Terms and Conditions

Version 2.2 – March 2026

These General Terms and Conditions of Service (hereinafter "Terms") govern the contractual relationship between SecBox (hereinafter "Provider") and the entity subscribing to the SecBox Shield service (hereinafter "Customer") for the provision of the managed security services described herein.

Subscribing to the service, including through the clients.secbox.it portal, implies full and unconditional acceptance of these Terms. If the Customer does not accept these Terms, they must refrain from activating or using the service.

These Terms apply exclusively to business-to-business (B2B) relationships and are not intended for consumers within the meaning of Legislative Decree 206/2005 (the Consumer Code).


1. Definitions

For the purposes of these Terms, the following definitions shall apply:

"Service": the SecBox Shield service, in the plan (Core, Pro, or XDR) subscribed to by the Customer, including all technical and support components described in Art. 2.

"Provider": SecBox, IT consultant, VAT no. 03738170780, PEC [email protected].

"Customer": the legal entity (a natural person holding a VAT number, company, body, or association) that subscribes to the Service.

"Customer Portal": the platform available at clients.secbox.it through which the Customer manages their account, views invoices, and opens support tickets.

"Customer's Infrastructure": the Customer's servers, networks, and IT systems on which the Provider operates within the scope of the Service.

"Security Incident": any event that compromises or threatens the confidentiality, integrity, or availability of the Customer's Infrastructure.

"Scheduled Maintenance": planned maintenance interventions communicated to the Customer with a minimum of 48 hours' notice.


2. Description of the Service

2.1 Service Components

SecBox Shield is a managed security service (MSSP – Managed Security Service Provider) which, in the configuration activated by the Customer, may include:

  • Management and continuous updating of the next-generation firewall (NGFW) installed on the Customer's Infrastructure
  • Virtual Private Network (VPN) with AES-256 encryption and multi-factor authentication (MFA) for secure remote access
  • Immutable storage of security logs using WORM (Write Once Read Many) technology to support the technical requirements of the NIS2 Directive and subsequent implementing provisions
  • Protection against DDoS attacks, within the limits of the mitigation threshold provided for the subscribed plan
  • Periodic reporting on uptime and security events (available in Pro and XDR plans)
  • Technical support according to the service levels defined in the Service Level Agreement document attached to the contract

2.2 Plan Variants

The technical specifications, guaranteed service levels, and applicable fees for each plan (Core, Pro, XDR) are indicated in the offer sheet signed by the Customer and on the pricing page available at secbox.it/prezzi-shield/. In case of any discrepancy between these documents, the signed offer sheet shall prevail.

2.3 Modifications to the Service

The Provider reserves the right to modify the technical characteristics of the Service in order to improve it, adapt it to regulatory or technological changes, or to ensure its security and operational continuity. Modifications that result in a substantial reduction of the functionalities included in the Customer's plan will be communicated with at least 30 days' notice. In such a case, the Customer has the right to terminate the contract without penalty within the notice period.

2.4 Scope of Service and Regulatory Compliance

SecBox Shield is a technical tool that supports the implementation of cybersecurity measures. The Provider does not provide legal advice and does not certify or guarantee the Customer's compliance with specific regulations, including the NIS2 Directive and its Italian transposition. The assessment of its own regulatory compliance is the sole responsibility of the Customer, who must engage qualified legal counsel. The Provider disclaims all liability for penalties, disputes, or damages arising from compliance assessments independently carried out by the Customer based on the functionalities of the Service.


3. Service Activation

3.1 Activation Procedure

The Service will be activated within 5 business days of receipt of the first fee payment and the access credentials to the Customer's Infrastructure. Activation includes the technical onboarding phase, during which the Provider will proceed with the initial configuration of the firewall and VPN systems.

3.2 Customer's Cooperation

The Customer is required to promptly and completely provide all information and access credentials necessary for activation. Failure to comply with this obligation shall release the Provider from any liability for delays in activation.

3.3 Acceptance of the Service

The Customer is required to verify the correct activation of the Service within 5 business days of the Provider's notification of completed configuration. Once this period has elapsed without any written objections, the Service shall be deemed accepted.


4. Fees and Payments

4.1 Fee

The Service is provided in exchange for the payment of a periodic fee, in the amount indicated in the signed offer sheet or, in the absence of an offer sheet, on the pricing page in effect on the subscription date. The fee is exclusive of VAT, which will be applied at the statutory rate.

4.2 Payment Methods

Payment is made through the methods indicated on the Customer Portal (credit/debit card, bank transfer, or other available methods). For card payments, the fee is automatically charged on the renewal date. For bank transfer payments, the Customer is required to make the payment within 15 days of the invoice issue date.

4.3 Automatic Renewal and Price Adjustment

The contract automatically renews on a month-to-month basis, unless canceled with at least 30 days' notice prior to the renewal date. The Provider reserves the right to adjust the fees, by notifying the Customer of the change via email at least 30 days in advance. Continued use of the Service after the effective date of the new fee constitutes acceptance thereof. If the Customer does not wish to accept the change, they have the right to terminate without penalty within the notice period.

4.4 Late Payment

In the event of non-payment by the due date, the Provider has the right to apply, without the need for formal notice of default, the late payment interest stipulated by Legislative Decree 231/2002 (statutory interest on late payments in commercial transactions). If 15 days have passed since the due date without payment being made, the Provider also has the right to suspend the Service pursuant to Art. 6. The Provider reserves the right to proceed with debt collection through the competent legal channels.


