Exhibit 10.25
Certain portions of this exhibit have been omitted pursuant to Item 601(b)(10)(iv) of Regulation S-K because they are both (i) not material and (ii) the type of information that the registrant treats as private or confidential. Omitted portions are indicated by [***].
MASTER SERVICES AGREEMENT
COVER SHEET
This Master Services Agreement (this “Agreement”) is entered into as of the Effective Date set forth below by and between Sixtyfour AI, Inc., located at 539 Bryant St., Suite 304, San Francisco, CA 94107 (the “Company”) and the Customer identified below. This Cover Sheet, together with the attached Terms and Conditions, constitutes the entire Agreement between the parties with respect to the subject matter hereof.
|
Customer: |
FullPAC, Inc. 1206 Laskin Rd Ste 201-o, Virginia Beach, VA 23451 |
| Customer Contact: | Travis Trawick, Chief Executive Officer, travis@gotv.com, +1 (757) 575-3743 |
| Effective Date: | [Signing Date] |
Monthly Fee; Total Minimum Commitment; Monthly Credit Allotment:
|
Monthly Credit Allotment |
Monthly Fee / Total Minimum Commitment | |
| [***] Credits per month (usable for deep search, enrichment, verification, and outbound workflows) |
Monthly Fee: $27,500 per month, billed monthly
Total Minimum Commitment: $495,000 over the Initial Term, non-cancelable
Per-Credit Rate: [***] per Credit (list rate)
Monthly Fee and per-Credit rate fixed for the Initial Term |
Additional Credits available for purchase upon request at Company’s then-current rates, or as otherwise agreed upon by the parties.
|
API Access: |
[X] Yes ☐ No |
| Data Sources: | All Data Sources used by Company as part of the Services, subject to continued availability in all cases, as further described in the Terms & Conditions. |
| Additional Terms: |
Customer shall also receive the following in connection with the provision of Services pursuant to this Agreement:
● Early Feature Access & Continuous Improvements (priority access to all platform upgrades during the Term) |
| Total Fees Due Upon Execution of this Agreement: | $27,500 (first monthly installment) |
IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.
COMPANY: Sixtyfour AI, Inc. |
CUSTOMER: FullPAC, Inc. | |||
| By: | /s/ Christopher Price | By: | /s/ Travis Trawick | |
| Name: | Christopher Price | Name: | Travis Trawick | |
| Title: | Chief Operating Officer | Title: | Chief Executive Officer | |
| Date: | ___________________________ | Date: | ___________________________ | |
MASTER SERVICES AGREEMENT
TERMS AND CONDITIONS
1. DEFINITIONS.
1.1. “Agreement” means this Master Services Agreement, including the Cover Sheet and these Terms and Conditions, as each may be amended from time to time in accordance with the terms hereof.
1.2. “API” means the application programming interface(s) made available by Company and listed in the Cover Sheet, through which Customer may access the Services.
1.3. “Competing Product” means any product or service that is substantially similar to, or competitive with, the Services or any data product offered by Company.
1.4. “Confidential Information” means all non-public information disclosed by or on behalf of a party (the “Disclosing Party”) to the other party (the “Receiving Party”) in connection with this Agreement, whether disclosed orally, in writing, electronically, or by inspection, including business plans, technical data, product plans, financial information, and the terms and conditions of this Agreement. Confidential Information shall not include information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was known to the Receiving Party prior to disclosure without restriction on use or disclosure; (c) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information; or (d) is rightfully received by the Receiving Party from a third party without restriction on use or disclosure.
1.5. “Credits” means the prepaid usage credits purchased by Customer hereunder, which may be applied toward the use of the Services in accordance with the applicable rate card or pricing schedule provided by Company.
1.6. “Customer Data” means any data, content, or information provided or submitted by Customer to Company in connection with Customer’s use of the Services.
1.7. “Data” means any data, datasets, information, or content made available to Customer through the Services.
1.8. “Documentation” means the user guides, technical manuals, API documentation, and other materials made available by Company to Customer describing the features, functionality, and use of the Services, APIs, or Platform, as updated by Company from time to time.
1.9. “Platform” means Company’s proprietary software-as-a-service platform through which Customer may access the Data and Services.
1.10. “Services” means the services made available by Company to Customer via the API and/or the Platform.
1.11. “Political Entity” means (i) a candidate for elective office, (ii) a political campaign or campaign committee, (iii) an elected official acting in their elected capacity, (iv) a political party committee, (v) or a political consulting firm whose primary business is the provision of consulting services to candidates, campaigns, or party committees. Notwithstanding the foregoing, “Political Entity” does not include any technology company, software platform, payment processor, or infrastructure provider whose products or services are general-purpose in nature and whose use by Political Entities is incidental to a broader commercial customer base, even where its end users could be Political Entities.
2. SERVICES AND ACCESS
2.1. Grant of Access. Subject to the terms and conditions of this Agreement and Customer’s payment of all applicable fees, Company hereby grants to Customer a non-exclusive, non-transferable, non-sublicensable right during the Term to access and use the Services solely for Customer’s internal business purposes and in accordance with the Documentation. Notwithstanding the foregoing, subject to the other restrictions in this Agreement, Customer may access and use the Services to source Data to share with its own customers.
2.2. API License. Subject to the terms and conditions of this Agreement, Company hereby grants to Customer a limited, non-exclusive, non-transferable, non-sublicensable license during the Term to access and use the API solely for the purpose of accessing the Services in accordance with the Documentation. Customer shall comply with all usage limitations, rate limits, and technical requirements applicable to the API as set forth in the Documentation or as otherwise communicated by Company. All rights not expressly granted herein are reserved by Company.
