General Terms and Conditions

1.1 Scope

These General Terms and Conditions ("GTC") apply to all consulting, development, automation, training, and related services provided by Fognini Tech ("Provider", "we", "us"), unless a signed contract (e.g. Statement of Work (SOW), Master Services Agreement (MSA)) expressly provides otherwise.

1.2 Precedence

In the event of conflict, the following order of precedence applies: (1) signed SOW, (2) signed MSA, (3) these GTC, (4) other referenced documents. Individually negotiated terms prevail over these GTC in all cases.

1.3 Incorporation

These GTC are incorporated by signing a SOW, MSA, or proposal referencing them. Unusual terms or terms substantially deviating from statutory default rules (Ungewöhnlichkeitsregel) apply only insofar as they were brought to the Client's attention in a reasonable manner before contract formation.

1.4 Definitions

"Confidential Information" means all information designated as confidential by a party or that a reasonable person would understand to be confidential given its nature and the circumstances of disclosure, including technical, business, financial, and operational information.

"Deliverable" means any work product, software, documentation, or other material to be delivered by the Provider under a SOW.

"Intellectual Property" means patents, copyrights, trademarks, trade secrets, know-how, and all other intellectual property rights.

"Provider Materials" means tools, methodologies, templates, frameworks, and pre-existing materials owned by the Provider.

"Services" means the services described in a SOW or proposal.

"Trade Secrets" (Geschäftsgeheimnisse) means information qualifying for trade secret protection under Art. 6 UCA (Bundesgesetz gegen den unlauteren Wettbewerb, SR 241).

"Personal Data" (Personendaten) means any information relating to an identified or identifiable natural person (Art. 5(a) FADP (Datenschutzgesetz, SR 235.1)). Where the GDPR applies, this corresponds to "personal data" within the meaning of Art. 4(1) GDPR.

"Commissioned Data Processing" (Auftragsbearbeitung) means the processing of Personal Data by the Provider on behalf of the Client within the meaning of Art. 9 FADP and Art. 28 GDPR respectively.

We classify our services into the following categories, which determine the applicable warranty and liability regime. The classification is specified in each SOW.

(a) Technical Solutions (Work Contract / Werkvertrag): Software development, AI agents, technical systems, and other services with a defined, measurable technical deliverable. Governed by Art. 363–379 CO (Obligationenrecht, SR 220). The defect warranty provisions of Section 10 apply.

(b) Consulting and Project Services (Mandate / Auftrag): Consulting, strategy development, assessments, workshops, training delivery, coaching sessions, and comparable services in which the Provider contributes its professional expertise. Governed by Art. 394–406 CO. The defect warranty (Section 10.2) does not apply; the obligation is one of professional care (Sorgfaltspflicht) under Art. 398(2) CO. Specific competency improvements, implementation of recommendations, and measurable business outcomes are not owed results. Consulting and project services may be agreed on a time-and-materials or fixed-price basis. A fixed-price arrangement does not alter the contract classification, it is a remuneration model, not a work contract (Werkvertrag). The agreed work products (e.g. strategy documents, assessment reports, training materials) represent the documented service, not a "work" (Werk) within the meaning of Art. 363 CO.

(c) Mixed Services: Services combining elements of both categories. The applicable regime is determined per component in the SOW. Where the SOW does not specify, components with a defined technical deliverable (software, systems) are governed by the work contract provisions; all other components are governed by the mandate provisions.

Scope, deliverables, and timelines are set out in the applicable SOW. Changes to scope, timeline, assumptions, or dependencies require the written agreement of both parties by way of change request and may affect prices and timelines.

A deliverable from technical solutions (Section 2(a)) is deemed accepted at the earliest of: (i) written acceptance, (ii) ten (10) business days after delivery without a reasoned written rejection, or (iii) use in a production environment. The Client's right to notify defects not discoverable at the time of acceptance without delay upon discovery (Art. 370(3) CO) is reserved. For consulting and project services (Section 2(b)), the handover of work products constitutes confirmation of service delivery, not acceptance within the meaning of Art. 370 CO.

We deliver services with the professional care and diligence expected of a qualified professional (Art. 364(1) and Art. 398(2) CO respectively).

