Sales Terms for FairSSL A/S

These terms are primarily intended for business customers (B2B). If you are acting as a consumer (B2C), mandatory consumer protection rights in your national legislation take precedence.

sslbrain is a product of FairSSL A/S, a Danish company that develops and sells software for SSL/TLS certificate lifecycle management. FairSSL is independent of all Certificate Authorities (CAs).

All FairSSL employees are bound by confidentiality obligations. Information about the customer's systems, configuration, and infrastructure is treated as confidential.

The agreement basis consists of the order confirmation, these sales terms, the software licence file, and any written supplementary agreements. In case of conflict, supplementary agreements take precedence, followed by the order confirmation, then these terms, and finally the licence file.

Only written agreements entered into by an authorised representative of FairSSL are binding. Oral promises, informal emails, or information provided by employees without authority do not create obligations for FairSSL beyond what is stated in the agreement basis.

sslbrain is an on-premises SSL/TLS certificate lifecycle management appliance, distributed as a Docker container image. The software runs on the customer's own infrastructure. All certificate data, private keys, credentials, and vault contents remain on the customer's servers.

sslbrain is available in multiple tiers with varying limits on endpoints, certificates, users, and integrations. The applicable tiers, limits, and prices are listed on the pricing page at sslbrain.com. FairSSL may change the tier structure with notice in accordance with section 19.

sslbrain requires a connection to sslbrain Cloud for licence validation, certificate issuance, and other supporting services (see section 11). The software is not fully offline-functional unless offline operation has been agreed in writing.

Usage restrictions

sslbrain is a certificate lifecycle management tool. The software is not intended for, and must not be used in, systems where malfunction could result in personal injury, loss of life, or damage to critical infrastructure (including medical devices, nuclear facilities, weapons systems, or similar). FairSSL disclaims all liability for use in such contexts.

The customer is responsible for compliance with applicable export control legislation, including EU Regulation 2021/821 on dual-use items. The software must not be exported, re-exported, or used in countries, regions, or by entities subject to sanctions from the EU, UN, or Denmark.

sslbrain is licensed, not sold. The software is source-available under a proprietary licence. The source code can be inspected to verify security and data handling, but the software is not open source. The right of inspection does not alter the licence terms and does not grant permission to copy, modify, or distribute the code.

Each licence grants the right to run one instance of sslbrain. The licence is bound to one sslbrain Cloud account and is validated continuously against sslbrain Cloud.

Not permitted

• Redistribution, sublicensing, resale, or publication of the software without written agreement.
• Using the source code to create a competing product or service, including through "clean room" reimplementation based on the software's functionality.
• Circumventing licence validation, tier restrictions, or other technical limitations.
• Developing, distributing, or selling plugins, add-ons, modules, or other components that bypass tier separation or provide access to functionality beyond what the customer's licence covers.
• Removing or altering copyright notices, licence labels, or module integrity verification.

Anti-avoidance

If an arrangement, configuration, or action is primarily intended to avoid licence fees or circumvent restrictions in these terms, FairSSL may disregard the arrangement and treat the use according to its actual scope. What matters is the actual use, not the technical packaging. This provision applies regardless of whether the specific action is mentioned elsewhere in these terms.

Software modification

Modifying the software's code, configuration, or modules with the intent to circumvent licence restrictions, report inaccurate usage data, or otherwise manipulate licence validation is a material breach. FairSSL monitors for discrepancies between expected and actual behaviour and reserves the right to immediately suspend access to sslbrain Cloud upon confirmed manipulation.

sslbrain is intended for normal operational use of certificate lifecycle management within the licensed scope. An endpoint is any device with at least one valid certificate managed through sslbrain. Each tier has limits on endpoints and certificates as shown on the pricing page and in your licence. A single certificate can be installed on multiple devices without consuming additional capacity. FairSSL does not impose an artificial limit on the number of issuances. Certificate Authorities and sslbrain Cloud have public rate limits, which are documented by the relevant CA and in sslbrain's documentation.

