General terms
General Terms and Conditions
Mason Pete Dynamics B.V.
Breestraat 101, 1941 EG Beverwijk, the Netherlands
Chamber of Commerce (KvK): 93861524
Version: June 2026
Article 1. Definitions
1.1 In these General Terms and Conditions, the following terms have the following meanings:
a. Contractor: Mason Pete Dynamics B.V., having its registered office in Beverwijk (1941 EG) at Breestraat 101, registered with the Dutch Chamber of Commerce (Handelsregister) under number 93861524.
b. Client: the business party that enters into an agreement with the Contractor or negotiates to that end.
c. Parties: the Contractor and the Client jointly.
d. Master Agreement: the agreement for services, quotation, order confirmation or other written arrangement in which the project-specific commercial, technical and operational agreements between the Parties are laid down.
e. General Terms and Conditions: these general terms and conditions of the Contractor.
f. Project Documents: all documents in which the engagement is further elaborated, including a statement of work, project plan, schedule, reporting protocol, pentest authorisation letter, rules of engagement, security protocol, technical scope description or other annexes.
g. Data Processing Agreement: the agreement in which the Parties lay down arrangements concerning the processing of personal data within the meaning of Article 28 GDPR.
h. Services: all work to be performed by the Contractor, including consultancy, strategic advice, Microsoft Dynamics 365 services, IT services, cybersecurity advice, risk analyses, security assessments, penetration tests, physical security tests, process optimisation, digital transformation, reports, workshops and related work.
i. Scope: the boundaries of the engagement as agreed in writing, including work, systems, locations, networks, accounts, IP addresses, applications, time windows, methods, limitations, deliverables, dependencies, contact persons and exclusions.
j. Deliverables: the specifically agreed results to be delivered, including reports, advice, analyses, presentations, configuration proposals, roadmaps, risk analyses, lists of findings and recommendations.
k. Work Products: all materials developed or delivered by the Contractor in the context of the engagement, including Deliverables, reports, advice, documentation, presentations, scripts, templates, models, configuration proposals, methodologies and other materials.
l. Pentest: a technical or physical test, agreed in writing in advance, aimed at identifying vulnerabilities in systems, processes, networks, applications, buildings, access security or organisational security measures.
m. Rules of Engagement: the document in which the operational ground rules for a Pentest are laid down, including permitted and prohibited test methods, test windows, emergency contacts, escalation procedure, stop criteria, reporting arrangements and limitations.
n. Pentest Authorisation Letter: the written document in which the Client grants the Contractor permission to perform a Pentest within the Scope set out therein.
o. Vulnerability Information: information about security flaws, misconfigurations, attack paths, evidence, screenshots, logs, exploit results, access possibilities, password hashes, technical findings or other information that could be misused for unauthorised access or disruption.
p. In Writing / Written: communication by letter, e-mail, electronically signed document or other durable and reproducible means of electronic communication.
Article 2. Applicability and order of precedence
2.1 These General Terms and Conditions apply to all quotations, Master Agreements, Project Documents, Services and other legal relationships between the Parties.
2.2 The applicability of any general terms, purchasing conditions or other conditions of the Client is expressly rejected, unless the Contractor has expressly accepted such conditions in writing.
2.3 Deviations from these General Terms and Conditions are valid only if agreed between the Parties in writing. A deviation applies exclusively to the specific engagement for which it was agreed.
2.4 In the event of conflict between contract documents, the following order of precedence applies:
a. for matters of privacy law: first the Data Processing Agreement, then the Master Agreement, then these General Terms and Conditions;
b. for the performance of Pentests: first the Pentest Authorisation Letter and the Rules of Engagement, then the statement of work, then the Master Agreement, then these General Terms and Conditions;
c. for commercial and project-specific arrangements: first the statement of work or the order confirmation, then the Master Agreement, then these General Terms and Conditions;
d. for general legal matters: these General Terms and Conditions, unless expressly deviated from in writing.
2.5 Project Documents form part of the agreement only if they have been accepted in writing by the Parties or confirmed in writing by the Contractor without the Client having raised a substantiated objection within a reasonable period.
2.6 If any provision of these General Terms and Conditions is void or annulled, the remaining provisions remain in full force. In that event, the Parties will agree on a replacement provision that reflects the purpose and intent of the original provision as closely as possible.
Article 3. Quotations and formation of the agreement
3.1 All quotations of the Contractor are without obligation, unless expressly stated otherwise in the quotation.
3.2 A quotation is valid for thirty (30) days from its date, unless a different period of validity is stated in the quotation.
