Skip to main content

Think you can outsmart AI? Announcing ‘Behind The Mask’ – Our all-new cybercrime role-playing game | Play Now

Terms of Use

Last Updated: April 08, 2024

These Terms of Use (these “Terms“) are a legally binding agreement between the party accepting these Terms as set forth in this paragraph (“you“) and CalypsoAI Inc. (“CalypsoAI“) and applies to your access and use of CalypsoAI’s hosted platform and related services (collectively, the “Services“). PLEASE READ THESE TERMS CAREFULLY. WHEN YOU CLICK “ACCEPT,” CHECK A BOX, OR OTHERWISE ACCESS OR USE THE SERVICES, YOU ARE AGREEING TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE WITH ANY OF THESE TERMS, YOU MAY NOT ACCESS OR USE THE SERVICES. 

You may access or use the Services by entering into an order form or other written documentation with CalypsoAI (an “Order Form“). If you enter into an Order Form, the terms, conditions, guidelines, policies, and/or rules included in or incorporated by reference into such Order Form (“Supplemental Terms“) will govern your access and use of the Services. Such Supplemental Terms become part of your agreement with CalypsoAI if you use the Services, and if there is a conflict between these Terms and the Supplemental Terms, the Supplemental Terms will control for that conflict.

CalypsoAI may make changes to these Terms. If CalypsoAI makes changes, CalypsoAI may provide you with notice of such changes, such as by sending an email, providing a notice through the Services, or otherwise. Unless CalypsoAI says otherwise in its notice, the amended Terms will be effective immediately, and your continued use of the Services after CalypsoAI provides such notice will confirm your acceptance of the changes. If you do not agree to the amended Terms, you must immediately stop using the Services. Any changes to these Terms will not apply to any dispute between you and CalypsoAI arising prior to the date on which CalypsoAI posted the updated Terms incorporating such changes or otherwise notified you of such changes.