The following constitutes abuse:

• Creating multiple accounts to circumvent licence limits (one account per organisation).
• Using a single endpoint configuration across multiple physical servers to circumvent the endpoint limit.
• Automated or systematic account creation.
• Using the free tier in an organisation where the scale of use realistically requires a paid licence.
• Resale, white-labeling, or use as a managed service for third parties without written agreement with FairSSL.
• Use that places disproportionate load on sslbrain Cloud infrastructure.

This list is not exhaustive. FairSSL reserves the right to determine whether specific use constitutes abuse.

Consequences

Free tier

FairSSL may suspend access to sslbrain Cloud if FairSSL reasonably determines that usage constitutes abuse. FairSSL will endeavour to notify the account holder but is not obligated to provide prior notice for free accounts.

Paid tiers

In the event of a breach, FairSSL will provide written notice describing the issue. The customer has 30 days to remedy the situation (cure period). If the breach is not remedied, FairSSL may suspend access to sslbrain Cloud. Suspension is the first step, not account closure. The customer's local data, certificates, and keys are not affected by suspension.

Immediate suspension (all tiers)

FairSSL may suspend access immediately in the following cases:

• Manipulation of the software's code or licence system.
• Use that poses an immediate security risk to sslbrain Cloud or other users.
• A requirement from a Certificate Authority, regulatory body, or court.
• Use in violation of sanctions legislation.

In the event of immediate suspension of a paying customer, FairSSL will notify the customer as soon as reasonably possible and to the extent legally permitted.

Restoration

For ordinary breaches, paying customers receive notice and the opportunity to remedy the issue before any restrictions are applied. If a suspension is due to an error or misunderstanding, it is lifted once the issue has been resolved.

Actions that fall outside the scope of normal commercial use, such as technical manipulation of the software's control functions, are not covered by this right of restoration. Because such actions are not part of a normal operating situation, they may result in permanent loss of access to the service.

Licence verification

sslbrain Cloud continuously verifies that usage is within the licensed limits. If usage exceeds the licence limit, a warning is displayed in the sslbrain appliance, and the customer is contacted to arrange an upgrade.

An agreement is formed when the customer creates an account and completes payment (for paid tiers). The free tier is activated upon account creation.

Orders can be placed via the sslbrain Cloud portal, the sslbrain appliance UI, or by email to info@fairssl.dk for individual agreements.

FairSSL reserves the right to decline orders in case of suspected abuse, use in violation of sanctions legislation, or previous unpaid debts.

All prices are publicly available on the pricing page and listed in EUR excluding VAT unless otherwise stated. VAT is added in accordance with applicable legislation. Customers with a valid VAT number in an EU country other than Denmark are exempt from Danish VAT.

FairSSL may change prices with at least 30 days' notice. Price changes do not affect current subscription periods.

Payment methods

• Payment cards (Visa, Mastercard, and Dankort and American Express in DKK only): Handled by Scanpay with Clearhaus or Nets as acquirer. FairSSL does not have access to or receive card data. Card details are stored by the payment provider in compliance with PCI DSS.
• Invoice: Available for customers with individual agreements. Payment terms: NET 30.

Stored cards and consent

Customers may store a payment card for future payments and automatic renewal. Enrolment requires the customer's active consent. The customer may remove a stored card at any time via the sslbrain Cloud portal. The payment provider may use automatic card updating (Account Updater) when card numbers change.

Late payment

FairSSL reserves the right to charge interest and fees for late payment in accordance with applicable law. Continued use of sslbrain after a subscription period has ended, regardless of whether renewal has been completed, creates a payment obligation for that period.

Chargebacks

An unjustified chargeback (reversal of card payment) constitutes a material breach of these terms. FairSSL may suspend access to sslbrain Cloud upon a chargeback and restore access once the matter is resolved. Services and licences already delivered cannot be refunded via chargeback.

Paid licences are subscription-based. Billing periods and prices are listed on the pricing page. Subscriptions renew automatically at the end of each period unless the customer cancels before the renewal date. FairSSL sends renewal reminders.

