General Terms and Conditions

These General Terms and Conditions apply to all contracts between KI-Quadrat Systemhaus GmbH ("Provider") and public authorities as well as companies ("Customer") regarding the use of software-as-a-service offerings, AI-supported data processing services, chat assistants, and other AI licensing models.

Any deviating terms of the Customer shall not apply unless they have been expressly acknowledged in writing by the Provider.

The Provider makes cloud-based software services and functions for automated and AI-supported data processing available to the Customer.

The services are provided exclusively for use via the internet; the source code is not transferred.

The Provider continuously develops the applications and may therefore add, modify, or remove functions, provided that the essential functionality is fundamentally maintained.

Provision of the contractually agreed SaaS and AI services.

Ensuring appropriate technical and organisational standards in accordance with Article 32 of the General Data Protection Regulation.

Compliance with the requirements of the European Union Artificial Intelligence Act insofar as the Provider operates an AI system within the meaning of that law.

The Provider shall render support services in accordance with the service-level model agreed between the parties.

Logging and traceability of relevant model decisions, to the extent technically possible.

The Provider documents the use of all relevant third-party providers and shall make this information available to the Customer upon request, insofar as legally permissible. Changes shall be communicated to the Customer with an appropriate notice period.

The Provider undertakes to comply with the principles of an artificial intelligence management system in accordance with ISO 42001. This includes in particular:

• the introduction and maintenance of a documented framework for the safe and responsible use of artificial intelligence,
• the regular assessment of risks arising from the operation or use of artificial intelligence,
• the monitoring of artificial intelligence outputs in order to identify possible malfunctions,
• the implementation of appropriate safeguards to reduce potential risks, and
• the continuous improvement of all processes related to the use of artificial intelligence.

Use of the Provider's services exclusively within the limits of the applicable legal provisions.

The Customer shall furthermore ensure that all uploaded data may also be processed lawfully.

No security-relevant interventions may be attempted or carried out (for example, penetration tests without the Provider's consent).

The Customer is responsible for the quality of the input data and acknowledges that AI models may also generate incomplete or incorrect responses.

The Customer is responsible for interactions with third-party software used by it.

If the Customer uses third-party providers, interfaces, or external software components, the Customer shall ensure that their use complies with the requirements of the General Data Protection Regulation, the provisions of the Artificial Intelligence Act, and the information security requirements pursuant to ISO 27001. The Provider assumes no responsibility for risks arising from the use of such external components.

The Customer shall receive a time-limited, non-transferable, non-exclusive right of use.

Passing on or sublicensing is not permitted without the Provider's written consent.

The Customer may use the services only for its own purposes.

The Provider informs the Customer that AI models deliver statistical and probability-based results.

The Provider shall provide essential information on:

• the purpose and operating principles of the artificial intelligence used,
• known model limitations,
• requirements for human oversight,
• risks of improper use.

The Customer shall ensure that the results of the artificial intelligence are also reviewed by qualified human professionals where misinterpretation could lead to risks for third parties.

The Provider shall regularly document significant model versions, training data sources (where permitted), and risk assessments.

The Provider shall ensure that AI systems are developed, operated, and monitored in accordance with ISO 42001. This includes:

• a description of the models used and their purpose,
• verification that the deployed models are suitable for the intended use,
• the definition of procedures to identify inaccurate outputs or malfunctions at an early stage,
• the use of control measures to verify whether AI-supported responses are factually accurate, traceable, and safe to use,
• the documentation of all relevant procedures required for the operation or traceability of artificial intelligence.

The Provider undertakes to implement technical and organisational measures so that AI systems remain understandable, controllable, and monitorable by humans at all times. The Provider shall ensure that:

• AI responses can be presented in a traceable manner,
• human intervention for control purposes is possible at any time,
• AI applications do not make sole decisions with legal effect unless this has been expressly agreed,
• AI systems are automatically monitored or shut down in the event of unusual or undesirable behaviour.