3.3 An agreement is formed once the Client accepts the quotation, order confirmation or Master Agreement in writing, or once the Contractor commences performance of the work at the Client's request.
3.4 The Contractor is not bound by obvious errors, clerical errors, programming errors, calculation errors or other inaccuracies in quotations, order confirmations, Project Documents or other communications.
3.5 If the engagement is performed in phases, the Contractor may make the commencement of a subsequent phase conditional upon written approval of the preceding phase, the availability of necessary information and payment of outstanding invoices.
3.6 Oral commitments, estimates or expectations bind the Contractor only if and to the extent confirmed by the Contractor in writing.
Article 4. Nature of the engagement
4.1 The legal relationship between the Parties qualifies, where applicable, as an agreement for services (overeenkomst van opdracht) within the meaning of Article 7:400 of the Dutch Civil Code.
4.2 The Contractor performs the Services independently and according to its own professional judgement, with due observance of the agreed Scope, the Project Documents and reasonable instructions from the Client.
4.3 Unless expressly agreed otherwise in writing, all obligations of the Contractor qualify as best-efforts obligations (inspanningsverplichtingen) and not as obligations of result.
4.4 The Contractor does not guarantee that advice, analyses, configurations, Pentests, security assessments or other Services will lead to specific commercial, financial, technical, organisational or security outcomes.
4.5 The engagement does not create an employment contract, agency agreement, partnership, company, joint venture or any other form of cooperation between the Parties.
Article 5. Performance of the Services
5.1 The Contractor will perform the Services with the care that may be expected of a professional and reasonably acting IT, consultancy and cybersecurity service provider.
5.2 The Contractor determines the manner in which the Services are performed, unless the Parties have made express written arrangements in this respect.
5.3 The Contractor may have work performed in whole or in part by employees, auxiliary persons, subcontractors or other third parties, provided that the Contractor remains responsible for the coordination of the engagement.
5.4 The Contractor may use its own methodologies, templates, tools, scripts, software, frameworks, checklists and working methods in performing the Services.
5.5 The Client acknowledges that IT, cybersecurity and transformation projects depend on technical, organisational and human factors, including existing system configurations, software versions, cloud environments, third-party suppliers, user behaviour, internal decision-making, available information, risk appetite, priorities and budgets of the Client.
5.6 The Contractor is not responsible for shortcomings, delays or limitations resulting from circumstances beyond its control, including failures at cloud providers, software vendors, hosting parties, network providers, security vendors, hardware suppliers or other third parties.
Article 6. Obligations of the Client
6.1 The Client will provide in good time all information, documentation, access, accounts, authorisations, test environments, contact persons, systems, facilities and decisions that the Contractor reasonably requires for the performance of the engagement.
6.2 The Client warrants the accuracy, completeness, currency and lawfulness of all information, data, instructions and authorisations provided to the Contractor.
6.3 The Client remains responsible at all times for:
a. internal decision-making;
b. implementation of advice;
c. management of systems, processes and accounts;
d. monitoring and logging;
e. incident response;
f. continuity measures;
g. back-ups and recovery procedures;
h. access management;
i. compliance with laws and regulations;
j. communication with employees, suppliers and other third parties;
k. obtaining the required consents and authorisations;
l. assessing business risks.
6.4 If the Client provides insufficient or late cooperation, the Contractor may adjust the schedule, suspend work and charge additional work or waiting time as additional work.
6.5 The Client ensures that employees, suppliers, administrators, hosting parties, cloud providers, landlords and other relevant third parties are informed in good time and are available to the extent necessary for the correct and lawful performance of the engagement.
6.6 The Client is responsible for making and verifying up-to-date back-ups before the Contractor performs work that may affect systems, configurations, data or continuity.
Article 7. Scope, assumptions and exclusions
7.1 The Scope of the engagement is determined by the Master Agreement and the applicable Project Documents.
7.2 Work, systems, locations, applications, accounts, IP addresses, domains, networks, physical spaces, test methods or deliverables that are not expressly included in writing fall outside the Scope.
7.3 If during performance it becomes apparent that the Scope is unclear, incomplete or technically incorrect, the Parties will clarify the Scope in writing before the Contractor performs work that could reasonably fall outside the original engagement.
7.4 The Contractor is not obliged to perform work outside the agreed Scope.
7.5 The Client accepts that systems, vulnerabilities, processes, locations or risks falling outside the Scope are not examined or assessed by the Contractor.
7.6 If the Client offers information, systems, locations or accounts outside the agreed Scope, this does not automatically lead to an extension of the Scope.
