Terms of Service

Last updated: 2026-05-18

1. Scope, contracting parties

1.1 These General Terms and Conditions ("Terms") govern the contractual relationship between the provider and the customer regarding the use of the Software-as-a-Service platform Mailantis ("Service", "Platform") in its respective current version.

1.2 The offer is exclusively addressed to entrepreneurs within the meaning of Section 1 (1) (1) of the Austrian Consumer Protection Act (KSchG). The provider does not enter into contracts with consumers within the meaning of Section 1 (1) (2) KSchG. By registering, the customer assures that they act as an entrepreneur. If this assurance proves to be incorrect, the provider may terminate the contract for good cause with immediate effect.

1.3 These Terms apply to all current and future contracts regarding the Service, even if they are not expressly referenced in later contracts.

1.4 Deviating, conflicting or supplementary terms of the customer — in particular purchasing terms — do not become part of the contract unless the provider expressly agrees to their application in writing. Performing the Service without objection does not constitute consent.

1.5 Individually agreed written provisions take precedence over these Terms.

2. Definitions

Term	Meaning
Service / Platform	The SaaS platform offered at mailantis.eu for monitoring DMARC, SPF and DKIM, including all functions contained therein.
Organisation	The tenant to which the customer is assigned within the meaning of this contract.
MSP account	An organisation with the Managed Service Provider function activated, managing sub-organisations.
Sub-organisation	A subordinate organisation managed by an MSP account (e.g. an end customer of the MSP).
Plan	The booked service package (e.g. pro, enterprise) with defined feature and volume scope.
Trial	The 30-day free trial period pursuant to clause 3.4.
DMARC, SPF, DKIM	Standardised procedures for email authentication (RFC 7489, RFC 7208, RFC 6376).
RUA report / aggregate report	Aggregated DMARC report from a receiving mail server.
RUF report / forensic report	Forensic DMARC report from a receiving mail server.
Claim token	A unique token generated by the provider, inserted into the customer's DMARC RUA record as proof of authority over the domain.
S/MIME module	Optional add-on module for ordering and managing S/MIME certificates via a certificate provider (in particular Sectigo).
Customer data	All data entered, uploaded or processed by the customer through the Service, including domain data, configuration data and DMARC reports attributable to the customer's organisation.

3. Subject matter and scope of services

3.1 Main service

For the duration of the contract, the provider makes the Mailantis platform available to the customer for use via a current web browser. The specific feature and volume scope results from the plan selected by the customer and from the current service description on mailantis.eu.

3.2 Features (overview)

Depending on the booked plan, the platform offers in particular the following features:

• onboarding of email domains into monitoring, including a recommended DMARC DNS record;
• verification of authority over a domain via claim token in the DMARC RUA record;
• automated, periodic DNS checks of monitored domains (DMARC, SPF, DKIM, MX);
• reception, parsing and analysis of DMARC aggregate reports (RUA);
• optional reception and display of DMARC forensic reports (RUF);
• enrichment of IP data in reports (reverse DNS, ASN, geolocation);
• alerts on predefined events (e.g. DMARC policy change, increase in failure rate) — plan-dependent;
• multi-tenant management with MSP hierarchy;
• optional: ordering and managing S/MIME certificates via an external certificate provider ("S/MIME module").

3.3 What the Service is not

3.3.1 The Service is a monitoring and analysis tool. It does not actively intervene in the customer's mail flow, does not block emails, does not perform filtering, and is no substitute for a mail server, a mail gateway or a spam filter.

3.3.2 The Service does not make any changes to the customer's DNS records. All DNS configuration changes lie exclusively with the customer or their DNS provider (see clause 5).

3.3.3 The Service does not constitute legal or tax advice and does not replace expert guidance for the introduction of DMARC.

3.4 Trial phase

3.4.1 The provider may make the Service available to the customer free of charge for testing purposes for a period of 30 calendar days from activation ("Trial"). Feature scope and volume limits of the trial phase result from the service description on mailantis.eu.

3.4.2 The trial ends automatically upon expiry of the 30-day period. No termination is required. Upon expiry, the customer's right of use expires unless the customer has previously booked a paid plan.

3.4.3 The customer may book a paid plan at any time during the trial; in this case the account, including all configurations and data created up to that point, is transferred to the chosen plan.

