Effective Date: October 31, 2023

[These posted terms are for reference only. Any purchase or use of Inbenta’s Services will require execution of a Terms of Service Agreement by both Parties.]

Terms of Service

These Terms of Service (the “TOS”) set forth the general legal terms governing the relationship between Inbenta, or its Affiliate that is providing the relevant Service, and Customer as each entity is identified in the related document executed by the Parties setting forth the Services being purchased by Customer (“SOW”). The full “SaaS Agreement” between the Parties will be composed of these TOS, the relevant SOW, and any addenda or amendments agreed to between Inbenta and Customer for the specific purchase, and will in full force and effect at all times Services are provided to Customer . Inbenta and Customer are each a “Party,” or collectively “Parties” hereunder.

Each Party warrants that its respective signatories whose signatures appear on any SOW are on the date of signature duly authorized to bind the Party to the SaaS Agreement.

1. Scope of Services. During the Term (defined in Sec. 11.1, below), and subject to the terms and conditions of the SaaS Agreement, Inbenta shall deliver to Customer the Services for the Customer to use in accordance with the terms and conditions set forth in the SaaS Agreement. “Services” means Inbenta’s proprietary technology and software solutions offered in hosted form (“Platform Services”) and related professional services provided by Inbenta as agreed to by the Parties in an SOW (“Professional Services”). Inbenta may, in its sole discretion, permit use of the Services by an Affiliate of Customer, but in each such case, an Affiliate will be required to execute a separate SOW with Inbenta that references these TOS. An “Affiliate” of a Party is any entity that directly or indirectly controls, is controlled by, or is under common control with the Party. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.
   
   
2. Fees and Payment. As consideration for the provision of the Services, Customer shall pay to Inbenta the fees in accordance with the payment terms set forth herein and in the SOW. In the event of a conflict between these payment terms and those set forth in the SOW, the payment terms of the SOW shall control.
   
   2.1. Payment of Fees. Customer shall pay all undisputed fees due under each invoice within thirty (30) days of the invoice date. If any invoiced fee is disputed, Customer must notify Inbenta of the disputed amount before the due date for payment of the invoice, and timely pay all undisputed amounts in the invoice. Customer will cooperate with Inbenta in its investigation of the disputed amount, including by providing a detailed explanation of the dispute and any supporting documentation requested by Inbenta. Upon completion of its investigation, Inbenta will either credit incorrect amounts on Customer’s account, or provide supporting documentation for the amounts invoiced. Customer will pay amounts found to be correctly invoiced within 30 days of being provided the supporting documentation. All Services are non-cancelable and the related fees are non-refundable when paid.
   
   2.2. Late Charges. Inbenta reserves the right to charge, and Customer agrees to pay, a late charge equal to one and one-half percent (1.5%) per month, or the maximum amount allowed by law, whichever is lower, on any amount that is not the subject of a good faith dispute that is unpaid on the due date, and on any other outstanding balance.
   
   2.3. Taxes. Fees identified in the SaaS Agreement do not include any applicable sales, use, VAT, and other taxes. Customer will be responsible for payment of all taxes, fees, duties and charges, and any related penalties and interest, arising from the payment of any fees hereunder (other than taxes based on Inbenta’s gross income, for which Inbenta will be solely responsible). Customer will make all payments of fees to Inbenta free and clear of, and without reduction for, any taxes, including withholding taxes. Any such taxes imposed on any payments hereunder to Inbenta will be Customer’s sole responsibility, will be paid in addition to the fees charged by Inbenta in connection with the SaaS Agreement, and Customer will, upon Inbenta’s request, provide Inbenta with official receipts issued by the appropriate taxing authority, or such other evidence as Inbenta may reasonably request, to establish that such taxes have been paid.
   
   
3. Access and Use
   
   3.1. Access. During the Term of the relevant SOW, and subject to the terms and conditions of the SaaS Agreement, including limitations or restrictions set forth in the related SOW, Inbenta hereby grants to Customer the right to access and use the Platform Services as provided by Inbenta from Inbenta’s hosted network for Customer’s own internal business purposes (which may include allowing access to the Platform Services by Customer’s customers and prospective customers (“Users“) to facilitate interactions with such individuals). For the avoidance of doubt, nothing in the SaaS Agreement is intended to grant Customer any right, title, or interest in or to any intellectual property, nor any Intellectual Property Rights in, nor access to, any code (including in object code, source code, or any other format), databases, or other underlying components of the Services. “Intellectual Property Rights” means any right or interest in and to any current or future patent, copyright, trademark, trade secret, or service mark including moral rights, know-how, mask works, and any other work that may be the subject matter of intellectual property or industrial property rights protection of any state, country or jurisdiction, whether registrable or not.
   
   3.2. Obligations. Customer shall:
   3.2.1. Identify the Administrator Users that Customer wants to grant access and use of the Services at the initial set-up stage. Thereafter, Customer is responsible for establishing individual user accounts and account login credentials for each of Customer’s subsequent Administrator Users. Customer may only make employees, consultants, contractors, or agents Administrator Users. An “Administrator User” is an individual, other than a User, who Customer has named to access and use the Services on Customer’s behalf under the rights granted to Customer pursuant to the SaaS Agreement.
   
   3.2.2. Require Administrator Users to (i) maintain the confidentiality of their account login credentials and (ii) not share their account login credentials with any other individual.
   
   3.2.3. Be responsible for its Administrator Users and any noncompliance, with the terms of the SaaS Agreement and any and all applicable laws of any and all applicable jurisdictions.
   
   3.2.4. Remain responsible for all use of the Services through Customer’s account, including any fees associated, regardless of whether such use or user was specifically authorized by Customer.
   
   3.2.5. At all times use the Services in compliance with Inbenta’s Acceptable Use Policy, available at https://www.inbenta.com/compliance/acceptable-use-policy/, which is incorporated into these terms by this reference.
   
   3.3. Integrated Services. Customer acknowledges that the Services operate on, are integrated with, or are provided using application programming interfaces (APIs) and other services. Inbenta’s provision of any Service is subject to all limitations identified as applicable to the Service (ex: API limitations or session length limitations), including at the Developer Portal: https://developers.inbenta.io/general/rate-limits/current-rate-limits, and Customer will comply with all such limitations. Where an API or other service integration is provided by companies that are not affiliated with Inbenta, Customer acknowledges that Customer may be required to install certain software applications and agree to additional terms and conditions set forth by the companies providing the integrated services in order to access the Services. Where Customer engages with its own integrator, Customer will require such integrator to implement the appropriate endpoints to track Usage Data (defined in Section 4.3, below) correctly. NOTWITHSTANDING ANY APPROVAL OF A THIRD-PARTY SERVICE IMPLEMENTATION, CUSTOMER UNDERSTANDS THAT INBENTA DOES NOT WARRANT OR GUARANTEE THESE THIRD-PARTY SERVICES NOR THAT THE THIRD-PARTY SERVICE WILL PROPERLY INTERACT WITH THE SERVICES.
   