5. Customer's Obligations

The Customer undertakes to:

a) Provide updated, functional access credentials to the Infrastructure with the necessary privileges for the provision of the Service, and to update them promptly in case of modification.

b) Inform the Provider, with reasonable notice, of any significant changes to the Infrastructure (e.g., addition or decommissioning of servers, changes to the network architecture, change of connectivity provider) that may affect the provision of the Service.

c) Not interfere with the security configurations implemented by the Provider, nor modify them without prior written agreement. A Customer who makes unauthorized modifications to the Infrastructure assumes all responsibility for any resulting service disruptions or security incidents.

d) Use the Service exclusively for lawful purposes and in accordance with applicable law, including provisions on cybersecurity (Legislative Decree 65/2018 implementing the NIS Directive, and the subsequent NIS2 Directive and its related implementing legislation).

e) Maintain the confidentiality of VPN and Customer Portal access credentials, promptly notifying the Provider of any suspected unauthorized use.


6. Suspension of the Service

The Provider has the right to suspend the Service, upon written notice, in the following cases:

a) Non-payment: if 15 days have passed since the payment due date, the Provider may suspend the Service. The Service will be restored within 2 business days of full payment of the amount due, including any accrued late payment interest.

b) Breach of contractual obligations: in the event of a serious or repeated breach of the obligations set forth in Art. 5, the Provider may suspend the Service with 5 business days' prior written notice, during which the Customer is invited to remedy the breach.

c) Security emergencies: in the event of a Security Incident or an imminent threat requiring immediate action, the Provider may temporarily suspend parts of the Service without prior notice, communicating this to the Customer at the same time as or immediately after the intervention.

d) Scheduled Maintenance: the Provider reserves the right to partially suspend the Service for scheduled maintenance interventions, after notifying the Customer at least 48 hours in advance. SLAs do not apply during periods of Scheduled Maintenance.

The Provider is not liable for damages suffered by the Customer during periods of legitimate suspension of the Service.


7. Limitation of Liability

7.1 Exclusions

The Provider shall not be liable for any damages, losses, or Service interruptions resulting from:

  • Cyberattacks (DDoS, intrusions, ransomware) that exceed the mitigation capacity contractually provided for the subscribed plan
  • Failure, delay, or inaccuracy by the Customer in communicating changes to the Infrastructure or security incidents
  • Unauthorized modifications to the configurations implemented by the Provider
  • Interruptions, malfunctions, or price changes of third-party services (connectivity providers, data centers, cloud services, CDNs) over which the Provider has no direct control
  • Force majeure events, understood as extraordinary and unforeseeable events beyond the reasonable control of the Provider, including, but not limited to, natural disasters, national network blackouts, government orders, or pandemics
  • Negligent or willful conduct, or conduct that does not comply with the Provider's instructions, by the Customer or third parties authorized by the Customer

7.2 Limitation

Without prejudice to mandatory provisions of law, the Provider's total aggregate liability to the Customer for any cause (contractual, tortious, or statutory) shall be limited to the amount of the monthly fees paid by the Customer in the 12 months preceding the harmful event. The Provider shall in no event be liable for indirect damages, loss of profits, loss of data, or loss of business opportunities.


8. Confidentiality

Both parties undertake to keep confidential the technical, commercial, and organizational information received from the other party within the scope of the contractual relationship, not to disclose it to third parties without the prior written consent of the providing party, and to use it exclusively for purposes related to the performance of the contract.

The confidentiality obligation shall survive for 3 years after the termination of the contract, except for information that has entered the public domain without breach of this obligation, that the other party already knew prior to disclosure, or that must be disclosed in compliance with legal obligations or orders from public authorities.


9. Intellectual Property

The Provider holds all intellectual property rights related to the software, methodologies, processes, reports, and tools developed or used in the provision of the Service. Subscribing to the contract does not transfer any intellectual property rights to the Customer. The Customer is authorized to use the Service and the reports provided exclusively for internal purposes, with no right to sublicense or resell.


10. Term, Withdrawal, and Termination

10.1 Term

The contract has a monthly term, with automatic renewal pursuant to Art. 4.3, unless canceled with at least 30 days' notice before the renewal date, via written communication to [email protected] or through the Customer Portal.

10.2 Termination for Cause

Either party may terminate the contract with immediate effect, by written notice, if the other party commits a material breach of these Terms and fails to cure it within 15 days of being notified of said breach. In the event of termination by the Customer due to the Provider's default, the Provider shall refund to the Customer the fee corresponding to the period during which the Service was not provided.

10.3 Effects of Termination

Upon termination of the contract, the Provider will proceed with the removal of the configurations implemented on the Customer's Infrastructure within 5 business days, subject to agreement on the operational procedures. The Customer is responsible for restoring its own security configurations at its own care and expense.


11. Assignment of the Contract

The Customer may not assign the contract or the rights and obligations arising therefrom to third parties without the prior written consent of the Provider. The Provider may assign the contract to a third party (e.g., in the event of a corporate reorganization, merger, or acquisition) with 30 days' prior notice to the Customer.


12. Notices

Contractual communications between the parties must be made in writing, via email to the addresses indicated in the contract. Notices shall be deemed received on the day they are sent, provided that no non-delivery report is received. The Customer is required to keep the email address indicated in the Customer Portal updated.


13. Applicable Law and Competent Court

This contract is governed by Italian law. For any dispute concerning its interpretation, performance, or termination, the Court of Milan shall have exclusive jurisdiction.


14. Final Provisions

The nullity or ineffectiveness of individual clauses of these Terms shall not entail the nullity of the entire contract. The Provider's failure to react to a breach of these Terms does not constitute a waiver of the right to assert said breach in the future.

These Terms supersede in their entirety any prior agreements, understandings, or representations between the parties having the same subject matter.

For information: [email protected]