SaaS Master Service Agreement with AI Governance Clauses

SAAS MASTER SERVICE AGREEMENT WITH AI GOVERNANCE CLAUSES

UNIVERSAL TEMPLATE


THIS MASTER SERVICE AGREEMENT (this "Agreement") is entered into as of [__/__/____] (the "Effective Date") by and between:

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________];

and

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________].

Provider and Customer are each referred to herein as a "Party" and collectively as the "Parties."


RECITALS

WHEREAS, Provider has developed and operates a software-as-a-service platform that includes artificial intelligence and machine learning capabilities; and

WHEREAS, Customer desires to subscribe to and use Provider's Services, including AI-enabled features, subject to the terms and conditions set forth herein; and

WHEREAS, the Parties wish to establish comprehensive governance, transparency, and accountability standards for the AI components of the Services;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


PART A: STANDARD MSA TERMS


ARTICLE 1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where "control" means ownership of more than fifty percent (50%) of the voting securities or equivalent ownership interest.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or automated decision-making capabilities incorporated into or accessible through the Services, as further described in Schedule AI-1.

1.3 "AI Model" means any algorithm, neural network, statistical model, or computational system that underlies the AI Features, including pre-trained models, fine-tuned models, and ensemble systems.

1.4 "AI Output" means any content, prediction, recommendation, classification, decision, score, or other result generated by the AI Features.

1.5 "Algorithmic Discrimination" means any condition in which the use of an AI system results in unlawful differential treatment or disparate impact on the basis of race, color, ethnicity, sex, religion, age, national origin, disability, veteran status, genetic information, or other characteristic protected by applicable law.

1.6 "Authorized Users" means Customer's employees, contractors, and agents who are authorized by Customer to access and use the Services under this Agreement.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other, whether orally, in writing, or electronically, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure.

1.8 "Customer Data" means all data, content, and information submitted, uploaded, or transmitted by or on behalf of Customer or its Authorized Users to the Services.

1.9 "Documentation" means Provider's then-current user guides, technical specifications, API documentation, and other written materials describing the features, functionality, and requirements of the Services.

1.10 "High-Risk AI Use" means any use of AI Features to make, or be a substantial factor in making, decisions that have material legal or similarly significant effects on individuals, including decisions related to employment, credit, insurance, housing, healthcare, education, criminal justice, or access to essential services.

1.11 "Order Form" means an ordering document executed by both Parties that references this Agreement and specifies the Services, subscription term, fees, usage limits, and other commercial terms.

1.12 "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person, as defined under applicable data protection laws.

1.13 "Services" means the software-as-a-service applications, AI Features, professional services, and support services described in the applicable Order Form and Documentation.

1.14 "Training Data" means any data used to train, retrain, fine-tune, validate, or test an AI Model.


ARTICLE 2. SERVICES AND ACCESS

2.1 Subscription Grant. Subject to the terms and conditions of this Agreement and the applicable Order Form, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Subscription Term solely for Customer's internal business purposes.

2.2 Authorized Users. Customer may permit its Authorized Users to access and use the Services, provided that Customer shall be responsible for all acts and omissions of its Authorized Users. Customer shall ensure that each Authorized User complies with the terms of this Agreement.

2.3 Usage Limits. Customer's use of the Services is subject to the usage limitations specified in the applicable Order Form, including but not limited to the number of seats, API calls, transaction volumes, storage capacity, and AI Feature usage tiers.

2.4 Provisioning. Provider shall provision Customer's access to the Services within [____] business days following execution of the applicable Order Form. Provider shall provide Customer with login credentials and configuration instructions.

2.5 Service Modifications. Provider may update the Services from time to time, provided that such updates do not materially diminish the core functionality of the Services during the applicable Subscription Term. Provider shall provide Customer with at least thirty (30) days' prior written notice of any material changes.


ARTICLE 3. IMPLEMENTATION AND SUPPORT

3.1 Implementation Services. Provider shall deliver implementation, configuration, data migration, and onboarding assistance as described in the applicable Statement of Work (Schedule PS-1). Implementation milestones and acceptance criteria shall be set forth therein.

3.2 Technical Support. Provider shall provide technical support to Customer in accordance with the Support Policy attached as Schedule SUP-1. Support levels, response times, and escalation procedures are defined therein.

3.3 Service Level Agreement. Provider shall maintain the service levels specified in Schedule SLA-1, including uptime guarantees, performance benchmarks, and response time commitments. Service credits for failure to meet service levels shall be calculated as set forth in Schedule SLA-1.

3.4 Training. Provider shall make available training materials and, upon request, conduct training sessions to enable Customer's Authorized Users to effectively use the Services, including the AI Features. Training scope and fees, if any, shall be specified in the applicable Order Form.


ARTICLE 4. FEES AND PAYMENT

4.1 Fees. Customer shall pay Provider the fees specified in each Order Form (the "Fees"). Unless otherwise stated in the Order Form, all Fees are non-refundable and non-cancellable.

