Enterprise Master Services Agreement
This Enterprise Master Services Agreement ("Agreement") is entered into as of the Effective Date set forth in the applicable Order Form by and between NorthCoast DevOps LLC dba coThink ("Provider") and the customer entity identified in the applicable Order Form ("Customer").
1. Parties
This Agreement is between:
- Provider: NorthCoast DevOps LLC dba coThink, a limited liability company ("Provider" or "coThink")
- Customer: The legal entity identified in the applicable Order Form ("Customer")
Each individually a "Party" and collectively the "Parties."
2. Scope of Agreement
This Agreement establishes the general terms governing Customer's access to and use of the coThink platform and related services. Specific services, subscription quantities, support commitments, and fees shall be identified in one or more Order Forms executed by the parties.
This Agreement covers:
- Access to the coThink SaaS platform
- Enterprise features and functionality
- Professional services (if purchased)
- Future Order Forms executed by the parties
3. Definitions
As used in this Agreement:
- "Authorized User" means an individual employee, contractor, or agent of Customer who is authorized by Customer to access and use the Services under Customer's account.
- "Confidential Information" means any non-public information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure.
- "Customer Data" means all data, content, and information submitted to or processed by the Services by or on behalf of Customer or its Authorized Users.
- "Documentation" means Provider's standard technical and user documentation for the Services made available to Customer.
- "Order Form" means a written order document executed by both parties that specifies the Services, subscription quantities, fees, and other relevant terms.
- "Professional Services" means implementation, configuration, consulting, onboarding, training, or other professional services provided by Provider as specified in an Order Form or Statement of Work.
- "Security Incident" means any confirmed unauthorized access to, disclosure of, alteration of, or destruction of Customer Data.
- "Services" means the coThink SaaS platform and related services made available to Customer under this Agreement and applicable Order Forms.
- "Subscription Term" means the period during which Customer is authorized to access and use the Services as specified in the applicable Order Form.
4. Service Access and License
License Grant
Subject to the terms and conditions of this Agreement and Customer's timely payment of applicable fees, Provider grants Customer a non-exclusive, non-transferable, limited right to access and use the Services during the Subscription Term solely for Customer's internal business purposes and in accordance with the Documentation.
Restrictions
Customer shall not, and shall not permit any third party to:
- Reverse engineer, decompile, disassemble, or attempt to derive the source code of the Services
- Resell, sublicense, or otherwise make the Services available to third parties except as expressly permitted under this Agreement
- Access or use the Services to develop a competing product or service
- Publish or disclose the results of any benchmarking or performance testing of the Services without Provider's prior written consent
- Remove or alter any proprietary notices, labels, or marks on the Services
- Use the Services in violation of applicable law or this Agreement
5. Customer Responsibilities
Customer is responsible for:
- Managing Authorized User accounts and access permissions
- Protecting account credentials and promptly notifying Provider of any suspected unauthorized access
- Ensuring all use of the Services by Authorized Users complies with this Agreement and applicable law
- Maintaining any third-party accounts, API credentials, model subscriptions, and usage agreements required for Customer's selected AI providers
Customer is solely responsible for maintaining any third-party AI provider accounts, API credentials, model subscriptions, and usage agreements required for Customer's selected AI providers. Provider is not a party to any such third-party agreements and assumes no liability thereunder.
6. Bring Your Own Model (BYOM)
coThink operates under a Bring Your Own Model ("BYOM") architecture. Customer selects and manages its own AI providers and models through the Services. Under this architecture:
- Provider does not guarantee the availability, quality, accuracy, uptime, or continued operation of any third-party AI provider or model
- Provider is not responsible for any third-party AI usage charges, overages, or costs incurred by Customer
- Customer's use of third-party AI providers is governed solely by Customer's agreements with those providers
- Provider is not liable for any outputs, errors, or failures attributable to third-party AI providers or models selected by Customer
Customer assumes all risk associated with its selection and use of third-party AI providers and models under the BYOM architecture.
7. Data Ownership
Customer retains all right, title, and interest in and to Customer Data. Provider acquires no ownership rights in Customer Data by virtue of this Agreement.