   
4. Proprietary Rights.
   4.1. Services. As between the Parties, all title to and interest in the Services and associated Intellectual Property Rights are the exclusive property of Inbenta. Except for the access and use rights expressly granted in the SaaS Agreement, no other rights are granted by Inbenta to Customer and all other rights are expressly reserved by Inbenta.
   
   4.2. Improvements. All title to and rights in any extensions, enhancements, derivative works (as defined in 17 U.S.C. § 101), improvements, or further developments to the Services created or developed in connection with performance under the SaaS Agreement, whether conceived or developed alone by either Party or jointly by the Parties, together with all associated Intellectual Property Rights (all of the foregoing, “Improvements”), shall be the sole property of Inbenta. For the avoidance of doubt, and without limiting the foregoing, Improvements include any of the foregoing resulting from feedback, suggestions, or recommendations provided by Customer. Customer shall irrevocably assign, and does hereby irrevocably assign, and, if applicable, shall cause its Administrator Users to assign, to Inbenta all right, title, and interest it may have in such Improvements.
   
   4.3. Usage Data. “Usage Data” is any performance data, statistics, and other data related to the use of the Services, and any information derived from the implementation of or input into or use of the Services, such as any synonyms, jargon, or other natural language processing feedback learned by the Services. All title to and interest in Usage Data and associated Intellectual Property Rights are the exclusive property of Inbenta and, as applicable, its licensors. Customer acknowledges that Inbenta may use and reproduce Usage Data for any purposes. To the extent such Usage Data is disclosed, it will only be disclosed in a generic, anonymized, or aggregated manner that does not identify any entity or any individual. Inbenta shall implement reasonable technical safeguards that prevent reversal of such Usage Data and implement reasonable business processes to prevent inadvertent release of Confidential Information. Usage Data will not include any information which is protected as “personal data”, “personal information”, “personally identifiable information” or similarly defined terms under any privacy law applicable to the provision of the Services (“Personal Data”).
   
   4.4. Further Assurances. Customer agrees to cooperate with Inbenta in executing and delivering such documents and other papers in a timely manner as are necessary to carry out Inbenta’s obligations and permit its filing and prosecution of any applications for patents, copyrights or other Intellectual Property Rights. Customer shall cause its employees and agents to sign, execute, and acknowledge any and all documents and to perform such acts as may be reasonably requested by Inbenta for the purposes of perfecting the foregoing assignments and ownership rights, and enforcing and defending Intellectual Property Rights as set forth herein. Customer further agrees that its obligation to sign, execute, and acknowledge, or cause to be signed, executed, and acknowledged, when it is in its power to do so, any such documents will survive following the termination of the SaaS Agreement. Inbenta hereby agrees to reimburse Customer in reasonable, out-of-pocket expenses incurred by Customer as a result of its compliance with this Section.
   
   4.5. Publicity/Use of Marks. Inbenta may use Customer’s name and logo on its web sites, and issue a press release or other communication, to announce Customer as a customer of Inbenta.
   
   4.6. Content License. “Customer Data” is any data that is provided by or made available, whether directly, indirectly, or through the Services, by Customer for Inbenta to access and use in the performance of the Services. As between the Parties, all title to and interest in Customer Data and associated Intellectual Property Rights are the exclusive property of Customer. Customer hereby grants to Inbenta, during the term of the relevant SOW, a limited, worldwide, non-exclusive, non-transferable (except as provided in Section 13.3) license under all Intellectual Property Rights therein and thereto, to use, store, modify, and copy all Customer Data as necessary to provide the Services to Customer.
   
   4.7. Use of Artificial Intelligence. Customer acknowledges that Inbenta may use artificial intelligence, machine learning, or data analytics (i.e. technologies that assist or replace human decision-making) for purposes including but not limited to risk assessment, statistical, trend analysis, and planning; and to make decisions, provide, and operate the Services. Without altering Customer’s ownership of its Customer Data, as stated in Section 4.6, above, Customer agrees that any information learned from Inbenta’s use of artificial intelligence, machine learning, or analytics performed on Customer Data is and remains the exclusive property of Inbenta under all applicable Intellectual Property Rights.
   
   4.7.1. Generative AI Services. Where Customer purchases generative artificial intelligence (“GAI”) Services, Customer must have at least one existing large language model (“LLM”) and provide Inbenta with the API keys to such LLM to facilitate the integration. Customer acknowledges that during the provision of the GAI Services, Customer is directing Inbenta to share data with Customer’s LLM provider(s) and that if required under applicable law, Customer may have an obligation to notify its Users of the use of generative artificial intelligence tools, and that it is sharing data with Inbenta and the LLM provider(s). Customer is solely responsible for making all such required disclosures.
   
   4.7.2. GAI Services Disclaimer. Due to the probabilistic nature of artificial intelligence and machine learning, Inbenta cannot and does not guarantee that any GAI generated responses will be 100% accurate. Customer acknowledges that GAI uses experimental technology and may sometimes provide inaccurate content, and that Customer should use discretion before relying on content provided by the GAI-powered Services. It is Customer’s responsibility to review all the source links provided along with any response generated by the GAI-powered Services, and advise Users to do the same. Notwithstanding any other language in the SaaS Agreement, Inbenta will not be liable in any way for any damages resulting from the purchase or use of the GAI-powered Services, including but not limited to any lack of availability, delays, or errors caused or related to Customer’s LLM provider(s). Inbenta shall implement reasonable technical and organizational measures to keep Customer’s LLM’s API keys secure, but cannot guarantee the security of such keys from theft or authorized access or other misuse. Upon Customer’s written request, Inbenta shall rotate Customer’s LLM’s API keys within five (5) business days of such request.
   
   
5. Confidentiality.
   
   5.1. “Confidential Information” means information not generally known or available to the public, disclosed by or on behalf of the Discloser to the Recipient, or permitted by Discloser to be accessed by Recipient, whether directly, indirectly, or through the Services, during the Term, regardless of whether such information is labeled or otherwise identified as being confidential. Confidential Information shall not include data or information which (i) was in the public domain at the time it was disclosed or falls within the public domain, except through the fault of Recipient; (ii) was known to Recipient at the time of disclosure without an obligation of confidentiality, as evidenced by Recipient’s written records; (iii) was disclosed after written approval of Discloser; or (iv) is independently developed by the Recipient without reference or access to any of the Confidential Information. The term “Discloser” refers to the Party disclosing Confidential Information, and the term “Recipient” refers to the Party receiving Confidential Information.
   
