Terms and Conditions

Gosign GmbH – AI Infrastructure, Agent Engineering & Software Development
Version 2.0 – 25 October 2025

This is a courtesy translation of the German original. The legally binding version is available at gosign.de/de/agb/. In case of discrepancies, the German version shall prevail.

↓ Download as PDF (German original)

1. Scope and Subject Matter

These General Terms and Conditions (GTC) apply to all contracts between Gosign GmbH (hereinafter "Gosign") and its clients for the following service areas:

AI Enterprise Infrastructure & Agent Engineering: Services related to artificial intelligence in enterprise environments, including planning and implementation of AI infrastructure, development of AI agents, integration of AI models, self-hosting solutions, FinOps strategies for optimising AI workloads, and related consulting and development services.

Decision Layer & Governance Architecture: Development and implementation of a governance and control layer (Decision Layer) between AI agents and enterprise target systems, including rule-based decision routing, Audit Trail documentation, Human-in-the-Loop architecture and automated compliance evidence generation (Cert-Ready).

Software Development: Development of individual software solutions, web applications and integrations, including with the use of open-source frameworks and libraries. This encompasses conception, design, development, customisation, integration and documentation.

Hosting and Operations (optional): Optional hosting services and operational support offered by Gosign. Solutions developed by Gosign are designed to operate in the client's own infrastructure as the standard model. Hosting by Gosign is an additional service agreed upon separately.

Enablement and Knowledge Transfer: Gosign aims to enable the client to independently operate and further develop the delivered solutions. Where agreed, the scope of services includes training, documentation and a structured knowledge transfer designed to systematically reduce the client's dependency on Gosign.

Delimitation: Gosign provides technical services. Solutions developed by Gosign do not replace legal, tax or HR professional advice. Professional final decisions remain with the client. The client's systems (e.g. SAP, Workday, SuccessFactors, DATEV) remain the System of Record; Gosign solutions integrate with these systems but do not replace them.

Client base: These GTC are directed exclusively at entrepreneurs within the meaning of §14 BGB (German Civil Code). They apply directly to clients based in the EU/EEA. For clients outside the EU/EEA, they apply where the applicability of German law has been agreed. Gosign does not enter into contracts with consumers.

Individual agreements and SLAs take precedence over these GTC. Deviating conditions of the client do not apply unless Gosign has expressly agreed to them in writing.

2. Definitions

The following terms are used in these GTC as defined below:

"Agent" means a software component that, based on AI models and rule sets, automatically executes or prepares tasks on behalf of the client (e.g. Document Agent, Workflow Agent, Knowledge Agent).

"Decision Layer" means the governance and control layer developed by Gosign that decomposes business processes into individual decision steps and determines for each step whether a human decides, a rule set applies, or the AI acts autonomously.

"Decision Record" means the automatic, immutable documentation of an individual decision within the Decision Layer, consisting of input data, applied rule/model version, confidence score, decision path and result.

"Human-in-the-Loop" means an architectural principle whereby certain decisions require human approval before execution. The classification of which decisions require human approval is determined jointly with the client during the project.

"Control" means a technically implemented verification rule that ensures a specific compliance or governance standard is met (e.g. "No salary decision without four-eyes principle").

"Evidence" means an automatically generated proof that a Control was fulfilled at a specific point in time.

"Audit Trail" means the complete, chronological record of all Decision Records and events in the system.

"Auditor Portal" means a web-based interface through which authorised auditors (internal or external) can view the live status of all Controls and Evidence.

"Cert-Ready" means the property of a system architecture meeting the technical prerequisites for industry-standard certifications (e.g. ISO 27001, SOC 2, IDW PS 951) – without thereby owing or guaranteeing a certification itself.

"Source Code Transfer" means the transfer of exclusive usage rights to the software components individually developed for the client, including source code, prompts, rule sets, configurations and documentation.

"System of Record" means the client's authoritative system for master and transactional data (e.g. SAP, Workday, SuccessFactors, DATEV). Gosign solutions integrate with the System of Record but do not replace it.

3. Formation of Contract

Offers and orders: The presentation of services by Gosign does not constitute a binding contractual offer. A contract is formed through the client's order and acceptance by Gosign within 14 calendar days.

A contract is only concluded when Gosign confirms the order in text form or begins performance.

Framework agreement and project phases: The contract may be concluded as a framework agreement with individually commissioned project phases. Each phase can be commissioned separately, without obligation to commission subsequent phases.

Contract types per phase: Discovery phases (analysis, consulting, process mapping) are performed as service contracts (Dienstvertrag); the obligation is to provide the consulting service, not to achieve a specific result. Build phases (development, implementation, Proof of Concept) are performed as contracts for work (Werkvertrag) with acceptance, unless agreed otherwise. Scale and support phases are performed as service contracts; optional Service Level Agreements (SLAs) apply additionally.