  • THE SERVICES
      1. Right to Use. Subject to your compliance with the terms and conditions of these Terms, CalypsoAI grants you a limited, non-exclusive, revocable right to use the Services solely for your internal business purposes on a device that you own or control. You may not resell, transfer, assign, or sublicense your rights under these Terms to any third party or use the Services to provide services for the benefit of any third party.
      2. Third-Party Providers. You acknowledge that CalypsoAI may use the services of third-party contractors, including third-party data centers, cloud providers, and software implementation consultants, in providing the Services (collectively, “Service Providers“) and that the Services (including Your Data, as defined below) may be hosted and processed on a network owned and maintained by a Service Provider. The performance of Service Providers is outside CalypsoAI’s control. CALYPSOAI WILL NOT BE LIABLE FOR, AND CALYPSOAI EXPRESSLY DISCLAIMS, ANY LIABILITY FOR LOSSES, COSTS, OR EXPENSES CAUSED BY ANY SERVICE PROVIDERS.
      3. Modifications. Notwithstanding anything to the contrary in these Terms, (a) CalypsoAI may conduct maintenance on the Services from time to time without prior notice to you and (b) CalypsoAI may modify features of the Services from time to time at CalypsoAI’s sole discretion.
  • ELIGIBILITY AND ACCOUNTS
      1. Authorization. If you use the Services on behalf of another person or entity, (a) all references to “you” throughout these Terms (other than in this Section 2.1(a), (b) and (c)) will include that person or entity, (b) you represent that you are authorized to accept these Terms on that person’s or entity’s behalf, and (c) in the event you or that person or entity violates these Terms, that person or entity also agrees to be responsible to us. 
      2. Jurisdiction. You may only use the Services in jurisdictions authorized by CalypsoAI. You represent, warrant and covenant that you are not (a) located in, or a resident or a national of, any country subject to a U.S. government embargo or other restriction, or that has been designated by the U.S. government as a “terrorist supporting” country or (b) on any of the U.S. government lists of restricted end users.
      3. Use and Sharing. The Services are provided to you only for your internal business use and not for the benefit or use of any third party. CalypsoAI may enable you to designate authorized individuals (“Authorized Users“) to use the Services, and if so, only Authorized Users may use the Services.  
      4. Access Credentials. You must create an account to use our Services. You are responsible for access to your account and use of the Services by any Authorized User, as well as for your account access and use of the Services by any third party through your access credentials, whether authorized or not. You are responsible for implementing security measures to safeguard your access credentials and to prevent use and disclosure by unauthorized third parties. You will promptly notify CalypsoAI in writing of any unauthorized use of the Services or access credentials that comes to your attention. Neither CalypsoAI nor any of its Service Providers has any obligation to inquire about the authority of anyone using your personally identifiable information that can be used to identify your account.  CALYPSOAI WILL NOT BE LIABLE FOR, AND CALYPSOAI EXPRESSLY DISCLAIMS, ANY LIABILITY FOR LOSSES, COSTS, OR EXPENSES CAUSED BY ANY UNAUTHORIZED USE OF THE SERVICES THROUGH YOUR ACCOUNT.
  • YOUR OBLIGATIONS
      1. Restrictions. You agree that the Services contain trade secrets and other valuable proprietary information belonging to CalypsoAI. You will not, and will ensure that Authorized Users do not: (a) alter, copy, modify, translate, or make derivative works of, or permit the alteration, copying, modification, translation, or making derivative works of, the Services or any component thereof; (b) attempt to derive the source code or object code for the Services, including by reverse engineering, decompiling, disassembling, or similar means; (c) seek to acquire any ownership interest in or to the Services; (d) license, offer, sell, transfer, or lease the Services or attempt any of the foregoing; (e) remove, alter, or obfuscate any copyright, trademark, or other proprietary rights notices included with the Services; (f) access or use the Services in order to design, develop, or build a similar product or competitive product; (g) enable access to the Services by anyone not authorized to use the Services; (h) develop any scripts or software applications that interact with or integrate with the Services unless first authorized in writing by CalypsoAI; or (i) circumvent or modify any security technologies designed to prevent unauthorized access to the Services. You will not frame or utilize framing techniques to enclose any trademark, logo, or other proprietary information (including images, text, page layout, or form) of CalypsoAI without CalypsoAI’s express written consent. You will not use any meta-tags or any other “hidden text” utilizing any of CalypsoAI’s names, trademarks, or service marks without the express written consent of CalypsoAI.
      2. Acceptable Use. You will not use the Services, and will ensure that Authorized Users do not use the Services, to: (a) infringe on, violate, dilute, or misappropriate the intellectual property rights, rights of publicity, privacy rights, or other rights of any person; (b) engage in any fraudulent, unlawful, or abusive activities; (c) store, send, or post defamatory, inflammatory, trade libelous, threatening, abusive, hateful, harassing, obscene, pornographic, or indecent content or data; (d) interfere with or attempt to interfere with or disrupt the integrity, security, functionality, or proper working of the Services or CalypsoAI provision of services to other customers; (e) attempt to discover, access, read, alter, destroy, or damage any programs, data, or other information stored on or in connection with the Services; or (f) upload or transmit any content that constitutes unsolicited or unauthorized advertising promotional materials, commercial activities, or any other form of solicitation.  
  • YOUR DATA
