Terms and Conditions of Use (SaaS)
Last Updated: December 26, 2025
1. Preamble and Parties
These Terms and Conditions ("Terms") constitute a binding legal agreement between Connektik SARL-S, a company incorporated under the laws of Luxembourg, having its registered office at 21, rue Charles Rausch, L-7247 Helmsange, Luxembourg ("LetzSecure", "we", "us", or "our"), and the legal entity or individual agreeing to these Terms ("Customer", "you", or "your").
By creating an account, subscribing to, or using the LetzSecure platform (the "Service"), you expressly acknowledge and agree to be bound by these Terms. If you are entering into this Agreement on behalf of a company or other legal entity, you represent that you have the authority to bind such entity.
Contact Information
- Email: [email protected]
- Registered Address: 21, rue Charles Rausch, L-7247 Helmsange, Luxembourg
2. Definitions
- "Authorized Users" means employees, agents, or contractors of the Customer authorized to use the Service.
- "Confidential Information" means non-public information disclosed by either party that is designated as confidential or should reasonably be understood to be confidential.
- "Customer Data" means all electronic data, information, and material (including Personal Data) submitted by the Customer to the Service.
- "Simulated Phishing Campaigns" means the authorized transmission of simulated malicious emails or communications initiated by the Service to Authorized Users for training purposes.
3. Access and Use of Services
3.1 License Grant
Subject to your compliance with these Terms and payment of applicable fees, LetzSecure grants you a limited, non-exclusive, non-transferable, revocable right to access and use the Service solely for your internal business purposes (specifically, security awareness training and phishing simulation).
3.2 Authorization for Simulated Phishing (Critical Authorization)
The nature of the Service involves sending simulated cyber-attacks to your Authorized Users. You expressly authorize LetzSecure to send emails and other communications to your Authorized Users that may mimic identity theft, ransomware, or other vectors ("Simulations").
You warrant and represent that:
- You own the domain names and email addresses provided to us for Simulations.
- You have obtained all necessary consents from Authorized Users (employees/contractors) to subject them to such monitoring and training, where required by applicable labor or privacy laws.
- You will not use the Service to target any domain, server, or email address that you do not own or have explicit written authorization to test.
Indemnification: You agree to indemnify, defend, and hold harmless Connektik SARL-S from any third-party claims, damages, or legal actions arising specifically from your lack of authority to test specific domains or email addresses.
3.3 Acceptable Use
You shall not:
- Reverse engineer, decompile, or disassemble the Service.
- Use the Service to send unsolicited spam or for any illegal purpose outside the scope of authorized training.
- Resell, sublicense, or distribute the Service to third parties without our prior written consent.
4. Subscription, Payment, and Renewal
4.1 Subscription Plans
The Service is billed in advance on a recurring basis according to the plan selected:
Monthly Subscription
- Billed on a month-to-month basis.
- You may cancel at any time. If cancelled, the subscription will not renew at the end of the current billing month, but you retain access until that period expires.
- No refunds are provided for partial months.
Yearly Subscription
- Billed annually in advance.
- You may cancel the renewal at any time. If cancelled, the subscription will not renew at the end of the annual term.
- Payments for the yearly plan are non-refundable; cancelling during the active year does not entitle you to a pro-rated refund.
4.2 Pricing and Taxes
- Pricing Display: All prices displayed are exclusive of taxes (net prices) unless explicitly stated otherwise.
- Tax Collection: Applicable taxes (including VAT) will be calculated and added at checkout based on your billing location and status. We use Stripe to process payments and calculate applicable taxes automatically.
- EU VAT Handling: If you are a business located in the EU (outside Luxembourg), you are responsible for providing a valid VAT ID at purchase to facilitate reverse charge (0% VAT), where applicable.
- Payment Responsibility: You are responsible for paying all fees and applicable taxes associated with your use of the Service.
5. Data Protection (GDPR)
5.1 Roles of the Parties
To the extent Customer Data contains Personal Data (as defined by the EU General Data Protection Regulation 2016/679 - "GDPR"), the parties acknowledge that Customer is the Data Controller and LetzSecure is the Data Processor.
5.2 Data Sovereignty and Location
We are committed to keeping your data within the EU/EEA. Your data is stored on secure servers located in:
- Primary: Finland
- Secondary/Backup: Germany and Luxembourg
5.3 Data Processing Agreement (DPA)
To the extent that LetzSecure processes Personal Data on your behalf, the terms of the Data Processing Agreement (DPA) set forth in Annex 1 shall apply and are hereby incorporated by reference.
6. Security and Compliance
6.1 Security Measures
LetzSecure implements industry-standard technical and organizational measures to protect Customer Data against unauthorized access, disclosure, or loss, including:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Application Security: Our platform is built on a secure framework that enforces protection against top web vulnerabilities (OWASP Top 10), including built-in defenses against SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
- Access Control: Access to production data is restricted to authorized personnel on a strict need-to-know basis and secured via Multi-Factor Authentication (MFA).
