Contract Documents – SaaS & IT Services (CH) – B2B & B2C
Part A – General Terms and Conditions (GTC)
Provider: handel gmbh, Limited Liability Company (llc), Grabenstrasse 15a, 6340 Baar, Switzerland, UID: CHE-339.453.650 ('Provider')
Customer: Contractual partner according to offer/order/registration ('Customer')
B2B = Customer acting in exercise of commercial/professional activity. B2C = Customer as consumer.
1. Scope
These GTC apply to all services of the Provider, in particular to (i) cloud-based Software-as-a-Service ('SaaS') as well as (ii) IT services (support, maintenance, consulting, project and on-site services). Deviating conditions of the Customer shall only apply if the Provider explicitly agrees to their validity in writing.
2. Conclusion of Contract
A contract is concluded by (a) online registration and activation of a subscription, (b) acceptance of an offer, (c) written or electronic order (email is sufficient), or (d) implied provision of services. The Provider may reject orders for objective reasons (e.g., misuse, compliance).
3. Description of Services
3.1 SaaS
The Provider makes the SaaS application handel-it Services available to the Customer for use via the Internet. The specific scope of functions results from the service description/plan (e.g., 'Basic/Pro/Enterprise').
The Provider does not owe, in particular, the Customer's Internet/network connections, end devices, or third-party systems outside the Provider's sphere of influence.
3.2 Services
Services are generally provided as a service contract (duty of care, no guarantee of success), unless a contract for work (defined success/acceptance) is expressly agreed.
4. Availability, Maintenance & Changes (SaaS)
Target values and service credits are regulated in the SLA. Planned maintenance will be announced in advance if possible; security-critical changes may take place at short notice.
5. Customer's Obligations to Cooperate
The Customer is obliged to timely:
- provide correct information, data, and contact persons,
- grant necessary access/accounts/approvals,
- communicate changes to systems, volumes, interfaces, or security requirements,
- comply with security requirements (e.g., MFA, passwords, roles).
Additional efforts and delays resulting from missing/late cooperation shall be borne by the Customer and are subject to remuneration according to expenditure.
6. Prices, Billing & Payment
Prices result from the offer, price list, or online checkout. SaaS subscriptions are invoiced periodically in advance. Services are billed according to expenditure or as a lump sum.
- Payment term: 30 days net (unless agreed otherwise)
- Default: Default interest according to the Swiss Code of Obligations; Provider may suspend services in case of significant default
- B2B: No right of retention or set-off, as far as legally permissible
- B2C: Prices incl. VAT, if applicable; special consumer rights remain unaffected
7. Rights of Use & Intellectual Property
7.1 SaaS Use
The Customer receives a non-exclusive, non-transferable, time-limited right to use the SaaS to the extent of the contract. There is no claim to release of the source code.
7.2 Project Results
Pre-existing components, frameworks, tools, templates, and generic know-how remain the property of the Provider. Customer-specific results (e.g., configurations, documentation, customer-specific code) are granted to the Customer as a simple right of use for internal use, unless otherwise agreed. The Provider may reuse know-how, methods, and non-customer-specific parts.
8. Data, Data Protection & Cloud Subcontractors
Customer data remains the property of the Customer. The Provider processes personal data as a processor, as far as applicable. Details are regulated in the DPA. Hosting can take place via AWS and/or Microsoft Azure (EU/CH regions).
9. Warranty
The Provider operates the SaaS according to the state of the art, but does not guarantee absolute freedom from errors. Defects must be reported immediately.
- B2B: Warranty is excluded to the extent permitted by law; priority is given to rectification.
- B2C: Mandatory statutory warranty rights remain unaffected.
10. Liability
The Provider is liable for direct, contract-typical damages. Liability for indirect damages, consequential damages, lost profits, business interruption, and pure financial losses is excluded, to the extent permitted by law.
Liability Cap (Standard): maximum 12 months contract revenue, absolute maximum CHF 500,000 per contract year.
Unlimited: Intent, gross negligence, personal injury, as well as mandatory product liability (if applicable).
11. Term & Termination
SaaS subscriptions run according to the selected period (monthly/yearly) and renew automatically unless terminated in due time. Notice period: 30 days to the end of the period (unless agreed otherwise). Enterprise terms are regulated in the Enterprise Addendum.
12. Blocking, Misuse, Compliance
In case of misuse, security incidents, or legal violations, the Provider may temporarily block access as far as necessary to avert danger. Where possible, the Customer will be informed of the blocking.
13. Confidentiality
Both parties treat confidential information as confidential indefinitely. Exceptions: generally known, lawfully received, or legal disclosure obligations.
14. Changes to GTC
The Provider may adjust GTC. Significant changes will be announced. B2B: Objection within 30 days, otherwise changes are deemed accepted. B2C: Changes only for objective reasons; in case of significant change, there is a special right of termination.
15. Final Provisions
Applicable law: Switzerland. Place of jurisdiction: Canton of Zug (B2C: mandatory places of jurisdiction remain reserved). Should individual provisions be invalid, the contract remains effective in other respects (Severability Clause).
Part B – SLA (Service Level Agreement)
Annex to the GTC – applies unless contractually agreed otherwise.
1. Definitions
- Availability: Share of time in which the SaaS is productively usable (excluding exclusion times).
- Maintenance Window: announced time windows for updates/maintenance.
- Service Credits: Credits on future fees (no cash payout).
2. Target Availability
Standard (SME): 99.5 % annual average
Enterprise (optional): 99.7 % to 99.9 % per contract
3. Exclusions (not counted)
- Planned maintenance windows
- Outages due to force majeure
- Outages/Incidents at AWS or Azure outside the Provider's control
- Customer or third-party fault (network, identity provider, misconfiguration)
- Misuse, attacks, blocking for danger aversion
4. Support Times
| Profile | Support Times | Channel |
|---|---|---|
| Standard (SME) | Mo–Fr 08:00–18:00 (CH), excluding holidays | Ticket/Email, optional Phone |
| Enterprise (optional) | 24/7 or extended times per contract | Ticket + Hotline + Escalation |
5. Priorities & Reaction Times
| Priority | Description | Reaction (Standard) | Reaction (Enterprise optional) |
|---|---|---|---|
| P1 Critical | Productive system not usable | ≤ 4 hrs | ≤ 1–2 hrs |
| P2 High | Essential function severely restricted | ≤ 8 hrs | ≤ 4 hrs |
| P3 Medium | Impairment without standstill | ≤ 2 BD | ≤ 1 BD |
| P4 Low | Questions, changes, improvement | planned | planned |
6. Service Credits
| Availability | Credit (Monthly Fee) |
|---|---|
| < 99.5 % | 5 % |
| < 99.0 % | 10 % |
| < 98.0 % | 20 % |
Maximum 20 % per billing month. Service credits are the exclusive remedy for availability breaches, as far as legally permissible.
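As a worked illustration of the availability definition (section 1), the exclusions (section 3) and the credit tiers above, here is an added Python example; it is not part of the contract documents and assumes that availability is measured per billing month and that outages do not overlap. The sample outages are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Credit tiers from SLA section 6: (availability threshold, % of monthly fee), worst first.
CREDIT_TIERS = [(98.0, 20), (99.0, 10), (99.5, 5)]
MAX_CREDIT_PCT = 20  # cap per billing month, SLA section 6
# Outage causes that SLA section 3 does not count against availability.
EXCLUDED_CAUSES = {"planned_maintenance", "force_majeure", "cloud_provider",
                   "customer_or_third_party", "misuse_or_blocking"}

@dataclass
class Outage:
    start: datetime
    end: datetime
    cause: str  # "provider" counts as downtime; EXCLUDED_CAUSES do not

def availability_pct(period_start, period_end, outages):
    """Usable share of the measured period (SLA section 1). Excluded outages shrink
    the measured period; provider outages count as downtime. Assumes no overlaps."""
    excluded = downtime = timedelta()
    for o in outages:
        start, end = max(o.start, period_start), min(o.end, period_end)
        if end <= start:
            continue  # lies outside the billing period
        if o.cause in EXCLUDED_CAUSES:
            excluded += end - start
        else:
            downtime += end - start
    measured = (period_end - period_start) - excluded
    return 100.0 * (measured - downtime) / measured

def service_credit_pct(availability):
    """Map availability to the credit tier, capped per billing month."""
    for threshold, credit in CREDIT_TIERS:
        if availability < threshold:
            return min(credit, MAX_CREDIT_PCT)
    return 0

# Constructed sample billing month (not real incident data), 720 h in total.
JUNE = (datetime(2025, 6, 1), datetime(2025, 7, 1))
SAMPLE_OUTAGES = [
    Outage(datetime(2025, 6, 7, 22), datetime(2025, 6, 8, 2), "planned_maintenance"),  # 4 h, excluded
    Outage(datetime(2025, 6, 12, 9), datetime(2025, 6, 12, 17), "provider"),  # 8 h, downtime
    Outage(datetime(2025, 6, 20, 8), datetime(2025, 6, 20, 11), "customer_or_third_party"),  # 3 h, excluded
]

def sample_month():
    """Returns (availability %, credit %) for the sample month: 705/713 h -> ~98.88 %, 10 %."""
    avail = availability_pct(*JUNE, SAMPLE_OUTAGES)
    return avail, service_credit_pct(avail)
```

Because the 7 excluded hours shrink the measured period rather than counting as downtime, the 8 provider hours push availability below 99.0 % and into the 10 % tier.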
7. Cooperation
The Customer provides necessary information within a reasonable period (for P1 as quickly as possible). Delays caused by a lack of customer cooperation suspend SLA deadlines accordingly.
Part C – DPA (Data Processing Agreement)
GDPR + revFADP – Annex to the GTC / Main Contract
1. Parties & Roles
Controller: Customer
Processor: handel gmbh, Grabenstrasse 15a, 6340 Baar, Switzerland
2. Subject, Duration, Instructions
Subject is the processing of personal data within the scope of SaaS and IT services. Duration corresponds to the contract term. The Provider processes data exclusively on documented instruction of the Customer, except where legally required.
3. Nature and Purpose of Processing
- Hosting, operation and provision of the SaaS
- Support, maintenance, incident analysis
- Backups/Restore according to service description
- Security monitoring/logging (to the minimum required)
4. Categories of Data Subjects / Data
Depending on use: Employees, end customers, partners; data categories according to customer inputs and system data (logs).
5. TOMs (Brief Description)
The Provider implements appropriate technical and organizational measures, in particular:
- Access control (RBAC), MFA where possible
- Transport encryption (TLS), encryption of data at rest if available/configured
- Patch and Vulnerability Management
- Backups, recovery processes, monitoring
- Tenant Isolation according to architecture
6. Subcontractors / Cloud Providers
Approved Subcontractors: Amazon Web Services (AWS), Microsoft Azure
Regions: Switzerland and/or EU (depending on configuration/contract)
Further subcontractors: the Customer is informed before they are used and may object for important reasons. An objection may lead to termination of the contract if performance is impossible without the subcontractor.
7. Third Country Transfers
If transfers outside CH/EU occur exceptionally, this is done only on the basis of appropriate guarantees (e.g., SCC, additional measures), according to GDPR/revFADP.
8. Assistance with Data Subject Rights
The Provider supports the Customer appropriately with access, rectification, deletion, restriction, and portability, as far as possible within the systems.
9. Notification of Data Breaches
The Provider reports relevant data breaches to the Customer immediately, at the latest within 72 hours after becoming aware (provided information is available), and supports analysis.
10. Deletion / Return after End of Contract
After the end of the contract: export/return as agreed, followed by deletion after a reasonable period, unless legal retention obligations prevent this.
11. Audit & Evidence
B2B/Enterprise: Audit max. 1x per year, after prior notice, during business hours, without disruption. Alternatively, certificates/attestations of cloud providers and Provider evidence may be accepted.
12. Liability
The liability regulation of the main contract/GTC applies, as far as legally permissible.
Part D – Enterprise Addendum
Applies only if explicitly designated and agreed as 'Enterprise' in the contract.
1. Term & Termination
- Minimum Term: 12–36 months (according to contract)
- Notice Period: 3–6 months to end of term
- Renewal: annual, unless terminated
2. Increased SLAs (optional)
Optional adjustment per contract: Target availability 99.7–99.9 %, shorter reaction times, 24/7 support.
3. Liability Options
Standard cap remains, unless agreed otherwise in writing. Optional: higher cap for surcharge / higher service package / insurance.
4. Security & Compliance
- Extended security documentation (e.g., policies, architecture overview, incident response process)
- Right to audit as described in DPA, alternatively evidence (e.g., cloud provider attestations)
5. Escrow (optional)
Source code escrow only for critical systems and separate agreement (trigger: insolvency, permanent cessation of service).
6. Change Management
For customer-specific adjustments: Change requests, effort estimation, approval, prioritization; documentation in ticket/project tool.
Part E – Security Annex (TOMs compact)
1. Basic Principles
- Least Privilege / Role-Based Access Control (RBAC)
- Defense-in-Depth
- Secure-by-Default (where possible)
- Logging & Monitoring according to necessity
2. Identity & Access
- MFA for admin accounts
- Strong password rules / SSO if agreed
- Provisioning/Deprovisioning processes
3. Cryptography
- TLS for data in transit
- Encryption of data at rest, if available/activated (e.g., Cloud KMS)
- Key Management in AWS/Azure (KMS/Key Vault) depending on setup
4. Secure SDLC
- Code Reviews & Branch Protection
- Dependency/SCA scans (where implemented)
- Vulnerability Management & Patch Processes
5. Operation, Logging, Monitoring
- Monitoring (Uptime, Performance, Error Rates)
- Logging with access protection; Log retention according to policy/contract
- Incident Response Process incl. communication
6. Backup & Recovery
- Backups according to service description
- Recovery on best effort basis, unless RTO/RPO contractually assured
7. Penetration Tests (optional)
Optional for Enterprise: periodic penetration tests by third parties, by agreement (scope, time window, rules of engagement).
8. Customer Obligations (Security)
- Protection of credentials, activate MFA, assign roles correctly
- Device security / Endpoint Protection
- No security tests without prior approval
Part F – Pricing Model & Billing
1. SaaS Subscriptions
Examples (replace/adjust):
| Plan | Billing | Included | Limits |
|---|---|---|---|
| Basic | monthly/yearly | Core functions | e.g., Users/Storage/API Calls |
| Pro | monthly/yearly | Advanced Features | higher limits |
| Enterprise | yearly | SSO, Audit, 24/7 optional | contractual |
2. Usage-based Fees (optional)
- e.g., per user, per tenant, per GB storage, per 1,000 API calls, per transaction
- Overages are billed according to price list
3. Services
| Service | Billing | Example |
|---|---|---|
| Consulting/Engineering | time & material | CHF/EUR [X]/h |
| Project lump sum | fixed price | according to Statement of Work |
| On-site assignment | time & material + expenses | Travel time/expenses per policy |
| On-Call / 24/7 | Retainer + assignment | Enterprise optional |
4. Expenses & Travel Time
Travel time and expenses may be charged, unless explicitly included in the price. Expenses (train/flight/hotel) are charged as incurred against receipts, or as lump sums if agreed.
5. Price Changes
Price lists may be adjusted. For ongoing subscriptions, a notice period applies (e.g., 30–90 days). B2C: special right of termination in case of price increase.
Part G – Negotiation Playbook (Redlines & Answers)
Goal: Close quickly (SME) and scale controlled (Enterprise), without incalculable risks.
1. 'Non-negotiable' (your red lines)
- No unlimited damages; liability must remain capped.
- No liability for indirect damages / lost profits.
- No automatic full IP transfer (source code remains with Provider).
- No guaranteed freedom from errors; SLA via credits, not via penalties.
- No unannounced customer audits without framework (time, scope, frequency).
2. 'Good Negotiation Levers' (give vs. take)
| Customer Demand | Your Counteroffer | Why Good |
|---|---|---|
| Higher liability cap | Cap ↑ only for Price ↑ / Enterprise package / Insurance | Risk is paid for |
| 99.9 % SLA | Premium SLA + defined exclusions + Credits | Calculable |
| Audit right 'anytime' | 1x/year, notice, scope & NDA | Operationally feasible |
| Source code | Escrow with clear triggers | Trust without IP loss |
3. Standard Answers (Copy/Paste)
Liability: 'We can increase the cap if we price the risk (Premium package/Insurance). Without cap we cannot deliver.'
Unlimited Warranty: 'SaaS is an ongoing operation. We guarantee state-of-the-art and an SLA with credits, but no absolute freedom from errors.'
Audit: 'We enable audits on a plannable basis (1x/year, notice, scope). Alternatively, we provide evidence from cloud providers and our security documentation.'
4. Deal Check (Enterprise)
- SLA level and support times clear?
- Cap + exclusions clear?
- DPA signed, subcontractors accepted?
- Roles/SSO/MFA requirements documented?
- Change process & pricing written?