   5.2. Each Party retains all right, title, and interest in Confidential Information that it, as the Discloser, provides to the other Party hereto. Neither Party shall (i) disclose to any third party any Confidential Information of the other, except as necessary to provide the Services, or (ii) use such other Party’s Confidential Information for any purpose not specified in the SaaS Agreement. Each Party agrees to notify the other promptly of any unauthorized disclosure of such other Party’s Confidential Information and to assist it in remedying any such unauthorized disclosure or use. Recipient agrees that all persons having access to the Confidential Information of the other Party under the SaaS Agreement will be bound by confidentiality obligations at least as protective as those set forth in these TOS.
   
   5.3. Neither Party shall disclose to the other Party hereto any information which is confidential or proprietary to a third party without first obtaining the written consent of such third party.
   
   5.4. If Confidential Information of the Discloser is required to be disclosed by the Recipient pursuant to applicable law, regulation, judicial order or other legal process, the Recipient may disclose such Confidential Information as legally required provided; however, that to the extent the Recipient is permitted to do so under applicable law, Recipient shall: (i) first provide the Discloser advance prompt written notice and an opportunity to seek confidential treatment thereof or obtain a protective order therefore, and (ii) cooperate with the Discloser to protect the Discloser’s Confidential Information at Discloser’s expense.
   
   5.5. Upon termination of the relevant SOW, each Party shall ensure the prompt return to the other Party or destruction of all Confidential Information of the other Party.
   
   5.6. Each Party acknowledges that disclosure of the other Party’s Confidential Information by it, or breach of the provisions contained herein may give rise to irreparable injury to the other Party and such breach or disclosure may be inadequately compensable in money damages. Accordingly, each Party may seek injunctive relief against the breach or threatened breach of the foregoing undertakings. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity.
   
   5.7. Customer will not disclose the contents of any SOW without the prior written consent of the Inbenta, unless (i) such disclosure is required by law or governmental regulation or (ii) such disclosure is made to a potential acquirer, attorney, accountant, or parent organization subject to a nondisclosure or confidentiality agreement with terms at least as restrictive as the terms contained in this Article 5.
   
   
6. Compliance with Laws and Regulations; Data Security.
   
   6.1. General. During the term of the SaaS Agreement, each Party hereto shall comply with all federal, state, and local laws and regulations including those pertaining to data protection, privacy, and security laws, as applicable to such Party in its performance under the SaaS Agreement.
   
   6.2. Data Security. Each Party shall maintain an industry-standard, written information security program containing physical, administrative, and technical safeguards appropriate to the size, complexity, and nature of the Party’s activities, that are designed to (i) to ensure the security and confidentiality of Personal Data; (ii) to protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) to protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to any consumer. Each Party acknowledges that the maintenance of such an information security program does not guarantee the security of information from theft or authorized access or other misuse. If a Party becomes aware of unauthorized access to the Party’s systems affecting the other Party’s Confidential Information contained on such systems, the Party will without undue delay: (a) notify the other Party of the incident; (b) investigate the incident and provide the other Party with relevant information about the incident; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the incident. Customer is responsible for any security vulnerabilities and the consequences of such vulnerabilities arising from Customer’s networks, from any materials Customer provides, or from any use of the Services in a manner that is inconsistent with the terms of the SaaS Agreement.
   
   6.3. Personal Data. The processing of Personal Data under the SaaS Agreement for those Services that processes such data is governed by Inbenta’s Data Processing Addendum, attached hereto as Exhibit A (“DPA”). Unless otherwise agreed by the Parties for specific purposes, Customer shall make their best efforts to avoid provision of any Personal Data when using the Services in interactions between or amongst Customer, Administrator Users, and Users.
   
   
7. Representations, Warranties, and Grants.
   
   7.1. Corporation in Good Standing. Each Party represents and warrants that it is and will remain a corporation duly incorporated, validly existing and in good standing under the laws of its jurisdiction of incorporation.
   
   7.2. Content and Consent. Customer represents and warrants to Inbenta that Customer has provided notifications to, obtained consents from, and otherwise has all rights necessary (and will continue to ensure the foregoing) to transmit, upload, permit access to, or otherwise provide any and all Customer Data.
   
   7.3. No Third-Party Approval. Each Party represents and warrants to the other Party that its execution and performance of the SaaS Agreement throughout its duration does not and will not require consent from any third party and will not (i) violate (with the lapse of time or giving of notice or both) rights granted to any third party, or (ii) violate or otherwise interfere with the provisions of any agreement to which the Party is bound, or (iii) preclude the Party from complying with the provisions hereof, or (iv) violate any applicable law or regulation or judicial order.
   
   7.4. Credential Sharing. To the extent Customer shares or otherwise permits Inbenta or the Services to make use of any credentials to obtain any Customer Data, Customer represents and warrants that such sharing of credentials shall not violate the rights of, or any contractual obligations with, any third party.
   
   
8. DISCLAIMER OF REPRESENTATIONS AND WARRANTIES. ALL SERVICES ARE PROVIDED “AS IS” AND “WITH ALL FAULTS”. EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS AGREEMENT, INBENTA DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES, AND INBENTA HEREBY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, ORAL OR WRITTEN, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, RELATING TO THE SERVICES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE IN TRADE. INBENTA DOES NOT MAKE ANY COMMITMENT THAT THE SERVICES WILL BE UNINTERRUPTED, ACCURATE OR ERROR FREE, NOR THAT ANY CONTENT WILL BE SECURE OR NOT LOST OR ALTERED.
   
   
9. LIMITATION OF LIABILITY.
   
   9.1. NO CONSEQUENTIAL DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE OR RESPONSIBLE TO THE OTHER PARTY FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY BREACH OF CONTRACT OR OTHERWISE UNDER THE AGREEMENT (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE, BREACH OF STATUTORY DUTY, STRICT LIABILITY), OR OTHERWISE) EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   
   9.2. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY’S TOTAL CUMULATIVE LIABILITY ARISING UNDER THE SAAS AGREEMENT (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE, BREACH OF STATUTORY DUTY, STRICT LIABILITY), OR OTHERWISE), INCLUSIVE OF ANY PENALTY, CREDIT DUE TO CUSTOMER, OR OTHER COMPENSATION, SHALL NOT EXCEED THE AGGREGATE FEES PAID OR PAYABLE BY CUSTOMER TO INBENTA WITHIN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY. Amounts to be paid under any indemnity are obligations and not liabilities, regardless of the label placed on the underlying indemnified claim.
   
   
10. Indemnification.
    
    10.1. Customer Indemnification. Customer shall indemnify, defend, and hold harmless Inbenta and its respective officers, directors, employees, agents, advisers, and representatives from and against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees and the cost of enforcing any right to indemnification hereunder (collectively, “Losses”) arising out of or in connection with any third-party claim, suit, action, or proceeding (each a “Third-Party Claim”) relating to (i) Customer’s provision of or Inbenta’s use, storage or copy of any Customer Data provided by Customer under this SaaS Agreement, (ii) Customer’s or anyone accessing the Services through Customer’s use of the Services; or (iii) Customer’s breach of any of Inbenta’s Intellectual Property Rights.
    
