Robotics Service Contract: Twelve Clause Blocks for RaaS
Robotics service contract with twelve clause blocks for SLA, liability, KRITIS and exit. Legal template for RaaS maintenance contracts in DACH.
Robotics Service Contract: Why Standard Clauses Fall Short
A robotics service contract drawn from the machine-building template covers about 40 percent of the dispute points that arise in live operation of a security robot. Security robots are not machine tools. They generate forensic data, make autonomous movement decisions and actively intervene in security processes. A BGB works contract under §§ 631 ff. governs the repair of a defective component. It does not govern who owns the patrol data, who is accountable for model updates, and how an availability guarantee is to be measured.
The EU Machinery Regulation 2023/1230 mandates documented maintenance cycles for autonomous machine systems. Standard contracts do not supply this documentation. As a complement, the standard EN ISO 13482 defines safety requirements for personal care robots and provides the reference for maintenance documentation of autonomous mobile systems. Anyone who contractually binds a security robot without reference to these sources takes on the entire interpretation risk themselves.
For KRITIS facilities, a third layer applies. The contract has to be compatible with the reporting duties under the KRITIS Umbrella Act (KRITIS-Dachgesetz). The operator is required to notify the BBK within 24 hours. The information chain between service provider and operator must be contractually secured.
From 36 months of RaaS operation we isolated twelve clause blocks that cover 95 percent of practical disputes. Structurally, a service contract in the Robotics-as-a-Service model differs from a classical maintenance contract. Ownership of the robot remains with the provider throughout, and hardware maintenance is included in the monthly rate. The contract therefore governs service and availability, not transfer of ownership.
Scope, SLA and Availability: Clause Blocks 1 to 3
Clause 1 (scope of service). The scope separates hardware maintenance from software care. Hardware covers battery, sensors, drive, chassis. Software covers model updates, security patches, firmware. Both areas are documented separately because they follow different escalation paths. A sensor failure is an on-site dispatch. A model update is an OTA event.
Clause 2 (availability). For QR-2 in 24/7 outdoor patrol the SLA target is 98 percent availability across a 30-day average. Measurement runs over patrolled hours per shift schedule, not calendar hours. Planned maintenance windows are excluded, but require 72 hours' advance notice.
Clause 3 (response time). On-site dispatch within 24 hours for QR-1 and QR-2. For QR-3 in KRITIS locations a tighter response time of 12 hours applies. Penalty for SLA breach: pro rata refund of the monthly rate, capped at 100 percent of the monthly fee. Force majeure is narrowly defined. Natural events such as flooding or storm fall under it, supply chain disruptions of individual components explicitly do not. The service provider bears the procurement risk of its own supply chain.
What works here: clear measurement methodology, unambiguous penalty. What does not work here: defining availability over calendar hours, because nighttime without patrol assignment then distorts the average.
Data Sovereignty, GDPR and Forensic Review: Clause Blocks 4 to 6
Clause 4 (data ownership). Ownership of raw video data remains entirely with the operator. Model training data is governed in a separate annex and used only in anonymised form. A blanket usage right for the service provider to train AI on customer data is to be rejected.
Clause 5 (data processing). A data processing agreement under Art. 28 GDPR is a mandatory annex, not an option. It defines purpose, duration, type and scope of processing, the categories of affected persons, and the technical and organisational measures. Without a DPA the contract is GDPR-non-compliant.
Clause 6 (retention and access). Standard retention for patrol footage: 72 hours. Incident recordings 30 days, extendable in individual cases with documented security justification. Service provider access to live streams is restricted to fault resolution only and subject to logging. Each access generates an audit log entry which is made available to the operator monthly.
For KRITIS deployments, data processing is contractually restricted to DACH data centres. Hyperscaler regions outside Germany, Austria or Switzerland are excluded, even where they would be permissible under EU law. This tightening follows from the KRITIS-Dachgesetz draft. It sets documented resilience and reporting chains between operator and service provider as a requirement.
Liability, Insurance and Damage Caps: Clause Blocks 7 to 9
Clause 7 (liability cap). Per damage event the twelve-fold monthly rate. For personal injury the statutory minimum coverage of EUR 7.5 million applies. A flat liability cap at one annual rate is inappropriately low for security-relevant services and will not survive AGB review under § 307 BGB.
Clause 8 (product liability). Product liability under ProdHaftG remains with the manufacturer of the robot. The service contract governs maintenance fault only. If a design defect causes the damage, the claim runs against the manufacturer, not against the maintenance provider. This separation has to be contractually clear. In the RaaS model, manufacturer and service provider are frequently the same entity, but legally take on different roles.
Clause 9 (cyber liability). Cyber liability is to be itemised separately. The most common dispute point: an attacker enters the operator's IT network via the robot interface. Who is liable? The contract establishes that the service provider is liable for hardening of the robot interface, the operator for segmentation of their network. The provider's operating liability insurance sits at a minimum of EUR 10 million with annual proof. A waiver of recourse by the provider applies in the case of gross negligence by the operator. Examples: unauthorised hardware modification or bypassing of security updates.