      1. Ownership. You own and retain all right, title, and interest in and to information, data, content, and/or files transmitted, uploaded, or stored in association with your use of the Services, including personal information (“Your Data“), including all intellectual property rights therein. You acknowledge and agree that you (not CalypsoAI) have control over Your Data stored by operation of the Services. 
      2. Use of Your Data. You hereby grant CalypsoAI and its affiliates a worldwide, royalty-free, fully paid, transferable, assignable, sublicensable (through multiple tiers), perpetual, and irrevocable license to collect, host, use, access, view, store, copy, display, create derivative works of, delete, and otherwise process Your Data (including, without limitation, providing Your Data to applicable Service Providers and others) to (a) provide, support, monitor, analyze, and improve the Services and improve CalypsoAI’s other products and services, (b) communicate with you about your account, (c) comply with the law and any legal and regulatory requirements, including court orders, subpoenas, and requests or requirements for information made by regulatory or investigatory entities, (d) prevent fraud or misuse of the Services, (e) perform market research, (f) conduct product research and improvement and development of products and services by CalypsoAI, and/or (g) for any other lawful purpose. CalypsoAI may expand its use of Your Data in its discretion if not precluded by applicable law. CalypsoAI will not be required to transmit or provide you or any third party with Your Data in any format except as required by applicable law. 
      3. Rights in Your Data. You represent and warrant to CalypsoAI that you have the rights, licenses, and permissions necessary to grant the license and use rights in Section 4.2 and to otherwise provide Your Data to CalypsoAI and allow the collection of Your Data by CalypsoAI in connection with your use of the Services. You will comply with all applicable local, state, national, and foreign laws in connection with your use of the Services, including those laws related to data privacy and the transmission of personal information. You will be solely responsible for ensuring that any processing of Your Data by CalypsoAI and/or you via the Services does not violate any applicable laws. You acknowledge that CalypsoAI exercises no control over the content of Your Data. You will not upload, post, reproduce, or distribute any information, software, or other material protected by copyright, privacy rights, or any other intellectual property rights without first obtaining the permission of the owner of such rights. Without limiting the generality of the foregoing, you will be solely responsible for: (a) ensuring that you and CalypsoAI, to the extent acting on your behalf, have the right to collect, store, use, process, and share Your Data via the Services; and (b) providing adequate notice to, and obtaining any necessary consents from, any individuals as required under applicable laws with respect to Your Data collected, stored, used, processed, and shared in connection with the Services.
      4. Compliance with Laws. You will comply with all applicable local, state, national, and foreign laws in connection with your use of the Services. You acknowledge that all system hardware, system software, proprietary data, know-how, or other data or information (herein referred to as “Systems“) obtained from CalypsoAI may be subject to the import and/or export control laws of one or more countries and, accordingly, their import, export, re-export, and transfer may be restricted or prohibited. You agree not to, directly or indirectly, import, export, re-export, transfer, or cause to be imported, exported, re-exported, or transferred, any such Systems to any destination, entity, or persons prohibited or restricted under any law or regulation, unless you have first obtained prior written consent of CalypsoAI and any applicable governmental entity, either in writing or as provided by applicable regulation, as the same may be amended from time to time.
      5. Data Security. To the extent Your Data contains Personal Data (as defined in the Data Processing Addendum attached as Exhibit A (the “DPA“), the parties agree to the DPA.
  • FEES AND PAYMENT TERMS
      1. General. You will pay CalypsoAI all fees charged for the Services (the “Fees“). Unless we state otherwise, we will invoice you for the Services upfront on an annual basis. 
      2. Payment. You will pay all Fees on the date of the invoice. All payments (a) will be made in U.S. Dollars, unless otherwise specified by us, and (b) are exclusive of taxes and duties (other than taxes based on our net income). We may assess a late charge of the lesser of 1.5% per month or the maximum rate allowed under applicable law for all late payments. You will reimburse us for all costs and expenses (including reasonable attorneys’ fees) that we incur in collecting any past due amounts.
      3. No Refunds. All Fees are non-refundable and non-cancelable, including, without limitation, if Your Subscription (as defined below) is terminated (either by you or by us) before its natural expiration. 
  • INTELLECTUAL PROPERTY RIGHTS
      1. Ownership by CalypsoAI. Subject to the use rights granted under these Terms, as between the parties, CalypsoAI owns and retains all right, title, and interest in and to the Services and any improvements, modifications, enhancements, or derivatives of the foregoing, all work product (including any software) and deliverables created, and all intellectual property rights relating to any of the foregoing. These Terms do not convey to you any rights of ownership in or related to the Services, work product, or deliverables. Except for the rights expressly granted in these Terms, no other rights are granted to you in, to, or under CalypsoAI’s intellectual property rights, whether by implication, estoppel, waiver, or otherwise. 
      2. Usage Data. Notwithstanding anything to the contrary in these Terms, you agree that CalypsoAI may generate, collect, store, use, transfer, and/or disclose to third parties information gathered, prepared, computed, originated, or stored by CalypsoAI resulting from the use or provision of the Services, including information derived from or based on Your Data (“Usage Data“) (a) to perform data analytics, (b) to monitor, improve, and support the Services, (c) to design, develop, and offer CalypsoAI products and services, and/or (d) for any other lawful purpose. CalypsoAI owns and retains all rights to Usage Data, and no rights are granted to you, whether by implication, estoppel, waiver, or otherwise in or to any Usage Data. CalypsoAI has no obligation to provide or make any Usage Data available to you. 