3.4.4 If the trial ends without a paid plan being booked, the account and associated data are kept in an inactive state for 90 calendar days in order to allow a later resumption of the business relationship without loss of configuration. During this time, access to the Service is not possible; incoming DMARC reports are discarded without processing. If the customer books a paid plan within the 90 days, the account, including remaining configurations and data, is reactivated. After expiry of the 90 days, account and data are finally deleted; restoration is then not possible. Clause 10.4 otherwise applies analogously.

3.4.5 The trial can only be claimed once per customer and per economically affiliated group (in particular corporate group, common control). The provider reserves the right to technically prevent or subsequently terminate multiple trial registrations.

3.4.6 During the trial, warranty and liability claims are excluded to the maximum extent permitted by law, except for damages from intent and personal injuries. In particular, the provider does not guarantee any availability, any backups, or any defect remediation deadlines during the trial.

3.4.7 The provider may end the trial phase at any time without notice for objective reasons (e.g. abuse, multiple registration, overload).

3.5 Further development

The provider continuously develops the platform. Features may be added, changed or discontinued. Material changes that significantly restrict the scope of the booked plan will be notified to the customer at least 30 days in advance by email. In this case, the customer has an extraordinary right to terminate effective on the date the change takes effect.

4. Contract conclusion, registration, user account

4.1 Registration

4.1.1 Use of the Service requires the registration of an organisation and at least one user account. The customer ensures that all data provided is correct and complete and keeps it up to date.

4.1.2 By registering, the acting person assures that they are authorised to represent the customer. For legal entities and partnerships, the relevant legal entity is the customer.

4.2 Contract conclusion

The contract is concluded upon confirmation of the registration — in case of trial activation upon its activation, in case of paid plans upon acceptance of the order by the provider or upon activation of the plan — whichever occurs first.

4.3 Access credentials

The customer undertakes to protect access credentials (passwords, passkeys, API tokens, session tokens) from unauthorised third-party access and not to disclose them to unauthorised persons. Any suspected compromise must be reported to the provider without delay. Until receipt of such a report, the customer is liable, within the statutory provisions, for all activities carried out via their account.

4.4 MSP constellation

4.4.1 If the customer activates the MSP function and creates sub-organisations for their own end customers, the customer (MSP) remains the sole contracting party of the provider. No contractual relationship arises between the provider and the MSP's end customers through the use of the Service.

4.4.2 The MSP is responsible vis-à-vis the provider for all acts of its sub-organisations and their users as if they were its own acts.

4.4.3 The MSP ensures that all data-protection and contractual obligations existing vis-à-vis its end customers are fulfilled and that the processing of sub-organisation data by the provider is permissible.

5. Customer obligations and responsibility (DNS, configuration, data)

5.1 DNS and mail configuration as customer responsibility

5.1.1 The configuration of DNS records (DMARC, SPF, DKIM, MX) and all related settings of the customer's mail system lie exclusively within the customer's area of responsibility.

5.1.2 The provider may issue recommendations for DMARC records (e.g. a recommended DMARC record value). These recommendations are general technical hints. They replace neither an individual review of the customer's mail-flow environment nor expert advice. The decision whether, when and with which policy (p=none, p=quarantine, p=reject, sp=…, pct=…) a DMARC record is set lies exclusively with the customer.

5.1.3 The customer acknowledges and accepts that an incorrect, incomplete or overly restrictive DMARC, SPF or DKIM configuration may cause legitimate emails to be rejected, moved to the spam folder or otherwise not delivered by third-party receiving mail servers. The customer bears the associated risk exclusively.

5.1.4 The customer undertakes, before activating restrictive DMARC policies (quarantine, reject), to carefully review their SPF and DKIM configuration and, where appropriate, to roll them out gradually (e.g. via pct value).

5.2 Authority over domains

5.2.1 The customer assures that for each domain entered into the Service they are authorised to set up and change the DNS records of that domain.

5.2.2 The provider reserves the right to exclude domains from processing if there are legitimate doubts about the customer's authority.

5.3 Permitted use

The customer undertakes

1. to use the Service only within the scope of the booked plan and for the intended purposes;
2. not to take any measures that would jeopardise the provider's infrastructure or the availability of the Service for other customers (in particular no penetration testing without prior written approval, no scraping, no load attacks);
3. not to circumvent or manipulate security mechanisms;
4. not to decompile, disassemble or otherwise reverse-engineer the platform's source code, unless permitted by mandatory law;
5. not to introduce any unlawful, offensive, personality-rights-infringing or criminally relevant content into the Service.

