.

The parties acknowledge that the performance of the Services may involve Aspida having sight of or access to personal data contained in the Client’s systems, log files or infrastructure. In that case, Aspida always acts as a processor within the meaning of applicable privacy legislation, unless Aspida processes personal data for its own purposes (e.g. invoicing, client management), in which case Aspida acts as a controller. When Aspida processes personal data as a processor, the rights and obligations of both parties are governed by a separate Data Processing Agreement, which forms an integral part of the MSA. In the event of conflicts between the MSA and the Data Processing Agreement, the Data Processing Agreement shall take precedence.

“Intellectual Property Rights” means all acquired and future intellectual property rights, including but not limited to copyrights, trademarks, trade names, design and model rights, databases, patents, know-how, trade secrets, all applications for protection or registration of the aforementioned rights and all extensions and renewals thereof existing anywhere in the world, and all other intellectual property rights protected by applicable law.

The Intellectual Property Rights relating to all works developed by or owned by Aspida, including proprietary software applications, developed source and object code, customisations, designs, visual elements, texts, methodologies, processes and other creations (hereinafter: “Works”), belong entirely and exclusively to Aspida.

In respect of the (parts of the) Works made available to the Client, the Client obtains a non-exclusive, worldwide, non-transferable and non-sublicensable right to use the Works in accordance with the purpose for which the Works were made available to the Client, unless expressly agreed otherwise.

The right to use the Works does not in any case include the right to:

• modify, translate, communicate to the public or decompile the Works in whole or in part, without the written consent of Aspida, except to the extent permitted under applicable mandatory law;
• use the Works to store or distribute content that is defamatory, threatening, offensive, vulgar or inappropriate, that promotes violence or discrimination against a group or individual, or that is otherwise contrary to applicable law;
• use the Works to store or distribute content containing malware, spyware, viruses or similar malicious applications;
• use the Works to store or distribute content that infringes the Intellectual Property Rights, trade secrets, privacy rights or other rights of third parties;
• attempt to modify the privacy-friendly settings of the Works.

Any established unlawful use of the Works automatically grants Aspida the right, without prior notice, to either definitively terminate or temporarily suspend the right of use until the Client has declared in writing that it will cease the unlawful use. This applies without prejudice to any other possible actions as described in the MSA or the Sub-agreements.

Aspida may make software licences from third-party suppliers available to the Client. The Client acknowledges that the licence conditions of the relevant supplier apply in full. Licences are granted for a renewable term of one (1) or five (5) years, unless otherwise indicated. The licence period commences on the date the Client gains access to the software. Unless a party notifies in writing or electronically at least two (2) months before the expiry of the current licence period of the wish to terminate it, the licence is automatically renewed for the same duration as the initial period, unless otherwise indicated.

If Aspida, in the context of the Services, delivers equipment to the Client such as computers, servers, laptops, network devices, peripheral equipment, etc. (hereinafter: “Goods”), the ownership of the Goods remains with Aspida, even after delivery. Unless otherwise agreed, the delivery of Goods is considered a sale of Goods, in which case ownership only passes to the Client upon full payment of the purchase price for the sold Goods. Notwithstanding the foregoing, the risk in respect of the Goods passes from the moment of delivery of the Goods to the Client or a carrier designated by the Client.

The Client undertakes, for the entire duration of the MSA and for two (2) years after its termination, regardless of the reason for termination, to refrain from, directly or indirectly, soliciting employees, self-employed workers or suppliers of Aspida or inducing them to end or modify their relationship with Aspida, or from employing or working with them themselves, whether or not through an employment agreement.

In the event of non-compliance by the Client with the preceding paragraph, the Client owes Aspida compensation determined as follows:

• In the event of (attempted) solicitation of an employee: compensation equal to six months’ gross salary of the employee based on the average of the last twelve payslips of the employee in question.
• In the event of (attempted) solicitation of a self-employed worker: compensation equal to the amount invoiced by the self-employed worker to Aspida in the twelve months preceding the first attempt at solicitation, with a minimum of €25,000.