We design services with regard to relevant regulatory frameworks (including the EU AI Act, Cyber Resilience Act, GDPR/FADP, ISO/IEC 42001, NIST AI RMF). However, we are not a certified compliance auditor or legal adviser. Our services do not constitute legal advice, regulatory certification, or binding compliance opinions. The distinction between "designing with regard to regulatory requirements" (which we do) and "certifying compliance" (which we do not) is material. Formal compliance certification requires independent, qualified review by the Client. Compliance outcomes depend on factors outside our control, including the Client's own implementation, regulatory interpretation, and evolving legal requirements.

5.1 Fees

Fees are set out in the applicable SOW. Our standard rates are CHF 2,000 per day and CHF 250 per hour, unless otherwise agreed.

5.2 Payment Schedule

For fixed-price engagements, unless the SOW provides otherwise: 50% on engagement confirmation, 50% on acceptance or delivery. We are not obliged to commence services before the first instalment has been received.

5.3 Payment Terms

Invoices are payable within twenty (20) days net. Late payments incur default interest at 5% per annum under Art. 104(1) CO, plus reasonable collection costs.

5.4 Right to Withhold Performance

We may suspend services on fourteen (14) days' written notice if undisputed invoices remain unpaid for more than thirty (30) days (cf. Art. 82 CO, defence of non-performance (Einrede des nicht erfüllten Vertrages)). Suspension does not release the Client from the obligation to pay for services already rendered.

5.5 Set-Off

The Client may only set off undisputed or legally established counterclaims.

5.6 Value Added Tax

All amounts are exclusive of VAT. We are currently not registered for Swiss VAT. Should registration become required, VAT will be added from the registration date.

6.1 Pre-Existing Property

Each party retains its pre-existing intellectual property. Provider Materials remain our property.

6.2 Generic Work Products

Generic, reusable work products created during an engagement, including templates, methodologies, architecture patterns, and process descriptions without client-specific Confidential Information, become Provider Materials. The Client receives a non-exclusive, perpetual licence for its internal business purposes.

6.3 Client-Specific Work Products, Default Rule

Intellectual property in client-specific work products remains with the Provider unless an assignment is expressly agreed in the SOW. Where no assignment is agreed, the Client receives a non-exclusive, perpetual licence to use the client-specific work products for its internal business purposes. Where an assignment is agreed, the terms set out in the SOW apply, including scope, timing, and formal requirements. The assignment becomes effective only upon full payment. Provider Materials, third-party components, and generic components are excluded from any assignment; the Client receives a non-exclusive, perpetual licence for its internal business purposes in respect of such components.

6.4 AI-Assisted Work Products

Where work products are created using AI tools, the provisions of this Section apply regardless of whether and to what extent the outputs qualify for copyright protection. The parties agree that the contractual allocation of rights applies even where individual components of the work products do not attract copyright protection due to the absence of human creative authorship.

6.5 Pre-Contractual Work Products

Proposals, estimates, concepts, and pre-contractual work products remain the property of the Provider (cf. Art. 5 UCA). Their use by the Client without authorisation is not permitted.

7.1 Principle

Each party shall treat the other party's Confidential Information in strict confidence and use it solely for the engagement.

7.2 Exceptions

The confidentiality obligation does not apply to information that: (a) was publicly known at the time of disclosure or becomes publicly known without fault of the receiving party; (b) was demonstrably known to the receiving party before disclosure; (c) was lawfully received from a third party without confidentiality obligation; (d) was independently developed by the receiving party without using Confidential Information; or (e) must be disclosed by law, official order, or court order, in which case the disclosing party shall be notified in advance where possible.

7.3 Duration

Confidentiality obligations survive for five (5) years after termination of the engagement. For Trade Secrets, the obligations apply indefinitely for as long as trade secret protection under Art. 6 UCA persists.

8.1 Data Protection, General

Both parties shall comply with applicable data protection laws, in particular the Swiss Federal Act on Data Protection (FADP, SR 235.1) and, where applicable to the processing, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). Personal Data shall be collected only for specified purposes discernible to the data subject and processed only in a manner compatible with those purposes (Art. 6(3) FADP). Personal Data shall be destroyed or anonymised as soon as it is no longer required for the purpose of processing (Art. 6(4) FADP).

8.2 Commissioned Data Processing

Where we process Personal Data on behalf of the Client (Art. 9 FADP), the following principles apply:

(a) A data processing agreement meeting the requirements of Art. 9 FADP and, where applicable, Art. 28 GDPR shall be concluded before any processing of Personal Data begins.