2.3. Restrictions. Except as expressly permitted under this Agreement, Customer shall not, and shall not permit any third party to: (a) sublicense, sell, resell, transfer, assign, distribute, or otherwise make available the Services, the Platform or any API to any third party; (b) modify, create derivative works based upon, reverse engineer, decompile, or disassemble the API, the Platform, or any component thereof; (c) access the Services in order to build a competitive product or service; (d) without limiting the foregoing restriction, use the Data in connection with or in furtherance of a Competing Product; (e) use the Services, the Platform, the API, or the Data in any manner that violates applicable law or regulation; or (f) use the Services, the Platform, or the API to transmit any malicious code, viruses, or harmful content.
2.4. Modifications to Services. Company reserves the right to modify, update, or discontinue any aspect of the Services, the Platform, or the API at any time in its sole discretion, provided that Company shall use commercially reasonable efforts to provide Customer with prior notice of any material, adverse changes.
2.5. Political Exclusivity. During the Term, Company will not provide the Services or the Platform to any Political Entity other than Customer; provided, however, that the following are expressly excluded from this restriction and remain available to Company without limitation: (a) government agencies and public sector bodies; (b) defense and national security contracts; (c) advocacy organizations, nonprofit organizations, and public-affairs firms, solely to the extent that the use of the Services by any such advocacy organization, nonprofit organization, or public-affairs firm is unrelated to any candidate, campaign, election, or ballot measure; and (d) access to the Services or the Platform obtained through Company’s self-serve offering under Company’s standard online terms, it being understood that this Section 2.5 applies only to negotiated agreements signed by Company and that Company has no obligation to monitor the identity, affiliation, or use of self-serve users; provided that if Company becomes aware that a self-serve user is a Political Entity, Company will refer such user to Customer under Section 2.6. The exclusivity set forth in this Section 2.5 may be suspended or terminated only upon and after Customer’s failure to cure any failure to pay amounts due under this Agreement within the cure period set forth in Section 8.2.
2.6. Referrals; Commission. During the Term, Company will refer inbound prospects that are Political Entities to Customer. In consideration of such referrals, Customer will pay Company a commission equal to ten percent (10%) of Customer’s margin on amounts received from each referred account, payable monthly. Customer shall provide Company with a monthly written report of all amounts received from each referred account. For purposes of this Section 2.6, ‘margin’ means amounts actually received by Customer from the referred account, less Customer’s direct third-party costs attributable to such account (including data acquisition, carrier and messaging fees, media and advertising pass-through costs, and subcontracted services). Each monthly report shall set forth the calculation of margin in reasonable detail.
3. SUPPORT AND MAINTENANCE
3.1. Support. During the Term, Company shall make technical support available to Customer for issues related to the Services, the Platform, and the API during normal business hours (8:00 a.m. to 5:00 p.m. Pacific Standard Time, excluding weekends and Company-observed holidays) via email or such other channels as Company may designate from time to time. Company shall use commercially reasonable efforts to respond to Customer support requests in a timely manner. Customer shall provide Company with sufficient detail regarding any reported issue to enable Company to diagnose and address such issue.
3.2. Updates. During the Term, Company shall provide Customer with all standard updates, upgrades, enhancements, bug fixes, and patches to the Platform and APIs that Company makes generally available to its customers at no additional charge (“Updates”). All Updates shall be deemed part of the Services and shall be subject to the terms and conditions of this Agreement. Company shall use commercially reasonable efforts to provide Customer with advance notice of any scheduled maintenance that may result in material downtime or disruption to the Services.
4. CREDITS AND PAYMENT
4.1. Monthly Fee; Total Minimum Commitment. Customer commits to a non-cancelable Total Minimum Commitment of $495,000 over the Initial Term, payable in monthly installments of $27,500 per month, invoiced monthly in advance, with [***] Credits allotted to Customer each calendar month at [***] per Credit. All amounts paid or payable under this Section 4.1 are non-refundable regardless of actual usage of Credits or the Services.
4.2. Credit Purchase. At the commencement of each calendar month during the Initial Term, Company shall issue Customer [***] Credits, which Credits shall be applied against Customer’s usage of the Services in accordance with Company’s then-current rate card or pricing schedule. Customer may purchase additional Credits at any time at the rates set forth in the applicable rate card or pricing schedule, or as otherwise agreed upon by the parties.
4.3. Credit Rollover; Expiration. Unused Credits issued in any calendar month shall roll over to subsequent calendar months during the Term. Any Credits remaining unused upon expiration or termination of this Agreement shall be forfeited in accordance with Section 9.4 and shall not be refunded or credited to Customer.
4.4. Payment Terms. All fees are due and payable within thirty (30) days of the date of the applicable invoice, unless otherwise specified on the Cover Sheet. All amounts payable under this Agreement are denominated in United States Dollars. Undisputed late payments by Customer shall bear interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law. Failure by Customer to pay any amount by its due date shall constitute a material breach of this Agreement, subject to the notice and cure provisions of Section 8.2.
4.5. Taxes. All fees and amounts payable under this Agreement are exclusive of any applicable taxes, levies, duties, or similar governmental assessments, including sales, use, value-added, and withholding taxes (collectively, “Taxes”). Customer shall be responsible for all Taxes associated with its purchases hereunder, excluding taxes based on Company’s net income.