4.2 Invoicing and Payment. Provider shall invoice Customer [☐ in advance / ☐ in arrears / ☐ as specified in Order Form] on a [☐ monthly / ☐ quarterly / ☐ annual] basis. All invoices are due and payable within [____] days of the invoice date. Payments shall be made in [________________________________] (currency) by [☐ wire transfer / ☐ ACH / ☐ credit card / ☐ check].

4.3 Late Payments. Any undisputed amounts not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law, calculated from the date such payment was due until paid in full.

4.4 Taxes. All Fees are exclusive of taxes, levies, and duties. Customer shall be responsible for all sales, use, value-added, withholding, and other taxes and duties arising from this Agreement, excluding taxes based on Provider's net income.

4.5 Fee Disputes. Customer shall notify Provider in writing of any disputed invoice amounts within thirty (30) days of receipt. The Parties shall work in good faith to resolve the dispute. Undisputed amounts remain due and payable during the dispute resolution period.

4.6 Suspension for Non-Payment. If Customer fails to pay any undisputed Fees within [____] days after Provider's written notice of such delinquency, Provider may suspend Customer's access to the Services until all outstanding amounts are paid, without liability to Customer. Provider shall provide at least ten (10) days' prior written notice before any suspension.


ARTICLE 5. PROPRIETARY RIGHTS AND INTELLECTUAL PROPERTY

5.1 Provider Ownership. Provider retains all right, title, and interest in and to the Services, Documentation, AI Models, algorithms, software, and all related intellectual property rights. Nothing in this Agreement transfers ownership of any Provider intellectual property to Customer.

5.2 Customer Data Ownership. Customer retains all right, title, and interest in and to Customer Data. Provider acquires no ownership rights in Customer Data under this Agreement.

5.3 License to Customer Data. Customer grants Provider a limited, non-exclusive, worldwide license to access, use, process, copy, store, transmit, and display Customer Data solely to the extent necessary to provide the Services, comply with applicable law, and perform Provider's obligations under this Agreement.

5.4 Feedback. If Customer provides suggestions, enhancement requests, recommendations, or other feedback regarding the Services ("Feedback"), Provider may freely use, incorporate, and commercialize such Feedback without obligation or compensation to Customer, provided that Provider shall not disclose Customer's Confidential Information in connection with any such use.

5.5 Aggregate and De-Identified Data. Provider may create and use aggregate, anonymized, or de-identified data derived from Customer's use of the Services for purposes of improving the Services, benchmarking, analytics, and product development, provided that such data cannot reasonably be used to identify Customer or any individual.


ARTICLE 6. CUSTOMER OBLIGATIONS

6.1 Acceptable Use. Customer shall not, and shall not permit any Authorized User to:

(a) Copy, modify, adapt, translate, reverse engineer, decompile, disassemble, or create derivative works based on the Services;

(b) Access or use the Services to build a competing product or service;

(c) Bypass, disable, or circumvent any security, authentication, or access control features of the Services;

(d) Upload, transmit, or store any malicious code, virus, worm, or other harmful content;

(e) Use the Services in violation of any applicable law, regulation, or third-party right;

(f) Sublicense, resell, rent, lease, or otherwise make the Services available to any third party except as expressly permitted herein;

(g) Exceed the usage limits specified in the applicable Order Form without prior written agreement and payment of applicable excess usage fees.

6.2 Data Accuracy. Customer is solely responsible for the accuracy, quality, integrity, legality, and reliability of all Customer Data. Customer represents and warrants that it has all necessary rights, consents, and authorizations to provide Customer Data to Provider for processing in connection with the Services.

6.3 Credential Security. Customer shall maintain the confidentiality and security of all login credentials and access tokens. Customer shall promptly notify Provider of any known or suspected unauthorized access to Customer's account.

6.4 Compliance. Customer shall use the Services in compliance with all applicable laws, regulations, and industry standards, including data protection and privacy laws applicable to Customer's processing of Personal Data through the Services.


ARTICLE 7. CONFIDENTIALITY

7.1 Obligations. Each Party (the "Receiving Party") shall: (a) hold the other Party's (the "Disclosing Party's") Confidential Information in strict confidence; (b) not disclose such Confidential Information to any third party except to its employees, contractors, and advisors who have a need to know and are bound by confidentiality obligations at least as protective as those herein; and (c) use the Disclosing Party's Confidential Information only for purposes of performing its obligations or exercising its rights under this Agreement.

7.2 Exclusions. Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was lawfully known to the Receiving Party prior to disclosure; (c) is independently developed by the Receiving Party without use of the Disclosing Party's Confidential Information; or (d) is lawfully obtained from a third party without restriction on disclosure.

7.3 Compelled Disclosure. A Receiving Party may disclose Confidential Information to the extent required by applicable law, regulation, or valid legal process, provided that the Receiving Party shall: (a) provide the Disclosing Party with prompt written notice, to the extent legally permitted, so the Disclosing Party may seek a protective order; and (b) disclose only the minimum amount of Confidential Information reasonably necessary to comply.

7.4 Return or Destruction. Upon termination or expiration of this Agreement, or upon the Disclosing Party's written request, the Receiving Party shall promptly return or destroy all copies of the Disclosing Party's Confidential Information, except for copies retained in routine backup systems or as required by law, which shall remain subject to the confidentiality obligations herein.