(b) We process Personal Data exclusively in accordance with the Client's instructions and only in a manner in which the Client itself would be permitted to process the data (Art. 9(1)(a) FADP).

(c) We ensure that persons entrusted with the processing are bound by confidentiality.

(d) We transfer the processing to a third party only with the Client's prior consent (Art. 9(3) FADP; Art. 28(2) GDPR). The general provisions on the use of subcontractors (Section 13) apply in addition but do not replace the specific consent requirement for sub-processing of Personal Data.

(e) We support the Client in fulfilling its obligations towards data subjects (right of access Art. 25 FADP, right to data portability Art. 28 FADP; Art. 15–22 GDPR) to the extent reasonable.

(f) Upon completion of the commissioned processing, we return or delete Personal Data at the Client's election, unless a statutory retention obligation applies.

8.3 Data Classification

The Client must notify us in writing of the data classification (Personal Data, sensitive personal data within the meaning of Art. 5(c) FADP, regulated data, confidentiality level) before the engagement commences. Failure to do so releases the Provider from liability for damages arising from the application of a protection level not commensurate with the actual risk profile. The Provider's general data security obligation under Section 8.5 and Art. 8 FADP applies irrespective of the classification.

8.4 Use of AI Tools

We use only AI tools that meet recognised security standards (SOC 2 Type II, ISO/IEC 27001, ISO/IEC 42001, or equivalent), configured with data retention disabled and no model training on inputs (Art. 7 FADP, data protection by design and by default). The specific tools and permitted data uses are set out in the SOW.

Publicly available information and general project information may be processed without separate consent. Confidential Information requires SOW authorisation. Personal Data requires explicit SOW authorisation plus a data processing agreement.

8.5 Data Security

The Provider shall ensure appropriate data security through suitable technical and organisational measures for all processing of Personal Data, irrespective of the service category (Art. 8(1) and (2) FADP; Art. 32 GDPR). The measures take into account the nature and scope of the processing, the risk to data subjects, and the current state of the art.

For technical solutions, we additionally apply the OWASP Top 10 as a guidance framework, calibrated to the project risk profile. We do not store secrets in source code, encrypt data in transit (TLS/HTTPS), perform dependency checks for known vulnerabilities, and document all third-party components (Software Bill of Materials). Additional security measures may be agreed in the SOW.

8.6 Data Breach Notification

We notify the Client of data security breaches (Art. 5(h) FADP) affecting the Client's Personal Data as soon as possible after becoming aware of the breach (Art. 24(3) FADP). The notification includes at minimum the nature of the breach, the affected data categories, the measures taken or proposed, and a contact person for enquiries. The Client remains responsible for notification to the FDPIC (Art. 24(1) FADP) and informing data subjects (Art. 24(4) FADP). We support the Client in this to the extent reasonable.

8.7 Cross-Border Data Transfers

Where the Provider discloses Personal Data to countries for which no adequacy decision of the Federal Council exists (Art. 16(1) FADP), the Provider ensures that appropriate safeguards within the meaning of Art. 16(2) FADP are in place, in particular through standard data protection clauses or contractual data protection clauses. The sub-processors used and their locations are specified in the SOW or data processing agreement. For processing subject to the GDPR, the requirements of Art. 44–49 GDPR apply.

The Provider informs the Client of material changes to locations or sub-processors that result in cross-border data transfers.

8.8 Responsibility After Delivery

After acceptance and delivery, responsibility for secure operation lies with the Client, including patching, dependency updates, security monitoring, and access management. We may offer support as a separate service.

8.9 Data Retention and Deletion

After an engagement, we retain technical deliverables for a six-month support period to facilitate follow-up support and bug fixing. Personal Data is deleted or returned to the Client within thirty (30) days after termination of the engagement, unless a statutory retention obligation applies (Art. 6(4) FADP). Provider Materials containing no Personal Data are retained indefinitely. Records required by law (Art. 958f CO: 10 years) remain subject to continuing confidentiality. The Client may request early deletion or return of Personal Data at any time.

We may use AI development tools to enhance productivity. All AI-generated outputs undergo human review before delivery. We remain responsible for the quality of all deliverables under Section 10, regardless of AI tool usage.