4.6. Annual Price Adjustment. Company reserves the right to increase any fees, rates, or pricing applicable under this Agreement (including, without limitation, the per-Credit pricing, the Monthly Fee, the Total Minimum Commitment) on an annual basis, effective as of the commencement of each Renewal Term. Company shall provide Customer with written notice of any such price increase at least forty-five (45) days prior to the commencement of the applicable Renewal Term. If Customer does not wish to accept the price increase, Customer may elect not to renew this Agreement by providing written notice of non-renewal in accordance with Section 9.1 prior to the expiration of the then-current Term. Customer’s continued use of the Services following the commencement of any Renewal Term shall constitute acceptance of the applicable price increase. Notwithstanding the foregoing, no increase to the Monthly Fee or the per-Credit rate shall apply during the Initial Term.
5. DATA
5.1. Provision of Data from Data Sources. Company shall use commercially reasonable efforts to source and provide Data from those Data Sources listed on the Cover Sheet. Company shall have no liability for and will not be in breach of this Agreement for its failure to, or for ceasing to offer or provide Data to Customer from any particular Data Source. Company may, in its sole discretion, substitute alternative Data Sources for any Data Source listed on the Cover Sheet. Company shall use commercially reasonable efforts to notify Customer if a previously available Data Source is no longer available. For the avoidance of doubt, the unavailability of any Data Source shall not affect Customer’s payment obligations under this Agreement, including the Total Minimum Commitment.
5.2. As-Is. Company makes the Data available to Customer through the Services on an “as is” and “as available” basis. Company makes no representations or warranties of any kind, whether express, implied, statutory, or otherwise, regarding the Data, including with respect to the ownership, accuracy, completeness, quality, legality, reliability, suitability, or availability of the Data, or Company’s right, title, or interest in or to the Data. For the avoidance of doubt, Company solely grants Customer a limited right to access such Data through the Services during the Term, and does not grant Customer any ownership interest in the Data. Company makes no representation or warranty as to whether any rights, licenses, or consents are required for Customer’s use of the Data for its intended purposes, and to the extent any such rights, licenses, or consents are required, Customer shall be solely responsible for obtaining them at its own cost and expense. Customer acknowledges that its access to and use of the Data may be subject to additional terms, conditions, or restrictions imposed by the applicable Data Source, and Customer shall comply with all such terms as communicated by Company from time to time. Notwithstanding the foregoing, Company represents that it has the right to provide the Data to Customer for the purposes contemplated by this Agreement, and that providing the Data does not, to Company’s knowledge, infringe or misappropriate any third party’s intellectual-property rights or violate applicable law in any material respect.
5.3. Customer’s Reliance on Data. Customer is solely responsible for its use of and reliance on the Data, including any decisions made or actions taken based on the Data. Customer shall independently evaluate the suitability of the Data for its intended purposes and shall comply with all applicable laws, rules, and regulations in connection with its use of the Data. Customer shall not represent to any third party that the Data has been verified by Company or constitutes verified fact, and shall use commercially reasonable efforts to advise recipients of reports derived from the Data that such Data is unverified and requires independent verification prior to reliance or publication.
5.4. Customer Data. As between the parties, Customer retains all right, title, and interest in and to the Customer Data. Customer hereby grants to Company a non-exclusive, worldwide, royalty-free license to use, reproduce, and process the Customer Data solely as necessary to provide the Services (including for accounting and compliance purposes, to monitor the service, and otherwise as permitted by law) and to perform Company’s obligations under this Agreement. Notwithstanding the foregoing, Company may use, reproduce, modify, and create derivative works of Customer Data in de-identified, anonymized, and/or aggregated form that does not directly identify Customer or any natural individual (“De-identified Data”) for the purposes of (a) improving, developing, and enhancing Company’s products and services, (b) training, developing, and improving Company’s artificial intelligence and machine learning models, and (c) conducting analysis and benchmarking. As between the parties, Company shall own all right, title, and interest in and to any De-identified Data. Customer acknowledges that Company may use and disclose Customer Data for its own business purposes, including to improve, develop, and enhance Company’s products and services. In respect of any such processing for Company’s own business purposes, Company: (i) independently determines the purposes and means of such processing; (ii) shall comply with applicable laws (if and as applicable in the context); (iii) shall process such data as described in Company’s relevant privacy notices/policies, as updated from time to time; and (iv) shall apply technical and organizational safeguards designed to protect such data.
5.5. Data Storage and Backup. Customer acknowledges and agrees that the Services and the Platform are not intended to serve as a data backup, archival, or disaster recovery service. Customer is solely responsible for maintaining independent backup copies of all data and other materials stored on or through the Platform and Services, including any data provided by Company and any Customer Data uploaded, submitted, or otherwise stored by Customer. Company shall have no obligation to maintain, preserve, or recover any Data or Customer Data stored on or through the Platform and Services, and Company shall not be liable for any loss, cost, expense, or damage arising from Customer’s failure to maintain adequate backup copies of such data.
5.6. Privacy and Security. To the extent Customer Data contains any Personal Data (as defined in Exhibit B), and Company is Customer’s Processor (as defined in Exhibit B) of such Personal Data, the parties agree that such Personal Data shall be Processed (as defined in Exhibit B) in accordance with, and that the parties shall comply with their respective obligations under, the Data Protection Agreement (“DPA”) attached as Exhibit B.