Article 8. Changes and additional work
8.1 Additional work exists where the Contractor performs or is required to perform work falling outside the agreed Scope, or where the engagement changes due to additional requirements, changed circumstances, third-party dependencies, incomplete information, changed priorities or additional instructions from the Client.
8.2 Additional work is, as far as possible, recorded in writing in advance, including the nature of the work and the consequences for schedule, costs and deliverables.
8.3 The Contractor is not obliged to perform additional work before the Parties have reached agreement on the terms thereof.
8.4 If immediate performance is reasonably necessary to prevent or limit damage, security risks, continuity problems or legal risks, the Contractor may perform the necessary work and charge for it at the agreed or customary rates.
8.5 Additional work may affect previously agreed deadlines, schedules, capacity, costs and deliverables.
Article 9. Planning, deadlines and dependencies
9.1 All deadlines and schedules are indicative, unless it has been expressly agreed in writing that a deadline is a strict deadline (fatale termijn).
9.2 Exceeding a deadline does not place the Contractor in default and does not entitle the Client to damages, suspension or termination, unless the Parties have expressly agreed otherwise in writing.
9.3 The Contractor will inform the Client in good time if it foresees that a schedule will change materially.
9.4 Planning and performance also depend on the timely availability of information, authorisations, systems, contact persons, suppliers, test windows, maintenance windows and decision-making by the Client.
9.5 If a delay arises due to circumstances on the part of the Client or third parties, the Contractor may adjust the schedule and charge reasonable additional costs.
Article 10. Deliverables, delivery and acceptance
10.1 The Contractor delivers the agreed Deliverables as set out in the Master Agreement or Project Documents.
10.2 Deliverables are prepared on the basis of the agreed Scope, the available information, the Contractor's professional judgement and the state of the art at the time of performance.
10.3 The Client will review a Deliverable within [number] business days of receipt.
10.4 If the Client does not raise a written and substantiated objection within this period, the Deliverable is deemed accepted.
10.5 Rejection is possible only if the Deliverable deviates materially from the specifications agreed in writing.
10.6 Minor deviations, editorial comments, subjective preferences, changed insights or findings resulting from subsequently changed circumstances do not constitute grounds for rejection.
10.7 If a Deliverable is justifiably rejected, the Contractor will be given a reasonable period to remedy the shortcoming.
10.8 Acceptance of a Deliverable is without prejudice to any confidentiality, use, security and privacy obligations.
Article 11. Consultancy and strategic advice
11.1 The Contractor's advice is based on the information available at the time of advising, the Client's context, professional insights and the state of the art.
11.2 The Contractor provides strategic, organisational, technical or operational recommendations, but does not take board, management or business decisions on behalf of the Client.
11.3 The Client remains responsible for assessing whether advice is appropriate within its organisation, risk appetite, compliance obligations, budgets, operational reality and internal decision-making.
11.4 The Contractor does not guarantee that advice will lead to specific commercial, financial, operational, organisational or security outcomes.
11.5 If the Client implements advice only partially, in modified form or with delay, this may affect its effectiveness. The Contractor is not liable for this.
Article 12. Microsoft Dynamics 365 and IT services
12.1 The Contractor advises and supports the Client in the analysis, configuration, use, adoption and optimisation of Microsoft Dynamics 365, including Dynamics CE, CRM processes and related business software.
12.2 In doing so, the Contractor acts as an independent advisor and not as a primary software vendor, hosting party, cloud provider or licence supplier, unless expressly agreed otherwise in writing.
12.3 Licences, cloud environments, updates, availability, security and functionality of Microsoft or other vendors are governed by the terms of those respective vendors.
12.4 The Client is responsible for entering into, managing and complying with the licence terms of Microsoft and other third parties, unless agreed otherwise in writing.
12.5 The Contractor does not guarantee that third-party software will function without errors, be available without interruption, continue to meet the Client's future requirements or remain compatible with future versions, updates, integrations or configurations.
12.6 Where the Contractor provides configuration, optimisation or implementation support, delivery takes place on the basis of the specifications agreed in writing.
12.7 The Client remains responsible for tenant management, user rights, data quality, internal processes, test data, acceptance, authorisations, security settings and compliance with third-party terms.
Article 13. Cybersecurity work
13.1 Cybersecurity work may consist of risk analyses, security assessments, maturity assessments, configuration reviews, threat analyses, policy advice, technical reviews, physical security assessments, Pentests, reports and recommendations.
