General Terms and Conditions
Preamble
These General Terms and Conditions (GTC) govern the business relationship between MilesGuard GmbH (hereinafter "MilesGuard") and its clients. MilesGuard provides services in the areas of IT security, software development, web design and related IT services. Provisions that expressly refer to cybersecurity services (in particular Sections 6 and 7) apply only to those services.
Our GTC follow one principle: short, clear and fair. Detailed project agreements are recorded in the respective Statement of Work (SOW).
1. Scope and Contract Formation
These GTC apply to all services provided by MilesGuard, unless expressly deviating provisions are agreed in an individual contract or SOW. Deviating GTC of the client do not apply, even if MilesGuard does not expressly object to them.
A contract is formed by signature of a SOW by both parties or by written order confirmation from MilesGuard. The SOW defines the scope, timeline, deliverables and compensation of the respective engagement.
MilesGuard's cybersecurity services are subject, depending on the type of service, to the provisions of mandate law (Art. 394 et seq. CO) or contract for work and services (Art. 363 et seq. CO). The SOW specifies which contract type applies to the respective service.
2. Limitation of Liability
MilesGuard's total liability arising from an engagement is limited to the simple annual contract value of the respective SOW. This applies to all claims, regardless of legal basis.
MilesGuard is not liable for indirect damages, consequential damages, lost profits or data loss, to the extent permitted by law.
These limitations of liability do not apply in cases of intent or gross negligence (Art. 100 CO). Liability for personal injury also remains unrestricted.
3. Confidentiality
Both parties undertake to keep confidential information of the respective other party secret and to use it only for contract performance. This obligation applies indefinitely beyond contract termination.
Confidential information includes in particular: technical documentation, security reports, vulnerability analyses, trade secrets, client data and all information exchanged in the course of the collaboration that is not publicly accessible.
MilesGuard necessarily gains access to sensitive systems and data of the client in the course of security audits and penetration tests. Both parties acknowledge this special position of trust and treat all findings obtained with the utmost care.
4. Data Protection
MilesGuard processes personal data in accordance with the Swiss Federal Act on Data Protection (nDSG).
Insofar as MilesGuard processes personal data of the client in the course of service delivery, the parties shall conclude a separate data processing agreement (DPA) as an annex to the SOW. The DPA governs the nature, purpose and scope of data processing as well as the technical and organisational measures.
Details on data processing on this website can be found in our Privacy Policy.
5. Warranty and Scope of Services
MilesGuard provides its services with the diligence of a qualified provider in the field of cybersecurity. We employ recognised methods and current tools.
For services subject to mandate law (e.g. penetration tests, security consulting), MilesGuard owes diligent performance, but not a specific result. A penetration test cannot by its nature guarantee that all vulnerabilities of a system will be found.
Reports, documentation and other written deliverables constitute work products. MilesGuard warrants that these are professionally correct and complete within the agreed scope. The client reviews deliverables within 14 days of receipt and reports any defects in writing.
MilesGuard is not liable for damages arising from independent implementation of recommendations without consultation or from delayed measures on the client's part.
6. Security Testing and Rules of Engagement
For penetration tests, red team operations and attack simulations, the rules of engagement defined in the SOW apply additionally. The client authorises MilesGuard in writing to conduct the agreed tests on the defined target systems. This authorisation is a prerequisite for immunity from criminal liability for the tests (Art. 143bis SCC).
The client ensures that they are authorised to have tests conducted on the named systems. For third-party systems (e.g. cloud providers, hosting), the client obtains the required permission themselves.
The client acknowledges that security tests within the agreed scope may cause disruptions to system availability. MilesGuard is not liable for such disruptions, provided they occur within the framework of the agreed testing methodology.
7. Ongoing Services
CISO as a Service is a consulting service under mandate law (Art. 394 et seq. CO). The nature and scope of the role (advisory, operational or formally responsible) are defined in the SOW. Even when assuming a formal CISO role, the overall corporate responsibility for information security remains with the client. The client decides on budget, risk acceptance and implementation of recommendations.