5.7. Bulk Sensitive Personal Data Rule. Customer represents and warrants that it is not a “covered person” under the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (“Bulk Sensitive Personal Data Rule”), 28 C.F.R. §§ 202 et. Seq. During the Agreement’s term, Customer shall not (i) become a “covered person” or as defined by the Bulk Sensitive Personal Data Rule, or (ii) transfer or otherwise provide “access” to Data to any “covered person” or “country of concern” as defined by the Bulk Sensitive Personal Data Rule. If at any time Customer cannot continue to comply with this Section 5.7, it shall immediately cease all access to, use of, and any other activities related to Data obtained or otherwise made available by Company and shall immediately notify Company.
6. INTELLECTUAL PROPERTY
6.1. Company Intellectual Property. As between the parties, Company and its licensors retain all right, title, and interest in and to the Services, the Platform, the API, the Documentation, the Data, and all related technology, software, algorithms, models, and intellectual property rights therein (collectively, “Company IP”). No rights are granted to Customer hereunder except as expressly set forth in this Agreement.
6.2. Feedback. If Customer provides any suggestions, ideas, enhancement requests, or other feedback regarding the Company IP (“Feedback”), Customer hereby assigns to Company all right, title, and interest in and to such Feedback, including all intellectual property rights therein. Company shall be free to use, disclose, reproduce, license, and otherwise exploit such Feedback without restriction or obligation to Customer of any kind.
7. CONFIDENTIALITY
7.1. Obligations. The Receiving Party shall: (a) protect the Disclosing Party’s Confidential Information using at least the same degree of care that Disclosing Party uses to protect its own confidential information of a similar nature, but in no event less than reasonable effort; (b) not disclose such Confidential Information to any third party except to its employees, agents, and advisors who have a need to know and who are bound by obligations of confidentiality no less restrictive than those set forth herein; and (c) not use such Confidential Information for any purpose other than as necessary to exercise its rights or perform its obligations under this Agreement.
7.2. Compelled Disclosure. The Receiving Party may disclose Confidential Information to the extent required by applicable law, regulation, or court order, provided that the Receiving Party shall (to the extent legally permitted) provide the Disclosing Party with prompt written notice of such requirement and reasonably cooperate with the Disclosing Party’s efforts to obtain a protective order or other appropriate remedy.
8. TERM AND TERMINATION
8.1. Term. This Agreement shall commence on the Effective Date and, unless terminated earlier in accordance with the terms herein, shall continue for an initial term of eighteen (18) months (“Initial Term”). Thereafter, this Agreement shall automatically renew for successive one (1) year terms, unless either party provides written notice of non-renewal to the other party at least thirty (30) days prior to the expiration of the then-current term (each, a “Renewal Term”). The “Term” shall mean the Initial Term and all Renewal Terms.
8.2. Termination for Cause. Either party may terminate this Agreement upon written notice to the other party if: (a) the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days after receipt of written notice specifying the breach; or (b) the other party becomes the subject of a petition in bankruptcy or any proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors. In addition, Company may terminate this Agreement upon written notice to Customer if Customer fails to pay any amount when due and does not cure such failure within thirty (30) days after receipt of written notice of such nonpayment. In addition, Customer may terminate this Agreement upon thirty (30) days’ written notice if (i) Company materially breaches Section 2.5 and fails to cure such breach within thirty (30) days after written notice, or (ii) any of the following occurs and Company fails to cure within thirty (30) days after written notice describing the issue in reasonable detail: (A) the Services or the Platform are unavailable or materially inoperative for five (5) or more consecutive business days, or ten (10) or more days in any calendar quarter; (B) Company discontinues, or materially reduces the functionality of, the Services’ deep search, enrichment, or verification capabilities without providing substantially equivalent replacement functionality; or (C) there is a sustained and material decline, measured against the trailing six (6) months, in the breadth of Data returned by the Services for comparable requests, as reflected in the Services’ output metrics (including populated data fields, source references, and confidence scores). Upon such termination by the Customer, Customer shall have no further obligation with respect to the unaccrued portion of the Total Minimum Commitment, and Company shall refund any prepaid fees attributable to periods after the effective date of termination.
8.3. Effect of Termination. Upon expiration or termination of this Agreement: (a) all rights and licenses granted to Customer hereunder shall immediately terminate; (b) Customer shall immediately cease all access to and use of the Services, Platform, and APIs; (c) any unused Credits shall be forfeited and no refund shall be due to Customer; (d) each party shall return or destroy all Confidential Information of the other party in its possession or control; and (e) all provisions of this Agreement that by their nature should survive termination shall survive. If Company terminates this Agreement as a result of Customer’s failure to pay any amount when due, an amount equal to the lesser of (i) the unpaid balance of the Total Minimum Commitment and twelve (12) months of Monthly Fees shall become immediately due and payable.
9. DISCLAIMER OF WARRANTIES
9.1. Disclaimer. THE COMPANY IP IS PROVIDED “AS IS” AND “AS AVAILABLE.” COMPANY AND ITS LICENSORS HEREBY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND QUIET ENJOYMENT. WITHOUT LIMITING THE FOREGOING, COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, OR THAT ANY DEFECTS WILL BE CORRECTED.
10. INDEMNIFICATION
10.1. Customer Indemnity. Customer shall defend, indemnify, and hold harmless Company and its affiliates, officers, directors, employees, and agents from and against any and all third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Customer’s use or publication of Data, including any claim based on the accuracy or completeness of such Data; (b) defamation or false light claims arising from Customer’s use of Data; or (c) violations of any person’s privacy or publicity rights arising from Customer’s use of Data; provided that Customer shall have no obligation under this Section 10.1 to the extent a claim arises from the Data as delivered by Company (without material modification by Customer) or from Company’s breach of its representation in Section 5.2. Customer’s aggregate liability under this Section 10.1 shall not exceed the total amounts paid and payable by Customer under this Agreement during the twelve (12) months preceding the event giving rise to the claim. This indemnification obligation applies notwithstanding the exclusivity and referral provisions in Sections 2.5 and 2.6 and survives expiration or termination of this Agreement.