13.2 Cybersecurity work always constitutes a point-in-time assessment within the agreed Scope.
13.3 The Contractor does not guarantee that all vulnerabilities, threats, attack paths, configuration errors or security risks will be identified.
13.4 The Client remains responsible for taking security measures, monitoring, logging, follow-up of findings, patch management, incident response, remediation measures and risk treatment.
13.5 The Contractor is not responsible for security incidents occurring before, during or after performance of the Services, unless there is an attributable failure by the Contractor within the agreed Scope.
13.6 The Client acknowledges that cybersecurity investigations may entail inherent risks, including temporary disruption, detection by security systems, logging, account lockouts or exposure of existing vulnerabilities.
Article 14. Technical pentests
14.1 Technical Pentests are performed exclusively on the basis of a Scope agreed in writing in advance and a valid authorisation.
14.2 The Scope states at least, where relevant:
a. systems;
b. applications;
c. domains;
d. IP addresses;
e. networks;
f. accounts;
g. test environments;
h. permitted test methods;
i. excluded test methods;
j. test windows;
k. emergency contacts;
l. escalation procedure;
m. stop criteria.
14.3 The Contractor may apply only those test methods that fall within the agreed Scope and authorisation.
14.4 Methods that could lead to disproportionate disruption, data loss, damage, denial of service, social engineering, phishing, use of malware or physical access testing are permitted only if expressly agreed in writing.
14.5 If during a Pentest indications arise of serious vulnerabilities, active compromise, data breaches, disproportionate disruption or legal uncertainty, the Contractor may interrupt the work and inform the Client.
14.6 The Client is responsible for taking precautionary measures, including back-ups, monitoring, test windows, internal communication and the availability of emergency contacts.
Article 15. Physical security tests
15.1 Physical security tests are performed only if expressly agreed in writing and covered in advance by a valid authorisation.
15.2 The Scope of a physical security test states at least:
a. locations;
b. rooms and areas;
c. permitted time windows;
d. permitted methods;
e. excluded actions;
f. contact persons;
g. emergency procedure;
h. identification procedure;
i. instructions in the event of confrontation with staff, security personnel or emergency services.
15.3 The Client warrants that it is authorised to have the physical security test performed and that the necessary consents have been obtained from landlords, building owners, security companies, co-occupants, suppliers or other third parties.
15.4 The Contractor will not perform any actions that may reasonably be regarded as disproportionate, hazardous or outside the agreed Scope, unless expressly agreed in writing and covered by a valid authorisation.
15.5 The Contractor may immediately interrupt or terminate a physical security test in the event of danger, escalation, threat, intervention by third parties, doubt about authorisation or legal uncertainty.
Article 16. Pentest authorisation and Rules of Engagement
16.1 Pentest work is performed exclusively after a prior written Scope, a valid authorisation and established Rules of Engagement.
16.2 The Client warrants that it is authorised to have the Pentest performed and that all necessary consents of third parties, including hosting parties, cloud providers, suppliers, landlords, building owners, administrators and security companies, have been obtained in advance.
16.3 The Pentest Authorisation Letter and the Rules of Engagement state at least:
a. the identity of the Client;
b. the identity of the Contractor;
c. the authorised test objects;
d. the permitted test methods;
e. the excluded test methods;
f. the test period;
g. emergency contacts;
h. escalation procedure;
i. stop criteria;
j. reporting arrangements;
k. arrangements concerning evidence;
l. arrangements concerning personal data;
m. limitations and preconditions.
16.4 The Contractor may immediately interrupt or terminate the Pentest in the event of danger, disproportionate disruption, legal uncertainty, doubt about authorisation, missing third-party consent or risk of damage outside the Scope.
16.5 The Client indemnifies the Contractor against third-party claims arising from incorrect, incomplete or missing authorisations, unless there is intent or deliberate recklessness on the part of the Contractor's management.
Article 17. Reports, Vulnerability Information and evidence
17.1 Reports and findings are prepared on the basis of the agreed Scope, the available information and the situation at the time of performance.
17.2 Reports do not constitute a guarantee, certification or declaration that systems, processes, locations or organisations are completely secure.
17.3 Vulnerability Information is treated by the Parties as strictly confidential.
17.4 The Client may use reports exclusively internally for security, risk assessment, decision-making, compliance and follow-up of findings.
17.5 Disclosure of reports or Vulnerability Information to third parties is permitted only with the Contractor's prior written consent, unless disclosure is required by law or necessary for follow-up by a directly involved supplier.
17.6 If the Client provides reports or findings to third parties, the Client will ensure that the Scope, date, context, limitations, assumptions and disclaimers are provided in full.