7.5 Injunctive Relief. Each Party acknowledges that a breach of this Article 7 may cause irreparable harm for which monetary damages would be inadequate, and that the non-breaching Party shall be entitled to seek equitable relief, including injunction and specific performance, in addition to all other remedies available at law or in equity.


ARTICLE 8. WARRANTIES

8.1 Mutual Warranties. Each Party represents and warrants that: (a) it has the legal power and authority to enter into this Agreement; (b) the execution and performance of this Agreement does not conflict with any other agreement to which it is bound; and (c) this Agreement constitutes a valid and binding obligation enforceable in accordance with its terms.

8.2 Performance Warranty. Provider warrants that the Services shall perform materially in accordance with the Documentation during the Subscription Term. If the Services fail to conform to this warranty, Customer's exclusive remedy shall be for Provider to use commercially reasonable efforts to correct the non-conformance, or, if Provider is unable to do so within sixty (60) days of receiving written notice, Customer may terminate the affected Order Form and receive a pro-rata refund of prepaid Fees.

8.3 Security Warranty. Provider warrants that the Services shall be provided free of viruses, malware, and other malicious code, and that Provider maintains security measures consistent with industry standards and as further described in Schedule SEC-1.

8.4 Compliance Warranty. Provider warrants that the Services, including the AI Features, shall comply with all applicable laws and regulations in all material respects, including applicable data protection, consumer protection, and AI governance laws.

8.5 DISCLAIMER. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." PROVIDER HEREBY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE.


ARTICLE 9. INDEMNIFICATION

9.1 By Provider. Provider shall defend, indemnify, and hold harmless Customer and its officers, directors, employees, and agents from and against any and all third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to: (a) Provider's infringement or misappropriation of any third-party intellectual property right; (b) Provider's breach of its data protection or security obligations under this Agreement; (c) Algorithmic Discrimination in the AI Features caused by Provider's failure to exercise reasonable care; or (d) Provider's material breach of applicable law.

9.2 By Customer. Customer shall defend, indemnify, and hold harmless Provider and its officers, directors, employees, and agents from and against any and all third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to: (a) Customer Data, including any claim that Customer Data infringes a third-party right; (b) Customer's use of the Services in violation of this Agreement or applicable law; or (c) Customer's use of AI Outputs in a manner that violates applicable law.

9.3 Indemnification Procedures. The indemnified Party shall: (a) provide the indemnifying Party with prompt written notice of any claim; (b) grant the indemnifying Party sole control of the defense and settlement (provided the indemnifying Party shall not settle any claim that imposes obligations on the indemnified Party without the indemnified Party's prior written consent); and (c) provide reasonable cooperation at the indemnifying Party's expense.


ARTICLE 10. LIMITATION OF LIABILITY

10.1 Aggregate Cap. EXCEPT FOR EXCLUDED CLAIMS (DEFINED BELOW), EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED [____] TIMES THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

10.2 Consequential Damages Waiver. EXCEPT FOR EXCLUDED CLAIMS, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST REVENUE, LOST DATA, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

10.3 Excluded Claims. "Excluded Claims" means: (a) either Party's indemnification obligations under Article 9; (b) either Party's breach of Article 7 (Confidentiality); (c) Provider's breach of its data protection or security obligations; (d) Customer's breach of Article 6.1 (Acceptable Use); (e) either Party's gross negligence or willful misconduct; and (f) amounts owed under Article 4 (Fees and Payment).

10.4 Super Cap for Excluded Claims. Each Party's aggregate liability for Excluded Claims shall not exceed [____] times the total Fees paid or payable by Customer during the twenty-four (24) month period immediately preceding the event giving rise to the claim.

10.5 Essential Purpose. The limitations of liability set forth in this Article 10 shall apply to the maximum extent permitted by applicable law, even if any limited remedy specified in this Agreement fails of its essential purpose.


ARTICLE 11. TERM AND TERMINATION

11.1 Agreement Term. This Agreement commences on the Effective Date and continues until all Order Forms have expired or been terminated, unless earlier terminated in accordance with this Article 11.

11.2 Order Form Term. Each Order Form shall specify its initial Subscription Term. Unless otherwise stated in the Order Form, each Subscription Term shall automatically renew for successive periods of equal length unless either Party provides written notice of non-renewal at least [____] days prior to the end of the then-current term.

11.3 Termination for Cause. Either Party may terminate this Agreement or any Order Form by written notice if the other Party: (a) materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice; or (b) becomes the subject of bankruptcy, insolvency, receivership, or similar proceedings.

11.4 Termination for AI Regulatory Non-Compliance. Either Party may terminate this Agreement upon sixty (60) days' written notice if a change in applicable AI law or regulation renders the continued performance of the AI Features unlawful or commercially impracticable, and the Parties are unable to agree upon modifications to restore compliance within such sixty (60) day period.

11.5 Effect of Termination. Upon any termination or expiration:

(a) Customer's rights to access and use the Services shall immediately cease;

(b) Customer shall pay all outstanding Fees for Services rendered through the effective date of termination;

(c) Provider shall make Customer Data available for export in a standard, machine-readable format for a period of [____] days following termination, after which Provider may delete Customer Data;

(d) Each Party shall return or destroy the other Party's Confidential Information in accordance with Article 7.4;

(e) The following provisions shall survive: Articles 1, 5, 7, 8.5, 9, 10, 11.5, and 12-20.