Provider may access and process Customer Data only as necessary to:
- Provide and maintain the Services
- Comply with applicable legal obligations
- Maintain the security and integrity of the Services
- As otherwise expressly authorized in writing by Customer
Provider shall not use Customer Data for any other purpose, including to train or improve AI models, without Customer's prior written consent.
8. Security
Provider shall maintain administrative, technical, and organizational safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, and destruction. Provider's security program includes, at minimum:
- Encryption in transit using TLS 1.2 or higher (TLS 1.3 preferred)
- Encryption at rest using AES-256 or equivalent
- Multi-factor authentication (MFA) support
- Role-based access controls (RBAC)
- Security logging and monitoring
- Vulnerability management and patch procedures
- A documented incident response process
Additional security terms are set forth in the Security Addendum attached as Exhibit B.
9. Encrypted Rooms
Certain Services may support end-to-end encrypted collaboration rooms. When this feature is enabled:
- Customer controls the applicable encryption keys
- Provider cannot recover Customer-controlled encryption keys
- Provider cannot access content stored within encrypted rooms
- Loss or destruction of encryption keys by Customer may result in permanent, irrecoverable loss of access to encrypted data
Provider expressly disclaims any liability for data loss resulting from Customer's failure to maintain or safeguard its encryption keys.
10. Confidentiality
Obligations
Each party agrees to: (a) hold the other party's Confidential Information in strict confidence; (b) not disclose Confidential Information to any third party without the disclosing party's prior written consent, except to employees, contractors, or advisors who have a need to know and are bound by confidentiality obligations at least as protective as those herein; and (c) use the other party's Confidential Information only for purposes of performing its obligations or exercising its rights under this Agreement.
Exclusions
Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was already known to the receiving party prior to disclosure; (c) is independently developed by the receiving party without use of the disclosing party's Confidential Information; or (d) is required to be disclosed by law or court order, provided the receiving party provides prompt prior written notice to the disclosing party where legally permissible.
Survival
Confidentiality obligations shall survive termination or expiration of this Agreement for a period of five (5) years. Obligations with respect to trade secrets shall survive indefinitely.
11. Compliance
Provider supports Customer's compliance obligations as follows:
- SOC 2: Provider is pursuing SOC 2 Type II certification. Current certification status is available through Provider's Trust Center.
- HIPAA: HIPAA-covered customers may enter into a Business Associate Agreement (BAA) with Provider. The BAA is attached as Exhibit D.
- GDPR: Provider supports Customer's GDPR obligations through the Data Processing Addendum (DPA) attached as Exhibit C.
- CCPA: Provider supports Customer's CCPA obligations as a service provider under applicable California law.
Provider shall not represent or imply certifications or compliance statuses that have not been formally obtained. Current compliance documentation is available through Provider's Trust Center.
12. Service Levels
Service availability commitments, support response times, planned maintenance windows, and service credit terms are set forth in the Service Level Agreement attached as Exhibit A.
Provider shall use commercially reasonable efforts to provide advance notice of planned maintenance and to schedule maintenance during low-usage periods.
13. Professional Services
Scope
Professional Services, including implementation, configuration, onboarding, training, consulting, and custom development, shall be described in a Statement of Work (SOW) or Order Form executed by both parties.
Intellectual Property
Provider retains all right, title, and interest in and to Provider Materials, including methodologies, templates, tools, software, pre-existing intellectual property, and any general knowledge, know-how, or skills developed in connection with the performance of Professional Services. Subject to full payment of applicable fees, Provider grants Customer a non-exclusive, non-transferable license to use any deliverables specified in the applicable SOW solely for Customer's internal business purposes.
14. Fees and Payment
Fees
Customer shall pay the fees set forth in the applicable Order Form. All fees are non-refundable except as expressly set forth in this Agreement.
Payment Terms
Invoices are due and payable within thirty (30) days of the invoice date unless otherwise specified in the applicable Order Form.
Taxes
Fees are exclusive of all applicable taxes. Customer is responsible for all sales, use, value-added, and similar taxes, excluding taxes based on Provider's net income.
Late Payment
Undisputed amounts not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law, from the due date until paid.