17.7 The Contractor is not liable for damage arising from reports, findings or Vulnerability Information being provided incompletely, out of context or to unauthorised third parties.
17.8 The Contractor may report serious vulnerabilities on an interim basis if immediate follow-up is reasonably necessary.
Article 18. Retention and destruction of reports and evidence
18.1 The Contractor retains reports, working files and evidence no longer than necessary for performance, quality control, accountability, invoicing, dispute resolution or statutory obligations.
18.2 Unless agreed otherwise in writing, the Contractor retains reports for [period] after delivery.
18.3 Vulnerability Information, raw test data, screenshots, logs, exploit results and other sensitive evidence are retained no longer than reasonably necessary.
18.4 The Client may request earlier destruction of evidence in writing, unless the Contractor has a legitimate interest in retention.
18.5 After expiry of the retention period, the Contractor may delete or anonymise reports, evidence and working files.
Article 19. Intellectual property and rights of use
19.1 All intellectual property rights in Work Products, including reports, advice, analyses, documentation, presentations, configuration proposals, scripts, templates, models, methodologies, checklists, frameworks and other materials, vest exclusively in the Contractor or its licensors, unless agreed otherwise in writing.
19.2 Upon payment in full, the Client acquires a non-exclusive, non-transferable and non-sublicensable right to use the Work Products, exclusively for internal use within its own organisation and exclusively for the purpose for which the Work Products were provided.
19.3 The Client may not publish, reproduce, modify, sell, rent out, sublicense, commercially exploit or provide Work Products to third parties, unless expressly permitted in writing or necessary for internal use within the agreed engagement.
19.4 The right of use does not include the right to use the Contractor's underlying source files, raw data, scripts, tooling, templates, models, exploit code, test files or internal working documents, unless agreed otherwise in writing.
19.5 The Contractor retains the right to freely use general knowledge, experience, ideas, concepts, methodologies, lessons learned, know-how and non-client-specific components acquired or developed in the performance of the engagement.
19.6 The Client retains all rights in the data, documentation, systems, configurations, business information and other materials provided by it.
19.7 If the Client acts in breach of this article, the Contractor may suspend or terminate the right of use, without prejudice to its right to damages.
Article 20. Materials, tools, scripts and methodologies
20.1 The Contractor may use its own tools, scripts, software, frameworks, scanning methodologies, checklists, templates and working methods, or those developed by third parties, in performing the Services.
20.2 Unless agreed otherwise in writing, these materials are not transferred to the Client.
20.3 If the Contractor provides scripts, configurations or technical tools to the Client, these are provided “as is”, unless agreed otherwise in writing.
20.4 The Client is responsible for testing, assessing and safely applying scripts, configurations or tools provided to it within its own environment.
20.5 The Contractor is not obliged to provide source code, raw test files, exploit code, internal documentation, templates or underlying methodologies.
20.6 Third-party software or tools are governed by the licence terms of the relevant third party.
Article 21. Confidentiality
21.1 The Parties undertake to keep confidential all confidential information they receive from each other in the context of the agreement.
21.2 Confidential information includes in any event business information, technical information, security information, Vulnerability Information, reports, personal data, source code, configurations, access credentials, financial information, commercial information and information whose confidential nature is reasonably apparent.
21.3 The Parties use confidential information exclusively for the performance of the agreement.
21.4 The Parties take appropriate measures to protect confidential information against unauthorised access, disclosure, loss or misuse.
21.5 The confidentiality obligation does not apply to information that:
a. was already public without breach of a confidentiality obligation;
b. was lawfully obtained from a third party without a confidentiality obligation;
c. was independently developed without use of confidential information;
d. must be disclosed pursuant to law, a court order or a decision of a competent supervisory authority.
21.6 If a Party is legally required to disclose confidential information, it will inform the other Party in advance, unless this is prohibited by law.
21.7 The confidentiality obligation remains in force for five (5) years after termination of the agreement. For Vulnerability Information, personal data, trade secrets and information for which continued confidentiality is reasonably necessary, the confidentiality obligation applies for as long as the confidential nature continues.
Article 22. Privacy and personal data
22.1 Prior to and during performance of the engagement, the Parties assess their respective roles under the GDPR.
22.2 To the extent the Contractor processes personal data on behalf of the Client, the Client qualifies as controller and the Contractor as processor within the meaning of the GDPR.
22.3 In the case referred to in Article 22.2, the Parties will enter into a Data Processing Agreement. The Data Processing Agreement prevails exclusively for matters relating to the processing of personal data.
