Business-to-Business — applicable exclusively between SOTHURA SAFE GmbH (i.G.) and commercial users · Stand: April 2026 · Version: 2026-04-v1
SOTHURA SAFE is a software-as-a-service platform (hereinafter "platform") for professional insurance intermediaries and related intermediaries registered in a cantonal commercial register or in the intermediary register of the Swiss Financial Market Supervisory Authority (FINMA), with their registered office in Switzerland or the EEA. It provides tools for client management, policy analysis, document organisation, consultation logging and AI-supported analyses. The platform in no case replaces users' own substantive judgement, regulatory responsibility or duties of care.
1.1 These General Terms and Conditions (hereinafter "Terms") govern all legal relationships between SOTHURA SAFE GmbH (in formation), Wassergasse 5, 4573 Lohn-Ammannsegg, Switzerland (hereinafter "provider"), and the customers of the platform (hereinafter "customer"). Only legal entities, sole proprietorships or intermediaries entered in a professional register and acting commercially can be customers.
1.2 The platform is aimed exclusively at undertakings within the meaning of Art. 1 para. 2 and Art. 2 para. 2 CO. There is no consumer relationship. The provisions of the Package Travel Act, of the Consumer Credit Act (KKG) and consumer-protection rights of withdrawal do not apply.
1.3 Conflicting, deviating or supplementary terms of the customer do not become part of the contract — even if known — unless the provider has expressly agreed to their applicability in writing.
1.4 The provider may agree differing arrangements with individual customers under a separate framework or enterprise agreement. In the event of conflicts, the order of precedence is: individual contractual provisions, then the data processing agreement (DPA), the SLA, the service description and finally these Terms.
1.5 Self-service vs. enterprise. These Terms form the B2B base contract for self-service operation up to and including ten active seats. For organisations from eleven seats and for customers with individual requirements (extended SLA, audit rights, individual key management, deviating liability, special regulatory duties, enterprise integrations), the provider concludes an individual framework agreement with a supplementary DPA, SLA and service description. The conditions agreed therein take precedence over these Terms (section 1.4).
2.1 The contract comes into effect when the provider activates the customer account or upon first use after acceptance of these Terms (click-wrap). The provider may refuse a registration without giving reasons.
2.2 The customer warrants that (i) all information provided is truthful, current and complete, (ii) the persons acting are authorised to represent the customer, (iii) all regulatory conditions for its intermediary activity are met (in particular Art. 40 ff. ISA, VBV professional standards from 1 January 2026), and (iv) it uses the platform only within the scope of its commercial activity.
2.3 The customer is fully responsible for all actions taken under its access credentials. Any suspicion of misuse must be reported to the provider without delay.
3.1 The provider makes the platform and selected functional modules available to the customer over the internet in accordance with the service description published in the rate catalogue. Functional details, capacities, storage limits and SLA parameters are set out in the current version of the service and rate description.
3.2 The provider is entitled to develop the platform technically, functionally and visually in the course of usual product development, to add individual features, to replace them with equivalent or superior ones, or to discontinue them. Material restrictions to the customer's detriment will be announced at least 30 days in advance and trigger an extraordinary right of termination.
3.3 Features marked as "beta", "preview", "experimental" or equivalent are provided without any warranty and are excluded from availability and liability commitments.
3.4 No advisory service. The provider does not provide legal, tax, financial or insurance advice. All analyses, comparisons, recommendations, simulations and AI outputs generated by the platform are purely decision and work support. Substantive and regulatory responsibility for any advice, recommendation or documentation vis-à-vis end clients lies exclusively with the customer.
4.1 For the term of the contract, the provider grants the customer a simple, non-transferable, non-sublicensable right to use the platform, limited to the agreed number of users and the agreed purpose.
4.2 The customer may use the platform exclusively for its own business purposes and to support its own end clients. Use on behalf of third parties, offering the platform as a service to third parties ("white-label" resale), embedding it in own products or making it available to competing providers is permitted only with the provider's written consent or under a plan expressly booked for that purpose.
4.3 In particular, the customer is prohibited from:
4.4 All rights to the platform, its source code, concepts, workflows, AI prompts, prompt architectures, model orchestrations, UI designs, documentation and all further developments remain exclusively with the provider or its licensors.
5.1 Ownership of data. The data brought into the platform by the customer (hereinafter "customer data"), including the data of its end clients, remains the property of, or within the disposal of, the customer. The provider does not acquire any rights in customer data, other than the right of use necessary to deliver the service.