15. Warranties
Provider Warranty
Provider warrants that the Services will materially conform to the Documentation during the Subscription Term. Provider's sole obligation and Customer's sole remedy for breach of this warranty shall be for Provider to use commercially reasonable efforts to correct the non-conformity. If Provider is unable to correct the non-conformity within a reasonable time, Customer may terminate the affected Order Form and receive a pro-rated refund of prepaid fees for the unused portion of the Subscription Term.
Mutual Warranties
Each party represents and warrants that: (a) it has full authority to enter into this Agreement; (b) this Agreement constitutes a binding obligation of such party; and (c) its performance hereunder will not violate any applicable law or third-party agreement.
16. Disclaimers
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS." PROVIDER DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
AI-generated outputs may be inaccurate, incomplete, misleading, outdated, or otherwise unsuitable for Customer's intended purpose. Customer is solely responsible for reviewing, validating, and approving all AI-generated outputs before use or reliance. Provider does not warrant the accuracy, completeness, reliability, or fitness of AI-generated content for any particular purpose.
17. Indemnification
Provider Indemnification
Provider shall defend, indemnify, and hold harmless Customer from and against any third-party claims alleging that the Services, as provided by Provider and used in accordance with this Agreement, infringe any third-party intellectual property right. Provider shall have no obligation under this section to the extent a claim arises from: (a) Customer's modification of the Services; (b) use of the Services in combination with products or services not provided by Provider; or (c) Customer's failure to use updated versions of the Services made available by Provider.
Customer Indemnification
Customer shall defend, indemnify, and hold harmless Provider from and against any third-party claims arising from: (a) Customer Data, including any claim that Customer Data violates applicable law or third-party rights; (b) Customer's or any Authorized User's violation of this Agreement or applicable law; or (c) Customer's use or misuse of third-party AI providers or models under the BYOM architecture.
Indemnification Procedure
The indemnified party shall: (a) promptly notify the indemnifying party of any claim; (b) grant the indemnifying party sole control of the defense and settlement; and (c) provide reasonable cooperation at the indemnifying party's expense.
18. Limitation of Liability
General Cap
EXCEPT AS SET FORTH IN THIS SECTION, PROVIDER'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO PROVIDER DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
Exclusion of Consequential Damages
IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITIES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Exclusions from Cap
The general liability cap does not apply to: (a) fraud or willful misconduct; (b) a party's indemnification obligations; (c) breaches of confidentiality obligations; or (d) Customer's payment obligations.
19. Cyber Liability Cap
Liability arising from a Security Incident caused by Provider's failure to maintain the security controls required under this Agreement shall be subject to a separate aggregate liability cap equal to two (2) times the total fees paid by Customer to Provider during the twelve (12) months immediately preceding the Security Incident. This cyber liability cap is independent of and in addition to the general liability cap set forth in Section 18.
20. Term and Termination
Term
This Agreement commences on the Effective Date and continues until all Order Forms have expired or been terminated, unless earlier terminated in accordance with this section.
Termination for Breach
Either party may terminate this Agreement or any Order Form upon thirty (30) days written notice if the other party materially breaches this Agreement and fails to cure such breach within the notice period.
Termination for Insolvency
Either party may terminate this Agreement immediately upon written notice if the other party: (a) becomes insolvent; (b) makes an assignment for the benefit of creditors; (c) has a receiver appointed; or (d) becomes the subject of voluntary or involuntary bankruptcy proceedings.
Effect of Termination
Upon termination or expiration: (a) all licenses granted under this Agreement shall immediately terminate; (b) Customer shall cease all use of the Services; and (c) each party shall return or destroy the other party's Confidential Information, subject to Section 21 regarding Customer Data export.
Survival
Sections 7, 10, 16, 17, 18, 19, 21, 25, and 26, and any other provisions that by their nature should survive, shall survive termination or expiration of this Agreement.
21. Data Return and Deletion
Upon termination or expiration of this Agreement, Customer may export Customer Data for a period of sixty (60) days following the effective date of termination. Provider shall not intentionally impede Customer's ability to export Customer Data during this period.