5.4 No sensitive data

5.4.1 The Service is not intended for the processing of special categories of personal data within the meaning of Art. 9 GDPR (health data, biometric data, data on racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life/orientation).

5.4.2 The customer undertakes not to enter or upload such data into the Service. If the customer violates this obligation, the provider is entitled to delete affected data without prior notice and — in case of repeated or serious violation — to terminate the contract for good cause.

5.5 Customer-side backup

The customer is responsible for additional backup of the data they bring into the Service (in particular exportable configurations). The provider regularly creates backups as part of its operations (cf. clause 11.4), but does not owe data backup as a separate service unless expressly agreed.

5.6 Cooperation obligations in case of incidents

The customer reports detected Service incidents to the provider's support address without delay and assists, as far as possible, in narrowing them down (browser, operating system, time, affected domain, description of the behaviour and the expected result).

6. Availability, no service level

6.1 Best-effort availability

6.1.1 The provider endeavours to keep the Service available around the clock but assumes no warranty for any specific availability, response time, reaction time or restoration time ("no-SLA clause").

6.1.2 In particular, no minimum availability in percent is guaranteed. Any empirical values mentioned in advertising, FAQs or help pages are non-binding and do not represent a warranted characteristic.

6.1.3 Service credits, refunds or other monetary compensation for non-availability are excluded.

6.2 Maintenance and updates

6.2.1 The provider is entitled to carry out planned and unplanned maintenance work. During such times the Service may be limited or unavailable.

6.2.2 Planned maintenance is carried out, where reasonable, outside common business hours and announced in the platform or by email.

6.2.3 Unplanned maintenance for security reasons, to fix critical bugs or in technical emergencies may take place at any time without prior notice.

6.3 Third-party providers

6.3.1 The Service relies on third-party services (in particular hosting, DNS resolvers, Cloudflare, Microsoft Graph for mailbox retrieval, Sectigo for S/MIME). Disruptions, outages or changes at these third-party providers are not attributable to the provider, provided the provider selected and configured them with industry-standard care.

6.3.2 In particular, the provider is not responsible for the behaviour of third-party receiving mail servers, their DMARC evaluation, their delivery decisions or the sending/non-sending of DMARC reports.

6.4 Functional defects ("bugs")

6.4.1 The customer acknowledges that software may inherently contain defects. The provider remedies defects that significantly impair main functions described in the service description within a reasonable period, provided that

1. the defect was reported reproducibly by the customer (at least description of the process, expected and actual result, browser, operating system, time),
2. the defect is reproducible by the provider, and
3. it is not based on circumstances outside the provider's area of responsibility.

6.4.2 No specific response time or remediation deadline is guaranteed (cf. clause 6.1).

7. S/MIME module (optional)

7.1 Scope

If the customer uses the S/MIME module, the provisions of this clause apply in addition to the other Terms. The S/MIME module enables the ordering of S/MIME certificates via an external certificate provider (in particular Sectigo).

7.2 Role of the provider

7.2.1 The provider acts as a technical intermediary. The contracting party for the issued certificate is and remains the respective certificate provider with the conditions applicable there (Subscriber Agreement / Relying Party Terms). The validation and issuance decision lies solely with the certificate provider.

7.2.2 The provider is not liable for the certificate provider's decision to issue, revoke or suspend a certificate.

7.3 Key material, passphrase

7.3.1 Private keys are generated on behalf of the customer by the provider, processed in-memory and stored exclusively in encrypted form (Vault Transit).

7.3.2 The passphrase provided by the customer for the PKCS#12 file is not stored. It is used solely once to create the delivery bundle. Recovery of the passphrase or a re-download after loss is technically impossible.

7.3.3 The certificate download is provided via a time-limited single-use token with a limited number of attempts. If the validity expires unused or the attempt limit is exceeded, a re-order is required; fees already paid will not be refunded in this case.

7.4 Responsibility for the email address

The customer assures that they are authorised over the email address for which the certificate is issued and that they confirm all validation emails of the certificate provider on time.

