Terms of Service

1.1 These Terms of Service apply to all services provided by QRTrust (Sebastian Drabent, hereinafter "Provider") through the websites qrtrust.de, qrtrust.eu, qrtrust.at, qrtrust.ch, and qrtrust.nl as well as associated applications and APIs (hereinafter "Services"). 1.2 The Services are available to both consumers and businesses. For businesses, the special provisions in Section 11 apply additionally. 1.3 The Services constitute exclusively an INFORMATION SERVICE. The Provider does NOT provide consulting services in the sense of IT security consulting, legal advice, or other professional advice. The information provided serves only as non-binding guidance. 1.4 Any deviating, conflicting, or supplementary terms and conditions of the user shall only become part of the contract if and to the extent that the Provider has expressly agreed to their validity in writing.

2.1 QRTrust provides an automated information service that, upon user request, retrieves and displays data from publicly accessible sources and third-party databases. 2.2 The Services may include the following functions, subject to availability: • Querying URLs against public phishing and malware databases • Displaying domain information from public sources • Automated evaluation and display of retrieved data • Storage of document metadata for document verification • Interfaces (APIs) for automated queries 2.3 IMPORTANT CLARIFICATION: The displayed results are NOT security assessments, recommendations, or evaluations by the Provider, but merely an automated display of third-party data. The Provider does NOT provide any own assessment of the safety or danger of URLs. 2.4 Functions marked as "BETA", "EXPERIMENTAL", or "AI-powered" are in the development phase. For these functions, the Provider assumes no warranty for functionality, availability, or result quality. 2.5 The Provider does not owe any specific success. In particular, the Provider does NOT owe the detection of threats, the prevention of damages, or the accuracy of the displayed information.

3.1 FUNDAMENTAL DISCLAIMER: All information, data, analyses, and displays provided through the Services are provided "AS IS" and "AS AVAILABLE" without any warranty. 3.2 The Provider expressly assumes NO warranty for: • The accuracy, completeness, timeliness, or reliability of the displayed information • The detection of threats of any kind • The absence of erroneous or misleading information • The availability, functionality, or error-free operation of the Services • The suitability of the Services for a particular purpose • Compatibility with user systems 3.3 The user acknowledges that: • The Services technically cannot provide complete security • Malware and phishing sites may not be detected • Legitimate websites may be incorrectly classified as dangerous • Third-party data sources may contain errors • Time delays between the occurrence of a threat and its capture in databases are unavoidable 3.4 Use of the Services and the displayed information is exclusively at the user's own risk. The user is solely responsible for all decisions made based on the Services.

4.1 UNLIMITED LIABILITY: The Provider is liable without limitation only: a) for intent and gross negligence, b) for damages resulting from injury to life, body, or health, c) under the provisions of the Product Liability Act, d) within the scope of a guarantee expressly and in writing assumed by the Provider. 4.2 LIMITED LIABILITY FOR CARDINAL OBLIGATIONS: In case of simple negligent breach of obligations whose fulfillment enables the proper execution of the contract and on whose compliance the user may regularly rely (cardinal obligations), the Provider's liability is limited to compensation for the foreseeable, typically occurring damage. 4.3 EXCLUSION OF LIABILITY: Otherwise, the Provider's liability – regardless of legal grounds – is excluded. This applies in particular to: a) Damages from undetected or untimely detected threats (phishing, malware, fraud, etc.) b) Damages from erroneous or misleading information from third-party sources c) Damages from false alarms (false positives) d) Damages from unavailability or malfunction of the Services e) Lost profits, lost savings, and indirect damages f) Damages from data loss g) Damages from acts or omissions of third parties h) Damages from force majeure, cyberattacks on the Provider, technical failures, or governmental measures i) Damages arising from non-compliance with user obligations 4.4 LIABILITY CAP FOR BUSINESSES: The Provider's total liability towards businesses for all damages arising from or in connection with the contractual relationship – except in cases under 4.1 – is limited to EUR 1,000.00 (one thousand euros), but in any case not more than the fees paid by the user in the last 12 months. 4.5 The above limitations and exclusions of liability apply equally to the personal liability of the Provider's legal representatives, employees, and vicarious agents.

5.1 The user is obligated to: a) Use the Services only for lawful purposes b) Not engage in abusive, excessive, or automated use without an API license c) Not use the Services to circumvent security measures d) Not provide false, misleading, or unlawful information e) Keep access credentials confidential 5.2 DUTIES (Cooperation Obligations): a) The user must critically review and verify information received through the Services through own measures b) The user must NOT use the Services as the sole basis for security-relevant decisions c) The user must maintain appropriate own security measures (antivirus, firewalls, backups, etc.) d) The user must minimize damages that may arise from use of the Services through appropriate measures (duty to mitigate damages) 5.3 CONTRIBUTORY NEGLIGENCE: If the user breaches the above duties, any contributory negligence of the user shall be taken into account in accordance with applicable law when calculating damages. Breach of material duties may lead to complete exclusion of liability. 5.4 In case of violations of these obligations, the Provider reserves the right to restrict or block access to the Services immediately and without prior notice.

