General Terms and Conditions
Document applicable to all Luxgap services, platforms, products, subscriptions and deliverables. Last updated on May 8, 2026.
These General Terms and Conditions (the "GT&Cs") govern all contractual relationships between Luxgap Sàrl (RCS Luxembourg B 281 826, 2 rue de l'École, L-8376 Kahler — hereinafter "Luxgap") and any client accepting an offer, quote, order, subscription or service provided by Luxgap (hereinafter the "Client").
These GTCs apply to all services, platforms, products, subscriptions, tools and deliverables provided by Luxgap unless expressly agreed otherwise in writing.
The specific scope, price, duration and conditions of each engagement are set out in the relevant quote, order form, statement of work, mandate, subscription page or other contractual document accepted by the Client.
By accepting a quote, signing a document, confirming an order, clicking an acceptance button or using a Luxgap service or platform, the Client accepts these GTCs without reservation.
In the event of conflict, any specific written agreement signed by both parties prevails over these GTCs, and any accepted quote or order form prevails only for the specific commercial and operational terms expressly stated therein.
ARTICLE 1 — Services
1.1. Luxgap provides professional services in the fields of cybersecurity, data protection, regulatory compliance, governance, risk management, artificial intelligence, training and related digital services.
1.2. The Services provided to the Client are strictly limited to those expressly described in the quote, order form, statement of work, mandate, subscription page or specific agreement accepted by the Client.
1.3. Depending on the engagement, the Services may include, without limitation, advisory services, external DPO or CISO mandates, compliance support, whistleblowing support, monitoring services, managed security services, audits, assessments, training, AI-related services, Microsoft 365 security services and other related services offered by Luxgap.
1.4. Luxgap may use technical tools, automated systems, software, third-party technologies, cloud services, scanners, connectors, AI systems or external technical providers where useful or necessary for the performance of the Services. Luxgap remains responsible for the Services under the conditions set out in these GTCs.
1.5. Unless expressly agreed otherwise in writing, commercial materials, website content, presentations, demonstrations, discussions, technical descriptions or proposals are provided for information purposes only and do not extend or modify the contractual scope of the Services.
1.6 Any service, task, deliverable, integration, configuration, support, development, analysis or intervention not expressly included in the accepted contractual document is excluded from the Services and may be subject to a separate quote or additional fees.
ARTICLE 2 — Luxgap obligations
2.1. Luxgap provides the Services independently, in its capacity as a professional service provider, in accordance with the scope expressly agreed with the Client.
2.2. Luxgap Services are subject to a best-effort obligation, not a result obligation. Luxgap implements all the reasonable diligence of a specialised provider.
2.3. Luxgap provides advice, recommendations, analyses, support, documentation, tools and operational assistance. Luxgap does not replace the Client’s management bodies, internal decision-makers, employees, legal counsel, statutory bodies or regulated professionals.
2.4. The Client remains solely responsible for its organisation, operations, systems, compliance, security posture, internal decisions, risk acceptance, implementation of recommendations and compliance with applicable laws and regulations.
2.5. Luxgap is not a law firm and does not provide legal representation or regulated legal advice. Any legal, regulatory or compliance-related input provided by Luxgap is given from an operational, technical, governance, risk management or data protection practice perspective. The Client remains responsible for obtaining independent legal advice where required.
2.6. Luxgap may refuse, suspend or discontinue any instruction, task, action or service that Luxgap reasonably considers to be unlawful, unethical, technically unsafe, disproportionate, outside the agreed scope, or likely to increase legal, regulatory, operational, cybersecurity or reputational risk.
2.7. Where Luxgap identifies material risks, weaknesses, non-compliance, security issues or operational concerns within the agreed scope of the Services, Luxgap will inform the Client within a reasonable time and may issue recommendations. Luxgap is not responsible for the Client’s failure to act upon such information or recommendations.
ARTICLE 3 — Client obligations
3.1. The Client undertakes to support Luxgap in the execution of the Services by providing the resources and documents required (data access, designation of a point of contact, validation of deliverables).