- Backups: We perform regular automated backups of Customer Data to secure servers in Germany to ensure data availability and redundancy.
6.2 Internal Assessments
We conduct regular internal security assessments and vulnerability scans of our infrastructure to identify and remediate potential threats. (Note: While we adhere to high security standards, we do not currently engage third-party auditors for SOC 2 or ISO certification.)
6.3 Service Availability
We will use commercially reasonable efforts to make the Service available 24 hours a day, 7 days a week, excluding planned downtime (with advance notice) and force majeure events.
7. Confidentiality
7.1 Protection
Each party (the "Receiving Party") agrees to protect the Confidential Information of the other party (the "Disclosing Party") with the same degree of care that it uses to protect its own confidential information of like kind (but not less than reasonable care).
7.2 Non-Disclosure
The Receiving Party shall not use or disclose any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, except with the Disclosing Party’s prior written permission. This obligation survives termination for three (3) years.
8. Intellectual Property
All rights, title, and interest in and to the Service, including its "look and feel," training and educational content, simulation templates, underlying code, and algorithms, remain the exclusive property of Connektik SARL-S. You retain all rights to your Customer Data.
9. Limitation of Liability
9.1 Disclaimer
The Service is provided "AS IS" and "AS AVAILABLE." We do not warrant that the Service will be uninterrupted or error-free. You acknowledge that our Simulations are designed to test human behavior and we do not guarantee your organization will be immune to real-world cyberattacks after using our Service.
9.2 Liability Cap
To the maximum extent permitted by applicable law, the aggregate liability of Connektik SARL-S arising out of or related to this Agreement, whether in contract, tort, or otherwise, shall not exceed the total amount paid by you to us in the twelve (12) months preceding the incident.
9.3 Exclusion of Consequential Damages
In no event shall either party be liable for any indirect, incidental, special, or consequential damages, including loss of profits, revenue, or business interruption, however caused.
10. Governing Law and Jurisdiction
These Terms shall be governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg. Any dispute arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of Luxembourg City.
Annex 1: Data Processing Agreement (DPA)
1. Scope and Definitions
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Connektik SARL-S ("Processor") and the Customer ("Controller").
- "Personal Data" includes names, email addresses, job titles, and behavioral data (e.g., interactions with simulated phishing emails) of the Customer's Authorized Users.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, transmission, and erasure.
2. Details of Processing
- Subject Matter: The provision of security awareness training and phishing simulation services.
- Duration: The term of the main Agreement plus the period required to delete backup data (up to 30 days post-termination).
- Nature and Purpose: The Processor will process Personal Data solely to deliver the Service, including sending simulated emails, tracking user interactions (opens, clicks, reports), processing payments, and generating training reports.
- Categories of Data Subjects: Employees, contractors, and agents of the Controller.
3. Obligations of the Processor
The Processor agrees to:
- Instructions: Process Personal Data only on documented instructions from the Controller (which are deemed to be these Terms), unless required by EU or Member State law.
- Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS) and at rest (AES-256).
- Data Erasure: Upon termination of the Service, delete or return all Personal Data to the Controller, unless EU or Member State law requires storage of the Personal Data.
4. Sub-processors
- Authorization: The Controller grants the Processor a general authorization to engage third-party sub-processors to support the delivery of the Service.
- Current List: The specific Sub-processors currently authorized by the Controller are listed in Appendix A to this DPA.
- Notification of Changes: The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors (e.g., via email or an update to the Privacy Policy), giving the Controller the opportunity to object.
5. Data Subject Rights
The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights (e.g., Right of Access, Rectification, Erasure, Portability) under the GDPR.
6. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable prior notice and confidentiality undertakings.
7. Data Breaches
In the event of a Personal Data Breach (as defined in the GDPR), the Processor shall notify the Controller without undue delay (and in any event within 72 hours of becoming aware of the breach). The notification shall describe the nature of the breach, the likely consequences, and the measures taken to address it.
8. International Transfers
The Processor shall not transfer Personal Data to any country outside the European Economic Area (EEA) unless such transfer is governed by an adequacy decision (such as the EU-US Data Privacy Framework) or appropriate safeguards (such as Standard Contractual Clauses) are in place.
Appendix A to DPA: List of Authorized Sub-processors
The Controller authorizes the engagement of the following Sub-processors:
| Sub-Processor | Description of Processing | Location of Data |
|---|---|---|
| Cloud Infrastructure Provider | Hosting of application servers, databases, and backups. | Finland (Primary), Germany (Backup) |
| Mailgun Technologies | Delivery of transactional emails and simulated phishing campaigns. | European Union |
| Featurebase (Linear Loop, Inc.) | Collection of user feedback, changelog, and feature requests. | European Union (Mainly Germany) |
| Stripe, Inc. | Payment processing and tax calculation. | USA / Global (DPF / SCCs) |
If something feels unclear, email us at [email protected].