22.4 The Client warrants the lawfulness of the processing, including the existence of a valid legal basis, the accuracy of instructions, informing data subjects and compliance with its other obligations as controller.
22.5 The Contractor processes personal data only to the extent necessary for performance of the engagement and in accordance with the Client's written instructions, unless legislation requires otherwise.
22.6 In cybersecurity work and Pentests, the Contractor may incidentally gain access to personal data not foreseen in advance. The Contractor will avoid and minimise such data as far as possible and process it only to the extent necessary for verification, evidence, reporting or performance of the engagement.
22.7 The specific processing operations, categories of personal data, categories of data subjects, purposes, retention periods, security measures and any sub-processors are laid down in the processing specification annexed to the Data Processing Agreement.
22.8 If the Parties have not entered into a Data Processing Agreement while the Contractor processes personal data on behalf of the Client, the Parties will enter into one before commencing or continuing that processing.
Article 23. Security and security incidents
23.1 The Contractor takes appropriate technical and organisational measures to protect confidential information, Work Products, Vulnerability Information and personal data.
23.2 The security measures are aligned with the nature of the engagement, the nature of the information, the state of the art, the costs of implementation and the risks reasonably to be expected.
23.3 The Contractor does not guarantee that security measures can prevent every form of unauthorised access, loss, misuse, impairment or disruption under all circumstances.
23.4 The Client remains responsible for the security of its own systems, networks, accounts, authorisations, monitoring, logging, back-ups, recovery procedures and continuity measures.
23.5 If during performance of the engagement the Contractor identifies a serious security risk, security incident or possible compromise, it will inform the Client within a reasonable period.
23.6 In the event of a personal data breach, the data breach procedure set out in the Data Processing Agreement applies.
23.7 The Contractor may suspend work or take emergency measures if continuation could reasonably lead to damage, disruption, security risks, legal risks or breach of laws and regulations.
Article 24. Subcontractors and third parties
24.1 The Contractor may use employees, self-employed professionals, subcontractors, suppliers and other auxiliary persons in performing the engagement.
24.2 The Contractor remains responsible for the coordination of the work performed under its responsibility.
24.3 If a third party processes personal data on behalf of the Client, that third party qualifies as a sub-processor to the extent provided for in the Data Processing Agreement.
24.4 The Client is responsible for the timely availability, cooperation and instruction of third parties engaged by the Client.
24.5 The Contractor is not liable for shortcomings, delays or damage caused by third parties engaged by the Client or for whom the Client is responsible.
Article 25. Dependencies on third-party suppliers and platforms
25.1 The Services may depend on products, services, licences, cloud environments, infrastructure, APIs, software, security systems or platforms of third parties, including Microsoft, hosting parties, cloud providers, network providers and software vendors.
25.2 The Client is responsible for entering into, managing and complying with agreements and licence terms with these third parties, unless agreed otherwise in writing.
25.3 The Contractor is not responsible for changes, failures, limitations, price changes, terminations, security incidents, data loss or availability problems at third parties.
25.4 If a third party changes its terms, functionality, APIs, security settings, licensing model or availability, this may affect the engagement. Any additional work will be regarded as additional work.
25.5 The Contractor is not obliged to guarantee the operation of third-party products or services.
Article 26. Rates, invoicing and payment
26.1 The Client owes the agreed fees as set out in the Master Agreement, quotation, order confirmation or applicable Project Documents.
26.2 Unless agreed otherwise in writing, all amounts are exclusive of VAT and other government levies.
26.3 Work is performed on a time-and-materials basis at the agreed rates, unless a fixed price has been agreed in writing.
26.4 Fixed prices relate exclusively to the Scope agreed in writing. Work outside the Scope is charged as additional work.
26.5 Invoices must be paid within thirty (30) days of the invoice date, unless agreed otherwise in writing.
26.6 The Client is not entitled to suspend, set off or withhold payment, unless the claim has been acknowledged by the Contractor in writing or irrevocably established in legal proceedings.
26.7 In the event of late payment, the Client is in default by operation of law and owes statutory commercial interest within the meaning of Article 6:119a of the Dutch Civil Code.
26.8 All reasonable extrajudicial and judicial costs incurred by the Contractor in collecting amounts due are for the Client's account.
26.9 The Contractor may index or adjust its rates annually. If a rate change is material, the Contractor will inform the Client in advance.
Article 27. Suspension
27.1 The Contractor may suspend its obligations if the Client fails to perform its obligations, including payment obligations, cooperation obligations, information obligations or authorisation obligations.