    10.2. Inbenta Indemnification. Inbenta shall indemnify, defend, and hold harmless the Customer from and against all Losses arising out of or in connection with any Third-Party Claim that any Services provided by Inbenta infringes a copyright or patent or misappropriates a trade secret. Notwithstanding the foregoing, Inbenta shall not be obligated to indemnify, defend, or hold harmless Customer to the extent a claim of infringement is based on: (i) portions or components of the Services that were not created by Inbenta; (ii) Customer’s or its Administrator Users’ use or modification of the Services; (ii) Customer’s failure to use corrections, enhancements, or other updates made available to Customer at no additional cost; (iii) Customer’s use of the Services in combination with any service, product, software or hardware not expressly directed or authorized by Inbenta in writing to be used with the Services; or (iv) information, direction, specifications, or materials provided by Customer or any third party on Customer’s behalf. If any portion of the Services is, or in Inbenta’s opinion is likely to be, held to constitute an infringing item, Inbenta may at its sole option and expense either: (A) procure for Customer the right to continue using the relevant Services under the terms of the SaaS Agreement; (B) replace or modify the relevant Services with equivalent functionality so that it is non-infringing, or (C) to the extent that (A) and (B) are not commercially reasonable, terminate the SaaS Agreement and refund to Customer the fees paid for such item, prorated for the remaining time left in the current Term of the relevant SOW. THE PROVISIONS OF THIS SECTION 10 CONSTITUTE THE INDEMNIFIED PARTY’S SOLE AND EXCLUSIVE REMEDIES AND INDEMNIFYING PARTY’S ENTIRE OBLIGATION TO THE INDEMNIFIED PARTY WITH RESPECT TO INFRINGEMENT AND MISAPPROPRIATION.
    
    10.3. Indemnification Procedure. A Party seeking indemnity under Section 10, must promptly notify the indemnifying Party of the commencement of the Third-Party Claim. Failure to promptly notify the indemnifying Party will not relieve the indemnifying Party of any duty to indemnify, except to the extent they are prejudiced by the failure. Upon proper notification, the indemnifying Party will have the right to control the defense against any such Third-Party Claims, utilizing counsel chosen in the indemnifying Party’s sole discretion. The indemnified Party may participate in any such defense, at its own expense, by separate counsel of its choice. The indemnifying Party will obtain the prior written approval of the indemnified Party before ceasing to defend against any Third-Party Claim or entering into any settlement, adjustment, or compromise of the claim involving any terms other than payment of money. The indemnified Party shall reasonably cooperate with the indemnifying Party in the provision of any such defense by providing to the indemnifying Party all information, assistance, and authority as may reasonably be requested by the indemnifying Party.
    
    
11. Term, Termination and Suspension.
    
    11.1. Term. The term of these TOS will begin upon the Effective Date and continue for so long as any SOW remains active (“Term”).
    
    11.2. Termination and Suspension.
    11.2.1. Termination for Material Breach. In the event of a material breach of the SaaS Agreement by either Party hereto, the other Party may provide written notice to the breaching Party (the “Breach Notice”) specifying the nature of the breach. If such breach is not cured to the reasonable satisfaction of the non-defaulting Party within thirty (30) days after service of the Breach Notice, the nonbreaching Party may terminate the relevant SOW immediately by providing written notice of termination to the breaching Party.
    
    11.2.2. Suspension for Material Breach. Inbenta reserves the right to suspend Customer’s access to and use of the Services during any period when Customer is in material breach of the SaaS Agreement. Should Inbenta suspend Customer’s access, Customer will be required to pay a reinstatement fee in additional to any past due amounts before Inbenta reinstates access to the Services. Inbenta also reserves the right to suspend or terminate access to and use of the Services if access to or use of any necessary third-party services or products are suspended or terminated. Inbenta will not be liable to Customer nor any third party for such suspension. Customer acknowledges and agrees that the foregoing is reasonable for the protection of Inbenta’s Intellectual Property Rights.
    
    11.2.3. Bankruptcy. Either Party may terminate this SaaS Agreement upon written notice to the other Party if the other Party (and Inbenta may immediately suspend access to the Services if Customer) (i) becomes insolvent; (ii) files, submits, initiates, agrees to or is subject to any bankruptcy petition, conservatorship, request or petition for appointment of a receiver, or demand or application for voluntary or involuntary dissolution or similar proceeding; or (iii) makes a general assignment for the benefit of its creditors.
    
    11.3. Effects of Termination.
    11.3.1. Access and Use Rights. The licenses and any other rights granted in Article 3 shall immediately terminate for the relevant SOW(s). Customer shall immediately and permanently discontinue use of all relevant Services. Customer shall ensure that it has retrieved all Customer Data saved to Customer’s knowledge base from the Services prior to the termination date.
    
    11.3.2. Other SOWs. Termination of Inbenta’s provision of Services under one SOW will not affect provision of Services under any other SOWs associated with the TOS.
    
    11.4. Surviving Rights. The expiration or termination of the SaaS Agreement will not release or discharge either Party from any liabilities, obligations, debts, or liabilities set forth herein which (i) the Parties have expressly agreed herein will survive any such expiration or termination or (ii) previously accrued or remain to be performed or by their nature would be intended to be applicable following any such expiration or termination. The rights and obligations set forth in Article 2 (Fees and Payment), Article 4 (Proprietary Rights), Article 5 (Confidentiality), Article 6 (Compliance with Laws and Regulations; Data Security), Article 8 (Disclaimer of Representations and Warranties), Article 9 (Limitation of Liability), Article 10 (Indemnification), Section 11.3 (Effects of Termination), this Section 11.4 (Surviving Rights), and Article 13 (General) shall survive termination or expiration of the SaaS Agreement for any reason. Termination or expiration of the SaaS Agreement shall not be deemed a waiver of any claims arising from activities occurring prior to the effective date of termination or expiration.
    
    
12. Compliance.
    
    12.1. Policies; Laws. Each Party shall maintain written policies and procedures requiring its employees and contractors to comply with all applicable laws relating to bribery, corruption, anti-money-laundering, and other laws relating to ethical business practices, and shall comply with all applicable laws relating to use of the Services.
    
    12.2. International Trade. Each Party will comply with all economic sanctions, export control laws, and other restrictive trade measures administered by the U.S. and other applicable governments. Each Party understands and acknowledges that it is solely responsible for its own compliance with such laws whenever applicable. Customer further understands and acknowledges that it will not directly or indirectly export, import, sell, disclose, or otherwise transfer any Services to any country or party subject to such restrictions, and that it is solely responsible for obtaining any license(s) to export, re-export, or import the Services that may be required.
    