  • TERM, TERMINATION, AND SUSPENSION
      1. Term. The term of these Terms commences on your acceptance of these Terms and, unless either party terminates your access to the Services as set forth in this Section 7, continues until the termination or expiration of the subscription plan you selected when signing up for the Services (your “Subscription Plan“). 
      2. Renewal. 
        1. Trial Subscriptions. If your Subscription Plan is for use of the Services on a “trial” basis (such Subscription Plan, a “Trial Subscription” and the term of such Trial Subscription, the “Trial Term“), then the Trial Subscription (and these Terms) will automatically terminate on expiration of the Trial Term without renewal, unless earlier terminated as set forth herein. You may, at the conclusion of the Trial Term, elect to use the Services for a full Subscription Term (as defined below) by notifying us through the procedures we communicate to you. 
        2. Full Subscriptions. If your Subscription Plan is for use of the Services on a non-trial basis (i.e., for an annual or other full-length subscription) (such Subscription Plan, a “Full Subscription” and the term of such Full Subscription, the “Subscription Term“), then the Full Subscription (and these Terms) will automatically renew at the conclusion of the Subscription Term until terminated for successive terms equal in length to the original Subscription Term (each, a “Renewal Term“). 
      3. Termination for Convenience. Either you or CalypsoAI may terminate your access to the Services for convenience at any time. You may terminate your access by notifying CalypsoAI in writing or by closing your account (and all Authorized User accounts). CalypsoAI may terminate your access to the Services by notifying you in writing (with email notice being sufficient).  
      4. Termination for Cause. Either you or CalypsoAI may terminate your access to the Services upon written notice to the other party (a) if such other party commits a material breach of these Terms and fails to cure such breach within 30 days of having received noticed of the breach or (b) immediately if the other party becomes insolvent, makes an assignment for the benefit of its creditors, appoints a receiver for the whole or part of its assets, if there is a filing of voluntary bankruptcy petition by such other party or the filing against such other party of an involuntary bankruptcy petition that is not stayed or dismissed within 60 days, or there is an issuance of any order or the passing of a resolution for the winding-up of such other party’s business.
      5. Suspension of Services. CalypsoAI may suspend or limit access to the Services at any time: (a) if CalypsoAI determines or reasonably suspects that you are using the Services in violation of applicable law or in connection with any fraudulent activity; (b) if CalypsoAI reasonably determines that your use of the Services adversely affects or interferes with the normal operation of the Services or any service to others; (c) if CalypsoAI is prohibited by an order of a court or other governmental agency from providing the Services; (d) if CalypsoAI reasonably believes there exists a security incident that threatens the security of the Services, Your Data, or any data of others; or (e) for any other reason in CalypsoAI’s reasonable discretion. CALYPSOAI WILL HAVE NO LIABILITY FOR ANY DAMAGES, LIABILITIES, OR LOSSES AS A RESULT OF ANY SUSPENSION OR LIMITATION OF YOUR USE OF THE SERVICES IN ACCORDANCE WITH THIS PARAGRAPH.
      6. Effect of Expiration or Termination. Upon any expiration or termination of these Terms, all rights granted to you under these Terms and CalypsoAI’s obligations will immediately cease, and you will stop accessing or using the Services, except the following provisions will survive: Sections 3.1 (Restrictions), 4.1 (Ownership), 4.2 (Use of Your Data), 5 (Fees and Payment Terms), 6 (Intellectual Property Rights), 7.6 (Effect of Expiration or Termination), 8 (Confidentiality), 9 (Indemnification), 10 (Disclaimers), 11 (Limitation of Liability), and 12 (General Provisions). 
  • CONFIDENTIALITY
      1. Protection. You may be exposed to or receive certain information that is not generally known to the public and is marked as confidential or proprietary, or which, under the circumstances ought to be treated as confidential (“Confidential Information“). You agree that if you are exposed to or receive Confidential Information, you: (a) will protect Confidential Information from unauthorized disclosure using at least a commercially reasonable degree of care; (b) will not disclose Confidential Information to any third party; and (c) will not use the Confidential Information for any purpose. 
      2. Return. After any expiration or termination of these Terms, or at any time upon request from CalypsoAI, you will immediately return or destroy (at CalypsoAI’s sole direction) all materials or media containing any Confidential Information, including all copies thereof, and will certify in writing to CalypsoAI that all such Confidential Information has been returned or destroyed. 
      3. Injunctive Relief. You expressly acknowledge and agree that no adequate remedy exists at law for an actual or threatened breach of this Section 8 and that in such event CalypsoAI will be entitled to seek and obtain immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it.  
      4. Feedback. You may from time to time voluntarily provide suggestions, enhancements, recommendations, requests for features or functionality, comments, or other feedback to CalypsoAI regarding CalypsoAI and/or the Services (“Feedback“). Feedback, even if designated as “confidential” or “proprietary” by you, will not create any confidentiality or other obligation for CalypsoAI, and you hereby assign to CalypsoAI all rights (including intellectual property rights), title and interest in and to such Feedback. All Feedback is Confidential Information.  
  • INDEMNIFICATION 