7.5 No advice

The provider does not advise on the selection of the appropriate certificate product, on the legal effect of signatures (in particular eIDAS compliance) or on the customer's cryptographic setup.

8. Intellectual property rights, usage rights

8.1 Provider's rights

All rights to the platform, its software, source code, database structures, documentation, design and all trademarks, logos and other signs remain with the provider or its licensors.

8.2 Customer's right of use

For the duration of the contract, the customer receives a simple, non-exclusive, non-sublicensable, non-transferable right to use the platform via a web browser within the scope of the booked plan and in accordance with these Terms.

8.3 Customer data

8.3.1 The provider does not acquire any rights to the customer data. The customer remains the sole owner of their data.

8.3.2 The customer grants the provider the right to store, reproduce, process and pass on the customer data to sub-processors (cf. clause 11.3) to the extent required for performance of the contract. This includes the creation of backups, caching, and the processing required for error analysis and remediation.

8.4 Aggregated and anonymised data

The provider is entitled to use fully anonymised and aggregated data (e.g. statistical evaluations of typical failure rates, time series, IP provider distributions) without temporal or geographic limitation for the improvement of the Service, for security research and for anonymised publications. Such data does not allow any inference about the customer or individual natural persons.

8.5 Reference customer clause

The provider is entitled to name the customer as a reference, using its name and logo, on its website and in marketing materials. The customer may object to this use at any time with effect for the future by email.

9. Remuneration and payment

9.1 Fees

9.1.1 The amount of the fee follows the chosen plan and the price list valid on mailantis.eu at the time of ordering or renewal.

9.1.2 Where Austrian VAT is statutorily applicable, it will be shown separately. If the provider is exempt from VAT under Section 6 (1) (27) UStG (small-business regulation), no VAT is invoiced on this basis.

9.2 Billing period

9.2.1 Unless otherwise agreed, the fee is invoiced monthly or annually in advance. Invoicing is done electronically by email.

9.2.2 Invoices are due for payment within 14 days of the invoice date without deduction.

9.3 Default of payment

9.3.1 If the customer is in default of payment, the provider is entitled to claim default interest pursuant to Section 456 UGB as well as reminder and collection fees.

9.3.2 In case of payment default of more than 30 days, the provider may suspend access to the Service after a written reminder with a reasonable grace period. The provider's claim to remuneration remains unaffected.

9.4 Price adjustment

9.4.1 The provider is entitled to adjust prices with at least 60 days' advance notice. Notification is by email to the contact address on file.

9.4.2 If the fee increases by more than the annual rate of inflation (measured by the Austrian Consumer Price Index), the customer may terminate the contract extraordinarily up to the effective date of the adjustment. If they do not terminate, the adjustment is deemed accepted. The provider expressly draws attention to the right of termination in the adjustment notice.

9.5 Additional services

Services outside the booked plan (e.g. individual consulting, manual data recovery, migration support) are billed on a time-and-materials basis at the provider's then-current hourly rates, unless a flat rate has been agreed.

10. Contract duration, termination, data export

10.1 Start and term

10.1.1 The contract starts with acceptance of the order or with activation of the plan.

10.1.2 Unless otherwise agreed, the contract is concluded for an indefinite period and follows the chosen billing period (monthly or annual).

10.2 Ordinary termination

10.2.1 With monthly billing the contract is terminable with 14 days' notice to the end of a billing period.

10.2.2 With annual billing the contract is terminable with 30 days' notice to the end of a billing period.

10.2.3 Termination is in writing (email is sufficient) or via the termination function provided in the platform.

10.3 Extraordinary termination

The right to terminate for good cause remains unaffected. A good cause exists in particular in case of

1. substantial payment default after unsuccessful reminder with a reasonable grace period;
2. repeated or serious violations of obligations under these Terms, in particular clause 5;
3. opening of insolvency proceedings over a contracting party's assets or rejection for lack of assets;
4. incorrect assurance of the entrepreneur status pursuant to clause 1.2.

10.4 Consequences of termination

10.4.1 With effect of the termination, the customer's right to use the platform ends. The customer undertakes to refrain from any further use.

10.4.2 Before contract end, the provider provides the customer with a free data export of master and configuration data in an industry-standard format (e.g. JSON or CSV). Raw data of DMARC reports can be provided on request against reimbursement of expenses on a time-and-materials basis.