3.2. In the performance of this Contract, Luxgap will rely on the documents, information and data provided by the Client, or any mandated third party, as applicable. The Client warrants the accuracy and timeliness of the information transmitted.
3.3. Specific to monitoring: for Luxgap Vigil / Sentinel / Aware Services, the Client undertakes to provide the list of domains to be monitored, the relevant business keywords and the notification e-mail addresses. The Client warrants that it holds sufficient rights to monitor said domains (ownership or explicit authorisation).
3.4. Specific to LuxApps: for HRIS Services (FXP/MySafeBox), the Client undertakes to comply with its own GDPR obligations towards its employees (information, legal basis, processing register) and to designate an authorised HR administrator to manage user accounts.
3.5. If the Client fails to provide the information, access, documents, decisions or validations required for the performance of the Services, or provides them late, Luxgap’s deadlines and obligations shall be suspended or extended accordingly. Luxgap shall not be liable for any delay, omission or consequence resulting from such failure or late provision.
3.6. The Client shall not use, request or instruct Luxgap to use the Services for any unlawful, fraudulent, abusive, offensive, intrusive or unauthorised purpose, including unlawful surveillance, unauthorised access, circumvention of security measures, or any activity contrary to applicable laws or regulations.
ARTICLE 4 — Pricing and payment
4.1. The prices applicable to the Services are those set out in the quote, order form, subscription page, statement of work, mandate or specific agreement accepted by the Client.
4.2. Unless expressly stated otherwise, all prices are quoted in euros and exclusive of VAT. Applicable VAT and any other taxes, duties or charges shall be added where required by law.
4.3. The invoicing terms applicable to each Service, including billing frequency, billing period, milestones, advance payments or subscription terms, are set out in the relevant quote, order form, subscription page, statement of work, mandate or specific agreement.
4.4. One-off Services are invoiced by Luxgap on the basis of the relevant invoice issued for those Services, unless specific invoicing milestones or advance payment terms have been agreed in writing.
4.5. Recurring fees, subscription fees, mandate fees and other periodic prices may be indexed from the start date of the relevant engagement in accordance with the Luxembourg salary index, unless expressly agreed otherwise in writing.
4.6. All invoices are payable within thirty (30) days from their date of issue, unless a different payment term is expressly stated in the relevant invoice or agreed in writing.
4.7. In the event of late payment, Luxgap may apply late payment interest and compensation in accordance with the Luxembourg law of 18 April 2004 on payment terms and late payment interest, without prejudice to any other rights or remedies available to Luxgap.
4.8. In the event of non-payment on the due date, Luxgap may, after prior notice to the Client, suspend all or part of the Services, including access to any Luxgap platform, tool, account, report, deliverable, support service or subscription, until full payment of the outstanding amounts.
4.9. Suspension of the Services for non-payment does not suspend or reduce the Client’s payment obligations. Luxgap shall not be liable for any consequence resulting from such suspension.
4.10. Any dispute relating to an invoice must be notified to Luxgap in writing within fifteen (15) days from the date of issue of the invoice. Failing such notification, the invoice shall be deemed accepted by the Client, without prejudice to mandatory legal rights.
ARTICLE 5 — Liability and indemnification
5.1. Luxgap’s liability may only be incurred in respect of proven direct damage caused by a breach by Luxgap of its contractual obligations under the agreed Services.
5.2. Luxgap shall not be liable for any indirect, intangible, incidental, special, punitive or consequential damage, including loss of profit, loss of revenue, loss of business, loss of opportunity, loss of goodwill, loss of reputation, loss of data, business interruption, third-party claims, or any administrative, regulatory or criminal sanction imposed on the Client.
5.3. Luxgap shall not be liable for any damage, delay, omission, non-compliance, incident or loss resulting from the Client’s acts or omissions, including inaccurate, incomplete or late information, delayed decisions, lack of access, defective systems, inadequate internal resources, failure to validate, failure to act, failure to follow recommendations, or instructions given by the Client.