    
13. General.
    
    13.1. Entire SaaS Agreement; Modification; Headings. The SaaS Agreement, including all attachments hereto, forms the entire agreement between the Parties. All prior agreements, commitments, statements, and discussions are merged into and superseded by the SaaS Agreement. No waiver, alteration or modification of any of the provisions hereof shall be binding unless made in writing and signed by the Parties. The headings contained in the SaaS Agreement are for convenience of reference only and shall not be considered in construing the SaaS Agreement.
    
    13.2. Severability. If any term or provision of the SaaS Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect the enforceability of any other term or provision of the SaaS Agreement, or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon a determination that any term or provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify the SaaS Agreement to give effect the original intent of the Parties as closely as possible in order that the transactions contemplated hereby are consummated as originally contemplated to the greatest extent possible.
    
    13.3. Assignment. The SaaS Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and assigns. Neither the SaaS Agreement nor any rights or obligations hereunder may be assigned or otherwise transferred by either Party without the prior written consent of the other Party (which consent shall not be unreasonably withheld). Notwithstanding the forgoing, either Party may assign the SaaS Agreement and its rights and obligations hereunder to an Affiliate, or to another party (that is not a competitor of the other Party hereto) in connection with the transfer or sale of all or substantially all of the business of such Party, whether by merger, sale of stock, sale of assets, or otherwise, upon providing written notice thereof without needing the other Party’s consent. Any unauthorized attempted assignment shall be null and void and of no force or effect.
    
    13.4. WAIVER OF JURY TRIAL. CUSTOMER AND INBENTA ARE AGREEING TO IRREVOCABLY GIVE UP ANY RIGHTS TO LITIGATE CLAIMS IN A COURT BEFORE A JURY.
    
    13.5. Dispute Escalation. Prior to filing a claim in any court, the Parties will first escalate any claim, dispute, or controversy arising between Customer and Inbenta under the SaaS Agreement or relating in any way to the delivery of Services, to senior management of each Party. The senior managers will have authority to resolve the dispute and will meet at such times and places as agreed to between them to discuss the issues and resolutions for not less than 30 days. If no resolution is agreed to during this time, the aggrieved Party may proceed with filing its claim with the courts.
    
    13.6. The provisions of Section 13.5 will not be interpreted to restrict either Party’s rights under Section 5.6 or Section 11.2.
    
    13.7. Governing Law. All matters arising out of or relating to the SaaS Agreement are governed by and construed in accordance with the internal laws of the State of Texas without giving effect to any choice or conflict of law provision or rule (whether of the State of Texas or any other jurisdiction) that would cause the application of the laws of any jurisdiction other than those of the State of Texas. The application of the United Nations Convention on Contracts for the International Sale of Goods to this Agreement is expressly excluded. Each Party consents to the exclusive jurisdiction of the federal and state courts of the State of Texas and venue in the courts in Allen, Texas to settle all disputes or claims arising out of or in connection with the SaaS Agreement.
    
    13.8. No Waiver. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in the SaaS Agreement, no failure to exercise, or delay in exercising, any right, remedy, power, or privilege arising from the SaaS Agreement will operate or be construed as a waiver thereof; nor will any single or partial exercise of any right, remedy, power, or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
    
    13.9. Relationship of the Parties. The relationship between the Parties is that of independent contractors. Nothing contained in the SaaS Agreement will be construed as creating any agency, partnership, joint venture, or other form of joint enterprise, employment, or fiduciary relationship between the Parties, and neither Party has authority to contract for or bind the other Party in any manner whatsoever.
    
    13.10. No Third-Party Beneficiaries. Except as set forth herein, the SaaS Agreement is for the sole benefit of the Parties hereto and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or will confer upon any third party any legal or equitable right, benefit, or remedy of any nature whatsoever.
    
    13.11. Force Majeure. Notwithstanding any provision contained herein to the contrary, neither Party will be deemed to be in default hereunder for failing to perform its obligations under the SaaS Agreement if such failure is the result of any (i) act, neglect or default of the other Party; or (ii) embargo, war, act of terror, riot, incendiary, fire, flood, earthquake, epidemic or pandemic, public health emergency or other calamity, act of God, or governmental act or the necessity of complying with any governmental order. If any event in subsection (ii), above, continues for a period in excess of thirty (30) days, either Party shall have the right to terminate the SaaS Agreement by providing the other Party with a written notice of its desire to terminate the SaaS Agreement at least thirty (30) days prior to the effective date of any such termination.
    
    13.12. Notices. All notices required under this SaaS Agreement shall be sent to the addresses on the signature page of these TOS, and, if the notice relates to an SOW, to any additional notice addresses listed in such SOW, to the attention of the signatories, with a copy to the Legal Department of the Party. All notices under the SaaS Agreement shall be deemed given: (i) when delivered by hand; (ii) 1 business day after being sent by commercial overnight courier with written verification of receipt; or (iii) 5 days after being sent by registered or certified mail, return receipt requested, postage prepaid. Either Party may from time to time change its address for notification purposes by giving the other Party written notice of the new address and the date upon which it will become effective. If no address is provided then notice delivered to the Party’s headquarters to the attention of the Legal Department will be deemed effective.
    

———- End of Terms of Service ———-

EXHIBIT A:
INBENTA DATA PROCESSING ADDENDUM

This Global Data Processing Addendum (“DPA“) constitutes an integral part of all SaaS Agreements by and between Inbenta and Customer, as each Party is identified in the relevant agreement document(s);

jointly “the Parties“, and each a “Party“,

including each fully executed order or Statement of Work, or under any services agreement or similar agreement (collectively, “Agreement“). This DPA reflects the Parties’ agreement with regard to the Processing of Customer Data in accordance with the requirements of Data Protection Laws.

This DPA is effective on the Effective Date of the TOS, and amends, supersedes and replaces any prior agreement relating to data processing and/or data protection the Parties entered into.

1. DEFINITIONS
   In this In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
   
   “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
   
   “Applicable Data Protection Laws” means all applicable laws or regulations relating in any way to privacy, confidentiality, security matters, as they may be amended from time to time, in any jurisdiction, including, all data protection laws and regulations in the European Economic Area, including the Data Protection Act 2018 (UK), EU Regulation 2016/679 ( “EU GDPR”); (b) and the UK GDPR as defined in Section 3(10) of the Data Protection Act 2018 (“UK GDPR”). See also Appendix 3 for jurisdiction specific terms in relation to Applicable Data Protection Laws.
   
   “Authorized Affiliate” means an entity that (1) owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise, and (2) is permitted to use the Services provided by Inbenta pursuant to the Agreement between Customer and Inbenta.
   
   “Controller” has the meaning given the EU and UK GDPR.
   
   “Data Subject Rights” means all rights granted to Data Subjects under the Applicable Data Protection Laws.
   