Following the sixty (60) day export period, Provider shall delete or destroy Customer Data in accordance with its data retention and deletion policies, except to the extent retention is required by applicable law. Upon request, Provider shall provide written confirmation of deletion.
22. Audit Rights
Customer may review Provider's security documentation, audit reports, certifications, and compliance materials through Provider's Trust Center. Provider shall maintain, at minimum, a SOC 2 Type II report or equivalent third-party security assessment, conducted annually, and shall make such report available to Customer under appropriate confidentiality obligations upon written request.
Customer may, upon no less than thirty (30) days prior written notice and no more than once per calendar year, conduct or commission a security audit of Provider's controls directly relevant to the processing of Customer Data, at Customer's expense. Provider shall cooperate reasonably with such audits, subject to reasonable scheduling and confidentiality requirements.
23. Insurance
Provider shall maintain, during the term of this Agreement, the following minimum insurance coverages:
| Coverage | Minimum Limit |
|---|---|
| Commercial General Liability | $1,000,000 per occurrence |
| Professional Liability / Errors & Omissions | $1,000,000 per occurrence |
| Cyber Liability | $1,000,000 per occurrence |
| Workers' Compensation | Statutory limits |
Provider shall provide certificates of insurance to Customer upon written request.
24. Publicity
Neither party may use the other party's name, logo, trademarks, or service marks in any press release, marketing material, customer list, case study, or public communication without the other party's prior written consent. This restriction does not apply to either party's routine use of the other party's name solely to identify the business relationship in internal communications.
25. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles. Any dispute arising out of or relating to this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in California, and each party hereby consents to such jurisdiction and venue.
26. Order of Precedence
In the event of any conflict or inconsistency between the documents comprising this Agreement, the following order of precedence shall apply, with documents listed first taking precedence:
- Signed Amendment to this Agreement
- Order Form
- Data Processing Addendum (DPA)
- Service Level Agreement (SLA)
- Security Addendum
- This Master Services Agreement
- Provider's standard Terms of Service
27. Artificial Intelligence Terms
AI Output Disclaimer
Customer acknowledges that AI-generated outputs may be inaccurate, incomplete, misleading, outdated, or otherwise unsuitable for Customer's intended purpose.
Customer is solely responsible for:
- Reviewing outputs
- Verifying accuracy
- Evaluating appropriateness
- Making decisions based upon outputs
- Compliance with applicable laws and regulations
Provider does not warrant the accuracy, completeness, reliability, or fitness of AI-generated content.
No Professional Advice
The Services do not provide:
- Legal advice
- Financial advice
- Medical advice
- Tax advice
- Regulatory advice
- Professional consulting advice
Customer should consult qualified professionals before relying upon AI-generated outputs for professional, legal, medical, financial, or regulatory matters.
AI Provider and Model Changes
Provider may add, remove, replace, modify, or discontinue supported AI providers, models, and integrations as necessary to maintain service functionality, security, compliance, operational stability, or commercial viability. Provider shall provide Customer with no less than thirty (30) days prior written notice of any material change to AI providers or models where such change would reasonably be expected to materially affect the functionality or performance of the Services, except where such change is required for security, legal, or compliance reasons, in which case Provider shall provide notice as soon as reasonably practicable.
28. Third-Party Provider Dependencies
Certain functionality depends upon third-party providers, including but not limited to:
- AI providers
- Identity providers
- Email providers
- Calendar providers
- Cloud infrastructure providers
- Telecommunications providers
Provider shall exercise commercially reasonable vendor oversight with respect to critical third-party providers, including maintaining contractual protections and, where available, obtaining service level commitments designed to support Provider's obligations to Customer. Provider shall notify Customer promptly upon becoming aware of any material third-party service disruption reasonably expected to affect Customer's use of the Services. Except to the extent caused by Provider's failure to exercise such commercially reasonable oversight, Provider is not responsible for outages, service interruptions, pricing changes, performance degradation, security incidents, or discontinuation of third-party services.
29. Government Requests for Data
Unless legally prohibited, Provider shall promptly notify Customer of any governmental, regulatory, law enforcement, or judicial request seeking access to Customer Data.