5.4. Luxgap does not guarantee that the Services will prevent all vulnerabilities, incidents, breaches, cyberattacks, data leaks, non-compliance, claims, investigations, sanctions, losses or damage affecting the Client.
5.5. In all cases, Luxgap’s total cumulative liability, for all claims, damages and causes of action combined, shall not exceed the total amount excluding VAT actually paid by the Client to Luxgap for the Services concerned during the twelve (12) months preceding the event giving rise to the claim.
5.6. Where the relevant Service has been provided for less than twelve (12) months, Luxgap’s total cumulative liability shall not exceed the total amount excluding VAT actually paid by the Client for the Services concerned up to the date of the event giving rise to the claim.
5.7. Specific limits to Dark Web monitoring: Luxgap does not guarantee detection completeness. The Dark Web being by nature dynamic and fragmented, some leaks may never be detected by the queried sources. Luxgap is not liable for damages arising from a data leak not detected by its scanners.
5.8. Any claim against Luxgap must be notified in writing within six (6) months from the date on which the Client became aware, or should reasonably have become aware, of the event giving rise to the claim. Failing such notification, the claim shall be time-barred to the fullest extent permitted by applicable law.
ARTICLE 6 — Confidentiality
6.1. Each party undertakes to keep strictly confidential all non-public information received from the other party in connection with the negotiation, conclusion or performance of the contractual relationship, whether communicated orally, in writing, electronically, technically or by any other means.
6.2. Confidential information includes, without limitation, business, financial, contractual, technical, operational, organisational, legal, regulatory, cybersecurity, personal data, systems, processes, incidents, vulnerabilities, credentials, reports, methods, tools, models, pricing, deliverables and know-how relating to either party.
6.3. The Client undertakes not to disclose, reproduce, share, publish or make available to any third party, without Luxgap’s prior written consent, Luxgap’s methods, tools, models, reports, analyses, recommendations, deliverables, negotiated prices, commercial conditions or internal documentation.
6.4. The confidentiality obligation shall not apply to information that the receiving party can demonstrate:
- was lawfully known to it before disclosure;
- was publicly available at the time of disclosure;
- becomes publicly available without breach of these GTCs; or
- was lawfully received from a third party without confidentiality restriction.
6.5. Each party may disclose confidential information only to the extent strictly required by applicable law, a competent court, a supervisory authority or another public authority. Where legally permitted, the receiving party shall inform the disclosing party before such disclosure.
6.6. The confidentiality obligations set out in this Article shall remain in force for as long as the relevant information remains non-public and confidential.
6.7. Luxgap may identify the Client as a commercial reference, including by using the Client’s name, logo and a general description of the Services provided, unless the Client expressly objects in writing.
6.8. The obligations under this Article shall survive the termination or expiry of the contractual relationship for any reason.
ARTICLE 7 — Term and termination
7.1. The term, renewal conditions and termination conditions applicable to the Services are those set out in the quote, order form, statement of work, mandate, subscription page, service agreement or any other specific contractual document accepted by the Client.
7.2. Where no specific term is agreed, the contractual relationship shall remain in force for the duration necessary to perform the agreed Services.
7.3. Where no specific termination conditions are agreed for recurring Services, subscriptions or mandates, either party may terminate the relevant Service by giving thirty (30) days’ prior written notice to the other party.
7.4. Termination of one Service shall not affect any other Service, subscription, mandate, order or agreement in force between the parties, unless expressly stated otherwise in writing.
7.5. Either party may terminate the relevant contractual relationship with immediate effect if the other party commits a material breach of its contractual obligations and fails to remedy such breach within fifteen (15) days following written notice requiring it to do so.
7.6. Luxgap may suspend or terminate all or part of the Services with immediate effect, without liability, in the event of non-payment, unlawful use of the Services, breach of confidentiality, security risk, abusive conduct, fraudulent conduct, persistent lack of cooperation, or any instruction or situation falling within Article 2.7.