The Provider shall ensure that data used for artificial intelligence is reviewed regularly. This includes:

• the assessment of data quality,
• verification that data is suitable for the intended purpose,
• the minimisation of possible hallucinations,
• documentation of the origin of the data used, insofar as legally permissible.

The Provider shall establish procedures for the identification, assessment, and handling of incidents that may arise from AI systems. The Provider undertakes to:

• investigate incidents without undue delay,
• inform affected Customers without undue delay,
• take suitable measures to avoid recurrence,
• document incidents and evaluate them at regular intervals.

The Provider shall process personal data exclusively on behalf of the Customer in accordance with Article 28 of the General Data Protection Regulation.

A separate data processing agreement forms part of the overall contract.

The Provider shall only engage subcontractors in relevant areas affecting data security with the prior consent of the Customer.

The Provider stores data exclusively in certified data centres within the European Union and/or the European Economic Area.

The Customer remains the controller within the meaning of the General Data Protection Regulation.

Processing or use of third-party providers

The Provider is entitled to use third-party providers, technical service providers, and subcontractors for the provision of its services, provided that the requirements of the General Data Protection Regulation, the European Union Artificial Intelligence Act, and relevant security standards (in particular ISO 27001, ISO 27017, and ISO 27018) are complied with.

All third-party providers are reviewed by the Provider prior to use with regard to technical, organisational, and contractual security measures. The Provider shall ensure that the third-party providers engaged guarantee an appropriate level of protection pursuant to Article 28 and Article 32 of the General Data Protection Regulation.

Sub-processors shall only be used with the Customer's prior written consent where the respective processing concerns material personal data. The Provider shall inform the Customer of relevant changes in the list of sub-processors used.

The Provider shall ensure that binding contractual arrangements exist with all third-party providers and sub-processors that maintain at least the level of data protection assured by the Provider and do not place the Customer at a disadvantage.

If a third-party provider is used outside the European Economic Area, this shall occur only on the basis of the legal requirements, in particular:

• an adequacy decision of the European Commission, or
• the use of standard contractual clauses supplemented by suitable technical and organisational measures.

The Customer bears responsibility for the use of third-party software or technical integrations introduced or commissioned by the Customer itself. The Provider shall not be liable for disruptions, incompatibilities, or damage caused by unauthorised third-party software or third-party software introduced by the Customer itself.

The Provider shall ensure that the processing of personal data in AI systems is carried out in accordance with the provisions of the General Data Protection Regulation and the guidelines of ISO 42001. This includes, among other things:

• the separation of personal data from training data, where technically possible,
• the protection of data against unauthorised access,
• the implementation of deletion concepts that also include AI systems.

The Provider guarantees availability of 99% as a monthly average, excluding maintenance windows.

Maintenance work shall be announced at least 24 hours in advance, except in emergencies.

The Provider may deploy updates provided that no material restrictions arise.

Use of the services is based on a licensing model (monthly or annual).

Price adjustments are possible with a notice period of 60 days.

In the event of late payment, the Provider may temporarily or permanently block services.

The Provider shall be liable only in cases of intent and gross negligence.

No warranty is assumed for the accuracy, completeness, or suitability of AI responses.

Liability for indirect damages, lost profits, or data loss is excluded to the extent permitted by law.

Total liability is limited to the fees paid in the last contractual year.

Contracts have a minimum term of 12 months unless otherwise agreed.

Notice period: 3 months to the end of each calendar quarter.

The right to extraordinary termination shall remain unaffected.

Both parties undertake to maintain confidentiality with regard to all non-public information, including after the end of the contract.

The Provider shall inform the Customer in due time of relevant changes to the artificial intelligence management system that may affect security, quality, transparency, or monitoring. Upon request, the Provider shall provide the Customer with suitable evidence of compliance with ISO 42001 principles.

Austrian law as amended from time to time shall apply.

The place of jurisdiction shall be the court having subject-matter jurisdiction at the Provider's registered office.

Amendments to these General Terms and Conditions must be made in writing. This version is dated December 1, 2025.