You will indemnify and hold CalypsoAI and its affiliates, and its and their officers, employees, and agents harmless against any damages, liabilities, losses, costs, or expenses (including reasonable attorneys’ fees) arising from or in connection with (a) your access to or use of the Services, (b) Your Data, (c) your breach or alleged breach of these Terms, and/or (d) your infringement, misappropriation, or violation of any intellectual property rights, rights of publicity, privacy rights, or other rights of a third party (each, an “Indemnifiable Claim“). Additionally, you will, at CalypsoAI’s sole election, defend CalypsoAI from any Indemnifiable Claims. If CalypsoAI directs you to defend an Indemnifiable Claim, then (i) CalypsoAI has the right to approve the counsel you select to defend the Indemnifiable Claim and (ii) CalypsoAI may also have its own counsel participate in the defense and settlement of the Indemnifiable Claim at your expense. CalypsoAI may also exclusively retain control of the defense of an Indemnifiable Claim. You will not settle an Indemnifiable Claim without CalypsoAI’s written consent. 

  • DISCLAIMERS

THE SERVICES ARE PROVIDED “AS IS,” AND TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, CALYPSOAI HEREBY EXPRESSLY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SERVICES AND SERVICE PROVIDERS, WHETHER STATUTORY, EXPRESS, IMPLIED, OR THROUGH A COURSE OF DEALING, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. CALYPSOAI DOES NOT WARRANT, AND SPECIFICALLY DISCLAIMS, THAT THE SERVICES WILL OPERATE UNINTERRUPTED, BE ERROR-FREE, OR THAT ALL DEFECTS WILL BE CORRECTED. CALYPSOAI MAKES NO WARRANTY CONCERNING TIMELINESS, ACCURACY, PERFORMANCE, QUALITY, RELIABILITY, OR COMPLETENESS OF ANY INFORMATION OR RESULTS OBTAINED OR DERIVED THROUGH THE USE OF THE SERVICES. CALYPSOAI DISCLAIMS ANY LIABILITY FOR UNAUTHORIZED ACCESS, USE, OR RELEASE OF ANY OF YOUR DATA.

  • LIMITATION OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, UNDER NO CIRCUMSTANCES WILL (A) CALYPSOAI OR ANY OF ITS SERVICE PROVIDERS BE LIABLE TO YOU OR ANY THIRD PARTY FOR PERSONAL INJURY, PROPERTY DAMAGE, ERROR OR INTERRUPTION OF USE, LOSS, INACCURACY, OR CORRUPTION OF DATA, COVER, LOST PROFITS OR REVENUE, LOSS OF BUSINESS, OR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, EXEMPLARY, PUNITIVE, OR INCIDENTAL DAMAGES, REGARDLESS OF THE FORM IN WHICH THE ACTION IS BROUGHT (INCLUDING NEGLIGENCE), ARISING OUT OF OR RELATING TO THE RELATIONSHIP BETWEEN THE PARTIES (INCLUDING THESE TERMS), INCLUDING THE USE OR INABILITY TO USE THE SERVICES, WHETHER OR NOT CALYPSOAI HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGES, OR (B) CALYPSOAI’S TOTAL LIABILITY UNDER THESE TERMS, REGARDLESS OF LEGAL THEORY (INCLUDING NEGLIGENCE), EXCEED, IN THE AGGREGATE FOR ALL CLAIMS, THE GREATER OF (I) THE AMOUNT YOU PAID TO USE THE SERVICES IN THE PRECEDING SIX-MONTH PERIOD AND (II) $50. MULTIPLE CLAIMS WILL NOT EXPAND THIS LIMIT. THE PARTIES ACKNOWLEDGE THAT THIS SECTION 11 REFLECTS THE AGREED UPON ALLOCATION OF RISK BETWEEN THE PARTIES AND THAT NEITHER PARTY WOULD ENTER INTO THESE TERMS WITHOUT THESE LIMITATIONS ON ITS LIABILITY. THIS LIMITATION ON LIABILITY WILL APPLY DESPITE THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY SET FORTH IN THESE TERMS.