The client indemnifies MilesGuard and its deployed personnel from personal liability, insofar as damages are not attributable to intent or gross negligence. Where a formal CISO role is assumed, the client undertakes to include the deployed person in their D&O insurance or ensure equivalent coverage.
The SOW governs at minimum: responsibility matrix (decision vs. advisory), reporting obligations (nDSG Art. 24, ISG Art. 74b), escalation paths and documentation requirements.
SIEM deployments and ongoing operations are governed by the SOW. Availability, response times and escalation paths are defined in a Service Level Agreement (SLA) as an annex to the SOW. SLAs govern at minimum: availability, response times, escalation paths and maintenance windows.
Training and workshops are mandate services. Training materials remain the property of MilesGuard, unless otherwise agreed in the SOW. The client receives a non-exclusive licence for internal use.
8. Client Cooperation Obligations
The client provides MilesGuard in a timely manner with all access, information and contact persons required for service delivery.
Delays attributable to insufficient client cooperation extend agreed deadlines accordingly. Additional effort due to insufficient cooperation is compensated on a time-and-materials basis.
9. Compensation and Payment
Compensation is based on the fixed price or time-and-materials rate agreed in the SOW. Expenses are listed separately and charged at actual cost.
Invoices are payable within 30 days of the invoice date. In the event of late payment, MilesGuard is entitled to charge default interest of 5% p.a. pursuant to Art. 104 CO.
For project engagements, MilesGuard may require an advance payment of up to 50% of the engagement value. For ongoing mandates (e.g. CISO as a Service, SIEM operation), the billing method is specified in the SOW.
10. Intellectual Property
Reports, documentation and project-specific results transfer to the client's ownership upon full payment.
MilesGuard's own tools, methods, frameworks and generic know-how remain the intellectual property of MilesGuard. The client receives no licence to internal tools.
For web design and development: individually created designs, content and code transfer to the client upon full payment. Pre-existing libraries, templates and reusable components remain with MilesGuard. The client receives a perpetual, non-exclusive licence for the agreed purpose. Open-source components are subject to their respective licences.
MilesGuard may name the client as a reference (company name and type of service). The client may object to reference naming in writing at any time.
11. Jurisdiction and Applicable Law
These GTC and all disputes arising from or in connection with them are subject exclusively to Swiss law, excluding conflict of laws provisions and the UN Convention on Contracts for the International Sale of Goods (CISG).
The exclusive place of jurisdiction for all disputes is St. Gallen, Switzerland. MilesGuard reserves the right to also sue the client at the client's domicile.
12. Termination
Mandates under mandate law may be terminated by either party at any time (Art. 404 CO). In this case, the client compensates MilesGuard for services rendered up to termination and any unavoidable expenses.
Contracts for work (e.g. ongoing report creation) may be terminated without notice by either party for good cause. Good cause includes in particular material breach of contract, payment default exceeding 30 days or insolvency of a party.
For ordinary termination of ongoing framework agreements, a notice period of 30 days to the end of the month applies, unless otherwise agreed in the SOW.
Final Provisions
Should any provision of these GTC be or become invalid, the validity of the remaining provisions shall not be affected. The invalid provision shall be replaced by a valid provision that most closely approximates the economic purpose.
Neither party shall be liable for delays or failures in performance due to force majeure (natural disasters, war, pandemics, government orders, large-scale cyberattacks on third parties).
MilesGuard is entitled to engage qualified third parties (specialists, experts) for service delivery. MilesGuard remains responsible to the client for the service. Third parties are subject to the same confidentiality obligations.
Amendments and supplements to these GTC require written form. MilesGuard may amend these GTC with 30 days' notice. For existing contracts, the GTC valid at the time of contract conclusion apply.
Contact
For questions about these GTC, please contact us:
MilesGuard GmbH
Bruggwiesenweg 18
9000 St. Gallen, Switzerland
CHE-200.049.697
Version: April 2026