Provider may disclose Customer Data only to the extent required by applicable law.
30. Security Incident Notification
Provider shall notify Customer without unreasonable delay and no later than seventy-two (72) hours after Provider confirms that a Security Incident affecting Customer Data has occurred. For purposes of this section, "confirmation" means the point at which Provider's internal security team has determined with reasonable certainty that unauthorized access to, disclosure of, or destruction of Customer Data has taken place. Where a Security Incident involves Protected Health Information, payment card data, or government-regulated personal data, Provider shall use commercially reasonable efforts to provide notification within twenty-four (24) hours of confirmation.
Notification shall include, to the extent known:
- Nature of the incident
- Categories of affected data
- Estimated impact
- Remediation efforts
- Recommended Customer actions
Provider shall cooperate with Customer in investigating and responding to the Security Incident.
31. Vulnerability Disclosure Program
Provider maintains a documented process for receiving, investigating, and remediating reported security vulnerabilities.
Verified vulnerabilities shall be prioritized and remediated according to Provider's internal risk management procedures.
32. Export Controls and Sanctions
Each party shall comply with all applicable export control, sanctions, import, and trade laws and regulations.
Customer shall not use the Services in violation of any applicable export restrictions or trade sanctions.
33. Anti-Bribery and Compliance
Each party represents and warrants that it shall comply with applicable anti-corruption and anti-bribery laws, including but not limited to:
- U.S. Foreign Corrupt Practices Act (FCPA)
- UK Bribery Act
- Similar applicable laws and regulations
34. Force Majeure
Neither party shall be liable for delays or failures resulting from causes beyond its reasonable control, including:
- Natural disasters
- Internet outages
- Utility failures
- Labor disputes
- Government actions
- Acts of terrorism
- Civil unrest
- Public health emergencies
For the avoidance of doubt, outages or disruptions affecting Provider's cloud infrastructure or hosting providers do not constitute force majeure events, as Provider assumes responsibility for managing its upstream infrastructure dependencies. The affected party shall use commercially reasonable efforts to minimize disruption and resume performance as promptly as practicable.
35. Assignment and Change of Control
Neither party may assign this Agreement without the other party's prior written consent, except in connection with:
- Merger
- Acquisition
- Corporate reorganization
- Sale of substantially all assets
This Agreement shall be binding upon successors and permitted assigns.
36. Subprocessors
Provider may engage subprocessors to deliver portions of the Services.
Provider shall:
- Maintain a current list of subprocessors
- Publish the list through its Trust Center
- Provide Customer with no less than ten (10) days prior written notice before adding or replacing any subprocessor that will process Customer Data
- Remain responsible for subprocessor obligations relating to Customer Data
Customer may object to a new or replacement subprocessor by providing written notice to Provider within ten (10) days of receiving notification. If the parties are unable to resolve Customer's objection within a reasonable time, either party may terminate the affected Order Form upon written notice without penalty. Provider's obligation to notify and Customer's right to object apply to subprocessors that process Customer Data and do not apply to subcontractors providing ancillary services (such as facility management or general IT support) that do not involve access to Customer Data.
37. Open Source Software
The Services may contain open source software components subject to applicable open source licenses.
Nothing in this Agreement shall restrict Customer's rights under applicable open source licenses.
38. Beta and Preview Features
Provider may make available beta, preview, experimental, early access, or pre-release features.
Such features:
- Are provided "as is"
- May contain defects
- May be modified at any time
- May be discontinued without notice
Beta features are excluded from service level commitments and warranties. Provider shall clearly designate features as beta or preview within the Services or accompanying documentation. Upon a feature's transition from beta or preview to general availability, standard warranty and service level terms shall apply.
39. Business Continuity and Disaster Recovery
Provider shall maintain commercially reasonable business continuity and disaster recovery procedures designed to support the availability and recovery of critical systems.
Provider shall periodically review and test such procedures, no less than once per calendar year, and shall make a summary of such testing results available to Customer upon written request.