   “Customer Data” means Customer Representative Data and/or User Data.
   
   “Customer Representative Data” means Personal Data concerning the Customer’s employees and other personnel Processed by Inbenta pursuant to or in connection with the Agreement.
   
   “Data Subject” has the meaning given the EU and UK GDPR.
   
   “EEA” means the European Economic Area.
   
   “Personal Data” has the meaning given in the EU and UK GDPR.
   
   “Processor” has the meaning given in the EU and UK GDPR.
   
   “Processing” has the meaning given in the EU and UK GDPR.
   
   “Restricted Transfer” means the transfer of Personal Data where (1) Customer originally held the Personal Data in, or imported the Personal Data from, the EEA, Switzerland, or the UK, or Customer is otherwise subject to the GDPR, FADP or UK GDPR in relation to such Personal Data, (2) the Personal Data will be received by Inbenta outside of the EEA, Switzerland, or the UK, as applicable, and (3) the transfer would be prohibited by Applicable Data Protection Law or a previously executed set of Standard Contractual Clauses, as applicable, in the absence of Standard Contractual Clauses or another adequate transfer mechanism as approved by the relevant Regulatory Authority, such as an adequacy decision approved by the European Commission, including but not limited to the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, or similar such adequacy decisions applicable to Inbenta and/or its Affiliates.
   
   “Security Breach” means any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure or destruction of Customer Data stored on Inbenta’s equipment or in Inbenta’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Data stored by a Inbenta Subprocessor.
   
   “Security Practices Document” means the Information Security Practices Document (or the applicable part dependent on what Services Customer purchases from Inbenta), as updated from time to time, and made available to Customer on request.
   
   “Services” means the services provided to Customer by Inbenta involving the processing of Personal Data on behalf of Customer.
   
   “Special Category Data” shall have the meaning given in the EU and UK GDPR.
   
   “Subprocessor” means any data processor (including any Inbenta Affiliates, but excluding an employee of Inbenta or any of its sub-contractors) appointed by or on behalf of Inbenta or any Inbenta Affiliate to Process Personal Data on behalf of Customer or Authorized Affiliates in connection with the Agreement.
   
   “User” means any individuals who use the Services that Customer has licensed pursuant to the Agreement and made available for communication with such individuals, including its customers and prospective customers.
   
   “User Data” means all Personal Data concerning Users.
   
   The terms, “Commission“, “Member State“, and “Supervisory Authority” shall have the same meaning as in the Applicable Data Protection Laws, and their cognate terms shall be construed accordingly.
   
   The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
   
   
2. AUTHORITY
   
   2.1. Roles of the Parties. The Parties acknowledge and agree that:
   2.1.1. in relation to the Processing of User Data, Customer is the Controller while Inbenta is the Processor; and
   2.1.2. in relation to the Processing of Customer Representative Data, Inbenta is an independent Controller and shall independently determine the means and purposes of that processing.
   
   2.2. Controlling Agreement. This DPA supplements the Agreement and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA prevail.
   
   2.3. Affiliates. Inbenta warrants and represents that, before any Inbenta Affiliate Processes any Customer Data Inbenta’s entry into this DPA as agent for and on behalf of that Inbenta Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Inbenta Affiliate.
   
   
3. PROCESSING OF CUSTOMER REPRESENTATIVE DATA
   
   3.1. Compliance with laws. Inbenta shall comply with all Applicable Data Protection Laws in the Processing of Customer Representative Data.
   
   3.2. Purpose limitation. Without prejudice to the generality of the foregoing, Inbenta shall not Process Customer Representative Data for any purpose other than the purposes for which it was collected, namely the identification of representatives of the Customer for the purposes of controlling access to its systems and the data they contain, fulfilling its contractual obligations to the Customer, maintain and improving its services and systems, and fulfilling any relevant regulatory obligations.
   
   3.3. Details of Processing Activities. The subject matter, duration of the Processing, the nature and purpose of the Processing, the types of Customer Representative Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1 – Part A of this DPA.
   
   
4. PROCESSING OF USER DATA
   
   4.1. Compliance with laws. Both parties shall comply with all Applicable Data Protection Laws in the Processing of User Data.
   
   4.2. Purpose limitation. Without prejudice to the generality of the foregoing, Inbenta shall not Process User Data other than on the Customer’s documented instructions unless Processing is required by Applicable Data Protection Laws to which Inbenta is subject, in which case Inbenta shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of that legal requirement before the relevant Processing of that User Data.
   
   4.3. Customer’s instructions and obligations. Without prejudice to the generality of clause 4.1, Customer shall provide notice to all Users of its use of Inbenta as Processor. Customer warrants that its instructions for the Processing of User Data pursuant to this DPA comply with the Applicable Data Protection Laws. Customer instructs Inbenta to Process User Data as reasonably necessary for the provision of the Services and consistent with the Agreement; and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out herein on behalf of each of its Authorized Affiliate.
   
   4.4. Details of Processing Activities. The subject matter, duration of the Processing, the nature and purpose of the Processing, the types of User Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1 – Part B of this DPA.
   
   4.5. Excluded Personal Data. It is not in the Parties’ intention that the Services will be used to collect and otherwise process financial or payment information, or any Special Category Data, concerning Users. Customer acknowledges that Inbenta provides an obfuscation tool that can be enabled by Customer which will serve to mask personal information identified by the Customer once the information has been provided by the User through the Services. Customer shall ensure that it takes all reasonable steps to prevent Users from providing financial or payment information, or any Special Category Data, concerning Users through use of the Services; and, to the extent such information is provided by a User, Customer shall ensure it deletes such information immediately. Additionally, Customer represents and warrants that it will not include Personal Data of any kind in its knowledge content provided by Customer for the use of the Services, unless otherwise explicitly agreed to in writing by Inbenta with appropriate amendments made to this DPA to the extent necessary.
   
   
5. INBENTA’S OBLIGATIONS
   
   5.1. Confidentiality. Inbenta shall ensure that its personnel engaged in the Processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Inbenta shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Inbenta shall ensure that access to Customer Data is limited to those personnel performing Services in accordance with the Agreement on a need-to-know basis.
   
   5.2. Data Subject Requests. Inbenta shall, to the extent legally permitted, promptly notify Customer if Inbenta receives a request from a Data Subject to exercise a Data Subject Request relating to User Data. Inbenta will assist the Customer by implementing reasonable technical and organizational measures, insofar as this is possible, to fulfil Customer’s obligation to respond to requests for exercising Data Subject Rights. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Inbenta shall upon Customer’s written request provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent Inbenta is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Inbenta’s provision of such assistance.
   
   5.3. Supervisory Authority Requests. Inbenta will assist Customer in addressing any communications and abiding by any advice or orders from the Supervisory Authority relating to User Data within the timeframe specified by the Supervisory Authority, to the extent required under Applicable Data Protection Laws.
   