  • GENERAL PROVISIONS
    1. Entire Agreement. These Terms constitute the entire understanding of the parties with respect to their subject matter and supersede all prior or contemporaneous proposals, understandings, and agreements. If you provide CalypsoAI with any pre-printed terms and conditions that appear on any purchase order or other form document, such terms will be of no force or effect. 
    2. Assignment. You may not assign or transfer these Terms or any of your rights or obligations under it without CalypsoAI’s prior written consent. CalypsoAI may freely assign these Terms, including to its affiliates. Any attempted assignment in violation of this paragraph will be null and void. Subject to the foregoing, these Terms are binding upon and inures to the benefit of the parties and their respective successors and permitted assigns.
    3. Severability. If a court finds any term of these Terms to be invalid or unenforceable, that term will be enforced to the maximum extent permissible so as to reflect the parties’ intent, and the remainder of these Terms will remain in full force and effect.
    4. Waiver. Either party’s delay or failure to exercise any right under these Terms or any law does not mean a party waives that right or any other rights under these Terms in the future. No waiver of any provision of these Terms, or any rights or obligations of either party under these Terms, will be effective except pursuant to a written instrument signed by the party against whom the waiver is sought.
    5. Use of Name and Logo.  Notwithstanding any terms to the contrary in this Agreement, you consent to CalypsoAI’s use of your name and logo on CalypsoAI’s website and on CalypsoAI’s promotional and marketing related materials, identifying you as a customer of CalypsoAI and describing your use of the Services. 
    6. Independent Contractors. Nothing contained in these Terms will be construed to create a joint venture or partnership between the parties. Neither party is authorized as an agent or legal representative of the other party. Neither party will have the right or authority to bind or create any obligation on the other party.
    7. Force Majeure. CalypsoAI is excused from performance of these Terms and will not be liable for any delay in whole or in part caused by any event outside of its control.  
    8. No Third-Party Beneficiary. Nothing contained in these Terms will be deemed to create, or be construed as creating, any third-party beneficiary right of action upon any third party in any manner whatsoever.  
    9. Governing Law and Venue. These Terms will be governed in all respects in accordance with the laws of the State of New York, without regard to conflict of law principles that would cause the laws of any other jurisdiction to apply. You expressly agree that federal and state courts located in Manhattan, New York will have exclusive jurisdiction over any action or claim that you bring that arises out of or relating to these Terms. You expressly consent to personal jurisdiction in any such court and hereby irrevocably waive any objection to or claim of lack of jurisdiction or forum non conveniens.
    10. Interpretation. The headings of these Terms are for reference only and will not be used to interpret the meaning of these Terms. Any reference to “includes” or “including” will be understood to be exemplary and not limiting and followed by “but not limited to.” Each party has had the opportunity to review these Terms with legal counsel, and there will be no presumption that ambiguities will be construed or interpreted against the drafter.

EXHIBIT A 

DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“DPA“) supplements the Terms of Use between you (“Customer“) and CalypsoAI, Inc. (“Company“) (the “Agreement“). This DPA applies where Company Processes Customer Personal Data as a Processor on behalf of Customer, the Controller, in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA. 

  1. DATA PROCESSING AND PROTECTION

1.1 Limitations on Use. Company will Process Customer Personal Data only: (a) pursuant to Customer’s documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Customer Personal Data to a third country; and (b) as otherwise required by Data Protection Law. Except as permitted by Data Protection Law, Company will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the specific purpose of performing the Services; (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Company receives from individuals or other sources.

1.2 Instructions. Customer instructs Company to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Company are Customer’s documented instructions regarding Company’s Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and Company. Customer will not instruct Company to Process Customer Personal Data in violation of any Data Protection Law. Company may suspend Processing based upon any Customer instructions that Company reasonably suspects violate Data Protection Law, provided Company will promptly inform Customer if Company believes an instruction infringes Data Protection Law. 

1.3. Compliance. Each party will comply with its obligations under Data Protection Law; provided, that Customer is solely responsible for the accuracy, quality and legality of (a) the Personal Data provided to Company by or on behalf of Customer, (b) the means by which Customer acquired any such Personal Data and (c) the instructions it provides to Company regarding the processing of such Personal Data. Upon receiving written notice from Customer that Company has Processed Customer Personal Data without authorization, Company will take reasonable and appropriate steps to stop and remediate such Processing.

1.4. Confidentiality. Company will ensure that persons authorized by Company to Process any Customer Personal Data are subject to appropriate confidentiality obligations. 

1.5. Security. Company will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law in accordance with Attachment 3 (Data Security Exhibit). Company may amend the technical and organizational measures, provided the new measures do not reduce the level of security provided by Attachment 3 (Data Security Exhibit).

1.6. Disposal. At the choice of Customer, Company will (or will enable Customer via the Services to) delete (and will delete existing copies of) all Customer Personal Data after termination of the Agreement (unless Data Protection Law requires the storage of such Customer Personal Data by Company, in which case Company will only further retain and Process such Customer Personal Data for the limited duration and purposes required by such Data Protection Law). The certification of deletion contemplated by Section 8.5 of the SCCs will be provided on Customers’ written request.

1.7. Usage Data. Company is a Controller with respect to Usage Data (as defined in the Agreement) and may Process Usage Data for any lawful purpose. Company will (a) take reasonable measures to ensure Usage Data cannot be associated with a Data Subject and (b) maintain and use Usage Data in deidentified form and not attempt to reidentify Usage Data except as permitted by Data Protection Law.

