Terms of Service.

1. Parties and acceptance

1.1. These Terms of Service (the "Terms") constitute a binding agreement between:

• BIG BOX Hosting d.o.o., a Slovenian private limited liability company (družba z omejeno odgovornostjo), registered at Trg republike 3, Floor 2, 1000 Ljubljana, Slovenia, entered in the Slovenian Business Register (AJPES) under registration number [VERIFY: matična številka], VAT identification number [VERIFY: SIxxxxxxxx] (the "Provider", "we", "us", or "our"); and
• The natural or legal person who enters into a contract for the Services described in section 2 (the "Customer", "you", or "your").

1.2. The Customer accepts these Terms by signing an Order Form, by clicking an electronic acceptance mechanism on the Provider's website, or by commencing use of the Services. Continued use of the Services constitutes ongoing acceptance.

1.3. Where a Customer has signed a separate Master Service Agreement (MSA) with the Provider, the terms of the MSA prevail over these Terms to the extent of any conflict. In all other cases, these Terms govern the contractual relationship.

2. Services

2.1. The Provider offers managed email infrastructure services, including but not limited to:

• Managed PowerMTA hosting on dedicated bare metal;
• Managed KumoMTA hosting on dedicated bare metal;
• SMTP relay services;
• IP warmup operated as a managed service;
• SPF, DKIM, DMARC, MTA-STS, BIMI configuration audit and remediation;
• Email Authentication Suite (DMARC monitoring, MTA-STS deployment, BIMI/VMC issuance);
• Offshore dedicated servers in five jurisdictions (Slovenia, Luxembourg, Switzerland, Iceland, Sweden).

2.2. The specific Services contracted by a Customer, the applicable pricing, the relevant Service Level Agreement parameters, and any agreed customisation are set out in the signed Order Form or the equivalent electronic record. Where these Terms and the Order Form conflict, the Order Form prevails.

2.3. The Provider may modify the technical implementation of the Services from time to time. Material changes that adversely affect the Customer's use of the Services will be notified at least 30 days in advance. Non-material technical changes (security patches, software version updates, infrastructure improvements that do not adversely affect the Customer's use of the Services) may be made without prior notice.

3. Acceptable use

3.1. The Customer warrants that the use of the Services will at all times comply with applicable law in the jurisdiction where the Customer is established, in the jurisdiction where the Services are operated (which may be Slovenia or Luxembourg or Switzerland or Iceland or Sweden, depending on the Order Form), and in any jurisdiction targeted by the Customer's communications.

3.2. Prohibited content. The following categories of content and use are strictly prohibited on infrastructure operated by the Provider, and constitute material breach of contract giving rise to immediate termination without refund:

• Child sexual abuse material (CSAM), under any framing or jurisdiction. Detected CSAM is reported to law enforcement under the Slovenian Criminal Code (KZ-1, Article 176) and the Provider's obligations under Slovenian law;
• Explicit incitement to violence against identifiable persons or groups;
• Content or activity that violates the law applicable in the jurisdiction where the relevant infrastructure is hosted (Slovenia for primary services; Luxembourg, Switzerland, Iceland or Sweden for tenants on regional clusters);
• Distribution of malware, phishing kits, ransomware, exploit toolkits, or any other software designed to compromise the security of third-party systems;
• Operation of botnet command-and-control infrastructure, DDoS-for-hire services, or similar abuse infrastructure;
• Sustained, knowingly fraudulent commercial practices, including but not limited to advance-fee fraud, deceptive impersonation of regulated financial institutions, and other practices likely to constitute criminal fraud under applicable law.

3.3. Email-specific acceptable use. Where the Services include email transmission, the Customer further agrees:

• To send only to recipients who have consented to receive the relevant communications, in accordance with the consent requirements of GDPR Article 6 and the ePrivacy Directive 2002/58/EC as transposed in the relevant jurisdiction;
• To honour unsubscribe requests within the timeframes required by the applicable law (typically 10 business days under EU practice);
• To configure SPF and DKIM authentication on all sending domains, with a DMARC policy aligned to the Yahoo and Google bulk sender requirements (effective February 2024) and the Microsoft sender requirements (effective May 2025);
• Not to send to recipient lists obtained without consent, including but not limited to scraped lists, purchased lists, or lists transferred without legal basis;
• Not to spoof or falsify sender identification, whether in the message headers, the SMTP envelope or the message body.

3.4. Investigation and enforcement. Where the Provider has reasonable grounds to believe that section 3.2 or 3.3 has been violated, the Provider may suspend the Services with respect to the affected accounts or domains pending investigation, request the Customer to provide additional information, refer the matter to the Provider's legal counsel for assessment, and where the violation is confirmed, terminate the affected portion of the Services with immediate effect. Material violations affecting the Provider's network or third parties (such as ransomware operation or sustained spam attack from Customer infrastructure) may result in immediate termination of the entire contract.

3.5. DMCA and copyright. The Digital Millennium Copyright Act is United States federal law. It does not directly apply in any of the jurisdictions where the Provider operates infrastructure. The Provider responds to lawful copyright orders issued by competent courts in the jurisdiction where the relevant infrastructure is hosted. Frivolous or automated or jurisdictionally inapplicable copyright complaints (including DMCA notices submitted to non-US infrastructure) are reviewed but not automatically actioned.

4. Fees and payment

4.1. Currency and pricing. All fees are denominated in Euros (EUR) and exclusive of any applicable value-added tax (VAT), goods and services tax, or equivalent indirect tax. The Customer is responsible for any such tax payable in the Customer's jurisdiction, except where the Provider is required by Slovenian law to collect VAT (DDV) directly (typically when the Customer is a natural person established in the European Union without a valid VAT identification number).

4.2. Invoicing. Invoices are issued in EUR and dated as of the first day of each calendar month or, for one-time services, within five business days of service delivery. Invoices include all elements required by the Slovenian Value Added Tax Act (ZDDV-1) and the EU VAT Directive 2006/112/EC.

4.3. Payment terms. Payment is due within 14 days of invoice date, by any of the following methods:

• SEPA bank transfer to the Provider's IBAN published on the invoice;
• Card payment processed by Mollie B.V. (Visa, Mastercard, Maestro, Bancontact, iDEAL);
• Cryptocurrency payment in Bitcoin (BTC), Ethereum (ETH), USDT, or USDC, against an invoice-specific address. Conversion to EUR uses the spot rate at the time of payment.

4.4. Late payment. Invoices unpaid 14 days after the due date accrue late-payment interest at the reference rate set by the Bank of Slovenia plus 8 percentage points per annum, in accordance with the Slovenian Act on Prevention of Late Payments (ZPreZP-1) and EU Directive 2011/7/EU. The Provider may suspend Services for invoices unpaid more than 30 days after the due date, and may terminate the contract for invoices unpaid more than 60 days after the due date, after sending two written notices to the Customer's registered email address.

4.5. Price changes. The Provider may adjust the prices of recurring Services upon at least 60 days' written notice to the Customer. The Customer may terminate the affected Services without penalty during the notice period if the Customer does not accept the new pricing. Prices for one-time services are fixed at the time of the Order Form.

5. Service Level Agreement (SLA)

5.1. Uptime commitments. The Provider commits to the following uptime targets, measured monthly on a calendar-month basis:

• Production MTA services: 99.95% monthly uptime;
• Control plane / customer dashboard: 99.99% monthly uptime;
• Network availability (per PoP): 99.99% monthly uptime.

5.2. Service credits. Where the Provider fails to meet the uptime commitments in section 5.1 in a given calendar month, the Customer is entitled to a service credit applied against the next invoice, calculated as a percentage of the monthly recurring fee for the affected Service:

• 99.94% to 99.50% — 5% credit;
• 99.49% to 99.00% — 10% credit;
• 98.99% to 98.00% — 25% credit;
• Below 98.00% — 50% credit, plus the Customer's right to terminate the affected Service without penalty within 30 days.

5.3. Exclusions from SLA calculation. The following events are excluded from uptime calculations:

• Scheduled maintenance, announced at least seven days in advance, performed within published maintenance windows;
• Force majeure events as defined in section 9;
• Downtime caused by the Customer's own actions, including (without limitation) misconfigured DNS, expired payment, content that triggers blocking by upstream networks, and authorised testing that exhausts service capacity;
• Internet routing problems outside the Provider's own network and the immediate peering at the in-PoP exchanges, where the Provider can demonstrate that traffic is leaving the Provider's network correctly.

5.4. Incident response and notification. The Provider operates a 24/7/365 on-call rotation. Severity 1 and Severity 2 incidents are responded to within seven minutes of detection or customer report. Customer notification of confirmed Severity 1 or 2 incidents is sent through the published status page within 30 minutes of confirmation, with email notification to the registered Customer contact within the same window. A post-mortem report is published within 72 hours of resolution.

5.5. Service credit claim process. Service credits are not issued automatically. The Customer must submit a credit claim by email to [email protected] within 30 days of the end of the calendar month in which the SLA was missed, identifying the affected Service and providing supporting evidence (typically the Provider's status page record). The Provider will respond within 10 business days.

5.6. Service credits as exclusive remedy. Subject to section 9 (limitation of liability), service credits issued under this section are the Customer's exclusive remedy for failure of the Provider to meet the uptime commitments in section 5.1.

6. Data protection and processing

6.1. Personal data processed by the Provider as a controller (in respect of the Customer's account plus billing plus direct communications) is governed by the Privacy Policy at /legal/privacy/, which forms part of these Terms.

6.2. Personal data processed by the Provider as a processor on behalf of the Customer (typically email recipient data flowing through the Customer's MTA infrastructure) is governed by a Data Processing Agreement entered into separately between the parties, in accordance with GDPR Article 28. The DPA template is published at /trust/#contact.

6.3. The Customer is the controller of the personal data of its end-recipients and is responsible for: establishing the legal basis for the processing under GDPR Article 6; obtaining consent where required; honouring data subject rights requests; conducting Data Protection Impact Assessments where required by Article 35; and notifying supervisory authorities and affected data subjects in the event of a personal data breach involving the Customer's data, in accordance with Articles 33 and 34.

6.4. The Provider will assist the Customer in complying with the obligations in section 6.3, in accordance with the DPA, taking into account the nature of the processing and the information available to the Provider.

7. Intellectual property and confidentiality

7.1. Customer content. The Customer retains all intellectual property rights in any content that the Customer uploads or otherwise transmits through the Services ("Customer Content"). The Customer grants the Provider a non-exclusive, worldwide, royalty-free licence to host and process Customer Content (including incidental storage and transmission) solely to the extent necessary to provide the Services. This licence terminates when the Service terminates and the data is deleted in accordance with section 8.

7.2. Provider intellectual property. All intellectual property rights in the Provider's software plus configuration plus documentation plus infrastructure tooling remain the property of the Provider or its licensors. No transfer of intellectual property rights to the Customer is implied by the provision of the Services.

7.3. Confidentiality. Each party agrees to keep confidential any non-public information disclosed by the other party in the course of the contract, and to use such information solely for the purpose of performing its obligations under the contract. The confidentiality obligation survives termination for three years.

7.4. Confidentiality obligations under section 7.3 do not apply to information that: (a) is or becomes publicly known through no fault of the receiving party; (b) was lawfully known to the receiving party before disclosure; (c) is lawfully obtained from a third party without confidentiality obligation; (d) is required to be disclosed by law, court order, or competent regulatory authority, in which case the disclosing party will notify the other party where lawful and practicable to do so.

8. Term and termination

8.1. Term. Unless otherwise specified in the Order Form, the contract is entered into for an indefinite term and renews automatically on a monthly basis. Either party may terminate the contract for convenience by written notice to the other party at least 30 days before the end of the current monthly billing period.

8.2. Termination for material breach. Either party may terminate the contract with immediate effect if the other party materially breaches the contract and fails to remedy the breach within 30 days of written notice. Material breach includes, without limitation, repeated failure to pay fees when due (where the breaching party is the Customer), and repeated failure to deliver the Services to the standard required by section 5 (where the breaching party is the Provider).

8.3. Termination for cause without remedy period. The Provider may terminate the contract with immediate effect and without remedy period in the circumstances set out in section 3.4 (acceptable use violation), or where the Customer becomes insolvent, files for bankruptcy, enters administration, or undergoes equivalent insolvency proceedings.

8.4. Effect of termination. Upon termination, the Provider will: (a) cease providing the Services; (b) issue a final invoice for any unpaid amounts up to the termination date; (c) make Customer Content available for download by the Customer for 30 days after termination, in machine-readable formats consistent with the EU Data Act (Regulation 2023/2854/EU) cloud-portability requirements; (d) after the 30-day period, securely delete Customer Content from production systems and (within 90 days) from backup systems, except where retention is required by law (typically Slovenian fiscal and accounting records under the Companies Act, ZGD-1).

8.5. Survival. Sections 4 (fees, for amounts due as of termination), 6 (data and privacy, in respect of post-termination obligations), 7.3-7.4 (confidentiality), 9 (limitation of liability), 10 (governing law and dispute resolution), and any provision that by its nature is intended to survive, will survive termination of the contract.