5.2 Data processing. Where the provider processes personal data on behalf of the customer, it acts as a data processor under Art. 9 revDSG and Art. 28 GDPR. The details are governed by the data processing agreement (DPA), which forms an integral part of this contract.
5.3 Aggregated data. The provider may use customer data in anonymised and aggregated form — without any traceability back to the customer or individuals — to improve the platform, for statistical analysis and for market research. No training of generative AI models on identifiable customer data takes place; corresponding clauses are contractually excluded with sub-processors.
5.4 Feedback. Where the customer provides feedback, suggestions for improvement or ideas, the customer grants the provider an irrevocable, worldwide, royalty-free, simple right to use, implement and further develop them, unlimited in time and content. There is no claim to the surrender of development results.
5.5 Data export and return. The customer may export its customer data at any time in a common machine-readable format (e.g. JSON, CSV). After the contract ends, customer data remains available for export for 30 days. Thereafter it is deleted within 90 days, unless statutory or regulatory retention obligations preclude deletion; any such retention is in restricted form.
6.1 The platform uses generative and analytical artificial intelligence, in particular for document extraction, policy comparisons, risk analyses and advisory support.
6.2 Before transmission to AI services, personal data is automatically pseudonymised (in particular AHV number, names, IBAN, addresses, dates of birth). The provider uses exclusively language models operated in European data centres (Belgium region); the specific AI sub-processors are listed on the sub-processors page. Training of the third-party models used on customer data is contractually excluded.
6.3 No warranty for AI outputs. AI outputs may be incomplete, inaccurate, outdated or factually incorrect ("hallucinations"). The customer must independently review, plausibility-check and — where necessary — verify all AI outputs against primary sources before using them vis-à-vis end clients. Any liability of the provider for the accuracy, completeness or timeliness of AI-generated content is excluded to the extent permitted by law.
6.4 The customer may not use AI outputs as the sole basis for binding advice, recommendations, documentation under Art. 45 ISA or information duties under Art. 3 VVG (Insurance Contract Act) without applying its own substantive assessment.
7.1 The prices published in the rate catalogue at the time of order apply. All prices are in Swiss francs (CHF) plus statutory value-added tax, where applicable.
7.2 Invoicing takes place periodically in advance (monthly or annually, depending on the chosen billing model). Payments are due net within 30 days of the invoice date.
7.3 In the event of late payment, the provider is entitled — without further notice — to charge default interest of 5% p.a. (Art. 104 CO) and a flat handling fee of CHF 50 per reminder. In the event of default of more than 30 days, the provider may temporarily suspend access to the platform; in the event of default of more than 60 days, it is entitled to terminate the contract extraordinarily. Collection costs are borne by the customer.
7.4 Price adjustments. The provider may adjust prices at the end of a contract period with at least 60 days' notice. If the price increase exceeds the Swiss Consumer Price Index over the period since the last adjustment by more than 10%, the customer has an extraordinary right to terminate effective on the date the price adjustment takes effect.
7.5 Set-off and retention. The customer may set off claims by the provider only against undisputed or legally established counterclaims. Rights of retention exist only where they arise from the same contractual relationship.
8.1 The provider commits to a target availability of the productive platform of 99.5% on a monthly average, measured against the productive system outside scheduled maintenance windows.
8.2 The following are not counted towards availability, in particular: (i) scheduled maintenance windows announced at least 48 hours in advance, (ii) emergency maintenance to address security risks, (iii) outages due to force majeure (section 11), (iv) outages at sub-processors or internet backbones for which the provider is not responsible, (v) disruptions caused by the customer, third parties within the customer's sphere of influence or the customer's end-device equipment.
8.3 Further service levels, penalties or credits can only be agreed in an individual SLA.
9.1 The provider operates the platform in line with the state of the art (in particular AES-256 at rest, TLS 1.2+ in transit, self-managed HSM key encryption, least privilege, RBAC, tenant isolation, audit-proof audit logs; see security page).
9.2 Security incidents. The provider informs the customer without undue delay, and at the latest within 72 hours of becoming aware, of security incidents affecting customer data, and supports the customer in fulfilling its notification duties under Art. 24 revDSG and Art. 33/34 GDPR.
9.3 Audit. Upon written request, the customer is granted access once a year to current reports of recognised audit bodies (e.g. SOC 2 Type II, ISO 27001) of the provider's central sub-processors and to the provider's own reports, where available. A direct on-site audit right exists only where there is documented cause and at the customer's expense after prior written agreement; a mere control interest is not sufficient.