   5.4. Disclosure to Third Parties. Inbenta will not disclose User Data to third parties except as permitted by this DPA or the Agreement, unless Inbenta is legally required to disclose User Data, in which case Inbenta shall, to the extent legally permitted, notify Customer in writing and liaise with Customer before complying with such disclosure request.
   
   5.5. Data Protection Impact Assessment. Upon Customer’s request, Inbenta shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Inbenta.
   
   5.6. Retention. Inbenta will retain User Data in its raw form for at least 100 days, as otherwise required by Customer for Processing, or as required under the applicable law, after which time the User Data is archived and is only accessible to respond to legal requests and auditing purposes in a CSV export format. Raw data generated by the Messenger Services are excluded from this process and remain available in the system as archived tickets. At the termination of this DPA, or upon Customer’s written request, Inbenta will either delete or return User Data to Customer, unless legal obligations require storage of User Data.
   
   5.7. Security. Inbenta shall maintain appropriate administrative, physical, and technical safeguards intended for protection of the security, confidentiality, and integrity of User Data, as such measures are set out in Appendix 2 of this DPA. Inbenta monitors compliance with these safeguards. In assessing the appropriate level of security, Inbenta shall take account in particular of the risks that are presented by Processing, in particular from a Security Breach.
   
   
6. THIRD PARTY CERTIFICATION AND AUDITS
   
   6.1. Certifications. Upon Customer’s written request at reasonable intervals, but in any event no more than annually, and subject to the confidentiality obligations set forth in the Agreement, Inbenta shall make available to Customer that is not a competitor of Inbenta (or Customer’s independent, third-party auditor that is not a competitor of Inbenta) a copy of Inbenta’s then most recent third-party audits or certifications, as applicable.
   
   6.2. Audits. Customer may contact Inbenta to request an audit of Inbenta’s procedures relevant to the protection of Customer Data, but only to the extent required under Applicable Data Protection Laws, and at Customer’s sole expense. Such audit will be conducted by an independent third party reasonably acceptable to Inbenta. Before the commencement of any such on-site audit, Customer and Inbenta shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. Such audits will not occur more than annually, unless requested by a Supervisory Authority. The results of the inspection and all information reviewed during such inspection will be deemed Inbenta’s confidential information and shall be protected by the auditor in accordance with the confidentiality obligations set forth in the Agreement. Notwithstanding any other terms, the auditor may only disclose to Customer specific violations of the DPA, if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection to Customer.
   
   
7. SUB-PROCESSING
   
   7.1. General Consent. Customer acknowledges and agrees that (a) Inbenta’s Affiliates may be retained as Subprocessors; and (b) Inbenta and Inbenta’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services subject to the conditions noted in this section. As a condition of engaging Subprocessors, Inbenta or a Inbenta Affiliate will enter into a written agreement with each Subprocessor containing data protection obligations, including security measures, not less protective than those in this DPA with respect to the protection of User Data to the extent applicable to the nature of the services provided by such Subprocessor.
   
   7.2. Consent to Subprocessor Engagement. Customer acknowledges and agrees that Inbenta may engage Subprocessors to Process Customer Data. A current list of approved Subprocessors is listed on the following URL: https://www.inbenta.com/compliance/security-and-privacy/#Privacyandprotectionofpersonallyidentifiableinformation.
   Without prejudice to Section 7.3, Customer generally authorizes the engagement as Subprocessor of any other third parties.
   
   7.3. Notification of New Subprocessors and Customer Objection. During the term of the Agreement, Inbenta will update its current Subprocessor list in the customer portal on its website periodically to reflect any changes. Inbenta will strive to notify Customer if it adds or removes Subprocessors at least fifteen (15) days prior to any changes if Customer provides Inbenta with written instructions of an appropriate email address for such notification. Customer may object to Inbenta’s use of a new Subprocessor by notifying Inbenta promptly in writing within ten (10) business days after receipt of Inbenta’s notice of appointment of Subprocessor, provided such objection is based on reasonable grounds, such as the violation of Applicable Data Protection Laws or the weakening of the security of the User Data. In the event Customer objects to a new Subprocessor, as permitted in the preceding sentence, the Parties agree to discuss commercially reasonable alternative solutions in good faith. If the Parties cannot reach a resolution within sixty (60) days from the date of Inbenta’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Inbenta. In the absence of timely and valid objection by Customer, such Subprocessor may be commissioned to process User Data.
   
   7.4. Liability. Inbenta shall be liable for the acts and omissions of its Subprocessors to the same extent Inbenta would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
   
   
8. SECURITY BREACH
   
   8.1. If Inbenta becomes aware of a Security Breach, Inbenta will without undue delay: (a) notify Customer of the Security Breach; (b) investigate the Security Breach and provide Customer with information about the Security Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach. Inbenta’s obligation to report or respond to a Security Breach under this Section is not and will not be construed as an acknowledgement by Inbenta of any fault or liability with respect to the Security Breach.
   
   8.2. Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Inbenta selects, including via email. It is Customers’s sole responsibility to ensure it maintains accurate contact information on Inbenta’s support systems at all times.
   
   
9. LIMITATION OF LIABILITY
   Inbenta and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement. The liability described in the SCCs shall in no event exceed the limitations set forth in the Agreement, and that under no circumstances and under no legal theory, whether in contract, tort, negligence, or otherwise, will Inbenta or its Affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to Customer or any third party for any lost profits, lost sales of business, lost data, business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such Party has been advised of the possibility of or could have foreseen such damages. For the avoidance of doubt, this section shall not be construed as limiting the liability of either Party with respect to claims brought by Data Subjects.
   
   
10. RESTRICTED TRANSFERS
    
    10.1. To the extent Customer Data is provided to Inbenta in the EEA, UK or Switzerland by Customer or its representatives , except for the circumstances set out below, Inbenta will not transfer to, or carry out any processing of Customer Data in a country outside the EEA, UK or Switzerland unless the country has been recognized by the European Commission, UK or Switzerland as having an adequate level of data protection. Transfers to or processing of Customer Data relating to EU, UK or Swiss Data Subjects carried out in the United States are subject to Inbenta’s participation and self-certification to the E.U.-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, and UK Extension to the EU-U.S. Data Privacy Framework. As such, there are no circumstances in which a Restricted Transfer is carried out between the Customer as Exporter and Inbenta as Importer.
    
    10.2. If the adequacy decisions for the E.U.-U.S. and Swiss-U.S. Data Privacy Frameworks and/or UK Extension to the E.U.-U.S. Data Privacy Framework are invalidated, or if Inbenta no longer participates in the E.U.-U.S. and Swiss-U.S. Data Privacy Frameworks and/or UK Extension, then, as of the moment of invalidation or withdrawal from the Frameworks, transfers of Customer Data from Customer to Inbenta are subject to the Standard Contractual Clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“SCC”), hereby incorporated reference into this Agreement, and/or the UK Addendum to the SCCs issued by the Office of the Information Commissioner (ICO), hereby incorporated by reference into this Agreement.
    