All products are delivered electronically. Delivery is considered complete when the sslbrain Cloud account has been created, the licence key is available, and the Docker image can be downloaded. Installation and configuration are the customer's responsibility unless additional services have been purchased.

Money-back guarantee

FairSSL voluntarily offers a money-back guarantee on licence purchases. The guarantee period is listed on the pricing page and varies by tier. For consumers (B2C), the statutory 14-day right of withdrawal for distance sales also applies.

Excluded from refund are services already performed (onboarding, consulting) and consumed SSL unit licences (certificates already issued).

Contact info@fairssl.dk with your account number within the guarantee period. Refunds are processed to the original payment method within 14 days.

FairSSL provides support in Danish, Swedish, and English. Support levels and response times vary by tier and are listed on the pricing page. The free tier does not include direct support.

Support covers the use of sslbrain and sslbrain Cloud. Support does not cover the customer's infrastructure, network configuration, DNS setup, or third-party software unless consulting services have been purchased.

If the software does not function as described, contact info@fairssl.dk. FairSSL investigates and responds to complaints within 5 business days. For business customers, complaints must be filed within 1 year of delivery. For consumers, statutory complaint periods apply.

sslbrain is on-premises software. The customer is responsible for:

• Installation, operation, and security maintenance of the Docker host environment.
• Backing up sslbrain data, configuration, and vault.
• Firewall rules, DNS configuration, and network access to sslbrain Cloud.
• Protecting access to the sslbrain appliance.
• Verifying that certificates are correctly installed and renewed on target servers.
• Providing accurate information to Certificate Authorities (domain names, organisation data, contacts).
• Correct CAA configuration in DNS so that it does not block the CAs used by sslbrain.
• Keeping contact details in sslbrain Cloud up to date (email, billing information). Notices sent to the registered email address are considered delivered.

Duty to update

The customer decides when to install software updates. FairSSL always recommends installing security patches promptly. If the customer fails to install a security update after reasonable notice, and an incident occurs that the update would have prevented, the customer bears the responsibility for the consequences.

Private keys

All private keys are generated and stored on the customer's infrastructure. FairSSL never has access to the customer's private keys.

sslbrain Cloud provides licence validation, ACME proxy for certificate issuance, Auto-DNS validation, vault support (encrypted cloud-based key; vault data remains local), software updates, and an account portal.

All tiers require internet access to sslbrain Cloud unless offline operation has been agreed in writing. FairSSL aims for high uptime. Uptime guarantees for Cloud services are listed on the pricing page for the relevant tiers.

Data sent to sslbrain Cloud

The sslbrain appliance sends the following to sslbrain Cloud:

• Licence key, tier identification, and software version.
• Anonymised operational telemetry (number of servers, certificates, agents, and similar statistics without customer-identifying information).
• Certificate requests with associated domain names. sslbrain Cloud forwards these to the relevant CA, which issues the certificate. Domain names in publicly issued certificates are logged in Certificate Transparency (CT) logs and are therefore publicly available. The completed certificate is returned to the customer's sslbrain appliance.
• API tokens for Cloud services. sslbrain Cloud provides an encryption key (KEK) to the appliance, which is used to protect locally encrypted data.
• Emails sent via sslbrain Cloud on behalf of the customer (alerts, notifications, status updates). These may contain names, email addresses, server names, IP addresses, certificate data, and information about errors or outages.

Login

Login to sslbrain Cloud can be done via email or via an external provider (Google, GitHub, or Microsoft). When using an external provider, login information is sent to the chosen provider in accordance with their terms.

Data that remains local

Private keys, certificate files, vault contents (decrypted), local appliance login data, audit logs, and operational data are processed and stored exclusively on the customer's infrastructure and are not sent to sslbrain Cloud.

sslbrain uses third-party Certificate Authorities (CAs) for SSL/TLS certificate issuance via the ACME protocol. FairSSL strives to maintain redundancy across multiple free and paid CAs, selected based on FairSSL's assessment of security, trust, technical suitability, stability, and compliance with industry standards.