10.4.3 30 days after the contract ends, customer data is finally deleted or anonymised, unless statutory retention obligations apply. Backups are overwritten as part of the usual backup rotation.

10.4.4 The customer is responsible for timely own backups. Recovery of data after the stated deadline is not possible.

10.4.5 S/MIME certificates retain their validity after contract end in accordance with the respective certificate provider's rules. Renewal via the platform is no longer possible after contract end.

11. Data protection and data security

11.1 General

11.1.1 To the extent that the provider processes personal data attributable to the customer within the scope of the Service, this is done as a processor within the meaning of Art. 28 GDPR. The parties conclude a data processing agreement (DPA) for this purpose; the DPA is available on request at [email protected] and is deemed agreed upon contract conclusion.

11.1.2 Where the provider processes personal data on its own responsibility (e.g. for billing and contract administration), the provider's privacy policy applies.

11.2 DMARC reports and third-party data

11.2.1 DMARC reports typically contain IP addresses of sending mail servers, domain names and aggregate counts. These do not originate from the customer but are generated by third-party receiving mail servers and sent to the address indicated by the customer in the DMARC record.

11.2.2 The data-protection assessment of the processing of these reports (in particular legal basis, information obligations vis-à-vis data subjects) lies with the customer as controller. The provider supports the customer to the extent provided for by law.

11.3 Sub-processors

11.3.1 The provider is entitled to use sub-processors to provide the Service. A current list of engaged sub-processors, including location and processing purpose, is part of the data processing agreement (cf. clause 11.1.1) and available on request at [email protected].

11.3.2 Changes to the set of sub-processors will be notified to the customer with reasonable advance notice. The customer may object to the engagement of a new sub-processor for good cause; in this case both parties are entitled to extraordinary termination.

11.4 Backups

The provider regularly creates backups of the platform and customer data as part of its operations. The backups serve to protect against data loss due to system failures. Data recovery upon customer request is only possible to the extent that a corresponding backup still exists; it is billed on a time-and-materials basis (cf. clause 9.5).

11.5 Security

The provider takes technical and organisational measures appropriate to the state of the art to protect customer data (in particular encryption in transit, encryption of sensitive secrets, strict tenant separation, audit logging, access control). Details are set out in the DPA.

12. Confidentiality

12.1 Each contracting party treats confidential information of the other party strictly confidential, uses it solely for performance of the contract and does not disclose it to third parties without consent. Confidential are in particular information marked as such, as well as information whose confidentiality results from its nature.

12.2 Excluded are information that is publicly known, was lawfully known to the receiving party, was lawfully obtained from third parties or was developed independently.

12.3 Statutory or official disclosure obligations remain unaffected; the party obligated to disclose informs the other party — to the extent permitted — in advance.

12.4 The confidentiality obligation continues for three years after contract end.

13. Warranty

13.1 General

The provider warrants that, during the contract term, the Service substantially provides the main functions described in the service description. Insignificant deviations do not constitute a defect.

13.2 Warranty exclusions

Warranty claims do not exist for

1. defects caused by improper use, configuration errors by the customer or third-party interventions;
2. defects based on third-party software/services that were not selected by the provider;
3. impairments resulting from the customer's DNS record configuration (cf. clause 5.1);
4. impairments due to the behaviour of third-party receiving mail servers (cf. clause 6.3.2);
5. impairments due to force majeure (cf. clause 15).

13.3 Statute of limitations, burden of proof, defect notice

13.3.1 Warranty claims expire six (6) months from knowledge of the defect.

13.3.2 The presumption rule of Section 924 ABGB is excluded. The customer bears the burden of proof for the existence of a defect and its presence at handover.

13.3.3 Defect notices are submitted in writing (email is sufficient) with the information pursuant to clause 5.6.

14. Liability

14.1 Principle

The provider is liable in accordance with the following provisions. Mandatory liability under the Product Liability Act and for personal injury remains unaffected.

14.2 Limitation of liability

14.2.1 The provider is liable only for damages caused by intent or gross negligence. Liability for slight negligence is — to the extent permitted by law — excluded.

14.2.2 Liability for indirect damages, lost profit, interest damages, business interruption, production losses, data loss, additional expense for data recovery or third-party claims is excluded unless intent or grossly gross negligence is present.