    
11. INTERNATIONAL PROVISIONS
    
    Jurisdiction Specific Terms. To the extent Inbenta Processes Customer Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Appendix 3 (Jurisdiction Specific Terms) of this DPA, the terms specified in Appendix 3 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.
    
    
12. OBLIGATIONS POST-TERMINATION
    
    Termination or expiration of this DPA shall not discharge the Parties from their obligations meant to survive the termination or expiration of this DPA.
    
    
13. SEVERABILITY
    
    Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.

APPENDIX 1 – DETAILS OF PROCESSING

Part A – Customer Representative Data

Subject matter of the processing

Identification of Customer’s representatives for the purpose of granting or denying access to Inbenta’s systems and keeping records of their access.

Duration of the processing

While this Agreement is in force, as long as Customer continues to receive Services and access Inbenta’s systems.

Nature of the processing

Collection, storage, organization, structuring, access, restriction, alteration, erasure, destruction.

Purpose of the processing

Identity verification to control access to the Inbenta systems and the data they contain, fulfilling the contractual obligations, maintaining and improving the services and systems.

Type of personal data

Name, business email, IP Address (or equivalent when accessed through a mobile device), time and date of access, length of session, location.

Categories of data subjects

Employees and other personnel of Customer.

Part B – User Data

Subject matter of the processing

Provision of the following Services, as selected by Customer:

• Chatbot
• Semantic Search
• Knowledge Management
• Messenger Services

Duration of the processing

While this Agreement is in force, as long as Users use the Services that Customer has licensed pursuant to the Agreement and made available for communication with such individuals.

Nature of the processing

Collection, storage, organization, structuring, access, restriction, alteration, erasure, destruction.

Purpose of the processing

Providing electronic customer communication services to Users that Customer has licensed pursuant to the Agreement.

Type of Personal Data

Identity and contact data (such as name, gender, address, email address, phone numbers), IP address, session ID, purchase history, opinions, User questions, conversation histories, time and date of access, length of session, location, Personal Data provided spontaneously by Users, and other additional data fields, which may not include bank account or other Special Categories of Data that Customer notifies Inbenta will be relevant to the provision of Services.

Categories of data subjects

Users.

APPENDIX 2

Technical and Organizational Measures Related to Information Security. Inbenta maintains appropriate technical and organizational measures designed to protect Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access, and to provide an appropriate security level for the risk represented by the processing and the nature of the data to be protected.

Accordingly, Inbenta has implemented an Information Security and Information Privacy Management System compliant with ISO 27001, ISO 27017, and ISO 27701 standards which include, among others, the following measures:

1. Data access policies and procedures to check that access to Inbenta’s computer systems is done through individual users and passwords, such as limiting data access to those employees who strictly require it to perform their job.
2. Backup copies, where appropriate, of the personal data processed by the controllers that require availability and integrity.
3. Ongoing surveillance and monitoring of systems and networks to detect and minimize the impact of any malfunction or threat.
4. Logging of user and administrator events and activities.
5. Security configurations and perimeter protection systems in the network to avoid intrusions, as well as antivirus protection of its computer systems.
6. Registry of security incidents and mechanisms and procedures for the notification of security breaches have been established.
7. Physical access control and protection of the equipment, people, and facilities where the data controller is being processed.
8. In case of managing support or documents with the controller’s personal data, these are duly stored in cabinets or spaces equipped with locking devices.
9. A code of conduct, including prevention of criminal behavior and good practices in security and data privacy.
10. A training and awareness platform in information security and data privacy for all Inbenta staff, including phishing simulations and phishing prevention training.
11. A Continuity Plan that grants the possibility of restoring the availability of and access to personal data quickly, in the event of a physical or technical incident, within the timeframes required to meet the business commitments the parties are bound to by means of the service contract.
12. Contractual clauses and agreements with all sub-processors, including providing sufficient commitments to implement appropriate technical and organizational measures for processing to meet the requirements of the applicable regulations and protect the rights of data subjects.
13. Application of privacy principles by design and by default.

APPENDIX 3 – JURISDICTION SPECIFIC TERMS

1. Australia
   
   1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
   
   1.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
   
   
2. Brazil
   
   2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
   
   2.2 The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to data subjects.
   
   2.3 The definition of “Processor” includes “Operator” as defined under Applicable Data Protection Law.
   
   
3. Canada
   
   3.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
   
   
4. California
   
   4.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations (“California Privacy Law”).
   
   4.2 The definition of “Personal Data” includes “Personal Information” as defined under California Privacy Law.
   
   4.3 The definition of “Processor” 4. shall include “Service Provider” and “Contractor” as the terms are defined under California Privacy Law.
   
   4.4 The definition of “Controller” shall include “Business” as that term is defined under California Privacy Law.
   
   4.5 “Sell,” “Selling,” “Sale,” or “Sold” shall means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for monetary or other valuable consideration.
   
   4.6 “Share,” “Shared,” and “Sharing” shall have the meaning assigned in the California Privacy Law.
   
   4.7 For purposes of California Privacy Law, Inbenta will act as a “service provider” in its performance of its obligations under the Agreement that relate to User Data.
   
   4.8 To the extent legally required under California Privacy Law, Inbenta agrees to not Share or Sell Personal Data of California residents to another person or entity: (i) for monetary or other valuable consideration; or (ii) for cross-context behavioural advertising purposes for the benefit of a business in which no money is exchanged; or (iii) combine Personal Data of California residents with Personal Data that Inbenta receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject.
   
   
5. China
   
   5.1 The definition of “Applicable Data Protection Law” includes the Personal Information Privacy Law (PIPL).
   
   5.2 The definition of “Controller” includes “Personal Information Processor” as defined under Applicable Data Protection Law. The definition of “Processor” includes “Entrusted Party” as defined under Applicable Data Protection Law.
   
   5.3 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
   
   
6. Israel
   
   6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
   
   6.2 The definition of “Controller” includes “Database Owner” as defined under Applicable Data Protection Law.
   
   6.3 The definition of “Processor” includes “Holder” as defined under Applicable Data Protection Law.
   
   
7. Japan
   
   7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
   
   7.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
   
   7.3 The definition of “Controller” includes “Business Operator” as defined under Applicable Data Protection Law.
   
   7.4 The definition of “Processor” includes a business operator entrusted by the Business Operator with the handling of Controller Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, Processor will ensure that the use of the Controller Data is securely controlled.
   
   
8. Singapore
   
   8.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
   
   
9. Switzerland
   
   9.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.
   
   9.2 The definition of “Applicable Data Protection Law” shall include, where the Swiss DPA applies, transferring Customer Data to a country outside Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner