General Terms and Conditions (GTC)

Last updated: February 2026. This English version is provided for convenience; in case of doubt the German version prevails.

§ 1 Scope

(1) These General Terms and Conditions (hereinafter "GTC") apply to the use of the SaaS service SecretExpiry (hereinafter the "Service"), operated by SSIG-IT GmbH, Zum weißen Jura 3, 89143 Blaubeuren (hereinafter the "Provider").

(2) The Service is directed exclusively at entrepreneurs within the meaning of § 14 of the German Civil Code (BGB) (B2B). Use as a consumer within the meaning of § 13 BGB is not intended.

(3) Deviating, conflicting, or supplementary terms and conditions of the customer only become part of the contract if the Provider has expressly agreed to their validity in writing.

§ 2 Description of services

(1) SecretExpiry is a web-based monitoring service that monitors Microsoft Entra app registrations (Azure Active Directory) and notifies the customer by email about expiring client secrets and certificates.

(2) The scope of services includes in particular:

  • Automatic synchronization of app registration metadata via the Microsoft Graph API (Application.Read.All)
  • Email notifications for upcoming expiry dates (configurable: 90, 30, 14, 7, 1 days before)
  • Dashboard for a central overview of all monitored tenants and secrets
  • Multi-tenant management for Managed Service Providers (MSPs)

(3) Zero-knowledge architecture: The Service reads metadata only (display name, expiry date, type). Actual secret values, passwords, or private keys are never retrieved, transmitted, or stored at any time.

(4) The Provider endeavors to achieve service availability of 99.5% on an annual average, calculated on the basis of monthly uptime. Planned maintenance is announced in advance where possible and does not count as downtime.

§ 3 Conclusion of contract & registration

(1) Registration takes place by entering a business email address and authenticating via magic link. By registering, the customer submits an offer to conclude a usage agreement.

(2) The contract is concluded upon activation of the user account by the Provider.

(3) The customer warrants that they are authorized to conclude the contract on behalf of their company and that the email address provided is a business address.

§ 4 Prices & billing

(1) Use of the Service is subject to a fee. Current prices are set out in the price list on the website valid at the time the contract is concluded.

(2) Billing is per connected Microsoft tenant according to the following tiers:

Number of tenants    Price per tenant / month
1 – 10               €10.00
11 – 20              €9.00
21 – 40              €8.00
41 – 60              €7.00
61 – 100             €6.00
101 and above        Individual quote

(3) For annual billing, the Provider grants a 20% discount on the monthly price.

(4) All prices are exclusive of statutory VAT.

(5) Payment is made via the payment service provider Stripe, either by credit card, SEPA direct debit, or – for annual billing – by bank transfer against an invoice. For payment by credit card or SEPA direct debit, the customer is obliged to provide valid payment information. For payment by bank transfer, the Provider issues an invoice with bank details and a payment reference; the invoiced amount must be transferred within the period stated on the invoice (14 days).

(6) Free trial: New customers can try the Service free of charge for 14 days. No costs are incurred during the trial. For payment by credit card or SEPA direct debit: if no valid means of payment is provided by the end of the trial, the trial ends automatically – no costs are incurred and no cancellation is required. If the customer provides a means of payment, or chooses payment by bank transfer for annual billing, the trial transitions seamlessly into a paid subscription at the end of the 14 days, according to the tiers set out in paragraph 2; for payment by bank transfer, an invoice is then issued after the trial ends. Each customer is entitled to one trial only.

§ 5 Late payment & grace period

(1) In the event of a failed payment, the customer receives a grace period of 7 days during which the Service remains available.

(2) After the grace period expires, access to the Service is restricted until the outstanding payment is settled. Existing data is not deleted.

(3) The Provider reserves the right to terminate the contractual relationship extraordinarily in the event of payment default of more than 30 days.

§ 6 Contract term & termination

(1) With monthly billing, the contract can be terminated at any time effective at the end of the current billing period.

(2) With annual billing, the contract is automatically renewed for a further year unless terminated no later than 14 days before the end of the term.