9.4 Responsible disclosure. Security researchers may report vulnerabilities to security@sothura.ch. Unauthorised penetration tests, exploitation of identified vulnerabilities beyond what is necessary to report them, public disclosure before remediation and the harvesting of third-party customer data are not permitted and will be prosecuted under criminal law.
10.1 The provider warrants that the platform substantially complies with the current service description and is operated with industry-standard care. Any further express or implied warranty is excluded to the extent permitted by law, in particular for uninterrupted availability, freedom from defects, completeness, suitability for a particular purpose, compatibility with the customer's IT environment and the accuracy of third-party, market and AI data (Art. 199 CO).
10.2 The customer notifies defects in writing, in a comprehensible form and without delay, at the latest within 10 working days of becoming aware. The provider remedies justifiably notified defects within a reasonable period through rectification or a workaround; reduction and rescission are excluded.
10.3 Non-binding statements from marketing, demos and roadmaps do not constitute a warranty within the meaning of Art. 197 CO. The written service description at the time of contract conclusion is binding.
11.1 Slight negligence. The provider's liability for slight negligence is excluded to the extent permitted by law (Art. 100 para. 2 CO).
11.2 Auxiliary persons. Liability for auxiliary persons (in particular cloud and AI providers, integration partners, freelancers) is fully excluded under Art. 101 para. 2 CO.
11.3 Intent and gross negligence. Otherwise, the provider is liable to the extent mandatorily required by law (Art. 100 para. 1 CO) for the specifically demonstrated, direct and contractually typical foreseeable damage.
11.4 Exclusion of certain categories of damage. In any case, the provider is not liable for indirect damage, consequential damage, lost profits, missed savings, production or operational outages, reputational and image damage, data losses that can be avoided through appropriate export and backup behaviour by the customer, third-party claims and regulatory fines and sanctions.
11.5 Liability cap. Where liability exists, it is capped, for all events of a calendar year combined, at the net consideration paid by the customer to the provider in the 12 months prior to the event giving rise to the damage (excluding one-off setup, training and third-party fees).
11.6 No liability for advisory results and supervisory duties. The platform is a work and analysis tool. The provider is not liable for the regulatory, substantive, tax or civil-law correctness of advice, recommendations, offers, risk analyses or advisory documentation that the customer provides to end clients, insurers or authorities, even where these are based on platform or AI outputs. The platform replaces neither insurance intermediation under Art. 40 ff. ISA nor the information, advisory and documentation duties under Art. 3 VVG and Art. 45 ISA. These duties remain entirely with the customer.
11.7 AI outputs. The provider is not liable for the accuracy, completeness or timeliness of AI-generated content. The customer reviews AI outputs independently before using them vis-à-vis end clients.
11.8 Third-party services and force majeure. No liability exists for the content, functionality or availability of integrated third-party services (e.g. Microsoft 365 or comparable office and collaboration platforms, insurer interfaces, policy-term/tariff databases) or for damage caused by force majeure, third-party cyber attacks, internet outages or official orders.
11.9 Contributory fault. Where the customer is at fault — in particular by failing to notify defects, lacking backup behaviour, omitting substantive review of AI outputs or insufficient end-device security — any liability is reduced accordingly (Art. 44 CO).
11.10 Limitation period. Claims against the provider become time-barred 12 months after the customer becomes aware, and at the latest three years after the event triggering the damage, unless mandatory law provides for longer periods.
11.11 Extension. The liability provisions of this section 11 also apply to the benefit of the management, employees, agents and auxiliary persons of the provider (Art. 112 CO).
12.1 The customer indemnifies the provider against third-party claims arising from the fact that
12.2 The indemnification covers reasonable legal defence and litigation costs. The provider informs the customer without delay of any claims and grants the customer participation in the defence.
12.3 Independence. The provider is an independent contracting party. The contract does not create an employment, agency, mandate or brokerage relationship. The provider does not broker insurance within the meaning of Art. 40 ff. ISA and does not act in the name of the customer.
Neither party is liable for failure to perform due to force majeure. Force majeure includes in particular war, terrorist attacks, civil unrest, official orders, pandemics, labour disputes, nationwide power, internet or DNS outages, large-scale cyber attacks on critical infrastructure, natural disasters and disruptions at non-replaceable sub-processors, to the extent that the affected party is not responsible for these events and cannot avoid them with reasonable effort. If a force majeure event lasts longer than 60 days, either party may terminate the contract extraordinarily.