Aspida disclaims all express or implied warranties, including but not limited to warranties of quality and fitness for a particular purpose not expressly agreed upon.

The Client expressly accepts that Aspida does not enter into any warranty or result obligation to prevent all possible security incidents, cyberattacks, data breaches, intrusions, malware infections or other forms of compromise. Aspida will make every reasonable and professional effort to this end, but cannot be held liable for the occurrence of such incidents, unless these are solely and directly attributable to intent or gross negligence on the part of Aspida.

If Aspida integrates or configures products, software or services from third-party suppliers (including Fortinet, Vectra or other security vendors), the performance, availability and functionality of these products are exclusively subject to the conditions, warranties and SLAs of the relevant suppliers. Aspida is not liable for shortcomings, security issues, downtime, errors or changes in these solutions.

Aspida is not liable for any damage resulting from the negligence, omission or non-compliance with a contractual provision by the Client, nor as a result of an extra-contractual fault or the breach of the general duty of care by the Client.

The statutory provisions regarding extra-contractual liability between the parties are, to the extent permitted by law, excluded.

The parties acknowledge that in the performance of the Agreement, they may use auxiliary persons (such as directors, employees, self-employed workers, suppliers (e.g. hosting partners) or subcontractors). These auxiliary persons always act under the responsibility of the party that appointed them. The statutory provisions on extra-contractual liability between the Client and an auxiliary person of Aspida are, to the extent permitted by law, excluded.

Unless expressly agreed otherwise, Aspida does not guarantee that the Works or any Service will always be uninterrupted or error-free. Aspida therefore does not commit to any guarantee to ensure a specific availability of the Works or the Services, nor to confirm and resolve reported problems within a specific period of receipt. Should problems arise with the availability or proper functioning of the Works or Services that are not related to problems with an external party, Aspida will nevertheless make maximum efforts to enable as optimal availability and as error-free a user experience as can reasonably be expected. In any case and where appropriate, Aspida will be free to determine what may be considered an appropriate solution or compensation for the Client in this regard.

The Client must use the items made available to them in accordance with the instructions, manuals or other documentation provided by Aspida, or that is reasonably customary or usual. Aspida is not liable for any damage resulting from incorrect use by the Client, including but not limited to damage resulting from unauthorised modifications to developed software, configuration changes made by the Client, or failure to comply with explicit instructions from Aspida.

Except in the case of intentional fault, Aspida is not liable for, nor obliged to compensate, immaterial, indirect or consequential damage including (but not limited to) loss of profit, turnover or income, administrative, personnel or other costs, damage due to economic standstill, damage due to loss of production, loss of missed savings or claims of third parties.

Notwithstanding the foregoing provisions, the total contractual and extra-contractual liability of Aspida for all damage occurring during the entire duration of the contractual collaboration is at all times limited to the amount invoiced by Aspida to the Client in the six (6) months preceding the facts for which Aspida’s liability is invoked. In no case shall Aspida’s liability for any type or category of damage exceed the amount that Aspida’s liability insurer is willing to cover. A series of related facts giving rise to liability on the part of Aspida are, for the purposes of this article, considered as a whole of events giving rise to the same dispute. In this case, the total liability for this whole of events on the part of Aspida shall not exceed the aforementioned amounts.

Nothing in this MSA shall be considered a limitation or exclusion of liability of any party in the event of intent, deceit, fraud or liability of that party for death or bodily injury.

Any claim by the Client for compensation against Aspida lapses by operation of law if it has not been brought before the competent court within a period of six (6) months after the facts on which the claim is based were known or could reasonably have been known to the Client.

The MSA is concluded for an indefinite period.