PART B: AI GOVERNANCE CLAUSES


ARTICLE 12. AI SERVICES DEFINITION AND SCOPE

12.1 AI Services Description. The AI Features included in the Services are described in Schedule AI-1, which shall include, at minimum:

(a) A plain-language description of each AI Feature and its intended purpose;

(b) The type of AI Model used (e.g., supervised learning, unsupervised learning, reinforcement learning, generative AI, large language model);

(c) A description of the input data types required by each AI Feature;

(d) A description of the AI Output types produced;

(e) Known limitations, constraints, and failure modes;

(f) Whether any AI Feature constitutes a High-Risk AI Use.

12.2 Risk Classification. Provider shall classify each AI Feature according to the following risk tiers:

Minimal Risk -- AI Features that pose negligible risk of harm to individuals (e.g., spam filtering, document formatting)

Limited Risk -- AI Features that interact with individuals or generate content but do not make consequential decisions (e.g., chatbots, content recommendations)

High Risk -- AI Features that substantially contribute to decisions with legal or similarly significant effects on individuals (e.g., credit scoring, employment screening, insurance underwriting)

Prohibited -- AI Features that are prohibited under applicable law or this Agreement (e.g., social scoring, real-time biometric identification without consent)

12.3 New AI Features. Provider shall not deploy any new AI Feature or materially modify an existing AI Feature without providing Customer at least thirty (30) days' prior written notice and an updated Schedule AI-1. Customer shall have the right to reject any new or modified AI Feature within fifteen (15) days of receiving notice.


ARTICLE 13. AI MODEL TRANSPARENCY AND EXPLAINABILITY

13.1 Model Documentation. Provider shall maintain and make available to Customer, upon request, documentation for each AI Model that includes:

(a) A description of the model architecture, training methodology, and evaluation approach;

(b) Performance metrics, including accuracy, precision, recall, F1 scores, and other relevant measures;

(c) Information about the training data, including data sources, data types, data volume, and any known biases in the training data;

(d) A description of pre-processing, feature engineering, and post-processing techniques;

(e) Model version history and changelog.

13.2 Explainability Requirements. For High-Risk AI Uses, Provider shall:

(a) Provide explanations of individual AI Outputs upon Customer's reasonable request, including the principal factors and data inputs that influenced the output;

(b) Implement and maintain explainability methods appropriate to the AI Model type (e.g., SHAP values, LIME, attention mapping, feature importance rankings);

(c) Ensure that explanations are provided in a format understandable to non-technical stakeholders;

(d) Document any AI Outputs that cannot be explained and the reasons therefor.

13.3 Consumer-Facing Disclosures. Where AI Features interact directly with consumers or end users, Provider shall support Customer's ability to disclose: (a) that the consumer is interacting with an AI system; (b) the general nature and purpose of the AI system; and (c) how the consumer may request human review of any AI-generated decision, consistent with FTC Act guidance (15 U.S.C. Section 45) and the EU AI Act (Regulation (EU) 2024/1689, Article 50).


ARTICLE 14. AI BIAS TESTING AND FAIRNESS

14.1 Bias Testing Program. Provider shall implement and maintain a bias testing program that includes:

(a) Regular testing of AI Models for Algorithmic Discrimination across protected classes, conducted at least [☐ quarterly / ☐ semi-annually / ☐ annually];

(b) Use of recognized fairness metrics, including but not limited to demographic parity, equalized odds, predictive parity, and calibration across groups;

(c) Testing across intersectional demographic categories where feasible;

(d) Documentation and retention of all bias testing results for a minimum of three (3) years.

14.2 Bias Mitigation. Upon discovery of statistically significant bias in any AI Feature:

(a) Provider shall notify Customer within [____] business days;

(b) Provider shall implement remediation measures within [____] days;

(c) Provider shall provide Customer with a written remediation report describing the bias identified, root cause analysis, and corrective actions taken;

(d) Customer may suspend use of the affected AI Feature pending remediation.

14.3 Third-Party Audits. Upon Customer's written request (no more than once per year), Provider shall engage a mutually agreed-upon independent third party to conduct a bias and fairness audit of the AI Features designated by Customer as High-Risk AI Uses. The costs of such audit shall be borne by [☐ Provider / ☐ Customer / ☐ shared equally].

14.4 Non-Discrimination Compliance. Provider represents and warrants that the AI Features are designed and tested to comply with applicable non-discrimination laws, including Title VII of the Civil Rights Act of 1964 (42 U.S.C. Section 2000e et seq.), the Americans with Disabilities Act (42 U.S.C. Section 12101 et seq.), the Age Discrimination in Employment Act (29 U.S.C. Section 621 et seq.), the Fair Housing Act (42 U.S.C. Section 3601 et seq.), and the Equal Credit Opportunity Act (15 U.S.C. Section 1691 et seq.), as applicable.