1.8. Sensitive Data. Customer represents and warrants to Company that the Customer Personal Data does not and will not, without Company’s prior written consent, contain any of the following information: (a) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; (b) health insurance information; (c) biometric information; (d) credentials to any financial accounts; (e) tax return data; (f) credit reports or consumer reports; (g) any payment card information subject to the Payment Card Industry Data Security Standard; (h) information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; (i) information subject to restrictions under Data Protection Law governing Personal Data of children, including, without limitation, all information about children under 13 years of age; or (j) any information that falls within any special categories of data (as defined in GDPR).

2. DATA PROCESSING ASSISTANCE

2.1 Data Subject Rights Assistance. Customer is responsible for responding to requests from individuals to exercise rights under Data Protection Law relating to Customer Personal Data (each a “Data Subject Request“). Customer will inform Company of any Data Subject Request to which Company must comply and provide the information necessary for Company to comply with the request. Company will, to the extent permitted by Data Protection Law, notify Customer if Company receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Company will, on Customer’s request, provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law. 

2.2. Security Assistance. Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable efforts to assist Customer in Customer’s efforts to comply with Customer’s obligations to secure Customer Personal Data by providing the information and assistance described in Section 3 (Audits). 

2.3. Security Incident Notice and Assistance. Company will notify Customer without undue delay after becoming aware of a Security Incident. Company will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and assist Customer in complying with any related notification obligations under Data Protection Law. 

2.4. Data Protection Impact Assessment (“DPIA”) and Prior Consultation Assistance. Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable assistance to Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities. 

3. AUDITS

3.1. Company Audits. Company may procure audits by third parties to assess Company’s adherence to the following standards or requirements: (a) SOC 2 Type II; (b) ISO 27001; and/or (c) certifications or other documentation evidencing compliance with alternative standards that are substantially equivalent to the foregoing (collectively, “Audits“). Subject to the confidentiality obligations set forth in the Agreement, Company will provide Customer with summaries of Company’s then-current Audit reports (“Reports“) on Customer’s request. 

3.2. Customer Audits. Customer agrees to exercise its audit rights by first requesting the Reports as described in Section 3.1 (Company Reports). Customer will only request additional information or an on-site audit of Company to the extent the information provided by Company is not reasonably sufficient to enable Customer to evaluate Company’s compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Customer will provide no less than 30 days’ advance notice of its request for an on-site audit and will cooperate in good faith with Company to schedule any such audit on a mutually agreeable date and time. Any such on-site audit must occur during Company’s normal business hours and be conducted by Customer or a nationally recognized independent auditor that has agreed to confidentiality provisions reasonably acceptable to Company. Customer is responsible for ensuring that the audit will comply with Company’s applicable on-site policies and procedures and will not unreasonably interfere with Company’s business activities. Customer will provide a written summary of any audit findings to Company, and the results of the audit will be the Confidential Information (as defined in the Agreement) of Company.  

4. SUBPROCESSORS

4.1. Appointment of Subprocessors. Customer authorizes Company to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a “Subprocessor“). Customer specifically consents to Company’s appointment of the Subprocessors identified on Attachment 4 (the “Subprocessor List“). 

4.2. Objection Right for New Subprocessors. 

4.2.1. Company will notify Customer of its intent to update the Subprocessor List at least 15 days prior to engaging a new Subprocessor, either in writing or by updating a publicly-available list of Subprocessors (e.g., on Company’s website). Customer may object to Company’s use of a new Subprocessor within 10 days of receiving such notice by sending an e-mail to [email protected] clearly indicating its desire to object to any such change. 

4.2.2. If Customer objects to the change in Subprocessors, Company and Customer will cooperate in good faith to resolve Customer’s objection. If the parties unable to resolve Customer’s objection within 10 days, then either party may terminate the Agreement only with respect to those Services that Company indicates cannot be provided without the objected-to Subprocessor. 

4.3. Liability. Company will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Company will be liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.

5. DATA TRANSFERS 

5.1 Overview. The parties will conduct any transfers of European Economic Area, UK, and Swiss residents’ Customer Personal Data to a country not subject to an adequacy decision (a “Data Transfer“) pursuant to the SCCs, which are incorporated and deemed executed by this reference. If Company notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to an alternative transfer mechanism such as the Data Privacy Framework, the parties will rely on the alternative mechanism to legitimize Data Transfers instead of the provisions that follow.

5.2. SCCs. The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs with Customer as the “data exporter” and Company as the “data importer.”

5.3. Transfers Subject to Swiss Data Protection Law. If any Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP“) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; references to a “Member State” and “EU Member State” will not be read to prevent individuals in Switzerland from suing for their rights in Switzerland; and references to “GDPR” in the SCCs will be understood as references to the FADP.

5.4. Transfers Subject to the UK GDPR. Any Customer Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated and deemed executed by this reference. 