11. LIMITATION OF LIABILITY
11.1. Exclusion of Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL COMPANY OR ITS AFFILIATES, LICENSORS, OR SUPPLIERS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOSS OF PROFITS, REVENUE, GOODWILL, DATA, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY (WHETHER IN CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
11.2. Cap on Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, COMPANY’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL AMOUNTS ACTUALLY PAID BY CUSTOMER TO COMPANY UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
12. GENERAL PROVISIONS
12.1. Neither party shall assign or transfer this Agreement, or any rights or obligations hereunder, without the other party’s prior written consent. Notwithstanding the foregoing, either party may freely assign this Agreement in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets without the other party’s consent. Any attempted assignment in violation of this Section shall be null and void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.
12.2. Governing Law; Venue. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles. The parties hereby consent to the exclusive jurisdiction and venue of the state and federal courts located in the State of California for the resolution of any disputes arising out of or relating to this Agreement.
12.3. Notices. All notices required or permitted under this Agreement shall be in writing and shall be delivered by (a) email, (b) nationally recognized overnight courier, or (c) certified mail, return receipt requested. Notices to Company shall be sent to chrisprice@sixtyfour.ai or physical address set forth on the Cover Sheet. Notices to Customer shall be sent to legal@fullpac.com or the physical address set forth on the Cover Sheet. Notices shall be deemed given: (i) if by email, on the date sent, provided no bounce-back or error notification is received by the sender within twenty-four (24) hours of sending; (ii) if by overnight courier, one (1) business day after deposit with the courier; or (iii) if by certified mail, three (3) business days after deposit in the mail. Each party shall promptly notify the other party in writing of any change to its notice address.
12.4. Force Majeure. Neither party shall be liable for any failure or delay in the performance of its obligations under this Agreement (other than payment obligations) to the extent such failure or delay results from circumstances beyond such party’s reasonable control, including acts of God, natural disasters, pandemics, war, terrorism, riots, embargoes, acts of governmental authorities, power failures, telecommunications failures, or internet disruptions.
12.5. Severability. If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid, illegal, or unenforceable provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving the parties’ original intent.
12.6. Waiver. No failure or delay by either party in exercising any right, power, or remedy under this Agreement shall operate as a waiver thereof, nor shall any single or partial exercise of any right, power, or remedy preclude any other or further exercise thereof or the exercise of any other right, power, or remedy.
12.7. Entire Agreement; Order of Precedence. This Agreement, including the Cover Sheet and these Terms and Conditions, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, negotiations, representations, and communications, whether oral or written, relating to such subject matter. In the event of any conflict or inconsistency among the components of this Agreement, the following order of precedence shall apply (in descending order of priority): (a) the DPA; (b) the Cover Sheet; and (c) these Terms and Conditions. This Agreement may be amended only by a written instrument signed by both parties. For the avoidance of doubt, this Agreement supersedes any prior agreement between the parties relating to the subject matter hereof, including the agreement dated June 3, 2026, any amounts paid by Customer thereunder, including the $5,000 previously paid, shall be credited against Customer’s payment obligations under this Agreement, and no further amounts shall be due under such prior agreement.
12.8. Independent Contractors. The parties are independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or employment relationship between the parties.
12.9. Publicity. Customer hereby grants to Company a non-exclusive, royalty-free, worldwide license to use Customer’s name, trademarks, and logos (collectively, “Customer Marks”) for the purpose of identifying Customer as a customer of Company in Company’s marketing materials, promotional content, press releases, case studies, presentations, and customer lists, including on Company’s website. Company shall use the Customer Marks in accordance with any trademark usage guidelines provided by Customer to Company in writing. Customer may request that any particular use of Customer Marks be discontinued. Notwithstanding the foregoing, Company shall not issue any press release or other public statement that identifies or names Customer without Customer’s prior written approval of the specific content of such press release or public statement, which approval shall not be unreasonably withheld or delayed.
12.10. Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed original signatures for all purposes.
EXHIBIT B
Data Protection Agreement
This DPA supplements and forms part of the agreements between the Company (“Provider”) and Customer. Capitalized terms not defined in this DPA are defined in the main body of the Agreement. In the event of any conflict or inconsistency between the DPA and the Agreement, the DPA will govern.
1. Definitions
For purposes of this DPA, the terms below have the meanings set forth below.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(b) Applicable Data Protection Laws means, as and to the extent applicable, the State Privacy Laws, GDPR, and FADP.
(c) Controller means the entity that, alone or jointly with others, determines the purposes or means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the California Consumer Privacy Act.
(d) Data Subject means the identified or identifiable natural person to whom Personal Data relates.
(e) EEA means the European Economic Area.
(f) FADP means the Swiss Federal Act on Data Protection in its revised version of 25 September 2020.
(g) FDPIC means Swiss Federal Data Protection and Information Commissioner.
(h) GDPR means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, replacement, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
(i) Information Security Incident means an actual breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(j) Personal Data means Customer Content that constitutes “personal data,” “personal information,” “nonpublic personal information” or “personally identifiable information” as defined in Applicable Data Protection Laws, except that Personal Data does not include such information received by Provider directly or from other sources (such as its other customers) independent of Provider’s relationship with Customer.
(k) Process or Processing means any operation or set of operations which is performed by Provider on behalf of Customer under this Agreement, on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(l) Processor means the entity that Processes Personal Data on behalf and at the direction of the Controller, including, as applicable, any “service provider” as that term is defined by the California Consumer Privacy Act.
(m) Restricted Transfer means the disclosure, grant of access or other transfer of Personal Data to any person located in: (i) when transferred from the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); (ii) when transferred from the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”); and (iii) when transferred from Switzerland, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss authorities (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under the GDPR or FADP.
(n) SCCs means the applicable (C-to-C, C-to-P, P-to-P or P-to-C) standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914)
(o) Security Measures has the meaning given in Section 4(a) (Provider Security Measures).
(p) Services means the services that Provider performs for Customer under the Agreement.
(q) State Privacy Laws means, collectively, the comprehensive state-specific data privacy laws and their regulations currently in effect and applicable to Provider’s Processing of Personal Data under the Agreement.
(r) Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Services.
(s) Supervisory Authority means any entity with the authority to enforce Applicable Data Protection Laws, including, (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office (ICO); and (iii) in the context of Switzerland and the FADP, means the FDPIC.
(t) UK Transfer Addendum means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
2. Duration and Scope of DPA
(a) This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
(b) Processing of Personal Data subject to the GDPR shall be subject to Annex 2 (European Annex).
(c) Processing of Personal Data subject to the State Privacy Laws with respect to which Customer is a Business, Controller, Processor, or Service Provider and Provider is Customer’s service provider or processor (as such terms are defined in State Privacy Laws) shall be subject to Annex 3 (State Privacy Laws Annex) to this DPA.
3. Customer Instructions
(a) Provider will Process Personal Data in accordance with Customer’s instructions to Provider. By entering into this DPA, Customer instructs Provider to Process Personal Data to provide the Services and to perform its other obligations and exercise its rights under the Agreement. The Parties acknowledge and agree that the details of Provider’s Processing of Personal Data under this DPA (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
4. Security
(a) Provider Security Measures. Provider will implement and maintain technical, administrative, physical and organizational measures designed to protect Personal Data against Information Security Incidents as described in Annex 4 (the “Security Measures”). Provider may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
(b) Security Compliance by Provider Staff. Provider shall require that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.
(c) Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Provider becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident. Provider’s notification of or response to an Information Security Incident will not be construed as Provider’s acknowledgement of any fault or liability with respect to the Information Security Incident. Provider shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Information Security Incident. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Information Security Incident. If Customer determines that an Information Security Incident must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Provider, where permitted by applicable laws, Customer agrees to (i) notify Provider in advance, and (ii) in good faith, consult with Provider and consider any clarifications or corrections Provider may reasonably recommend or request to any such notification, which: (i) relate to Provider’s involvement in or relevance to such Information Security Incident; and (ii) are consistent with applicable laws.
(d) Customer’s Security Responsibilities. Customer agrees that Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Personal Data.
(e) Customer’s Security Assessment. Customer has determined that the Services, the Security Measures and Provider’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.
5. Data Subject Rights
(a) Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary and technically feasible for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control, including but not limited to, access, correction, deletion, and cessation of Processing of Personal Data. Customer shall compensate Provider for any such assistance at Provider’s then-current professional services rates, which shall be made available to Customer upon request.
(b) Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will (i) notify Customer; and (ii) advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding to any such request.
6. Customer Responsibilities
(a) Customer shall ensure (and is solely responsible for ensuring) that it has given such notices to and obtained such consents and permissions from third parties (including, without limitation, Data Subjects), and has all rights, in each case, as may be required under applicable law or otherwise for Provider to Process Personal Data as contemplated by the Agreement.
(b) Customer represents and warrants to Provider that Customer Data does not and will not contain any Personal Data that contains racial, ethnic or national origin; religious or philosophical beliefs; political opinions; protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”); other mental or physical health condition, diagnosis, history, treatment or other health data; health insurance information; pregnancy; sex life, sexuality or sexual orientation; status as transgender or non-binary; citizenship; citizenship or immigration status; union membership; status as a victim of crime; genetic, biometric, neural or biological data; personal information of children or teens; precise location information; Social Security number; driver’s license number; state identification card number; passport number; other government-issued identification numbers; financial information or account number; account login information; tax return data; contents of a communication to which you were not a party; or any bulk U.S. sensitive personal data or U.S. government-related data, in each case as defined in the U.S. Department of Justice’s Final Rule on Prohibition on Bulk Data Transfers to Foreign Adversaries (28 C.F.R. Part 202), as amended, or any successor or similar rule, law, or regulation (collectively, “Restricted Data”); provided, however, that Customer Data may include political-opinion, political-affiliation, voter-registration, and other election-related information, and publicly available information concerning candidates, public officials, donors, and politically active individuals, in each case to the extent inherent in Customer’s use of the Services, and such information shall not constitute Restricted Data for purposes of this Section 6(b) except to the extent it constitutes bulk U.S. sensitive personal data or government-related data under 28 C.F.R. Part 202.
(c) Customer represents and warrants that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Provider of Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)).
(d) Customer shall ensure that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Provider of Personal Data.
7. Subprocessors
(a) Consent to Subprocessor Engagement. Customer generally authorizes Provider to engage third parties as Subprocessors in accordance with this Section 7.
(b) Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at compliance.sixtyfour.ai (the “Subprocessor Site”). Provider may continue to use those Subprocessors already engaged by Provider as at the date of this DPA.