Industry changes

The SSL/TLS industry is continuously evolving and is governed by the CA/Browser Forum and browser root programs. Changes in industry requirements may affect certificate lifetimes, validation methods, key requirements, supported algorithms, and other technical aspects. Such changes are outside FairSSL's control. FairSSL notifies affected customers as soon as possible and adapts the software as needed.

CAs may at any time cease offering certificates, change their terms, restrict issuance volume, be distrusted by browsers, or otherwise become unavailable. FairSSL may likewise choose to add or remove CAs if they no longer meet our requirements. When a CA becomes unavailable, FairSSL will endeavour to offer alternatives so that the customer can continue certificate issuance.

CA authorisation and subscriber obligations

When using sslbrain for certificate issuance, the customer accepts the relevant CA subscriber agreements. The customer authorises FairSSL to accept these agreements on the customer's behalf and to manage certificate orders (issuance, renewal, reissuance, and revocation) via sslbrain Cloud. The customer authorises FairSSL to share the necessary information with the CA.

The customer undertakes to protect private keys, revoke certificates within 24 hours of suspected key compromise, provide accurate information for validation, use certificates only on the domains listed in the certificate, and cease use of a certificate after revocation.

Certificate Transparency

As described in section 11, domain names in publicly issued certificates are automatically logged in CT logs. This is an industry requirement that neither FairSSL nor the customer can opt out of.

Revocation

FairSSL may revoke or request revocation of certificates when required by a CA, by CA/Browser Forum rules, or by applicable law. FairSSL is not liable for service disruptions caused by mandatory or industry-required revocation.

Software updates are included in all subscriptions and distributed as Docker images via sslbrain Cloud.

FairSSL supports the latest version and the immediately preceding major version. Older versions do not receive security patches or support. FairSSL provides at least 90 days' notice before a version is marked as end-of-life.

Changes that require customer action are notified via email and in the appliance dashboard with at least 30 days' notice for planned changes.

sslbrain verifies module integrity at startup. Modification of signed modules may cause the appliance to refuse to load them.

Vulnerabilities

No software is free of defects. FairSSL takes vulnerability reports seriously. Credible vulnerability reports are acknowledged within 3 business days. Confirmed vulnerabilities are fixed as quickly as possible, starting with the latest version, and updates are released for supported versions. Depending on the severity of the vulnerability, FairSSL reserves the right to notify all affected customers directly.

Since the source code is available for inspection, FairSSL encourages responsible disclosure of vulnerabilities directly to info@fairssl.dk. FairSSL is not obligated to respond to automated scan results, generic enquiries, or enquiries that require payment for information.

sslbrain is configured by the customer to obtain, install, and maintain SSL/TLS certificates on the customer's servers, and where possible to monitor and alert when this does not succeed. sslbrain must not be used as the sole monitoring of critical systems or services that cannot tolerate downtime, as the software is primarily a certificate lifecycle tool and is not designed to monitor or assess the overall operational state of other systems.

What FairSSL does

FairSSL secures sslbrain through a redundant cloud infrastructure located within the EU and by minimising the amount of data stored centrally. To protect the customer's internal infrastructure, sslbrain is designed to use outbound connections only. FairSSL has no access to the customer's servers, data, or private keys.

All sslbrain updates and agents that have been reviewed and approved by FairSSL are cryptographically signed with physically secured keys before release. The agent review aims to ensure that agents follow sslbrain's standards for input handling and restricts agent access to certificate-related operations where technically possible. Ultimately, it is the customer who decides which agents to install and with what settings they are used. To prevent unintended incidents, sslbrain does not update automatically by default. The source code is made available for inspection so that the customer can independently verify security before deploying the software.

What the customer does

The customer bears full responsibility for the local installation, including networking, security, and access control in their own environment. The customer decides when to install updates and with what settings the software runs. The security of the customer's sslbrain installation depends on the security of the server it runs on. If the server is compromised for other reasons, sslbrain cannot protect the data on that server.