14.2.3 The provider's liability is limited per case of damage to the fee paid by the customer in the 12 months preceding the damaging event, but at most EUR 5,000.—. During the trial, the broader liability exclusion pursuant to clause 3.4.6 applies.

14.2.4 Claims for damages expire according to the statutory provisions, but at the latest one year after knowledge of damage and damaging party.

14.3 Liability exclusion for DNS configuration and undeliverable emails

14.3.1 The provider is not liable for damages arising from emails not being delivered, being moved to the spam folder, being quarantined or being rejected by third-party receiving mail servers due to a DNS configuration (in particular DMARC, SPF, DKIM, MX records) set or omitted by the customer, their employees or representatives.

14.3.2 This also applies if the customer has used the DMARC record value recommended by the provider: the recommendation is a general technical hint and not a warranted characteristic within the meaning of Section 922 ABGB.

14.3.3 The liability exclusion in 14.3.1 covers in particular the following types of damage:

• undelivered or delayed emails to customers, business partners, authorities or other third parties;
• lost business, lost revenue or lost profit due to undelivered emails;
• efforts for diagnosis, correction or communication with recipients;
• reputational damages, image damages, contractual penalties or third-party claims resulting from undelivered emails.

14.3.4 The liability exclusion does not apply to damages from intent or grossly gross negligence of the provider in case of a configuration service expressly and separately remunerated.

14.4 Recommendations are not warranties

Recommendations by the provider on DMARC policies, SPF records, DKIM selectors, MX configurations or comparable configurations are non-binding technical hints and do not constitute warranted characteristics, binding configuration instructions or expert case-by-case advice.

14.5 Sub-processors and third-party providers

To the extent the provider integrates third-party services (in particular Cloudflare, Microsoft, Sectigo, hosting providers), the provider is not liable for their outages, errors or behaviour, provided the provider selected and engaged them with industry-standard care.

14.6 Data loss

In case of a data loss for which the provider is responsible, liability is limited to the typical costs of recovering the data from backups maintained by the customer. If no backups are maintained by the customer, the provider is not liable for their re-procurement. Clause 14.2.3 (liability cap) applies additionally.

15. Force majeure

15.1 Neither party is liable for non-performance or delayed performance of its contractual obligations to the extent these are due to force majeure. Force majeure includes in particular natural disasters, war, riot, pandemics, official orders, large-scale failures of power grids, internet backbone infrastructure or central cloud services, cyber attacks on critical infrastructure as well as other unforeseeable and unavoidable events outside the sphere of the affected party.

15.2 The affected party informs the other party without delay of the event and its expected duration.

15.3 If the event lasts longer than 60 days, both parties are entitled to extraordinary termination.

16. Final provisions

16.1 Written form

Amendments, additions and side agreements require the written form. This also applies to the cancellation of this written form requirement. Email preserves the written form.

16.2 Amendments to the Terms

16.2.1 The provider may amend these Terms with effect for the future. Material changes will be notified to the customer at least 60 days before they take effect by email or via the platform.

16.2.2 If the customer does not object to the change within 30 days of notification, it is deemed accepted. In case of objection, either party may terminate the contract extraordinarily to the effective date of the change. The provider expressly draws attention to the meaning of silence and the right of termination in the amendment notice.

16.3 Assignment

The customer may transfer or assign rights and obligations under this contract only with the prior written consent of the provider. The provider is entitled to transfer the contract to a legal successor (e.g. in case of conversion into another legal form); in this case the provider informs the customer with reasonable advance notice.

16.4 Severability

Should individual provisions of these Terms be invalid, unenforceable or incomplete, the validity of the remaining provisions remains unaffected. The invalid provision is replaced by a regulation that comes closest to the economic purpose of the invalid provision.

16.5 Applicable law

Austrian law applies, to the exclusion of the conflict-of-laws rules of private international law and the UN Convention on Contracts for the International Sale of Goods.

16.6 Place of jurisdiction

Exclusive place of jurisdiction for all disputes arising from or in connection with this contract is the competent court for 4020 Linz (Landesgericht Linz).

16.7 Communication

Binding notices in the context of this contract are sent to the customer's last-known email address or to the provider's address as stated in the legal notice. Changes must be notified without delay.

Questions about the Terms of Service: [email protected]