7.7. Termination or expiry of the contractual relationship shall not affect any rights or obligations accrued before the effective termination date, including payment obligations, confidentiality, liability limitations, intellectual property, data protection, audit trail, reversibility, archiving or any provision intended to survive termination.
7.8. All fees, costs, expenses and other amounts due for Services performed, subscriptions active, deliverables provided or commitments incurred up to the effective termination date shall remain payable by the Client.
7.9. Unless expressly agreed otherwise in writing, termination shall not entitle the Client to any refund of amounts already invoiced or paid.
ARTICLE 8 — Intellectual Property
8.1. Luxgap retains all intellectual property rights, title and interest in and to its methods, methodologies, know-how, tools, models, templates, frameworks, processes, procedures, software, platforms, scripts, documentation, standard materials, training materials, AI agents, configurations, technical components and any pre-existing or generally reusable materials used or developed in connection with the Services.
8.2. Unless expressly agreed otherwise in a specific written agreement, the Client does not acquire any ownership rights in Luxgap’s intellectual property by accepting these GTCs, ordering Services, receiving deliverables or paying invoices.
8.3. Subject to full payment of the relevant invoices, Luxgap grants the Client a non-exclusive, non-transferable, non-sublicensable licence to use the reports, analyses, recommendations, documents, training materials and other deliverables provided by Luxgap solely for the Client’s internal business purposes and within the scope for which they were delivered.
8.4. The Client may share Luxgap deliverables with its legal advisers, auditors, insurers, competent supervisory authorities, including the CNPD, or other public authorities, to the extent necessary for the Client’s internal governance, compliance, defence of its interests or fulfilment of legal or regulatory obligations.
8.5. Except as expressly permitted under these GTCs or agreed in writing by Luxgap, the Client shall not copy, modify, adapt, translate, publish, distribute, resell, sublicense, make available, commercialise, reuse outside the agreed scope, or create derivative works from Luxgap’s methods, materials, tools, models, documentation, reports, recommendations or deliverables.
8.6. Any intellectual property regime applicable to specific developments, integrations, configurations, software components, AI agents, client-specific technical work or bespoke deliverables shall be governed by the relevant quote, statement of work, service agreement or other specific written agreement accepted by the parties.
8.7. Any unauthorised use or disclosure of Luxgap’s intellectual property may result in the immediate suspension or termination of the relevant Services, without prejudice to any other rights or remedies available to Luxgap.
ARTICLE 9 — LuxApps services
9.1. This Article applies specifically to LuxApps services, including LuxApps FXP, LuxApps MySafeBox and any related modules, interfaces, portals, applications or functionalities provided by Luxgap under the LuxApps environment.
9.2. LuxApps is provided as a software-enabled service, SaaS or platform-based service. Unless expressly agreed otherwise in writing, the Client is granted only a limited right to access and use LuxApps for its internal business purposes and for the duration of the relevant LuxApps agreement.
9.3. No ownership right, source code right, intellectual property right or other proprietary right in LuxApps, its software, architecture, interfaces, modules, documentation, configurations or technical components is transferred to the Client.
9.4. Access to LuxApps is restricted to users authorised by the Client. The Client is responsible for managing user accounts, access rights, roles, permissions, authentication credentials and the timely deactivation of users who no longer require access.
9.5. The Client shall ensure that LuxApps is used only by authorised users, in accordance with the applicable contractual documentation, intended purpose, security instructions and applicable laws and regulations.
9.6. For LuxApps services involving employees, contractors, end users, clients or other data subjects, the Client remains responsible for complying with its own data protection, employment, payroll, HR, information and internal governance obligations, including information duties, legal basis, processing records, internal authorisations and employee communications, where applicable.
9.7. The Client is responsible for the legality, accuracy, completeness and quality of the data, documents, files, instructions and content uploaded, imported, processed or made available through LuxApps by the Client, its users or any third party acting on its behalf.