ARTICLE 15. AI DATA GOVERNANCE

15.1 Training Data Restrictions. Provider's use of Customer Data for AI training purposes shall be subject to the following (select one):

Option A (No Training): Provider shall NOT use Customer Data for any AI Model training, retraining, fine-tuning, or development purposes whatsoever.

Option B (Consent-Based Training): Provider may use Customer Data for AI Model training only upon Customer's prior written consent, which may be revoked at any time upon thirty (30) days' written notice.

Option C (Anonymized Only): Provider may use only aggregated, anonymized, and de-identified Customer Data for AI Model training, provided such data cannot reasonably be re-identified.

15.2 Data Lineage. Provider shall maintain data lineage records for all Training Data used in AI Models that process Customer Data, including:

(a) The source and provenance of Training Data;

(b) Data collection methods and consent mechanisms;

(c) Data processing and transformation steps;

(d) Data quality assessments and validation procedures;

(e) Data retention and deletion records.

15.3 Training Data Rights. Provider represents and warrants that it has obtained all necessary rights, licenses, consents, and authorizations to use all Training Data incorporated into the AI Models, and that such use does not infringe any third-party intellectual property rights, privacy rights, or other legal rights.

15.4 Data Segregation. Provider shall implement technical and organizational measures to ensure that Customer Data is logically segregated from other customers' data within the AI systems. Provider shall not use one customer's data to generate AI Outputs for another customer without explicit authorization.

15.5 Data Deletion. Upon termination of this Agreement, or upon Customer's written request, Provider shall delete or purge Customer Data from all AI training sets, model weights, and embeddings to the extent technically feasible. Provider shall certify in writing the completion of such deletion within [____] days of the request.


ARTICLE 16. AI OUTPUT OWNERSHIP AND INTELLECTUAL PROPERTY

16.1 AI Output Ownership. Ownership of AI Outputs shall be determined as follows:

Option A (Customer Owns): All AI Outputs generated using Customer Data or at Customer's direction shall be owned by Customer.

Option B (Provider Owns): All AI Outputs shall be owned by Provider, with Customer receiving a perpetual, non-exclusive license to use such outputs for its internal business purposes.

Option C (Joint Ownership): AI Outputs shall be jointly owned by the Parties, with each Party having the right to use, reproduce, and create derivative works without accounting to the other.

16.2 No Warranty of Originality. Provider makes no representation or warranty that AI Outputs are original, unique, or non-infringing. Customer acknowledges that AI Outputs may be similar or identical to outputs generated for other customers or third parties.

16.3 Customer Responsibility for AI Outputs. Customer is solely responsible for evaluating the accuracy, suitability, and legality of AI Outputs before use, publication, or reliance thereon. Customer shall not represent AI Outputs as human-generated work product where such representation would be misleading or unlawful.

16.4 IP Indemnification for AI Outputs. Provider's indemnification obligations under Article 9.1(a) extend to claims that AI Outputs generated by the Services infringe third-party intellectual property rights, subject to the exclusions and limitations set forth herein.


ARTICLE 17. AI PERFORMANCE METRICS AND BENCHMARKS

17.1 Performance Standards. Provider shall maintain AI Feature performance at or above the benchmarks specified in Schedule AI-1, which shall include, at minimum:

(a) Accuracy metrics (e.g., precision, recall, F1 score, AUC-ROC);

(b) Latency and throughput requirements;

(c) Availability and uptime targets specific to AI Features;

(d) Error rates and hallucination rates for generative AI models;

(e) Drift detection thresholds for model degradation.

17.2 Performance Monitoring. Provider shall continuously monitor AI Feature performance and provide Customer with:

(a) Real-time or near-real-time performance dashboards, where technically feasible;

(b) Monthly performance reports summarizing key metrics against benchmarks;

(c) Immediate notification of any material degradation in AI Feature performance below the agreed benchmarks.

17.3 Model Drift. Provider shall implement monitoring systems to detect concept drift, data drift, and model degradation. Upon detection of material drift that could impact AI Output quality or reliability, Provider shall:

(a) Notify Customer within [____] business days;

(b) Implement corrective measures, which may include model retraining or recalibration;

(c) Provide Customer with a written report describing the drift event and corrective actions.

17.4 Performance Remedies. If AI Features fail to meet the agreed performance benchmarks for [____] consecutive months, Customer may, in addition to any service credits under Schedule SLA-1: (a) require Provider to implement a remediation plan; (b) suspend use of the non-conforming AI Features without penalty; or (c) terminate the applicable Order Form and receive a pro-rata refund of prepaid Fees.


ARTICLE 18. AI SAFETY AND RISK ASSESSMENT

18.1 Impact Assessments. Prior to deploying any High-Risk AI Feature, and at least annually thereafter, Provider shall conduct an algorithmic impact assessment that evaluates:

(a) The purpose, intended use, and foreseeable misuse of the AI Feature;

(b) The categories of individuals affected and potential harms;

(c) Data inputs, sources, and quality;

(d) Measures taken to mitigate identified risks;

(e) Ongoing monitoring and evaluation plans;

(f) The results of bias and fairness testing under Article 14.