Contracts may be concluded in writing, electronically or in text form. Gosign retains the contract text and these GTC.

4. Services by Gosign

Gosign performs the contractually agreed services professionally and with the diligence of a prudent businessman. Gosign is entitled to employ qualified staff, vicarious agents or subcontractors.

Place of performance: Services are generally provided remotely. Gosign deploys staff at various locations and ensures compliance with agreed security and data protection standards regardless of location. On-site deployments are agreed separately.

Project coordination: Both parties appoint contact persons. Gosign provides regular updates on project progress.

Deadlines: Deadlines are only binding if expressly agreed as such. Delays not attributable to Gosign extend deadlines accordingly.

Change requests: Changes to the scope of services require a written agreement on additional costs and timelines.

Proof of Concept (PoC): Where a PoC is agreed, the success criteria defined in the proposal apply. A PoC serves to validate technical feasibility. Work products created during the PoC transfer to the client upon full payment, unless agreed otherwise.

Partial deliveries: Gosign is entitled to provide reasonable partial deliveries.

Acceptance of Work

The client reviews work deliverables within 14 calendar days and either declares acceptance or reports defects. Without response, the deliverable is deemed accepted, provided the client was informed of this consequence. Minor defects do not entitle the client to refuse acceptance.

5. Client Obligations

The client provides all required documents, information, data and access credentials in a timely manner.

The client appoints a qualified contact person with decision-making authority.

Technical infrastructure: Where services are performed on the client's systems, the client provides the infrastructure. Gosign advises on system requirements.

Testing and acceptance: The client participates actively, documents errors and does not unreasonably delay approvals.

Maintenance and data backup: The client independently and promptly installs security updates unless a maintenance contract with Gosign is in place. Regular backups are the client's responsibility.

Lawfulness: The client is responsible for the lawfulness of all content and data provided and indemnifies Gosign against third-party claims.

Delays and additional effort resulting from breach of client obligations are at the client's expense.

6. Special Provisions for AI Infrastructure & Agent Engineering

6.1 Scope of Services

The scope of services is defined in the proposal and may include: integration and customisation of AI models, development of AI agents, implementation of the Decision Layer, AI infrastructure consulting, FinOps, security and compliance concepts, training.

6.2 Three-Tier Architecture and Responsibilities

AI solutions developed by Gosign distinguish three processing tiers with different responsibilities:

(a) Analysis (AI model): The language model analyses data and generates suggestions. AI models produce probabilistic results; Gosign owes the proper integration and configuration of the model, not the substantive accuracy of every individual output.

(b) Decision (Decision Layer): The Decision Layer applies defined rule sets, thresholds and approval processes to the analysis results. Gosign owes the correct implementation of the agreed decision logic. Errors in rule implementation are software defects subject to warranty.

(c) Execution (integration/tool): Results are transmitted to the client's target systems (e.g. SAP, DATEV, Workday). Gosign owes correct technical integration. Errors in the client's target system are the client's responsibility.

6.3 Human-in-the-Loop

For decisions classified as high-risk (in particular personnel decisions, salary decisions, decisions subject to co-determination), Human-in-the-Loop is the default unless expressly agreed otherwise. The classification of which decisions require human approval is determined jointly and configured in the Decision Layer. The client remains responsible for professional final decisions.

6.4 Model-Agnostic Approach

Gosign deploys AI models from various providers (model-agnostic approach). Selection is made in consultation with the client. Gosign informs the client of planned model changes. Should a provider discontinue its service, Gosign will promptly propose an equivalent alternative. Gosign is not liable for the availability or discontinuation of third-party services.

6.5 Bias Monitoring

Where agreed, Gosign implements mechanisms for detecting and documenting systematic biases (Bias Monitoring). Ongoing review during operation is the client's responsibility unless a maintenance contract is in place.

6.6 Use of Data for AI

The client remains the owner and controller of all data provided to Gosign. Gosign uses such data exclusively for contract fulfilment. The client ensures it holds the necessary rights.

6.7 FinOps and Usage-Based Costs

Usage-based third-party costs (API fees, GPU compute time) are borne by the client unless agreed otherwise. Gosign provides advance information on cost structures and transparent usage reports.

6.8 Regulatory Requirements

Gosign addresses the requirements of Regulation (EU) 2024/1689 (EU AI Act) as technical architectural principles (Readiness). The legal compliance assessment for the specific deployment context lies with the client and its legal advisors. Gosign supports the client in implementing regulatory requirements where commissioned to do so.

