SaaS Master Service Agreement with AI Governance Clauses - Alabama

SAAS MASTER SERVICE AGREEMENT WITH AI GOVERNANCE CLAUSES

STATE OF ALABAMA

THIS MASTER SERVICE AGREEMENT (this "Agreement") is entered into as of [__/__/____] (the "Effective Date") by and between:

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________];

and

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of Alabama, with its principal place of business at [________________________________].

Provider and Customer are each referred to herein as a "Party" and collectively as the "Parties."

RECITALS

WHEREAS, Provider has developed and operates a software-as-a-service platform that includes artificial intelligence and machine learning capabilities; and

WHEREAS, Customer desires to subscribe to and use Provider's Services, including AI-enabled features, subject to this Agreement and Alabama law; and

WHEREAS, the Parties wish to establish comprehensive AI governance standards that protect consumers, comply with existing Alabama law, and anticipate future Alabama AI regulation;

NOW, THEREFORE, in consideration of the mutual covenants herein, the Parties agree as follows:

PART A: STANDARD MSA TERMS

ARTICLE 1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or automated decision-making capabilities incorporated into or accessible through the Services, as described in Schedule AI-1.

1.3 "AI Model" means any algorithm, neural network, statistical model, or computational system that underlies the AI Features.

1.4 "AI Output" means any content, prediction, recommendation, classification, decision, score, or other result generated by the AI Features.

1.5 "Algorithmic Discrimination" means any condition in which the use of an AI system results in unlawful differential treatment or disparate impact on the basis of race, color, religion, sex, national origin, age, disability, or other characteristic protected under Alabama or federal law.

1.6 "Authorized Users" means Customer's employees, contractors, and agents authorized to access the Services.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other that is designated as confidential or reasonably should be understood to be confidential.

1.8 "Customer Data" means all data, content, and information submitted by or on behalf of Customer or its Authorized Users to the Services.

1.9 "Documentation" means Provider's then-current materials describing the Services.

1.10 "High-Risk AI Use" means any use of AI Features to make, or be a substantial factor in making, decisions with material legal or similarly significant effects on individuals, including employment, credit, insurance, housing, healthcare, education, or access to essential services.

1.11 "Order Form" means an ordering document specifying Services, term, fees, and usage limits.

1.12 "Sensitive Personally Identifying Information" means information as defined in the Alabama Data Breach Notification Act (Ala. Code Section 8-38-2), including an individual's first name or first initial and last name in combination with specified data elements (Social Security number, driver's license number, financial account numbers, medical or health information, user credentials) when not encrypted or redacted.

1.13 "Services" means the SaaS applications, AI Features, professional services, and support described in the Order Form.

1.14 "Training Data" means any data used to train, retrain, fine-tune, validate, or test an AI Model.

ARTICLE 2. SERVICES AND ACCESS

2.1 Subscription Grant. Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Subscription Term for internal business purposes.

2.2 Authorized Users. Customer may permit Authorized Users to access the Services. Customer is responsible for their compliance.

2.3 Usage Limits. Per Order Form.

2.4 Provisioning. Access within [____] business days following Order Form execution.

2.5 Service Modifications. Updates without materially diminishing functionality. Thirty (30) days' notice for material changes.

ARTICLE 3. IMPLEMENTATION AND SUPPORT

3.1 Implementation Services. Per Schedule PS-1.

3.2 Technical Support. Per Schedule SUP-1.

3.3 Service Level Agreement. Per Schedule SLA-1, including uptime, performance, and service credits.

3.4 Training. Materials and sessions available upon request.

ARTICLE 4. FEES AND PAYMENT

4.1 Fees. Per Order Form. Non-refundable unless otherwise stated.

4.2 Invoicing. [☐ Advance / ☐ Arrears], [☐ monthly / ☐ quarterly / ☐ annual]. Due within [____] days.

4.3 Late Payments. Interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted under Alabama law. Under Ala. Code Section 8-8-1, the legal rate of interest in Alabama is six percent (6%) per annum where no rate is specified. Parties may agree in writing to a higher rate, but courts may review for unconscionability.

4.4 Taxes. Fees exclude taxes. Customer is responsible for applicable Alabama state and local sales and use taxes. Alabama taxes SaaS as a taxable service in many cases; counsel should verify current guidance from the Alabama Department of Revenue.