6.1 The user shall indemnify and hold harmless the Provider, its legal representatives, employees, and vicarious agents from all third-party claims arising from: a) unlawful use of the Services by the user, b) infringement of third-party rights by the user, c) unlawful content processed by the user through the Services, d) violations of these Terms by the user. The indemnification includes reimbursement of reasonable legal defense costs incurred by the Provider. 6.2 The indemnification obligation does not apply to the extent that the user is not responsible for the legal violation.

7.1 The Services use and aggregate data from external sources, in particular: • PhishTank and comparable phishing databases • Google Safe Browsing API • Public domain information services • Certificate Transparency Logs • Other publicly accessible security databases 7.2 The Provider has NO influence on the accuracy, completeness, timeliness, or availability of data provided by third parties. The display of this data is without any warranty and without verification by the Provider. 7.3 The URLs retrieved through the Services and their content are third-party content. The Provider: a) does not adopt these contents as its own, b) assumes no responsibility for their legality or accuracy, c) is not liable for damages arising from access to these contents. 7.4 The Provider is not obligated to verify third-party data for accuracy or to conduct own research. 7.5 In case of failure or changes to third-party services, the Provider may restrict the functionality of its own Services without prior notice.

8.1 The document verification services enable registered organizations to register documents and make their authenticity verifiable via QR codes. 8.2 LIMITED STATEMENT: Verification only confirms that a document with certain metadata was registered by a specific organization through QRTrust. Verification does NOT confirm: a) the substantive accuracy of the document, b) the legality of the document, c) the identity or legitimacy of the registering organization, d) the authenticity of signatures or seals. 8.3 The Provider does NOT verify the authorization of organizations to issue certain documents and is not liable for misuse of the Services by registered organizations. 8.4 The registering organization is solely responsible for the accuracy of the deposited document information.

9.1 The processing of personal data is carried out exclusively in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). 9.2 Details on data processing can be found in our Privacy Policy at qrtrust.de/privacy. 9.3 The user is responsible for ensuring that no personal data of third parties is processed through the Services without their consent.

10.1 The Provider endeavors to ensure high availability of the Services but does not owe any specific availability or uninterrupted operation. 10.2 The Provider is entitled to change, restrict, or discontinue the Services at any time without prior notice. For paid services, appropriate advance notice will be given. 10.3 There is no liability for interruptions due to maintenance work, updates, or security-related interruptions.

11.1 For businesses, the following provisions apply additionally: 11.2 LIABILITY CAP: The Provider's total liability is limited to EUR 1,000.00 (see 4.4). 11.3 LIMITATION PERIOD: Claims against the Provider shall – to the extent legally permissible – become time-barred one year after knowledge, but no later than two years after the claim arose. This does not apply to claims arising from intentional or grossly negligent conduct or claims for injury to life, body, or health. 11.4 BURDEN OF PROOF: The business bears the burden of proving that damage is based on a defect in the Services and that the Provider is responsible for this. 11.5 JURISDICTION: The exclusive place of jurisdiction for all disputes arising from or in connection with these Terms is Dortmund, Germany.

12.1 The Provider reserves the right to change these Terms at any time with effect for the future. 12.2 Changes will be published on the website. In case of material changes, registered users will be notified by email at least 4 weeks before the changes take effect. 12.3 If a user does not object to the changes in text form within 4 weeks of receipt of the change notification, the amended Terms shall be deemed approved. This legal consequence will be specifically noted in the change notification. 12.4 In case of objection, the Provider may terminate the contractual relationship at the time the changes take effect.

13.1 APPLICABLE LAW: The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG). For consumers, this choice of law only applies to the extent that it does not deprive the consumer of the protection afforded by mandatory provisions of the law of their country of residence. 13.2 JURISDICTION FOR CONSUMERS: For claims against the Provider, consumers may choose the court at the Provider's registered office or at their own domicile. 13.3 ONLINE DISPUTE RESOLUTION: The European Commission provides a platform for online dispute resolution (ODR): https://ec.europa.eu/consumers/odr. The Provider is neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board. 13.4 SEVERABILITY CLAUSE: Should individual provisions of these Terms be or become invalid, this shall not affect the validity of the remaining provisions. Instead of the invalid provision, the valid provision that comes closest to the economic purpose of the invalid provision shall be deemed agreed. The same applies to any regulatory gaps. 13.5 WRITTEN FORM: Amendments and additions to these Terms require text form. This also applies to the waiver of this written form requirement. No oral side agreements exist. 13.6 LANGUAGE: Only the German version of these Terms is authoritative. Translations serve only for information and have no legal binding effect. 13.7 CONTRACT TEXT: The contract text is not stored. The user can access and print these Terms at any time at qrtrust.de/terms.