27.2 The Contractor may also suspend work if, in its professional judgement, continuation could lead to damage, security risks, legal risks, disproportionate disruption or breach of laws and regulations.
27.3 Suspension does not affect the Client's payment obligations for work already performed.
27.4 The Contractor is not liable for damage arising from lawful suspension.
Article 28. Liability
28.1 The Contractor's total liability for an attributable failure, unlawful act or any other legal ground is limited to compensation for direct damage.
28.2 The Contractor's total liability is limited to the amount paid out in the relevant case under the Contractor's liability insurance, plus the applicable excess (deductible).
28.3 If for any reason no insurance payment is made, total liability is limited to the lower of the following amounts:
a. the total fees paid by the Client for the relevant engagement in the twelve (12) months preceding the event causing the damage; or
b. [liability cap amount].
28.4 Direct damage means exclusively:
a. reasonable costs of establishing the cause and extent of the damage;
b. reasonable costs of preventing or limiting damage;
c. reasonable costs of remedying the failure, to the extent attributable to the Contractor;
d. reasonable costs of substitute services, to the extent necessary and reasonable.
28.5 The Contractor is not liable for indirect damage, consequential damage, loss of profit, missed savings, reputational damage, loss of goodwill, business interruption, loss of or damage to data, reduced availability, damage caused by security incidents, damage caused by third-party failures or damage caused by use of reports outside the agreed context.
28.6 The Contractor is not liable for damage arising from:
a. incorrect, incomplete or late information from the Client;
b. missing or incorrect authorisations;
c. changes made by the Client or third parties;
d. inadequate back-ups;
e. insufficient monitoring or logging;
f. vulnerabilities falling outside the Scope;
g. failure to follow up advice, or delayed follow-up;
h. third-party software, cloud environments or infrastructure;
i. use of Work Products for purposes other than agreed.
28.7 The limitations of liability do not apply to damage resulting from intent or deliberate recklessness on the part of the Contractor's management.
28.8 Any claim for damages lapses twelve (12) months after the Client became aware, or could reasonably have been aware, of the damage and the party liable for it.
Article 29. Indemnities
29.1 The Client indemnifies the Contractor against third-party claims arising from or relating to:
a. incorrect, incomplete or unlawful instructions from the Client;
b. missing, incorrect or inadequate authorisations;
c. unlawful processing or disclosure of personal data;
d. infringement of third-party rights by materials provided by the Client;
e. use of Work Products outside the agreed purposes or context;
f. acts or omissions of third parties engaged by the Client;
g. breach of laws and regulations by the Client.
29.2 The indemnity also covers reasonable costs of legal assistance, investigation, defence and damage limitation.
29.3 The Contractor will inform the Client as soon as possible of any claim for which indemnification is sought.
Article 30. Penalty clauses
30.1 The Client owes no contractual penalty unless a penalty clause has been expressly agreed between the Parties in writing.
30.2 If the Parties agree a penalty clause, payment of the penalty is without prejudice to the right to performance, termination and additional damages, unless agreed otherwise in writing.
30.3 An agreed penalty must be reasonable and proportionate to the nature of the obligation, the seriousness of the breach and the foreseeable damage.
Article 31. Insurance
31.1 During the term of the agreement, the Contractor will maintain professional indemnity or business liability insurance appropriate to the nature and scale of its services.
31.2 At the Client's request, the Contractor will provide reasonable confirmation of the existence of the insurance, to the extent this does not contain confidential policy terms or commercially sensitive information.
31.3 The existence of insurance does not constitute an acknowledgement of liability and does not extend the Contractor's liability.
31.4 The Client is responsible for taking out its own appropriate insurance, including cyber insurance, business interruption insurance and other relevant insurance.
Article 32. Force majeure
32.1 Force majeure means any circumstance beyond the Contractor's reasonable control that temporarily or permanently prevents performance or makes it more onerous.
32.2 Force majeure includes: failures at cloud providers, hosting parties, network providers or software vendors, cyberattacks, malware, ransomware, DDoS attacks, power failures, internet failures, government measures, pandemics, war, terrorism, strikes, illness of key personnel, supplier problems and third-party failures.
32.3 During force majeure, the Contractor's obligations are suspended.
32.4 If force majeure continues for more than sixty (60) days, the Parties may terminate the agreement in writing in respect of the part that cannot be performed.
32.5 The Client remains obliged to pay for work already performed and costs already incurred.
Article 33. Term and termination
33.1 The agreement is entered into for the term set out in the Master Agreement or Project Documents.
33.2 If no term has been agreed, the agreement ends upon completion of the agreed engagement.
33.3 Ongoing services may be terminated by either Party in writing subject to a notice period of [period], unless agreed otherwise in writing.