4.5 Fee Disputes. Written notice within thirty (30) days.

4.6 Suspension. Provider may suspend after [____] days' written notice of delinquent undisputed amounts.

ARTICLE 5. PROPRIETARY RIGHTS

5.1 Provider Ownership. Provider retains all rights in the Services, AI Models, and related intellectual property.

5.2 Customer Data Ownership. Customer retains all rights in Customer Data.

5.3 License to Customer Data. Limited license to process Customer Data solely for providing the Services.

5.4 Feedback. Provider may use Feedback without obligation, provided no Confidential Information is disclosed.

5.5 Aggregate Data. Provider may use aggregate, anonymized data that cannot identify Customer or individuals.

ARTICLE 6. CUSTOMER OBLIGATIONS

6.1 Acceptable Use. Customer shall not: (a) reverse engineer the Services; (b) build competing products; (c) bypass security controls; (d) upload malware; (e) violate applicable law; (f) sublicense or resell; or (g) exceed usage limits.

6.2 Data Accuracy. Customer is responsible for the accuracy and legality of Customer Data.

6.3 Credential Security. Customer shall secure credentials and report unauthorized access promptly.

6.4 Compliance. Customer shall comply with all applicable laws, including the Alabama Deceptive Trade Practices Act (Ala. Code Section 8-19-1 et seq.).

ARTICLE 7. CONFIDENTIALITY

7.1 Obligations. Strict confidence; disclosure only to those with need to know who are bound by confidentiality.

7.2 Exclusions. Public information, prior knowledge, independent development, lawful third-party receipt.

7.3 Compelled Disclosure. Permitted if required by law, with prompt notice.

7.4 Trade Secret Protection. Alabama Trade Secrets Act (Ala. Code Section 8-27-1 et seq.) governs trade secret claims. Remedies include injunctive relief (Section 8-27-4), damages including unjust enrichment (Section 8-27-4), and exemplary damages not exceeding twice the award for willful and malicious misappropriation (Section 8-27-4(b)).

7.5 Return or Destruction. Upon termination, return or destroy Confidential Information.

7.6 Injunctive Relief. Breach may cause irreparable harm; equitable relief available.

ARTICLE 8. WARRANTIES

8.1 Mutual Warranties. Each Party warrants legal authority, no conflict, and binding obligation.

8.2 Performance Warranty. Services shall perform materially per Documentation. Customer's remedy is correction, or termination with pro-rata refund if uncorrectable within sixty (60) days.

8.3 Security Warranty. Free of malware; industry-standard security measures.

8.4 Compliance Warranty. Provider warrants compliance with applicable Alabama laws in all material respects.

8.5 DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED, SERVICES ARE "AS IS." TO THE EXTENT PERMITTED BY ALABAMA LAW, PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. ALABAMA COURTS GENERALLY ENFORCE REASONABLE WARRANTY DISCLAIMERS IN COMMERCIAL AGREEMENTS.

ARTICLE 9. INDEMNIFICATION

9.1 By Provider. Indemnification for: (a) IP infringement; (b) breach of data protection or security obligations; (c) Algorithmic Discrimination caused by Provider's failure to exercise reasonable care; and (d) material breach of applicable law.

9.2 By Customer. Indemnification for: (a) Customer Data claims; (b) use in violation of Agreement or law; and (c) unlawful use of AI Outputs.

9.3 Procedures. Prompt notice, sole control of defense, reasonable cooperation.

ARTICLE 10. LIMITATION OF LIABILITY

10.1 Aggregate Cap. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY'S TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED [____] TIMES THE FEES PAID OR PAYABLE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

10.2 Consequential Damages Waiver. EXCEPT FOR EXCLUDED CLAIMS, NO LIABILITY FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES.

10.3 Excluded Claims. Indemnification obligations; breach of confidentiality; breach of data protection; breach of acceptable use; gross negligence or willful misconduct; amounts owed under Article 4.

10.4 Super Cap. Each Party's aggregate liability for Excluded Claims shall not exceed [____] times the Fees paid or payable in the twenty-four (24) months preceding the claim.

10.5 Alabama Law. These limitations apply to the maximum extent permitted by Alabama law. Alabama courts generally enforce contractual limitation of liability provisions in arms-length commercial agreements. Nothing limits liability under the Alabama Deceptive Trade Practices Act (Ala. Code Section 8-19-1 et seq.) or other mandatory provisions where limitation is prohibited.