40. Data Portability
During the Subscription Term and for sixty (60) days following termination, Customer may export Customer Data in commercially reasonable machine-readable formats, which shall include at minimum comma-separated values (CSV) or JSON format, as applicable to the data type. Where Provider offers an API, Customer may use such API to facilitate export. Provider shall not intentionally impede Customer's ability to export Customer Data.
41. Records Retention and Deletion
Provider shall maintain documented retention and deletion procedures.
Unless otherwise required by law:
- Customer Data shall be retained only as necessary to provide the Services
- Deleted data shall be removed according to Provider's retention schedule
- Backup retention periods may differ from primary storage retention periods
42. Customer Decision Responsibility
Customer acknowledges that coThink provides collaboration, facilitation, analysis, planning, workflow, and AI-assisted decision support capabilities.
Provider does not:
- Make decisions on behalf of Customer
- Direct Customer operations
- Approve Customer actions
- Assume responsibility for Customer outcomes
Customer remains solely responsible for all decisions, actions, omissions, strategies, business outcomes, regulatory compliance obligations, and operational consequences arising from use of the Services.
43. Responsible AI and Human Oversight
Customer acknowledges that AI-assisted outputs should be reviewed by appropriately qualified individuals before implementation.
Provider encourages meaningful human oversight for:
- Strategic decisions
- Personnel decisions
- Legal matters
- Financial matters
- Healthcare matters
- Regulatory compliance activities
Customer is responsible for determining the appropriate level of review and oversight.
44. AI Governance and Future Compliance Framework
Provider may publish additional policies, standards, and governance frameworks relating to:
- Artificial Intelligence
- Security
- Privacy
- Compliance
- Model Management
Such materials may be incorporated by reference into future Order Forms, Data Processing Addenda, Security Addenda, or Compliance Addenda.
45. Enterprise Procurement Package Reference
The parties acknowledge that enterprise contracting may include one or more of the following supplemental documents:
- Master Services Agreement (MSA)
- Order Form(s)
- Statement(s) of Work (SOW)
- Data Processing Addendum (DPA)
- Security Addendum
- Service Level Agreement (SLA)
- Business Associate Agreement (BAA)
- Privacy Policy
- Trust Center Documentation
- Subprocessor List
- Security Whitepaper
- Incident Response Summary
To the extent of any conflict, the Order of Precedence section of the Agreement shall govern.
46. Audit Rights and Security Certifications
Provider shall maintain, at minimum, a SOC 2 Type II certification or equivalent industry-recognized security audit, conducted by a qualified independent third party no less than annually. Provider shall make the resulting report or certification summary available to Customer under appropriate confidentiality obligations upon written request. Customer may, upon no less than thirty (30) days prior written notice and no more than once per calendar year, conduct or commission an audit of Provider's security controls and practices directly relevant to the processing of Customer Data, at Customer's expense. Provider shall cooperate reasonably with such audits.
47. Intellectual Property in AI Outputs and Configurations
As between the parties, Customer retains all right, title, and interest in and to: (a) Customer Data; (b) prompts, instructions, and configurations provided by Customer; and (c) outputs generated by the Services based on Customer Data or Customer-provided inputs, subject to any restrictions imposed by applicable AI provider terms. Provider does not acquire any ownership interest in Customer-specific configurations, prompt templates, or fine-tuning inputs. Nothing in this Agreement grants Provider the right to use Customer Data to train or improve AI models without Customer's prior written consent.
Recommended Additional Exhibits
Exhibit A — Service Level Agreement (SLA)
Defines:
- Availability commitments
- Response times
- Service credits
- Planned maintenance
Exhibit B — Security Addendum
Defines:
- Security controls
- Encryption standards
- Access controls
- Monitoring and logging
- Vulnerability management
Exhibit C — Data Processing Addendum (DPA)
Defines:
- GDPR obligations
- International transfers
- Data subject rights
- Processor responsibilities
Exhibit D — Business Associate Agreement (BAA)
Used when handling Protected Health Information (PHI).
Exhibit E — Acceptable Use Policy
Defines:
- Prohibited activities
- Abuse prevention
- Security expectations
Exhibit F — Support and Success Terms
Defines:
- Support tiers
- Escalation procedures
- Customer success services
- Technical account management