Terms of Service

Last updated: 12.02.2026

Welcome to AutoPhish, a service provided by QADS e.U. ("AutoPhish," "we," "us," or "our"). These Terms of Service ("Terms") govern your access to and use of our phishing simulation and security awareness services ("Service"). By accessing or using the Service, you agree to be bound by these Terms.

The Service is intended exclusively for business customers (entrepreneurs within the meaning of the Austrian Commercial Code, UGB). Consumers within the meaning of the Austrian Consumer Protection Act (KSchG) are excluded. If you are using the Service on behalf of a company or other legal entity, you represent that you have the authority to bind such entity to these Terms.

1. Scope (B2B) and contract formation

These Terms apply exclusively to business customers (entrepreneurs within the meaning of the Austrian Commercial Code, UGB). Consumers within the meaning of the Austrian Consumer Protection Act (KSchG) are excluded.

In case of conflicts between these Terms and individually agreed terms (e.g., offer, order confirmation, master agreement), the individually agreed terms shall prevail.

2. Definitions

For purposes of these Terms:

  • "Customer": the company using the Service.
  • "Admin": person(s) designated by the Customer with administrative rights in the Service.
  • "Participants/Employees": individuals whose interactions are measured as part of campaigns (e.g., recipients of simulations).
  • "Campaign": a Customer-configured phishing simulation including target group, content, and schedule.
  • "Verified Domain": a domain (including enabled subdomains/hosts) for which the Customer proves control/authorization in the Service.
  • "Customer Data": data stored in or processed through the Service by the Customer (e.g., configurations, lists, reports).
  • "Employee Data": personal data of Participants/Employees provided by the Customer or generated during campaigns (e.g., email address, interaction data).
  • "Service": the AutoPhish platform including related features, APIs, and content.
  • "Plans/Subscription": the selected paid tier and billing period.

3. Service description

AutoPhish provides simulated phishing campaigns and related cybersecurity awareness tools. These are designed to train and test the awareness of employees by generating realistic phishing emails using AI models.

4. Availability, maintenance, and support

The Service is provided on an "as is" and "as available" basis. We do not guarantee uninterrupted or error-free availability.

Planned maintenance: generally every Sunday at 03:00 (Vienna time, CET/MEZ). During maintenance, the Service may be partially or fully unavailable.

Emergency maintenance may be required at any time (e.g., to address security issues). We aim for reasonable availability without any numeric uptime commitment.

5. Account registration, Admin accounts, and credentials

To access the Service, your company must create an account and provide required information, including a list of employee email addresses. You agree to provide accurate and complete information and to keep your account credentials secure.

The Customer is responsible for actions taken through its Admin and user accounts.

6. Permitted use and abuse

You agree to use the Service in compliance with all applicable laws and only for internal training and internal security testing for your own organization.

Phishing simulations may cause confusion or concern among Participants. You are responsible for internal communication, notices, and escalation paths so that your use is appropriate.

Verified Domain: If you add a domain as a "Verified Domain" in the Service, you expressly authorize AutoPhish to run simulated campaigns and automated security scans and checks against that Verified Domain (including enabled subdomains/hosts) for security assessment and reporting. You represent and warrant that you own or have the necessary rights and permissions to test those systems.

You must not use the Service to test or impact third parties without their explicit authorization. You may not:

  • conduct unauthorized phishing tests, security scans, or other tests against third parties
  • use the Service for malicious, unlawful, or fraudulent purposes (e.g., real credential harvesting outside a training context)
  • deliver malware, exploits, or harmful payloads
  • bypass or attempt to bypass usage limits, technical restrictions, or security mechanisms
  • resell, sublicense, or offer the Service as a managed service without our prior written consent

In case of abuse, security incidents, or legal risk, we may limit access, stop campaigns, temporarily suspend accounts, or suspend the Service to the extent reasonably necessary.