ARTICLE 11. TERM AND TERMINATION

11.1 Agreement Term. Commences on the Effective Date and continues until all Order Forms expire or terminate.

11.2 Order Form Term. Auto-renews unless either Party provides [____] days' notice of non-renewal.

11.3 Termination for Cause. Material breach uncured within thirty (30) days of written notice.

11.4 Termination for AI Regulatory Non-Compliance. Either Party may terminate upon sixty (60) days' notice if AI law changes render performance unlawful or commercially impracticable.

11.5 Effect of Termination. Access ceases; outstanding Fees due; Customer Data export for [____] days; Confidential Information returned or destroyed; applicable articles survive.

PART B: AI GOVERNANCE CLAUSES

ARTICLE 12. AI SERVICES DEFINITION AND SCOPE

12.1 AI Services Description. The AI Features included in the Services are described in Schedule AI-1, which shall include:

(a) A plain-language description of each AI Feature and its intended purpose;

(b) The type of AI Model used (e.g., supervised learning, generative AI, large language model);

(c) Input data types required by each AI Feature;

(d) AI Output types produced;

(e) Known limitations, constraints, and failure modes;

(f) Whether any AI Feature constitutes a High-Risk AI Use.

12.2 Risk Classification. Provider shall classify each AI Feature:

☐ Minimal Risk -- Negligible harm risk (e.g., spam filtering, document formatting)

☐ Limited Risk -- Consumer interaction without consequential decisions (e.g., chatbots, content recommendations)

☐ High Risk -- Decisions with legal or similarly significant effects (e.g., credit scoring, employment screening, insurance underwriting)

☐ Prohibited -- Prohibited under applicable law or this Agreement

12.3 New AI Features. Provider shall not deploy any new AI Feature or materially modify an existing AI Feature without providing Customer at least thirty (30) days' prior written notice and an updated Schedule AI-1. Customer may reject within fifteen (15) days.

ARTICLE 13. AI MODEL TRANSPARENCY AND EXPLAINABILITY

13.1 Model Documentation. Provider shall maintain and make available to Customer documentation for each AI Model, including: (a) model architecture and training methodology; (b) performance metrics (accuracy, precision, recall, F1); (c) training data sources and known biases; (d) pre-processing and post-processing techniques; and (e) model version history and changelog.

13.2 Explainability for High-Risk Uses. For High-Risk AI Uses, Provider shall:

(a) Provide explanations of individual AI Outputs upon Customer's reasonable request, including the principal factors and data inputs that influenced the output;

(b) Implement explainability methods appropriate to the AI Model type (e.g., SHAP values, LIME, feature importance rankings);

(c) Ensure explanations are provided in a format understandable to non-technical stakeholders;

(d) Document any AI Outputs that cannot be explained and the reasons therefor.

13.3 Consumer-Facing Disclosures. Where AI Features interact directly with consumers or end users, Provider shall support Customer's ability to disclose: (a) that the consumer is interacting with an AI system; (b) the general nature and purpose of the AI system; and (c) how the consumer may request human review of any AI-generated decision. These disclosure obligations are consistent with FTC Act guidance (15 U.S.C. Section 45) and best practices recommended by the Alabama Governor's Task Force on Generative AI.

13.4 Alabama AI Task Force. Provider acknowledges that Alabama Governor Kay Ivey established the Governor's Task Force on Generative Artificial Intelligence via Executive Order No. 738 (February 2024) to assess AI use in state government and recommend policies. Provider shall monitor and comply with any rules, regulations, policies, or guidance issued pursuant to the Task Force's recommendations, particularly as they relate to AI used by or on behalf of state agencies.

ARTICLE 14. AI BIAS TESTING AND FAIRNESS

14.1 Bias Testing Program. Provider shall implement and maintain a bias testing program that includes:

(a) Regular testing of AI Models for Algorithmic Discrimination across protected classes, conducted at least [☐ quarterly / ☐ semi-annually / ☐ annually];

(b) Use of recognized fairness metrics, including demographic parity, equalized odds, predictive parity, and calibration across groups;

(c) Testing across intersectional demographic categories where feasible;

(d) Documentation and retention of all bias testing results for a minimum of three (3) years.