9. Limitation of liability and force majeure

9.1. Mutual exclusions. Neither party is liable to the other for any indirect or consequential damages — including incidental, special and punitive damages — arising out of or in connection with the contract, including (without limitation) loss of profits, loss of business, loss of goodwill, loss of data (other than as covered by section 6 and the DPA), or business interruption, even if the party has been advised of the possibility of such damages.

9.2. Liability cap. The aggregate liability of either party arising out of or in connection with the contract, whether in contract, tort (including negligence), or otherwise, is limited to the total fees paid by the Customer to the Provider in the 12 months preceding the event giving rise to the claim.

9.3. Exclusions from cap. The limitations in sections 9.1 and 9.2 do not apply to: (a) liability that cannot be limited or excluded under applicable law (including, for natural-person consumers, certain rights under EU consumer protection law); (b) the Customer's obligation to pay fees due under the contract; (c) either party's breach of confidentiality under section 7.3; (d) either party's wilful misconduct or fraud.

9.4. Force majeure. Neither party is liable for any failure to perform its obligations under the contract caused by events beyond its reasonable control, including (without limitation) acts of God, war, terrorism, civil unrest, pandemic, governmental order, denial-of-service attack of a magnitude exceeding ordinary network defences, regulatory action, or failure of essential utilities. The affected party will notify the other party of the force majeure event without delay and will resume performance as soon as the event ends.

10. Governing law and dispute resolution

10.1. Governing law. The contract, including these Terms, the Privacy Policy, the DPA, and any Order Form, is governed by Slovenian law, without prejudice to the mandatory consumer protection rights of any natural-person Customer established in another EU member state under Regulation (EC) No 593/2008 (Rome I).

10.2. Jurisdiction. Any dispute arising out of or in connection with the contract that cannot be resolved through good-faith negotiation between the parties will be submitted to the exclusive jurisdiction of the Slovenian courts of Ljubljana, in particular the District Court of Ljubljana (Okrožno sodišče v Ljubljani) and the courts of appeal subordinate to it. Natural-person consumers retain the right to bring proceedings in the courts of the consumer's habitual residence within the European Union under Regulation (EU) 1215/2012 (Brussels I recast).

10.3. Pre-litigation negotiation. Before initiating litigation, the parties will attempt to resolve any dispute through good-faith negotiation conducted at the level of senior representatives of each party. Either party may at any time refer the dispute to mediation under the rules of a recognised Slovenian mediation institution, such as the mediation centre of the Chamber of Commerce and Industry of Slovenia (GZS), or another mutually agreed mediation institution.

10.4. EU online dispute resolution. For natural-person Customers established in the European Union, the European Commission's Online Dispute Resolution platform is available at https://ec.europa.eu/consumers/odr/. The Provider's contact email for ODR purposes is [email protected].

11. General provisions

11.1. Entire agreement. The contract (these Terms, the Privacy Policy, the DPA, and any Order Form) constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior or contemporaneous agreements and understandings, whether written or oral.

11.2. Amendment. The Provider may amend these Terms from time to time. Material amendments will be communicated to the Customer by email at least 30 days before they take effect. The Customer may terminate the contract without penalty during the notice period if the Customer does not accept the amendment. Continued use of the Services after the effective date of an amendment constitutes acceptance of the amendment.

11.3. Assignment. Neither party may assign or transfer the contract, in whole or in part, without the prior written consent of the other party, except that the Provider may assign to a successor in connection with a merger, acquisition, or sale of substantially all of its assets, in which case the Provider will notify the Customer.

11.4. Severability. If any provision of these Terms is held by a competent court to be invalid or otherwise unenforceable, that provision will be modified to the minimum extent necessary to render it enforceable under applicable law, and the remaining provisions will continue in full force and effect.

11.5. No waiver. The failure of either party to enforce any provision of these Terms does not constitute a waiver of that provision or any other provision.

11.6. Notices. Notices to the Provider should be sent to [email protected] and to the registered office at Trg republike 3, Floor 2, 1000 Ljubljana, Slovenia. Notices to the Customer will be sent to the email address registered in the customer dashboard. Notices are deemed received on the next business day after sending.

11.7. Language. The authoritative language of these Terms is English. Translations into other languages may be provided for convenience, but in the event of any conflict between the English version and a translation, the English version prevails.