6. LIMITATION OF LIABILITY

Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 6 is intended to restrict the rights of individuals under Data Protection Law.

7. MISCELLANEOUS

To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law and forum selection provisions of the Agreement will apply to any disputes arising out of this DPA. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA. 

 

Attachment 1 – Definitions

For purposes of this DPA, the following terms will have the meanings ascribed below:

CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.

Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.

Customer Personal Data” means Personal Data that Company Processes on behalf of Customer in connection with providing the Services as described in Attachment 2.

Data Protection Law” means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Company’s Processing of Customer Personal Data.

GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.

Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.

Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.

SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs:

  • In Clause 7, the optional docking clause will apply.
  • The audits contemplated by Section 8.9 shall be conducted according to the audit provisions of this DPA.
  • In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in this DPA.
  • In Clause 11 the optional language will not apply to the SCCs or the UK IDTA.
  • In Clause 17, the SCCs shall be governed by the laws of Ireland.
  • In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
  • The information needed to complete Annex I of the SCCs is included in Attachment 2 to this DPA.
  • The information needed to complete Annex II of the SCCs is included in Attachment 3 to this DPA.
  • The information needed to complete Annex III of the SCCs is included in Attachment 4 to this DPA.

Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law. 

Services” means the services provided by Company pursuant to the Agreement. 

UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced). 

UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.

 

Attachment 2 – Scope of Processing

A. LIST OF PARTIES

Data exporter

Customer

Data importer

Company

B. DESCRIPTION OF TRANSFER

Subject-Matter and Duration of Processing 

Company Processes Customer Personal Data if and when provided by Customer in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires. 

Nature and Purpose of Processing 

Company will Process Customer Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.

Types of Customer Personal Data

Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone)
  • Indirect identifying information (e.g., gender, date of birth)
  • Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs)
  • Any other Personal Data supplied by users

Categories of Data Subjects 

The data subjects will include Customer’s end-users. 

Special Categories of Data (as applicable)

The Services are not designed for special categories of Personal Data. Company does not anticipate that Customer will submit special categories to the Services. To the extent that such data is submitted to the Services, it is determined and controlled by Customer in its sole discretion.

Frequency of Transfers

Company will import Customer Personal Data on a continuous basis.

Period of Data Retention

Company will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority will be the supervisory authority of the Data Exporter.

 

Attachment 3 – Data Security Exhibit

  1. Program.  Company will implement and maintain a written information security program containing administrative, technical and organizational safeguards appropriate to the risks posed that comply with this Attachment 3 and that: (a) are designed to protect against any Security Incident; and (b) meet or exceed prevailing industry standards and requirements under Data Protection Law. 
  2. Access Controls.  Company will: (a) abide by the “principle of least privilege,” pursuant to which Company will permit access to Personal Data by its personnel solely on a need-to-know basis; and (b) promptly terminate its personnel’s access to Personal Data when such access is no longer required for performance under the Agreement.
  3. Account Management.  Company will effectively manage the creation, use, and deletion of all account credentials used to access Company’s systems, including by implementing: (a) a segregated account with unique credentials for each user; and (b) strict management of administrative accounts. 
  4. Vulnerability Management.  Company will: (a) use automated vulnerability scanning tools to scan its systems; (b) log vulnerability scan reports; (c) use patch management and software update tools for Company’s systems; and (d) prioritize and remediate vulnerabilities by severity.  
  5. Security Segmentation.  Company will monitor, detect and restrict the flow of information on a multilayered basis within its systems using tools such as firewalls, proxies, and network-based intrusion detection systems.  
  6. Data Loss Prevention.  Company will use data loss prevention measures designed to identify, monitor and protect Personal Data in use, in transit and at rest.  Such data loss prevention processes and tools will include: (a) automated tools to identify attempts of data exfiltration; and (b) the secure and managed use of, portable devices. 
  7. Encryption. Company will encrypt, using industry standard encryption tools, all Personal Data that [Company]: (a) transmits or sends wirelessly across public networks or within Company’s systems; and (b) stores on laptops, portable devices or otherwise within Company’s systems. Company will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Data. 
  8. Physical Safeguards.  Company will maintain physical access controls designed to secure its systems. 

 

Attachment 4 – Subprocessor List

Subprocessor Name  Description of Processing Countries where Subprocessor will Process Customer Personal Data
Amazon Web Services, Inc. Hosting services United States
Timescale Time Series database United States
Auth0 SSO/identity management United States
Segment Metrics tracking United States
Amplitude  Metrics reporting United States
Mailgun Email sending  United States
Intercom Support and onboarding United States