14.1 Unless otherwise agreed, the contract runs for an indefinite term. It can be terminated ordinarily at any time at the end of the current billing period, with a notice period of 30 days, in text form.
14.2 The right to extraordinary termination for cause is reserved for both parties. For the provider, cause exists in particular in the event of (i) payment default of more than 60 days, (ii) breach of the use obligations under section 4, (iii) suspicion of misuse, fraud or activity prohibited under regulatory law, (iv) substantiated security concerns, (v) the opening of insolvency or bankruptcy proceedings against the customer's assets.
14.3 Terminations require at least text form (email is sufficient). In the case of extraordinary termination for cause attributable to the customer, the provider's claim to the fees owed up to the regular end of the contract remains intact.
14.4 After termination, the provisions on data return and deletion under section 5.5 apply.
The provider is entitled to engage sub-processors (e.g. cloud infrastructure, AI services, email delivery, monitoring) to operate the platform. The current list is published on the website (/en-ch/subprozessoren). The provider informs about planned changes or additions; the customer may raise reasoned objections within 30 days. In the case of legitimate data-protection or security-related objections, the customer has a special right of termination if the provider does not offer an equivalent alternative.
16.1 Both parties treat all information received in the course of the business relationship that is marked or evidently confidential as strictly confidential, use it exclusively to perform the contract and protect it in line with the state of the art.
16.2 The confidentiality obligation does not apply to information which (i) is already publicly known, (ii) was developed independently without access to the confidential information, (iii) was lawfully obtained from third parties, or (iv) must be disclosed under mandatory statutory or official orders, in which case the affected party must inform the other party without delay, to the extent legally permitted.
16.3 The confidentiality obligation continues for five years after the contract ends. Trade secrets within the meaning of Art. 162 CC and Art. 6 UCA remain protected without time limit.
The provider may refer to the customer — in neutral form, with the company name and logo only — in customer lists, pitches and on the website. Any further use (case studies, quotes, figures) requires the customer's prior written consent. The customer may revoke the reference right at any time with effect for the future.
18.1 The customer may transfer rights and obligations under this contract to third parties only with the provider's written consent.
18.2 The provider may transfer rights and obligations under this contract — in particular in the context of restructurings, mergers, demergers, asset deals or share deals (change of control) — to group companies or legal successors without separate consent, provided that the performance of the contractual obligations is ensured.
The customer warrants that (i) it is not on a sanctions list of Switzerland, the EU, the US or the UN, (ii) it is not under the control of a sanctioned person or organisation, and (iii) it does not use the platform, directly or indirectly, in, from or for the benefit of a comprehensively sanctioned territory. A breach entitles the provider to immediate extraordinary termination.
The provider may amend these Terms at any time with at least 30 days' notice. The changes will be communicated to the customer in text form (email or in-app notice). If the customer does not object within the notice period, the changes are deemed approved. In the event of objection, the contractual relationship ends on the planned effective date of the change; services rendered up to that point are billed pro rata.
21.1 Written form. Amendments and additions to this contract require text form. The same applies to the waiver of this text-form requirement.
21.2 Severability clause. Should individual provisions of this contract be or become invalid, ineffective or unenforceable in whole or in part, the validity of the remaining provisions shall remain unaffected. The parties shall replace the affected provision by mutual agreement with an effective provision that comes closest to the economic purpose of the original. The same applies to gaps in the provisions.
21.3 Entire agreement. These Terms, together with the rate catalogue, the service description, the DPA and any individual framework agreement, constitute the entire agreement between the parties and supersede all prior oral or written arrangements regarding the subject matter of the contract.
21.4 Notices. Notices are sent to the contact details last communicated. The customer must promptly update changes to its contact details.
22.1 This contract and all claims arising from or in connection with it are governed exclusively by Swiss law, to the exclusion of conflict-of-laws rules and to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods (CISG/Vienna Sales Convention).
22.2 The exclusive place of jurisdiction for all disputes is the registered office of the provider (currently 4573 Lohn-Ammannsegg, competent: District Court Bucheggberg-Wasseramt / Cantonal Court of Solothurn). The provider is also entitled to bring proceedings against the customer at the customer's general place of jurisdiction.
22.3 To the extent the Lugano Convention applies to the contractual relationship, the foregoing jurisdiction agreement constitutes an agreement under Art. 23 LugC.