(3) Termination can be carried out via the dashboard (Settings → Subscription) or by email to info@secretexpiry.com.

(4) The right to extraordinary termination for good cause remains unaffected.

(5) After termination and expiry of the billing period, access to the Service is blocked. The customer can export their data within 30 days after the end of the contract. Thereafter, all data is irrevocably deleted.

§ 7 Customer obligations

The customer undertakes to:

  • Use only valid business email addresses for registration and notifications.
  • Keep access credentials confidential and report any unauthorized access to their account without delay.
  • Properly grant the required Microsoft Entra permissions (admin consent for Application.Read.All).
  • Not misuse the Service, in particular not through automated bulk queries, reverse engineering, or attempts to circumvent security mechanisms.
  • Ensure that use of the Service complies with applicable data protection regulations in relation to its own customers.

§ 8 Microsoft Entra integration

(1) Connecting Microsoft Entra tenants requires admin consent to be granted by an authorized administrator of the respective tenant.

(2) The customer confirms that they have the necessary authority to grant admin consent for the connected tenants – in particular for customer tenants within the scope of a managed-service agreement.

(3) The Provider is not liable for the accuracy, completeness, or timeliness of the metadata provided by Microsoft.

(4) In the event of changes to or revocation of the API permissions by Microsoft or the tenant administrator, synchronization is automatically deactivated. The Provider informs the customer by email.

§ 9 Liability

(1) The Provider is liable without limitation for damages arising from injury to life, body, or health, as well as for intent and gross negligence.

(2) In the case of slight negligence, the Provider is only liable for the breach of material contractual obligations (cardinal obligations). In this case, liability is limited to the foreseeable damage typical for the contract.

(3) In particular, the Provider is not liable for:

  • Secrets or certificates that had already expired before monitoring began
  • Email notifications not delivered or delivered late due to problems at the customer's email provider
  • Changes to the Microsoft Graph API that lead to restricted or interrupted data retrieval
  • Data loss at the customer, insofar as the customer did not maintain adequate data backups
  • Outages or performance limitations of the third-party infrastructure providers used (Vercel, Supabase, Stripe)

(4) Liability under the German Product Liability Act (Produkthaftungsgesetz) remains unaffected.

§ 10 Data protection

(1) The Provider processes the customer's personal data exclusively in accordance with the Privacy Policy and in compliance with the GDPR.

(2) Insofar as the Provider processes personal data of the customer's end customers on the customer's behalf (e.g. tenant metadata of customer tenants), the parties will, upon request, conclude a data processing agreement (DPA) pursuant to Art. 28 GDPR. The customer can request this by email to info@secretexpiry.com.

(3) The Provider implements appropriate technical and organizational measures to protect personal data (TLS, RLS, encryption, rate limiting, CSP).

§ 11 Intellectual property

(1) All rights to the software, design, and content of the Service remain with the Provider. The customer receives a simple, non-transferable right of use for the duration of the contractual relationship.

(2) All data contributed by the customer (tenant configurations, notification settings) remains the property of the customer.

§ 12 Changes to the GTC

(1) The Provider reserves the right to amend these GTC with a notice period of at least 30 days. Changes are communicated to the customer by email.

(2) If the customer does not object to the changes within 30 days of receiving the change notification, the amended GTC are deemed accepted. The Provider will separately point out to the customer, in the change notification, the right to object and its legal consequences.

(3) If the customer objects, the contract continues under the previous terms. In this case, the Provider may terminate the contract by ordinary notice as of the next regular termination date.

§ 13 Final provisions

(1) The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

(2) The place of jurisdiction for all disputes arising from this contractual relationship is the Provider's registered seat, provided that the customer is a merchant, a legal entity under public law, or a special fund under public law.

(3) Should individual provisions of these GTC be or become invalid, the validity of the remaining provisions remains unaffected. The invalid provision shall be replaced by a valid provision that comes closest to the economic purpose of the invalid provision.

(4) Ancillary agreements, amendments, and supplements require text form (email is sufficient).