(c) Requirements for Subprocessor Engagement. When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor in connection with the services they provide to Provider to the same extent as Provider would have been had it performed the Processing itself.
(d) Opportunity to Object to Subprocessor Changes. When Provider engages any new Subprocessor after the effective date of the DPA, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means. If Customer objects to such engagement in a written notice to Provider within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and pay Provider for all amounts due and owing under the Agreement as of the date of such termination.
8. Audits
(a) Reviews and Audits of Compliance. Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws. Provider will contribute to such audits by providing Customer with the information and assistance reasonably necessary to conduct the audit. Due to the nature of the Services, on-site audits are not necessary for Customer to audit Provider’s compliance with this DPA. If a third party is to conduct the audit, Provider may object to the auditor if the auditor is, in Provider’s reasonable opinion, not independent, a competitor of Provider, or otherwise manifestly unsuitable. Such objection by Provider will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 8 shall require Provider to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider the audit reports generated in connection with the audit(s) under this Section 8, unless prohibited by Applicable Data Protection Laws. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 8 at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
9. Return and Deletion
(a) Subject to Sections 9(b) and 9(c), upon the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), Provider shall promptly cease all Processing of Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA. For the avoidance of doubt, this Section 9 does not apply to Telemetry Data.
(b) Subject to Section 9(d), to the extent technically possible in the circumstances (as determined in Provider’s sole discretion), on Customer’s written request to Provider (to be made no later than fourteen (14) days after the Cessation Date (“Post-cessation Storage Period”)), Provider shall within fourteen (14) days of such request, at Customer’s election either: (i) return a complete copy of all structured Personal Data within Provider’s possession to Customer by secure file transfer, promptly following which Provider shall delete or anonymize all other copies of such Personal Data, or (ii) either (at Provider’s option) delete or anonymize all structured Personal Data within Provider’s possession.
(c) In the event that during the Post-cessation Storage Period, Customer does not instruct Provider in writing to either delete or return Personal Data pursuant to Section 9(b), Provider shall, subject to Section 9(d), promptly after the expiry of the Post-cessation Storage Period either (at its option) delete; or render anonymous, all structured Personal Data then within Provider possession to the fullest extent technically possible in the circumstances.
(d) Notwithstanding the above, Provider may retain Personal Data, where permitted or required by applicable law, for such period as may be permitted or required by such applicable law, provided that Provider shall (i) maintain measures designed to protect all such Personal Data, and (ii) Process the Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
10. Miscellaneous
(a) Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (i) in accordance with any notice clause of the Agreement; (ii) to Provider’s primary points of contact with Customer; or (iii) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
(b) Provider agrees to cooperate in good faith with Customer concerning any amendments as may be reasonably necessary to address compliance with the Applicable Data Protection Laws.
(c) Provider may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraph 3.3 of Annex 2 (European Annex).
(d) In the event of any conflict or inconsistency between (i) this DPA and the Agreement, this DPA shall prevail, or (ii) any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
11. Limitation of Liability.
(a) The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with THE AGREEMENT, this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 11 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
Annex 1
Data Processing Details
PROVIDER / ‘DATA IMPORTER’ DETAILS
Name: Sixtyfour AI, Inc. is a U.S. corporation
Address: 39 Bryant St., Suite 304, San Francisco, CA 94107
Contact Details for Data Protection: Chief Operating Officer, chrisprice@sixtyfour.ai
Provider Activities: Provider offers an AI-powered data platform providing deep search, enrichment, verification, and outbound workflow services through its Platform and APIs.
Role: Processor
CUSTOMER / ‘DATA EXPORTER’ DETAILS
Name: The entity or other person who is a counterparty to the Agreement
Customer’s address is: 1206 Laskin Rd Ste 201-o, Virginia Beach, VA 23451
Customer’s Contact Details for Data Protection: Privacy Team, privacy@fullpac.com
Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role: Controller
Categories of Data Subjects: Relevant Data Subjects include any Data Subjects of Personal Data that Customer causes Provider to process as part of the provisions of the Service, including [Authorized Users, employees, job candidates, customers, and prospective customers of Customer’s products and services].
Categories of Personal Data: Relevant Personal Data includes any Categories of Personal Data Customer causes Provider to process as part of the provisions of the Service, including:
● Personal details – for example any information that identifies the Data Subject, including name, and contact information.
● Authentication details – for example username, password or PIN code, security questions and other access protocols.
● Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
● Categories of sensitive data: None – as noted in Section 6(b) of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services.
● Additional safeguards for sensitive data: N/A
Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: as necessary to provide the Services as initiated by Customer in its use thereof, and to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA, specifically for the purposes of providing the Services.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor Site.
Annex 2
European Annex
1. PROCESSING OF PERSONAL DATA
1.1 Where Provider receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Provider shall inform Customer.
1.2 Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Personal Data by or on behalf of Provider pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.
2. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
2.1 Provider, taking into account the nature of the Processing and the information available to Provider, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Personal Data by Provider.
2.2 Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Provider (at Provider’s then-current professional services rates) in Provider’s provision of any cooperation and assistance provided to Customer under Paragraph 2.1, and shall on demand reimburse Provider any such costs incurred by Provider.
3. RESTRICTED TRANSFERS
EU Restricted Transfers
3.1 To the extent that any Processing of Personal Data under this DPA involves an EU Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
(a) populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
(b) entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
3.2 To the extent that any Processing of Personal Data under this DPA involves a UK Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
(a) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
(b) entered into by the Parties and incorporated by reference into this DPA.