Limitation of liability

FairSSL is not liable for indirect losses, loss of business, lost profits, consequential damages, data loss, regulatory fines, or losses arising from the customer's use of sslbrain. FairSSL's total liability is limited to the amount paid by the customer to FairSSL in the 12 months preceding the event giving rise to the claim. This limitation does not apply where mandatory law provides otherwise.

FairSSL is not liable for losses caused by the customer's infrastructure, configuration, failure to maintain or update, CA decisions, industry changes, or actions of third parties.

Any uptime guarantees for sslbrain Cloud do not constitute a guarantee against all forms of downtime. Any SLA credits are the exclusive remedy for Cloud downtime and cannot be combined with other claims for damages.

FairSSL is not liable for failure or delay in performing obligations due to circumstances beyond FairSSL's reasonable control, including natural disasters, war, terrorism, sanctions, government intervention, strikes, outages at CAs, DNS providers, or cloud providers, major internet disruptions, cyber attacks, and power failures.

In the event of force majeure, FairSSL will notify the customer as soon as possible and make efforts to minimise the consequences.

FairSSL processes personal data in accordance with the GDPR and the Danish Data Protection Act. Our full privacy policy is available at: Privacy Policy.

A Data Processing Agreement (DPA) tailored to the customer's tier is available in the sslbrain Cloud portal after login. For Enterprise customers, the DPA is typically entered into as part of the overall agreement. Contact info@fairssl.dk with questions.

The customer is responsible for the content of free-text fields (descriptions, notes, tags) in sslbrain. FairSSL advises against storing personal data, passwords, or confidential information in free-text fields. If such data is uploaded or synchronised to sslbrain Cloud (e.g. via support bundles), FairSSL processes it in accordance with the privacy policy.

The following notifications cannot be opted out of: order confirmations, invoices, payment reminders, licence status, security alerts, critical updates, industry changes affecting certificate management, and sslbrain Cloud operational notices.

The customer may cancel their subscription at any time via the sslbrain Cloud portal. On cancellation, the subscription runs until the end of the paid period, after which the account is downgraded to the free tier.

The rules for suspension due to abuse are set out in section 4. For non-payment, the grace period in section 7 applies.

Since sslbrain is on-premises software, the customer always has full access to their own data directly on their own infrastructure. Closing the sslbrain Cloud account does not affect data that already exists locally.

FairSSL may block Cloud traffic from cancelled or suspended accounts.

• Current subscriptions: Changes are notified at least 30 days before they take effect. The customer may cancel before the effective date.
• New purchases: The version in effect at the time of order applies to that order.
• Free tier: Changes to the free tier's limitations are notified with at least 90 days' notice.

The current version is always available on this page.

Assignment

FairSSL may assign these terms and associated rights and obligations to another company in connection with a merger, acquisition, restructuring, or sale of all or a substantial part of the business. The customer will be notified. The acquiring party assumes FairSSL's obligations towards the customer.

The customer may not assign their licence or account to a third party without FairSSL's written consent.

Severability

If any provision of these terms is found to be invalid or unenforceable, this does not affect the validity of the remaining provisions. The invalid provision shall be replaced by a valid provision that reflects the original intent to the greatest extent possible.

No waiver

FairSSL's failure to enforce a right or provision in a specific situation does not mean that FairSSL has waived that right or the ability to enforce the provision in the future.

Survival

Provisions that by their nature are intended to apply after termination of the agreement shall remain in effect. This includes, among other things, licence restrictions, limitation of liability, dispute resolution, confidentiality, and obligations regarding revocation and payment of outstanding amounts.

These terms are governed by Danish law.

Any disputes that cannot be resolved by negotiation shall be brought before the Court of Randers (Retten i Randers) as the agreed venue, with the usual right of appeal under Danish procedural law.

For consumers, mandatory venue rules in the consumer's country of residence apply.

Consumer complaints

If you are a consumer and wish to file a complaint, contact info@fairssl.dk. If we are unable to reach a resolution, you may file a complaint with the Danish Centre for Complaint Resolution (Nævnenes Hus), Toldboden 2, 8800 Viborg, Denmark, via naevneneshus.dk.