18.2 Risk Management Framework. Provider shall maintain a risk management policy and program conforming to NIST AI RMF 1.0 (or equivalent recognized framework) that includes:

(a) AI risk identification, assessment, and prioritization processes;

(b) Designated personnel responsible for AI risk management;

(c) Regular review and updating of the risk management program;

(d) Integration with Provider's broader enterprise risk management framework.

18.3 Safety Testing. Provider shall conduct adversarial testing, red-teaming, and safety evaluations of AI Models prior to deployment and following material updates, including testing for:

(a) Prompt injection and jailbreaking vulnerabilities;

(b) Unintended or harmful AI Outputs;

(c) Data leakage and privacy risks;

(d) Robustness under adversarial conditions;

(e) Edge cases and failure modes.

18.4 AI Guardrails. Provider shall implement technical safeguards ("guardrails") to prevent AI Features from:

(a) Generating illegal, harmful, or dangerous content;

(b) Disclosing Personal Data or Confidential Information from training data;

(c) Operating outside defined parameters and use cases;

(d) Making fully autonomous decisions in High-Risk AI Use scenarios without human oversight.


ARTICLE 19. HUMAN OVERSIGHT REQUIREMENTS

19.1 Human-in-the-Loop. For all High-Risk AI Uses, Provider shall ensure that:

(a) No AI Output constituting a consequential decision shall be implemented without meaningful human review by a qualified individual;

(b) The human reviewer has access to sufficient information to understand the basis for the AI Output;

(c) The human reviewer has the authority and ability to override, modify, or reject the AI Output;

(d) The AI system is designed to support, rather than supplant, human judgment.

19.2 Override Capability. Provider shall provide Customer with the ability to:

(a) Override or reverse individual AI Outputs;

(b) Disable specific AI Features without affecting other Services functionality;

(c) Escalate AI-related decisions to designated human reviewers;

(d) Configure the level of human oversight required for different AI Features and use cases.

19.3 Automation Bias Mitigation. Provider shall implement design features to reduce the risk of automation bias, including:

(a) Providing confidence scores or uncertainty indicators with AI Outputs;

(b) Presenting alternative options or recommendations where appropriate;

(c) Implementing periodic calibration exercises for human reviewers;

(d) Ensuring AI Outputs are presented in a manner that encourages independent human judgment.


ARTICLE 20. AI ETHICS AND RESPONSIBLE USE

20.1 Ethical Principles. Provider shall develop, maintain, and adhere to an AI ethics policy that addresses, at minimum:

(a) Fairness and non-discrimination;

(b) Transparency and explainability;

(c) Privacy and data protection;

(d) Safety and security;

(e) Accountability and governance;

(f) Human autonomy and oversight;

(g) Environmental sustainability of AI operations.

20.2 Prohibited AI Uses. Neither Party shall use the AI Features for:

(a) Social scoring or ranking of individuals based on social behavior or personal characteristics;

(b) Manipulation of individuals through subliminal or deceptive techniques;

(c) Exploitation of vulnerabilities of specific groups (e.g., children, persons with disabilities);

(d) Real-time biometric identification in publicly accessible spaces, except as required by law;

(e) Predictive policing based solely on profiling;

(f) Any purpose that violates applicable law or the terms of this Agreement.

20.3 Ethical Review Board. Provider shall maintain an internal AI ethics review process, which may include an ethics committee, ombudsperson, or similar governance mechanism, to review and address ethical concerns related to the AI Features.

20.4 Responsible Disclosure. Provider shall maintain a process for receiving and addressing reports of harmful, unethical, or unlawful AI behavior from customers, employees, researchers, and the public.


ARTICLE 21. AI REGULATORY COMPLIANCE

21.1 General Compliance. Provider shall monitor and comply with all applicable AI-specific laws and regulations, including but not limited to:

(a) United States Federal: FTC Act (15 U.S.C. Section 45), EEOC guidance on AI in employment, Executive Order 14110 on Safe, Secure, and Trustworthy AI, and any successor federal AI legislation;

(b) European Union: EU AI Act (Regulation (EU) 2024/1689), including high-risk system requirements effective August 2, 2026, and GPAI model obligations effective August 2, 2025;

(c) State-Specific Laws: Colorado AI Act (SB 24-205, C.R.S. Section 6-1-1701 et seq., effective February 1, 2026, as may be amended); Connecticut Data Privacy Act AI disclosure requirements (Conn. Gen. Stat. Section 42-515 et seq.); and other state AI laws as enacted;

(d) Industry-Specific Regulations: As applicable to Customer's industry, including regulations issued by the SEC, OCC, CFPB, HHS, and other regulatory bodies addressing AI use.

21.2 Regulatory Change Management. Provider shall:

(a) Monitor legislative and regulatory developments relating to AI in all jurisdictions where the Services are used;

(b) Notify Customer within thirty (30) days of any new law or regulation that materially affects the AI Features or Customer's use thereof;

(c) Implement necessary modifications to the AI Features to maintain compliance within the timeframes required by applicable law;

(d) Cooperate with Customer to assess the impact of regulatory changes on Customer's use of the Services.

21.3 Cross-Border Compliance. Where the Services are used across multiple jurisdictions, Provider shall support Customer's compliance with the most restrictive applicable AI requirements, unless the Parties agree to a jurisdiction-specific compliance approach documented in an addendum to this Agreement.