33.4 The Contractor may terminate the agreement in whole or in part with immediate effect if:
a. the Client is in material breach and fails to remedy the breach within a reasonable period;
b. the Client fails to meet its payment obligations;
c. the Client fails to provide the necessary cooperation, information or authorisations;
d. the Client gives unlawful instructions;
e. continuation would lead to legal, security or integrity risks;
f. bankruptcy or suspension of payments of the Client is applied for or declared;
g. the Client ceases or liquidates its business.
33.5 Termination does not affect payment obligations already incurred.
Article 34. Consequences of termination
34.1 Upon termination of the agreement, the Contractor will cease the work, unless the Parties agree a handover or wind-down period in writing.
34.2 The Client will pay for all work already performed, costs incurred, reserved capacity and reasonably necessary wind-down costs.
34.3 The Contractor is not obliged to provide source files, internal working documents, raw data, scripts, exploit code, templates or methodologies, unless agreed otherwise in writing.
34.4 The Client remains bound by the provisions on confidentiality, intellectual property, rights of use, privacy, liability, indemnities, payment and choice of forum.
34.5 Personal data are handled after termination in accordance with the Data Processing Agreement.
34.6 Reports, Vulnerability Information and evidence are retained or destroyed after termination in accordance with Article 18 and any Project Documents.
Article 35. Non-solicitation
35.1 During the term of the agreement and for twelve (12) months thereafter, the Client will not, directly or indirectly, employ or otherwise engage employees, self-employed professionals, subcontractors or other auxiliary persons of the Contractor who were involved in the performance of the engagement, without the Contractor's prior written consent.
35.2 In the event of a breach of Article 35.1, the Client owes the Contractor an immediately payable penalty of [amount] per breach, plus [amount] for each day the breach continues.
35.3 The Contractor retains the right to claim full damages instead of or in addition to the penalty, to the extent permitted by law.
35.4 This article does not apply if the person concerned responds to a general recruitment communication of the Client that is not specifically directed at him or her.
Article 36. Export control, sanctions and compliance
36.1 The Client warrants that the engagement, the information provided, systems, data, users, locations and intended applications do not conflict with applicable export control, sanctions, anti-corruption, cybersecurity or other compliance legislation.
36.2 The Client will not give the Contractor any instructions that could lead to a breach of applicable laws and regulations.
36.3 The Contractor may refuse, suspend or terminate performance if it reasonably suspects that performance could lead to a breach of laws or regulations, sanctions, export control restrictions or professional standards.
36.4 The Client indemnifies the Contractor against claims, fines, sanctions and costs arising from the Client's breach of this article.
Article 37. Amendment of these terms
37.1 The Contractor may amend these General Terms and Conditions.
37.2 Amended General Terms and Conditions apply to new agreements and to existing ongoing agreements after the Client has been notified thereof in writing.
37.3 If an amendment is materially detrimental to the Client, the Client may terminate the ongoing agreement with effect from the date on which the amendment takes effect, unless the amendment is necessary due to legislation, case law, security requirements or changes to third-party services.
37.4 Project-specific deviations continue to apply to the engagement for which they were agreed.
Article 38. Assignment of rights and obligations
38.1 The Client may not assign rights or obligations under the agreement to third parties without the Contractor's prior written consent.
38.2 The Contractor may assign rights and obligations under the agreement to a group company or legal successor in the context of a merger, demerger, restructuring or transfer of business.
38.3 To the extent necessary, the Client hereby cooperates in advance with an assignment as referred to in Article 38.2.
Article 39. Governing law and choice of forum
39.1 All quotations, agreements, Project Documents, Services and other legal relationships between the Parties are governed exclusively by Dutch law.
39.2 Disputes will be submitted exclusively to the competent court of the District Court of [court], unless mandatory law provides otherwise.
39.3 The Parties will endeavour to resolve disputes by mutual consultation before commencing legal proceedings, unless urgent circumstances prevent this.
Article 40. Final provisions
40.1 Amendments or additions to the agreement are valid only if agreed between the Parties in writing.
40.2 If any provision of the agreement or these General Terms and Conditions is void or annulled, the remaining provisions remain in full force.
40.3 In that event, the Parties will agree a valid replacement provision that reflects the purpose and intent of the original provision as closely as possible.
40.4 Failure by the Contractor to exercise a right or power does not constitute a waiver of that right.