Master Subscription Agreement (MSA)
1. Parties & Subject Matter
By (i) completion of the online order via Stripe (checkout with checkbox) and/or (ii) confirmation in the first-login gate by an administrator designated by the Customer (clickwrap), a contract is concluded between VistaSys AG (“Provider”) and the legal entity identified in the ordering process and/or tenant profile (“Customer”). A handwritten signature is not required.
2. Definitions
“Service” means Attenda (SaaS) as described in the Documentation. “Documentation” means the then-current functional and usage description. “Users” are persons authorized by the Customer (seats). “Agreement” means this MSA including the Order, DPA, ToU, and applicable Policies.
“Customer Data” means all data processed in the Service by the Customer or its Users. “Availability” has the meaning set out in the SLA.
3. Services & Service Description
The Provider makes the Service available in accordance with the Documentation. Updates/upgrades are at the Provider’s discretion; material changes are communicated pursuant to Sec. 13. Access is via Microsoft Entra ID (SSO). The Customer manages assignments/roles (seats).
4. Term & Renewal
4.1 Term
The subscription term starts on the Effective Date and runs for one (1) month. The subscription automatically renews for successive one-month periods unless either party terminates before the end of the then-current billing period. Termination of the subscription is effected via the Portal.
4.2 Trial Period
The Customer may use the Software free of charge for a one-month trial from the contract start date. All other provisions of this Agreement apply during the trial. The Customer may switch to a paid subscription at any time to continue using the Software after the trial.
5. Fees, Billing & Taxes
5.1 Prepayment by Credit Card (Stripe)
All subscription fees are due in advance and collected by Stripe via credit card. The Customer grants the Provider a recurring debit authorization for the initial term and all renewal periods at the then-applicable fees.
5.2 Provisioning & License Validity
Provisioning/renewal of access occurs only after successful payment. If the charge cannot be captured or is reversed or charged back, the license is not valid; the Provider may immediately suspend access (see Sec. 12) and will notify the Customer.
5.3 Payment Details & Receipts
Invoices/receipts are provided electronically by Stripe and/or the Provider. The Customer keeps a valid credit card and billing details current. Currency: CHF (unless agreed otherwise); prices exclude VAT.
5.4 Price Changes
Adjustments at renewal with at least 30 days’ prior notice; the Customer may object up to 10 days before the effective date and terminate at the end of the current term.
5.5 Refunds
Unless mandatory law provides otherwise: fees are non-refundable (except pro rata where the Customer terminates for cause due to the Provider’s unremedied material breach).
6. Service Levels, Maintenance & Support
Availability target: 99.5% per month; maintenance windows excluded. Planned maintenance is announced at least 72 hours in advance (emergencies excluded). Support hours: Mon–Fri 08:00–17:00 CET via support@vistasys.ch.
7. Data Protection, Security & Sub-processors
Roles: Customer = Controller; Provider = Processor under the DPA. Processing follows the Privacy Policy (Attenda section).
Location/Region: primary processing in Azure Switzerland North. Retention: log/telemetry 30 days, backups 30 days.
Sub-processors: currently Microsoft (Azure) for infrastructure/platform (compute/storage/network) in Switzerland North. Changes per the published sub-processor list with prior notice and right to object under the DPA.
Payment processing (Stripe). Credit-card payments are processed via Stripe. Stripe processes payment/billing data as the Provider’s service provider; the Provider does not store full credit-card numbers. Stripe’s processing is subject to Stripe’s terms and privacy notices.
Security (TOMs). Encryption in transit (TLS) and at rest, RBAC/least privilege, monitoring/alerting, vulnerability management, and incident response including notifications.
8. Acceptable Use (AUP)
Prohibited, in particular: violations of law; malware; circumvention of security controls; unauthorized automation/scraping; DDoS/overload; reverse engineering (except as required by law); credential sharing; use beyond purchased licenses/seats. The Provider may investigate violations and suspend access under Sec. 12.
9. Customer Data, Export & Deletion
Customer Data remains owned/controlled by the Customer. The Customer is responsible for lawfulness, content, and user administration.
Export: During the term and for 10 days after termination, the Provider offers common export formats.
Deletion: After the export window, Customer Data is deleted from production systems; backups expire after 30 days at the latest. A deletion confirmation is provided on request.
10. Intellectual Property & Usage Rights
All rights in Attenda remain with the Provider or its licensors. The Customer receives a non-exclusive, non-transferable right to use the Service during the contract term in accordance with this Agreement. No sublicensing. The Provider may use Feedback royalty-free to improve the product (without disclosing Customer secrets).
11. Confidentiality
Both parties treat non-public information as confidential, use it solely to perform the Agreement, and protect it appropriately. Statutory disclosure/retention obligations remain reserved.
12. Suspension & Emergency Measures
The Provider may temporarily suspend access to the extent necessary if (a) a security risk exists, (b) a legal violation occurs, (c) there is a material breach of the Agreement/ToU, or (d) payment cannot be successfully charged or a chargeback occurs.
13. Changes to the Service & Contract Documents
The Provider may further develop the Service and add/modify or discontinue features, provided core functionality is not materially degraded or a reasonable alternative is provided. Material adverse changes will be announced with reasonable advance notice.
Changes to the MSA/ToU/DPA take effect with 30 days’ prior notice; the Customer has a special termination right effective on the change date if the change materially adversely affects it.
14. Warranty, Indemnities & Liability
The Service is provided in line with industry standards; the Provider will remedy material defects within a reasonable time or provide workarounds.
Liability cap: The Provider’s aggregate liability is limited to the fees paid by the Customer in the last three (3) months prior to the event giving rise to liability. Excluded are indirect/consequential damages, loss of profit, and data loss, except in cases of willful misconduct/gross negligence or where mandatory law applies.
15. Export Control & Compliance
The parties comply with export-control, sanctions, and anti-corruption laws. No use in prohibited sectors/regions.
16. Audits & Evidence (Data Protection/Security)
The Provider will provide reasonable evidence (e.g., security control attestations, pen-test summaries) or audit rights under the DPA, while preserving security and confidentiality.
17. Termination & Effects of Termination
Ordinary termination pursuant to Sec. 4. Extraordinary termination for cause is possible. Upon termination, all access ends; data return/deletion per Sec. 9 and the DPA. Any outstanding fees remain due.
18. Order of Precedence
In the event of conflict: MSA > DPA > ToU > Order/Offer > Documentation/Policies.
19. Governing Law & Venue
This Agreement is governed by Swiss law, excluding its conflict-of-laws rules (incl. PILA/IPRG) and the CISG. Exclusive venue is Aarau (AG), Switzerland, unless mandatory law provides otherwise.
20. Notices
Informal notices (e.g., email) to the contacts designated in the Agreement/Order.
21. Miscellaneous
Severability; written form required for amendments/waivers; no side agreements. Assignment only with the other party’s consent (except group reorganizations). Sub-processing per Sec. 7.
Version September 2025