ARTICLE 22. AI MODEL UPDATES AND VERSION CONTROL

22.1 Version Control. Provider shall maintain a comprehensive version control system for all AI Models, including:

(a) Unique version identifiers for each AI Model release;

(b) Changelogs documenting modifications, improvements, and bug fixes;

(c) Retention of prior model versions for a minimum of [____] months following replacement;

(d) The ability to roll back to prior model versions upon Customer's request.

22.2 Update Notification. Provider shall provide Customer with:

(a) At least thirty (30) days' prior written notice of planned major AI Model updates (i.e., updates that materially change model behavior, output format, or performance characteristics);

(b) At least seven (7) days' prior notice of minor AI Model updates (i.e., bug fixes, security patches, incremental improvements);

(c) Updated Documentation reflecting changes in AI Model functionality.

22.3 Testing Window. For major AI Model updates, Provider shall provide Customer with access to a staging or sandbox environment for at least fifteen (15) days prior to production deployment, allowing Customer to test the updated AI Features for compatibility, accuracy, and compliance.

22.4 Opt-Out Rights. Customer shall have the right to opt out of or delay specific AI Model updates for a period of up to [____] days, provided that Provider shall not be obligated to maintain security patches or critical fixes in a deferred state and may require acceptance of such updates to maintain service levels.


ARTICLE 23. AI INCIDENT RESPONSE

23.1 AI Incident Definition. An "AI Incident" means any event involving the AI Features that results in, or reasonably could result in: (a) Algorithmic Discrimination; (b) material harm to individuals; (c) unauthorized disclosure of Personal Data or Confidential Information through AI Outputs; (d) AI Feature operation outside designed parameters; (e) material inaccuracy or unreliability of AI Outputs; or (f) violation of applicable law.

23.2 Incident Notification. Provider shall notify Customer of any AI Incident:

(a) Within twenty-four (24) hours of discovery for incidents involving Algorithmic Discrimination, unauthorized data disclosure, or material harm to individuals;

(b) Within seventy-two (72) hours for all other AI Incidents.

23.3 Incident Response Plan. Provider shall maintain an AI incident response plan that includes:

(a) Defined roles, responsibilities, and escalation procedures;

(b) Containment and mitigation procedures, including the ability to immediately disable affected AI Features;

(c) Root cause analysis procedures;

(d) Remediation and corrective action procedures;

(e) Communication protocols for notifying affected parties;

(f) Post-incident review and lessons-learned processes.

23.4 Incident Reporting. Following any AI Incident, Provider shall provide Customer with a written incident report within [____] business days that includes:

(a) A description of the incident and its scope;

(b) The root cause or probable cause;

(c) The corrective actions taken or planned;

(d) Measures implemented to prevent recurrence;

(e) Any regulatory notifications made or required.

23.5 Cooperation. Provider shall cooperate with Customer and any applicable regulatory authority in the investigation and resolution of AI Incidents, including providing access to relevant logs, data, and personnel.


ARTICLE 24. AI AUDIT RIGHTS

24.1 Customer Audit Rights. Customer, or its designated independent third-party auditor (subject to reasonable confidentiality obligations), shall have the right to audit Provider's AI governance practices, including:

(a) AI Model documentation and performance records;

(b) Bias testing results and remediation actions;

(c) Training data provenance and rights documentation;

(d) AI incident logs and response records;

(e) Compliance with the AI governance obligations set forth in this Agreement;

(f) Security controls applicable to AI systems.

24.2 Audit Frequency and Notice. Customer may conduct audits:

(a) Up to [☐ one (1) / ☐ two (2)] time(s) per calendar year during the Subscription Term;

(b) Upon at least thirty (30) days' prior written notice;

(c) At any time, without the frequency limitation above, following an AI Incident or a credible allegation of non-compliance.

24.3 Audit Procedures. Audits shall be conducted during Provider's normal business hours, in a manner that minimizes disruption to Provider's operations. Provider shall provide reasonable access to relevant facilities, systems, records, and personnel. Customer shall bear the costs of audits unless the audit reveals a material breach, in which case Provider shall bear the costs.

24.4 Audit Reports and Remediation. Provider shall address any findings of non-compliance identified in an audit report within [____] days, or such shorter period as may be required by the severity of the finding. Provider shall provide Customer with a remediation plan and progress updates until all findings are resolved.

24.5 Certifications and Reports. Provider shall make available to Customer, upon request:

(a) SOC 2 Type II reports covering AI systems;

(b) ISO/IEC 42001 certification (AI Management Systems), if obtained;

(c) ISO 27001 certification;

(d) Results of independent AI bias and fairness audits;

(e) Regulatory examination reports related to AI, to the extent permitted by law.


PART C: GENERAL PROVISIONS


ARTICLE 25. DATA PROTECTION

25.1 Data Processing Agreement. The Parties shall execute the Data Processing Agreement attached as Schedule DPA-1, which governs Provider's processing of Personal Data on behalf of Customer.