The Client acknowledges that AI systems have inherent characteristics beyond our control, including probabilistic outputs, model changes by third-party providers, unforeseen behaviour on untested inputs, and performance variations due to data drift. We are not liable for damages arising from these inherent characteristics, provided we exercised professional care in creation and configuration.

10.1 Standard of Care

We deliver all services with the professional care and diligence expected of a qualified professional (Art. 364(1) CO for work contract services, Art. 398(2) CO for consulting and project services).

10.2 Technical Solutions

For technical solutions (Section 2(a)), the statutory defect rights under Art. 367–371 CO apply. Defects must be inspected and notified without delay after delivery (Art. 367 CO). Acceptance under Section 3 constitutes inspection within the meaning of Art. 370 CO. Additional warranty obligations or voluntary rectification periods may be agreed in the SOW.

10.3 Consulting and Project Services

For consulting and project services (Section 2(b)), we owe the duty of care under Art. 398(2) CO, but no specific result. Specific competency improvements, implementation of recommendations, and measurable business outcomes are not owed results.

10.4 General Disclaimer

Except as expressly provided in this Section, by law, or in the applicable SOW, we make no further warranties. In particular, we do not warrant that deliverables are error-free or will achieve specific business outcomes.

11.1 Exclusion of Indirect Damages

Neither party shall be liable for indirect, incidental, consequential, punitive, or special damages, including lost profits, revenue, data, or business opportunities, unless the damage was caused by wilful intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit).

11.2 Limitation of Liability

Our total liability for direct damages arising from an engagement is limited to the fees actually paid for the engagement in question.

11.3 Mandatory Liability

Nothing in these GTC limits or excludes liability for:

(a) death or personal injury caused by negligence;

(b) fraud or fraudulent misrepresentation;

(c) wilful intent or gross negligence under Art. 100(1) CO;

(d) any other liability that cannot be limited or excluded by law.

11.4 Limitation Periods

The statutory limitation periods (Art. 127 et seq. CO) apply without modification. Contractual shortening of limitation periods is excluded under Art. 129 CO.

The Client shall provide us with timely access to information, systems, and personnel, ensure that it has the rights to the data and materials provided, make timely decisions, and designate a contact person with decision-making authority.

The Client warrants that the use of the materials provided does not infringe third-party rights and shall indemnify us against third-party claims arising from a breach of this warranty, including reasonable legal costs. This indemnification obligation does not apply insofar as the third-party claim is attributable to wilful intent or gross negligence on the part of the Provider (Art. 100(1) CO).

We may engage vetted subcontractors under equivalent confidentiality and quality obligations and shall inform the Client of the use of material subcontractors. For consulting and project services (Section 2(b)) where the Client demonstrably expects personal performance by the principal, the engagement of subcontractors for substantive advisory services requires the Client's prior consent.

We remain liable to the Client for the performance of subcontractors under Art. 101 CO.

14.1 Termination for Material Breach

Either party may terminate for material breach that is not remedied within fourteen (14) days of written notice.

14.2 Termination of Consulting and Project Services (Mandate)

For consulting and project services (Section 2(b)), either party may terminate at any time (Art. 404(1) CO). Termination at an inopportune juncture (zur Unzeit) obliges the terminating party to compensate the other for resulting damage (Art. 404(2) CO), including non-recoverable costs, subcontractor commitments, and demonstrable lost revenue from declined alternative engagements.

14.3 Termination of Technical Solutions (Work Contract)

(a) By the Client: The Client may terminate technical solutions (Section 2(a)) at any time against payment for work already performed and full indemnification of the Provider (Art. 377 CO).

(b) By the Provider: The Provider may terminate technical solutions on thirty (30) days' written notice. Where the Provider terminates without good cause, the Client is entitled to compensation for damages arising from non-performance.

14.4 Termination of Mixed Services

For mixed services (Section 2(c)), the applicable termination provisions apply per component in accordance with the classification in the SOW.

14.5 Effect of Termination

On termination, the Client shall pay for services rendered and expenses incurred. The Provider shall prepare a statement within fourteen (14) days of termination covering services rendered up to the termination date and expenses properly incurred in the execution of the engagement (Art. 402(1) CO; for work contract services Art. 377 CO), including non-refundable third-party costs (AI usage costs, project-specific tool licences, subcontractor commitments). Advance payments are set off against these claims. Any surplus is refunded within thirty (30) days. Where the claims exceed the advance payment, the balance is payable within thirty (30) days.