Either party may terminate the MSA at any time by written or electronic notification to the other party, subject to a notice period of three months. Notwithstanding the aforementioned notice period, the content of the MSA remains in force for the remaining duration of the Sub-agreements. If, in addition, different durations apply to specific services or products (e.g. licences for specific software), the aforementioned notice period of the MSA or the relevant Sub-agreements is also suspended until the durations for the relevant services or products have expired.

Aspida may unilaterally and without judicial intervention dissolve the MSA and/or one or more Sub-agreements in the event of a serious breach by the Client that is not remedied within fifteen (15) days after the Client has been notified in writing or electronically of the breach. This rectification period does not apply when any remedy is no longer possible or meaningful to restore trust between the parties, such as in the case of systematic non-payment of invoices, the Client’s use of the Works contrary to Article 10.4, a breach of Article 8 or Article 12. The dissolution pursuant to this article takes effect from the date of the corresponding written or electronic notification to the Client by Aspida.

The Client acknowledges that any change in its composition or condition, such as bankruptcy, liquidation, dissolution or the takeover of its actual control (e.g. through a change in the majority of the management body, or the takeover of the majority of the Client’s shares by a third party), automatically gives rise to the dissolution of the MSA and the Sub-agreements, unless Aspida expressly or tacitly waives this dissolution and pursues continued performance.

All parts of this MSA and the Sub-agreements which by their nature should remain in force after termination, also remain in force after termination, including but not limited to confidentiality obligations, non-solicitation obligations, limitations of liability, disclaimers of warranties and outstanding payment obligations.

After termination of the MSA or a Sub-agreement, Aspida will, where applicable, make an electronic copy of the Client’s data available ‘as is’. Aspida is then free to delete this data from its own storage media.

If necessary, Aspida will communicate to the Client the relevant technical specifications of the Services provided that are important for enabling a transfer of the subject matter of the Services to the Client’s management. Aspida can, upon request, provide assistance to realise the transfer according to either an agreed lump sum or on a time-and-materials basis at Aspida’s then-current rates.

The Client will indemnify Aspida against all claims from third parties arising from or resulting from the performance or termination of the MSA and/or the Sub-agreements and caused by the Client’s contractual non-performance, or by other conduct of the Client constituting an extra-contractual fault. This indemnification also covers all damage, costs and expenses (including reasonable legal fees) that Aspida would incur as a result of such claims.

If Aspida is prevented, on a permanent or temporary basis, from performing or continuing to perform the Services due to force majeure, Aspida is in no case liable for this. Moreover, in the event of permanent force majeure (including when the force majeure situation continues uninterrupted for three months), Aspida is entitled to terminate the MSA and/or the relevant Sub-agreement in whole or in part by means of written notice, without any obligation to pay compensation and without judicial intervention. Force majeure includes, without being limited to: war, natural disaster, fire, bankruptcy or dissolution of a supplier, failure of internet, electricity or telecommunications infrastructure not attributable to a shortcoming of Aspida, errors in third-party software, flooding, unexpected strikes or uprisings, terrorist attacks, hacking and cyberattacks, government intervention, pandemics and epidemics, etc.

The parties agree that the arrangement referred to in Article 5.74 of the Civil Code (change of circumstances) always applies.

The nullity, invalidity or unenforceability of any provision of the MSA or the Sub-agreements shall nonetheless have its maximum permitted effect and shall have no influence on the validity or enforceability of the other provisions. The null, invalid or unenforceable provision is replaced by operation of law by a valid and enforceable provision that is as closely aligned as possible, economically and legally, to the original provision.

The non-exercise of a contractual right by Aspida cannot be considered a waiver of that right.

The Client may not transfer its rights and obligations arising from the MSA and/or the Sub-agreements to a third party without the express written consent of Aspida.

Amendments to the MSA or to the Sub-agreements are only possible with the written and express agreement of both parties.

The MSA and the Sub-agreements are exclusively governed by Belgian law.

All disputes arising from the MSA or the Sub-agreements fall under the exclusive jurisdiction of the courts with territorial jurisdiction over the registered office of Aspida.