7. Customer responsibilities

You are solely responsible for the lawful execution of your campaigns and for all content and recipient lists you provide to the Service. In particular, you are responsible for:

  • obtaining internal approvals where required (e.g., works council)
  • appropriate information and communication to Participants/Employees
  • selecting and maintaining recipient lists and the legality of imported/uploaded data
  • compliance with applicable laws and data protection requirements (including GDPR)

8. Privacy, roles, and DPA

For Employee Data, the Customer acts as data controller and AutoPhish processes such data as processor on behalf of the Customer.

The Service is subject to the Service Privacy Policy. In addition, a data processing agreement (DPA/AVV) applies. The DPA is part of the contractual relationship or is concluded separately. In case of conflict, the DPA prevails.

Data is generally processed within the EU/EEA unless explicitly agreed otherwise. Processing outside the EU/EEA will only take place with appropriate safeguards under the GDPR.

9. Plans, subscription, payment, and price changes

Access to the Service is provided on a subscription basis. Pricing, billing cycles, and payment methods are defined by the selected plan and/or your order. Failure to pay may result in suspension or termination of access.

We will announce price changes at least 3 months in advance (e.g., via email and/or in the Service). Price changes take effect thereafter. If you do not agree, you may terminate your subscription before the effective date (or by the end of the current billing period).

10. License, intellectual property, and reverse engineering

AutoPhish and/or its licensors retain all rights in and to the Service, including software, trademarks, designs, text, and other content.

We grant you a non-exclusive, non-transferable, revocable, time-limited license for the duration of the contract to use the Service solely for your internal business purposes (awareness/training and internal security testing) within the agreed scope.

To the extent permitted by law, you may not reverse engineer, decompile, or otherwise attempt to extract source code or underlying ideas.

11. Disclaimer of warranties

The Service is provided on an "as is" and "as available" basis. To the maximum extent permitted by Austrian law, we disclaim all warranties, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement.

Nothing in this section shall be construed to exclude or limit liability in a manner not permitted under applicable law, including in cases of gross negligence, willful misconduct, or personal injury.

12. Limitation of liability

To the maximum extent permitted by applicable Austrian law, AutoPhish's total aggregate liability for any claim arising out of or in connection with these Terms or the use of the Service shall not exceed the net fees paid by you for the Service in the six (6) months preceding the event giving rise to the claim.

AutoPhish shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits, business, data, or goodwill, arising from your use of or inability to use the Service.

AutoPhish shall not be liable for:

  • Employee confusion, distress, or reactions to simulated phishing emails
  • Disruptions to business operations caused by employee responses to simulations
  • Your failure to notify employees or obtain consent (where required)

Nothing in these Terms shall limit or exclude AutoPhish's liability for death or personal injury, for damages caused by gross negligence or willful misconduct, or for any other liability that cannot be excluded under applicable law, including mandatory liability under the GDPR.

13. Indemnity

You will indemnify and hold AutoPhish harmless from third-party claims arising out of (i) your unauthorized use of the Service (e.g., testing systems without rights), (ii) unlawful content or data you provide to the Service, or (iii) your violations of applicable law, to the extent you are responsible.

14. Term, termination, and refunds

The contract runs for the selected billing period and renews automatically for successive billing periods unless terminated in time.

You may terminate your subscription at any time with effect at the end of the current billing period. The right to terminate for cause remains unaffected.

Fees are generally non-refundable except where required by mandatory law. If AutoPhish terminates without cause, your access will remain available until the end of the current billing period (currently until the end of the month).

15. Data after termination

After termination, we will provide a data export option for Customer Data for 30 days upon request, to the extent technically feasible.

After this period, we will delete or anonymize Customer Data unless legal retention obligations apply. Backups are overwritten according to our backup cycle.

16. Changes to these Terms

We may change these Terms from time to time. We will communicate changes via email and/or in the Service and state an effective date.

You may object to changes within 30 days of notice. If you object, you may terminate the contract before the effective date; otherwise, continued use after the effective date constitutes acceptance.

17. Governing law and jurisdiction

These Terms are governed by the laws of Austria, excluding its conflict of law rules. Exclusive venue is Vienna, Austria, to the extent permitted.

18. Contact

If you have any questions about these Terms, please contact us at:

QADS e.U.
Email: support@autophish.io