6.9 Indemnity

Use of the AI systems is the client's own responsibility. The client indemnifies Gosign against third-party claims arising from misuse or unlawful use.

7. Usage Rights, Intellectual Property and Source Code Transfer

7.1 Source Code Transfer (Standard Model for AI Projects)

Where a Source Code Transfer is agreed in the proposal, Gosign transfers to the client upon full payment an exclusive, perpetual, geographically unrestricted and transferable right of use to the following work products:

(a) Source code (repository including version history)

(b) Prompts and prompt templates

(d) Configurations (workflows, policies, schemas, routing rules)

(e) Technical documentation

The right of use includes the right to modify, further develop and redistribute.

7.2 Reusable Components

Gosign retains a simple, non-exclusive right of use to generic, reusable modules, libraries and frameworks that are not client-specific and contain no client trade secrets. Gosign may use these components in other projects.

7.3 Limited Usage Right (Alternative)

Where no Source Code Transfer is agreed, the client receives a permanent, geographically unrestricted right of use limited to the contractual purpose. Transfer to third parties requires Gosign's consent.

7.4 Open-Source Components

Gosign uses open-source software where possible. The client's rights to open-source components are governed by the respective licence terms (e.g. MIT, Apache, GPL). Gosign provides the client with an overview of open-source components used and their licences. The client undertakes to comply with these licence terms. Where custom code builds on open-source components and may therefore be subject to their licence terms, Gosign will inform the client accordingly.

7.5 No Ongoing Licence Fees

Unless expressly agreed otherwise, no ongoing licence fees or usage-based charges to Gosign apply for software components developed and delivered to the client within the project.

7.6 Handover

Handover of work products (including source code repository, documentation, configurations) takes place no later than acceptance of the final project phase and full payment. Gosign will actively support the handover and grant the client full access.

8. Hosting and Operations

Solutions developed by Gosign are designed to operate in the client's infrastructure. Hosting by Gosign is an optional additional service. Where the client uses hosting, the following conditions apply:

Managed Services in client infrastructure: Where Gosign operates the solution in the client's cloud environment, the hosting provisions apply analogously. Responsibility for the base infrastructure remains with the client. Gosign is responsible for the application layer.

Data centre: Hosting takes place in Germany or the EU unless agreed otherwise. Client preferences must be communicated at the time of contract conclusion.

Availability: Without an SLA, no guarantee of minimum availability. Gosign strives for high availability.

Maintenance windows: Planned maintenance outside business hours with advance notice.

Data backup: Daily backup with 7-day rolling retention, unless agreed otherwise.

Transition and exit: Following termination of hosting services, Gosign supports the client for up to 90 days with migration (transition). Transition is charged on a time-and-materials basis. All client data is fully exportable in standard formats.

9. Security, Maintenance and Updates

Mandatory security updates: Gosign may install security-relevant updates without prior client consent where delay would jeopardise security. The client is informed afterwards.

Duty of tolerance: The client may not refuse security updates. System security and integrity take precedence.

Refusal: Where a security measure is refused, Gosign may suspend services. Client claims for resulting damages are excluded.

Optional updates: Non-security updates only by agreement.

Penetration testing: The client may conduct security audits or penetration tests with 14 calendar days' advance notice, provided confidentiality is ensured. Details may be governed by an SLA.

Incident response: In the event of a security incident affecting the availability, integrity or confidentiality of client data or systems, Gosign will inform the client without undue delay, no later than 24 hours after becoming aware, and will take immediate containment measures. The initial notification and immediate measures are part of the contractual service. Further services (in particular forensic analysis, root cause determination and preparation of a detailed incident report) are charged on a time-and-materials basis, unless the incident is attributable to Gosign. Where Gosign is responsible for the incident, all analysis and remediation measures are provided to the client free of charge.

10. Remuneration and Payment Terms

Prices are as stated in the proposal, plus applicable VAT.

Billing on a time-and-materials or fixed-price basis as agreed.

Ancillary and travel costs only upon prior agreement.

Payment term: 14 calendar days unless otherwise agreed. Individual payment terms may be agreed. Default interest: 9 percentage points above the base rate (§288 para. 2 BGB).

Milestone payments for longer projects as per the milestone plan.

Set-off only with undisputed or legally established counterclaims.

11. Liability

Unlimited: For intent, gross negligence, injury to life/body/health, guarantee, product liability.

Cardinal obligations: For slight negligence, limited to the typically foreseeable damage.

Liability cap: Gosign's liability for damages from breach of cardinal obligations is limited per incident to the net remuneration agreed in the affected individual contract. Gosign's total liability under a contractual relationship is limited to twice the annual net remuneration. Different liability caps may be agreed in individual contracts.