Each party shall return or destroy the other party's Confidential Information on request. The Provider shall deliver to the Client all paid work products, including work in progress, to the extent paid for.

14.6 Survival

The following provisions survive termination: Section 5 (outstanding fees), 6 (Intellectual Property), 7 (Confidentiality), 8.9 (Data Retention and Deletion), 10–11 (Warranty and Liability), 16 (Non-Solicitation), 17 (Dispute Resolution and Governing Law).

15.1 Handover on Incapacity

In the event of permanent incapacity, loss of capacity to act, or death of the principal (Art. 405(1) CO for mandate services, Art. 379 CO for work contract services), the principal's representative or heir shall ensure orderly handover of ongoing engagements, including access to systems, deliverables, and documentation, within thirty (30) days. The statutory duty to continue business where the Client's interests are at risk (Art. 405(2) CO) is reserved. The Client may in such case terminate the engagement without liability and against payment for services rendered.

15.2 Organisational Measures

The Provider maintains appropriate business continuity measures, including documented processes, accessible code repositories, and project documentation.

During an engagement and for twelve (12) months thereafter, neither party shall directly solicit employees of the other party who were materially involved in the engagement. This prohibition does not apply to hiring through general job postings not specifically targeting the other party's employees.

17.1 Negotiation

Before initiating legal proceedings, the parties undertake to seek resolution through direct negotiation at management level within thirty (30) days.

17.2 Governing Law

These GTC are governed exclusively by the substantive law of Switzerland, excluding conflict of laws rules (PILA / IPRG).

17.3 Jurisdiction

The exclusive place of jurisdiction is Kreuzlingen, Canton of Thurgau, Switzerland, unless mandatory law prescribes a different jurisdiction.

17.4 Language

These GTC are drafted in the German language. The German version is authoritative.

18.1 Relief from Liability

Neither party shall be liable for non-performance or delay caused by events beyond reasonable control, including natural disasters, war, government action, failures of essential hosting infrastructure, and cyber-attacks.

18.2 Exceptions

Force majeure does not include: (a) failures of AI tools or productivity software for which alternatives exist; (b) financial difficulties or insolvency; (c) labour disputes affecting only the affected party.

18.3 Obligations of the Affected Party

The affected party shall notify the other party in writing without delay, take reasonable measures to mitigate damage, and resume performance without delay once the impediment ceases.

18.4 Extended Events

If a force majeure event continues for more than sixty (60) days, either party may terminate the affected engagement without liability, against payment for services rendered to date.

19.1 Assignment by the Client

The Client may not assign or transfer its rights and obligations under these GTC without the Provider's prior written consent.

19.2 Assignment of Claims

The assignment of claims under Art. 164 CO is reserved for both parties. Assignment requires written form (Art. 165 CO).

19.3 Transfer to Successor Entity

The transfer of the contractual position to a successor entity (e.g. on change of legal form) requires the Client's written consent.

20.1 General

These GTC and related documents may be executed electronically.

20.2 Signature Types

We accept:

(a) Qualified electronic signatures (ZertES), which are equivalent to handwritten signatures under Art. 14(2bis) CO;

(b) Advanced electronic signatures (e.g. DocuSign, Adobe Sign, PandaDoc);

(c) Written email confirmation from a contractually agreed email address for engagements that do not require written form.

For agreements that require written form by law (in particular IP assignments in the SOW), a qualified or advanced electronic signature or handwritten signature is required as a minimum.

20.3 Counterparts

Documents may be executed in multiple counterparts, each of which shall constitute an original.

Should any provision of these GTC be or become wholly or partially invalid or unenforceable, the remaining provisions shall remain in full force and effect (Art. 20(2) CO). The invalid provision shall be replaced by a valid provision that most closely approximates the economic purpose of the invalid provision. This applies in particular to provisions that contravene mandatory law, the mandatory statutory rule takes their place.

Amendments and supplements to these GTC require written form. This also applies to a waiver of this written form requirement.

These GTC, together with the applicable SOW, MSA (where applicable), and any data processing agreements, constitute the entire agreement between the parties regarding the engagement. They supersede all prior oral or written arrangements, representations, and agreements on the same subject matter.

For questions about these GTC, please visit https://www.fognini.tech/contact.