The NIS-2 Directive 2022/2555 extends obligations to suppliers and service providers of critical entities. Anyone procuring in the KRITIS sector has to align liability clauses with this. More in our analysis of NIS-2 board liability.
Term, Termination and Exit Handover: Clause Blocks 10 to 12
Clause 10 (term). Minimum term 24 months in the RaaS model. This period covers amortisation of initial hardware provisioning and the learning curve at the site. After 24 months a notice period of 3 months to month-end applies. Longer lock-ins without special termination rights are neither enforceable nor sensible in practice.
Clause 11 (extraordinary termination). With three documented SLA breaches within six months an extraordinary termination right applies without notice. This clause prevents continued contractual binding under systematic underperformance. In return, the service provider holds an extraordinary termination right for payment default exceeding two monthly rates.
Clause 12 (exit handover). Full data return in machine-readable format within 14 days after contract end. Deletion confirmation by the provider within 30 days, listing all affected systems. Hardware return takes place at the provider. There is no residual value discussion, because ownership remains with the provider throughout. This structural decision is the central difference from a classical maintenance contract.
For provider changes the contract provides a 60-day standstill period with parallel operation on request. This lets the operator onboard the new provider without creating a security gap. The economic assessment of this model compared with personnel services is in the TCO comparison Wachschutz.
KRITIS-Specific Add-On Clauses
For KRITIS operators the twelve standard clauses are not enough. Five add-on clauses are added as a sector annex.
Reporting duty. The provider reports security-relevant incidents within 24 hours to the operator, in parallel with its own BBK notification. The deadline is absolute, not business-day. Incident categories are exhaustively defined in the annex.
Background checks. Maintenance personnel with access to KRITIS facilities are vetted under the Sicherheitsüberprüfungsgesetz (SÜG). For sectoral KRITIS the vetting level is documented. Subcontractor personnel are subject to the same duty.
Resilience proof. Availability also during failure of the public mobile network. This requires redundant connectivity via a second network or local edge processing with buffering. Proof is provided through documented quarterly resilience tests.
Subcontractors. Only certified partners with named approval by the operator. A blanket subcontractor permission is incompatible with KRITIS duties.
Sector specifics. Hospital, energy and water differ considerably in access and escalation protocols. Hospitals have patient rights and hygiene zones. Energy facilities have ATEX-classified restricted areas. Water plants have sensory requirements for drinking water protection. Each sector receives its own contract annex governing these specifics. The operational implementation is outlined in the KRITIS-Dachgesetz checklist.
Price Adjustment and Indexation Over the Term
The fixed price applies for 24 months. After that, an annual adjustment follows the German consumer price index, capped at 3 percent per year. This cap protects the operator from inflation-driven jumps. A reference for wage development in the security industry is provided by the BDSW industry data on personnel cost structures, which serves as a benchmark for RaaS service contracts.
Sensor upgrades, such as a move from QR-2 to QR-3, are priced as a contract amendment, not as indexation. The operator receives a new price offer with its own minimum term for the additional component. Add-on services such as drone detection or LiDAR analysis are listed at unit price in the annex, not hidden inside the main contract.
From the fifth robot onwards a volume tier with 8 percent discount on the monthly rate applies. The tier is documented in the price annex and is not negotiation-dependent. Transparency beats hidden costs: no set-up fees, no training lump sums outside the monthly rate. The three-tariff overview shows the base conditions without annex obligations.
What works here: capped indexation, modular add-on services. What does not work here: blanket escalation clauses tied to wage indices, because they have no substantive link in the RaaS model.
From Template to Pilot Agreement in 14 Days
The path from contract draft to productive operation takes 14 days when the site is prepared.
Day 1 to 3. Site walk-through, definition of patrol routes, selection between QR-1, QR-2 and QR-3. The decision follows the risk profile: indoor, outdoor, KRITIS classification. Route points and shift windows are documented.
Day 4 to 7. Contract adaptation along the twelve clause blocks. The DPA is coordinated with the operator's data protection officer. For KRITIS sites the sector add-on clauses are negotiated in parallel.
Day 8 to 10. Security clearance, network connection, emergency protocols. The operator's IT releases the segment in which the robot operates. Escalation chains to the control room are tested.
Day 11 to 14. Robot delivery, shift handover, start of SLA measurement. From day 14 the contract runs productively.
The pilot phase covers 90 days with a shortened termination period in the event of documented unsuitability. This special clause is the Quarero standard offer for first-time customers. It removes the risk that a 24-month contract becomes a burden if it proves unfit in practice. The twelve clause blocks in the context of the full model are explained in the Robotics-as-a-Service model.