Indirect damages, consequential damages and lost profits: Excluded except for intent, gross negligence or breach of cardinal obligations.

Data loss: Liability only for restoration effort from the client's proper backups.

AI outputs: No liability for decisions based on AI outputs, provided Gosign has not breached cardinal obligations (see §6.2).

Insurance: Gosign maintains customary professional and business liability insurance. Proof available on request.

Limitation: Two years; not applicable for intent, gross negligence or personal injury.

12. Defect Claims (Warranty)

Warranty period: 12 months from acceptance for defects in quality and title.

Defects must be reported in text form without undue delay. Remediation through repair or replacement.

Failure after two attempts: Reduction or rescission.

No warranty for insignificant deviations or disruptions caused by the client.

Errors in open-source or third-party software do not constitute a defect in Gosign's services, provided correctly integrated.

For ongoing service relationships: Statutory provisions for service/lease agreements apply.

13. Data Protection and Data Processing

Both parties comply with the GDPR (DSGVO), the German Federal Data Protection Act (BDSG) and other applicable data protection laws.

Where the client processes data subject to the Brazilian LGPD or other international data protection laws, Gosign supports compliance.

Gosign acts as data processor (Art. 28 GDPR). The parties will conclude a data processing agreement (DPA).

Gosign also accepts DPAs provided by the client, provided they comply with the GDPR.

Gosign implements appropriate technical and organisational measures (Art. 32 GDPR).

Sub-processors with general consent, provided contractually bound to an equivalent level of data protection.

Data Residency: Upon request, contractual assurance that data processing takes place exclusively in Germany or a specified EU/EEA member state. For AI API calls to third countries, advance notification and – where technically feasible – European endpoints.

In case of data breaches: Immediate notification and cooperation on reporting obligations.

14. Confidentiality

Both parties treat confidential information in strict confidence.

Exceptions: Publicly known, previously known, independently developed, statutory disclosure obligation.

Disclosure: Need-to-know only, to staff bound by confidentiality obligations.

Duration: 5 years after contract termination.

Return and destruction: Upon request, no later than contract termination.

Reference use: Gosign may use the client's name and logo as a reference only with the client's prior written consent.

15. Contract Duration and Termination

15.1 Project contracts end upon acceptance of the final deliverable and full payment.

15.2 Ongoing service relationships: Minimum term of 12 months. Thereafter, automatic renewal for 12-month periods, terminable with 3 months' notice to the end of the current term.

15.3 Extraordinary termination for: (a) material breach of obligation after a 30-day cure period; (b) insolvency; (c) persistent refusal of updates (§9); (d) unlawful system use.

15.4 Consequences of termination: Return/deletion of all client data. Transition per §8. Acquired usage rights survive after full payment.

16. Compliance, Certifications and Co-Determination

16.1 Cert-Ready: Gosign designs its solutions to meet the technical prerequisites for industry-standard certifications (Cert-Ready by Design). Specifically: Controls are implemented as first-class data objects, Evidence is generated automatically, the Audit Trail is complete and exportable, and access via an Auditor Portal is provided. Obtaining a specific certificate is not an owed deliverable and requires a separate agreement between client, auditor and Gosign.

16.2 Works council and co-determination: Where AI solutions are deployed in areas subject to co-determination under German law (§87 para. 1 no. 6 BetrVG – the German Works Constitution Act grants works councils co-determination rights regarding technical systems that monitor employee behaviour or performance), Gosign supports the preparation of documentation and information materials for the works council (Betriebsrat). The formal involvement of the works council and the conclusion of works agreements (Betriebsvereinbarungen) are the client's responsibility. The Decision Layer architecture is designed to implement works agreements as configurable, technically enforceable rules.

16.3 Sanctions compliance: Gosign confirms that it maintains no business relationships with sanctioned persons, entities or states.

16.4 Sustainability: Gosign considers energy efficiency in infrastructure selection. Information available on request.

17. Export Control

The client complies with export and sanctions regulations. Gosign flags export-controlled components. Performance is subject to the proviso that no legal obstacles exist.

18. Force Majeure

No liability for non-performance due to force majeure (natural disasters, war, pandemics, industrial action, government measures, large-scale infrastructure failures). Immediate notification required. Deadlines extend accordingly. Right of withdrawal after 3 months.

19. Final Provisions

Governing law: German law, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

Court of jurisdiction: Hamburg, Germany (for merchants and legal entities).

Contract language: German. English versions serve international cooperation; in case of doubt, the German version prevails.

Versioning: These GTC carry a version number and date. The current version is available at gosign.de/de/agb/.

Amendments in text form. GTC amendments with 6 weeks' advance notice; objection period 4 weeks.

Assignment only with written consent.

Severability clause. Precedence of individual agreements.