9.8. LuxApps may include or interoperate with third-party systems, connectors, APIs, software, hosting services, payroll providers, identity providers, AI systems or other external technical services. Luxgap shall not be liable for unavailability, malfunction, data loss, delay, incompatibility or security incident caused by such third-party systems or services, except to the extent directly attributable to Luxgap under these GTCs.
9.9. Luxgap may update, maintain, adapt, correct, improve or modify LuxApps, including its interfaces, modules, functionalities and technical environment, provided that such changes do not materially reduce the essential functionalities expressly agreed with the Client.
9.10. The specific commercial, technical, functional, operational, billing, support, availability, reversibility, data retention, export, deletion and termination terms applicable to LuxApps are governed by the relevant LuxApps agreement, quote, order form, subscription page, statement of work or other specific contractual document accepted by the Client.
9.11. In the event of conflict between this Article and any specific LuxApps agreement or contractual document accepted by the Client, the specific LuxApps agreement or contractual document shall prevail for the LuxApps services concerned.
ARTICLE 10 — Applicable law and jurisdiction
10.1. These General Terms are governed by the law of the Grand Duchy of Luxembourg and shall be interpreted in accordance therewith.
10.2. Any disputes that may arise will be brought before the courts of Luxembourg, to which exclusive jurisdiction is granted.
ARTICLE 11 — Personal data protection
11.1. The processing of personal data in connection with the Services is governed by our privacy notice, which forms an integral part of these GTCs.
11.2. Where Luxgap acts as a GDPR processor (in particular for LuxApps HRIS Services where the Client remains the controller of its employee data), a Data Processing Agreement (DPA) compliant with art. 28 GDPR is annexed to the contract. Failing that, the standard Luxgap DPA (available on request) applies by default.
11.3. Where Luxgap acts as a controller (in particular for external DPO/CISO mandates or dark-web monitoring where Luxgap defines the purposes), Luxgap complies with its own GDPR obligations as described in the Privacy notice.
ARTICLE 12 — Miscellaneous
12.1. If any provision of these GTCs is held to be void or unenforceable, the remaining provisions shall remain in full force.
12.2. The failure by either party to require strict performance of a provision hereof shall not constitute a waiver of the right to invoke it later.
12.3. Modification of T&Cs: Luxgap reserves the right to modify these T&Cs at any time. The applicable version is the one in force on the date the quote is accepted. Contracts under execution remain governed by the version accepted upon signature.
12.4. Contractual hierarchy. In the event of conflict between these GTCs and a specific written agreement signed by both parties, the specific written agreement shall prevail. In the event of conflict between these GTCs and an accepted quote, order form, statement of work, mandate or subscription page, such document shall prevail only for the specific commercial, operational, technical or service-related terms expressly stated therein.
12.5. Force majeure. Neither party shall be liable for any failure or delay in performing its contractual obligations where such failure or delay results from an event beyond its reasonable control, which could not reasonably have been foreseen at the time of conclusion of the relevant contract and whose effects could not reasonably be avoided or overcome.
12.6. Force majeure events may include, without limitation, natural disasters, fire, flood, epidemic, pandemic, war, terrorism, civil unrest, strike or labour dispute not limited to the affected party’s own personnel, government action, legal or regulatory restriction, power outage, telecommunications failure, internet disruption, cloud provider outage, widespread cyberattack, failure of essential third-party infrastructure, or any other event meeting the conditions of force majeure under applicable Luxembourg law.
12.7. The party affected by a force majeure event shall inform the other party within a reasonable time, describe the expected impact on the performance of the Services and use reasonable efforts to mitigate the effects of the event. The affected obligations shall be suspended for the duration of the force majeure event.
12.8. Entire agreement. These GTCs, together with the relevant quote, order form, statement of work, mandate, subscription page, service agreement, DPA or any other contractual document accepted by the Client, constitute the contractual framework applicable to the Services concerned.
For any question regarding these T&Cs, write to dpo@luxgap.com.
2 rue de l'École, L-8376 Kahler, Luxembourg · Contact page · Data protection notice