Swiss Restricted Transfers
3.3 To the extent that any Processing of Personal Data under the DPA involves a Swiss Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
(a) varied to address the requirements of the FADP and populated in accordance with Part 3 of Attachment 1; and
(b) entered into by the Parties and incorporated by reference in the DPA.
(c) Nothing in any applicable SCCs (as deemed amended pursuant to this Section 3.3) should be interpreted or construed in such a way as would limit or exclude the rights of Data Subjects under Clause 18(c) of those SCCs (as deemed amended pursuant to this Section 3.3) to bring legal proceedings before the courts in Switzerland where Switzerland is that Data Subject’s place of habitual residence.
Adoption of new transfer mechanism
3.4 Provider may upon notice vary this DPA and replace the relevant SCCs with:
(a) any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
(b) another transfer mechanism, other than the SCCs, that enables the lawful transfer of Personal Data to Provider under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
3.5 In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Provider shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
Operational clarifications
3.6 When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Provider’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
3.7 Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Provider to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
3.8 For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
3.9 The terms and conditions of Section 7 of the DPA apply in relation to Provider’s appointment and use of Subprocessors under the SCCs. Any approval by Customer of Provider’s appointment of a Subprocessor that is given expressly or deemed given pursuant to that Section 7 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of the SCCs.
3.10 The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 8 of the DPA.
3.11 Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer’s written request.
Attachment 1
To Annex 2 (European Annex)
POPULATION OF SCCs
● In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA).
● In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA).
● In the context of any Swiss Restricted Transfer, the SCCs as varied and populated by Part 3 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 3.3 of Annex 2 (European Annex) to the DPA.
PART 1: POPULATION OF THE SCCs
1. SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
2. MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):
(a) Module Two of the SCCs applies to any EU Restricted Transfer and/or Swiss Restricted Transfer involving Processing of Personal Data in respect of which Customer is a Controller in its own right; and/or
(b) Module Three of the SCCs applies to any EU Restricted Transfer and/or Swiss Restricted Transfer involving Processing of Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
3. POPULATION OF THE BODY OF THE SCCs
3.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
(a) The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
(b) In Clause 9:
(i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 7(d) of the DPA; and
(ii) OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
(c) In Clause 11, the optional language is not used and is deleted.
(d) In Clause 13, all square brackets are removed and all text therein is retained.
(e) In Clause 17:
(i) OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and
(ii) OPTION 2 is not used and that optional language is deleted.
(f) For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
3.2 In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.
4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:
(a) Customer being ‘data exporter’; and
(b) Provider being ‘data importer’.
4.2 Part C of Annex I to the Appendix to the SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
● Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
● Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
● Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Provider’s contact point for data protection identified in Attachment 1 to Annex 2 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
4.3 Annex II to the Appendix to the SCCs is populated as below:
General:
● Please refer to Section 4 of the DPA and Annex 4 (Security Measures) to the DPA.
● In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Provider, Customer should email Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
Subprocessors: When Provider engages a Subprocessor under these Clauses, Provider shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
● applicable information security measures;
● notification of Information Security Incidents to Provider;
● return or deletion of Personal Data as and where required; and engagement of further Subprocessors.
PART 2: UK RESTRICTED TRANSFERS
1. UK TRANSFER ADDENDUM
1.1 Where relevant in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
(a) Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
(i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
(ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
(b) Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
1.2 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
PART 3: SWISS RESTRICTED TRANSFERS
1. VARIATIONS FOR SWISS RESTRICTED TRANSFERS
1.1 Where applicable in accordance with Section 6.4 of the DPA, the SCCs also apply in the context of Swiss Restricted Transfers with the following terms deemed to have the following substituted meanings:
(a) “GDPR” means the FADP;
(b) “European Union”, “Union” and “Member State(s)” each mean Switzerland; and
(c) “supervisory authority” means the FDPIC.
1.2 In relation to any Swiss Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Section 1.1 of this Part 3.
Annex 3
State Privacy Laws Annex
1. For purposes of this Annex 3, the terms “business,” “commercial purpose,” “sell,” “share,” “targeted advertising” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Personal Data that constitutes personal information governed by the State Privacy Laws.
2. It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Provider’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Provider that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
3. Provider shall not (a) sell or share any personal information or use it for targeted advertising; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) or collected from Provider’s own interaction with any Consumer to whom such personal information pertains, except in each case (a) through (d) as and to the extent necessary as a part of Provider’s provision of the Services or as otherwise permitted by a service provider or processor under the State Privacy Laws. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.
4. Giving Customer notice of Subprocessor engagements in accordance with Section 7 of the DPA shall satisfy Provider’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
5. Provider agrees that Customer may conduct audits, in accordance with Section 8 of the DPA, to help ensure that Provider’s use of personal information is consistent with Provider’s obligations under the State Privacy Laws.
6. The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.
Annex 4
Security Measures
1. Organizational management and dedicated staff responsible for the Provider’s information security program.
2. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard technologies for Personal Data that is transmitted over public networks (i.e., the internet).
3. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
4. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.
5. Monitoring and maintenance of technology and information systems, including secure disposal of systems and media prior to final disposal or release from the Provider’s possession.
6. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Provider’s technology and information assets.
7. Incident management procedures design to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.
8. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
9. Vulnerability assessment, patch management and threat protection technologies designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
10. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Annex 5
List of Subprocessors
Customer approves that Provider engages the following Subprocessors to Process Personal Data pursuant to this DPA: the Subprocessors listed at the Subprocessor Site (compliance.sixtyfour.ai), as updated from time to time.