25.2 Security Program. Provider shall maintain a comprehensive information security program that includes administrative, technical, and physical safeguards designed to protect Customer Data, as described in Schedule SEC-1. Provider's security program shall be aligned with recognized frameworks, including SOC 2 Type II and ISO 27001.

25.3 Data Breach Notification. Provider shall notify Customer of any confirmed security breach involving Customer Data within the timeframe required by applicable law, and in no event later than seventy-two (72) hours after discovery. Provider shall cooperate with Customer in investigating and remediating any security breach.

25.4 Data Localization. Provider shall process and store Customer Data in the geographic locations specified in the Order Form or Schedule DPA-1. Provider shall not transfer Customer Data to a jurisdiction outside those specified without Customer's prior written consent.


ARTICLE 26. EXPORT CONTROL AND COMPLIANCE

26.1 Export Compliance. Each Party shall comply with all applicable export control and sanctions laws and regulations, including the Export Administration Regulations (15 C.F.R. Parts 730-774), the International Traffic in Arms Regulations (22 C.F.R. Parts 120-130), and sanctions administered by the Office of Foreign Assets Control (31 C.F.R. Part 500 et seq.).

26.2 Anti-Corruption. Each Party shall comply with applicable anti-corruption laws, including the Foreign Corrupt Practices Act (15 U.S.C. Section 78dd-1 et seq.) and the UK Bribery Act 2010.


ARTICLE 27. GOVERNING LAW AND DISPUTE RESOLUTION

27.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of [________________________________], without regard to its conflict of laws principles.

27.2 Venue. The Parties submit to the exclusive jurisdiction and venue of the state and federal courts located in [________________________________] for any dispute arising out of or relating to this Agreement.

27.3 Dispute Resolution. Prior to initiating any legal proceeding, the Parties shall attempt to resolve any dispute through good-faith negotiation between senior executives. If the dispute is not resolved within thirty (30) days of written notice, either Party may pursue its legal remedies.

27.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY WAIVES ANY RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS AGREEMENT.


ARTICLE 28. GENERAL TERMS

28.1 Notices. All notices under this Agreement shall be in writing and shall be deemed given when: (a) delivered personally; (b) sent by confirmed email to the addresses specified in the Order Form; (c) one (1) business day after deposit with a nationally recognized overnight courier; or (d) three (3) business days after mailing by certified or registered mail, return receipt requested.

28.2 Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except that either Party may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee assumes all obligations under this Agreement. Any purported assignment in violation of this section is void.

28.3 Force Majeure. Neither Party shall be liable for any delay or failure to perform due to causes beyond its reasonable control, including natural disasters, war, terrorism, pandemics, government orders, or infrastructure failures, provided that the affected Party provides prompt notice and uses commercially reasonable efforts to resume performance.

28.4 Entire Agreement. This Agreement, together with all Order Forms, Schedules, and Exhibits, constitutes the entire agreement between the Parties and supersedes all prior and contemporaneous agreements, proposals, and representations, whether written or oral.

28.5 Amendments. This Agreement may only be amended by a written instrument signed by both Parties.

28.6 Severability. If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

28.7 Waiver. No failure or delay in exercising any right under this Agreement shall operate as a waiver thereof. No single or partial exercise of any right shall preclude further exercise thereof.

28.8 Independent Contractors. The Parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, franchise, or employment relationship.

28.9 Third-Party Beneficiaries. This Agreement is for the sole benefit of the Parties and their permitted assigns. Nothing herein confers any rights on any third party.

28.10 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which shall constitute one agreement. Electronic signatures shall be deemed valid and binding.

28.11 Order of Precedence. In the event of a conflict between the terms of this Agreement and any Order Form, Schedule, or Exhibit, the following order of precedence shall apply (from highest to lowest priority): (a) the Data Processing Agreement; (b) this Agreement; (c) the applicable Order Form; (d) Schedules and Exhibits.


SCHEDULES AND EXHIBITS

Schedule OF-1: Order Form Template
Schedule SLA-1: Service Level Agreement
Schedule SUP-1: Support Policy
Schedule PS-1: Professional Services Statement of Work
Schedule DPA-1: Data Processing Agreement
Schedule AI-1: AI Feature Description and Controls
Schedule SEC-1: Security Controls and Compliance Certificates
Schedule AI-2: AI Model Documentation and Performance Benchmarks
Schedule AI-3: AI Bias Testing Protocol and Results
Schedule AI-4: AI Incident Response Plan


SIGNATURE BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel review completed
☐ AI governance review completed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

PROVIDER:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

CUSTOMER:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

SOURCES AND REFERENCES

  • EU AI Act (Regulation (EU) 2024/1689): https://artificialintelligenceact.eu/ai-act-explorer/
  • NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
  • FTC Act, 15 U.S.C. Section 45: https://www.law.cornell.edu/uscode/text/15/45
  • Executive Order 14110 on Safe, Secure, and Trustworthy AI: https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/
  • ISO/IEC 42001:2023 AI Management Systems: https://www.iso.org/standard/81230.html
  • Colorado AI Act (SB 24-205): https://leg.colorado.gov/bills/sb24-205
  • EEOC Guidance on AI in Employment: https://www.eeoc.gov/ai

About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026