14.2 Bias Mitigation. Upon discovery of statistically significant bias:

(a) Provider shall notify Customer within [____] business days;

(b) Provider shall implement remediation measures within [____] days;

(c) Provider shall provide Customer with a written remediation report;

(d) Customer may suspend use of the affected AI Feature pending remediation.

14.3 Alabama Non-Discrimination Compliance. Provider represents and warrants that the AI Features are designed and tested to comply with applicable non-discrimination laws, including:

(a) Alabama Age Discrimination Act (Ala. Code Section 25-1-20 et seq.);

(b) Alabama Equal Pay Act (Ala. Code Section 25-1-30);

(c) Federal non-discrimination laws including Title VII of the Civil Rights Act of 1964 (42 U.S.C. Section 2000e et seq.), the Americans with Disabilities Act (42 U.S.C. Section 12101 et seq.), the Age Discrimination in Employment Act (29 U.S.C. Section 621 et seq.), the Fair Housing Act (42 U.S.C. Section 3601 et seq.), and the Equal Credit Opportunity Act (15 U.S.C. Section 1691 et seq.).

14.4 Healthcare AI Restrictions. If AI Features are used in connection with health insurance coverage determinations, Provider shall comply with any enacted version of Alabama SB 63, which would prohibit health insurance companies from using exclusively artificial intelligence to make coverage determinations and require a human to make the final decision to deny or reduce coverage.

14.5 Third-Party Audits. Upon Customer's written request (no more than once per year), Provider shall engage a mutually agreed-upon independent third party to conduct a bias and fairness audit. Costs shall be borne by [☐ Provider / ☐ Customer / ☐ shared equally].

ARTICLE 15. AI DATA GOVERNANCE

15.1 Training Data Restrictions. Provider's use of Customer Data for AI training shall be subject to the following (select one):

☐ Option A (No Training): Provider shall NOT use Customer Data for any AI Model training, retraining, fine-tuning, or development purposes whatsoever.

☐ Option B (Consent-Based Training): Provider may use Customer Data for AI Model training only upon Customer's prior written consent, which may be revoked at any time upon thirty (30) days' written notice.

☐ Option C (Anonymized Only): Provider may use only aggregated, anonymized, and de-identified Customer Data for AI Model training, provided such data cannot reasonably be re-identified.

15.2 Data Lineage. Provider shall maintain data lineage records for all Training Data, including: (a) source and provenance; (b) collection methods and consent mechanisms; (c) processing and transformation steps; (d) quality assessments; and (e) retention and deletion records.

15.3 Training Data Rights. Provider represents and warrants that it has obtained all necessary rights, licenses, and consents to use all Training Data.

15.4 Data Segregation. Provider shall implement technical and organizational measures to ensure Customer Data is logically segregated from other customers' data.

15.5 Data Deletion. Upon termination or upon Customer's written request, Provider shall delete Customer Data from all AI training sets, model weights, and embeddings to the extent technically feasible. Provider shall certify such deletion within [____] days.

ARTICLE 16. AI OUTPUT OWNERSHIP AND INTELLECTUAL PROPERTY

16.1 AI Output Ownership. Select one:

☐ Option A (Customer Owns): All AI Outputs generated using Customer Data or at Customer's direction shall be owned by Customer.

☐ Option B (Provider Owns): All AI Outputs shall be owned by Provider, with Customer receiving a perpetual, non-exclusive license for internal business purposes.

☐ Option C (Joint Ownership): AI Outputs shall be jointly owned.

16.2 No Warranty of Originality. Provider makes no representation that AI Outputs are original, unique, or non-infringing.

16.3 Customer Responsibility. Customer is solely responsible for evaluating the accuracy, suitability, and legality of AI Outputs before use.

16.4 IP Indemnification. Provider's indemnification obligations extend to claims that AI Outputs infringe third-party intellectual property rights.

ARTICLE 17. AI PERFORMANCE METRICS AND BENCHMARKS

17.1 Performance Standards. Provider shall maintain AI Feature performance at or above benchmarks specified in Schedule AI-1, including: (a) accuracy metrics; (b) latency and throughput requirements; (c) availability targets; (d) error and hallucination rates; and (e) drift detection thresholds.

17.2 Performance Monitoring. Provider shall continuously monitor AI Feature performance and provide Customer with monthly reports summarizing key metrics against benchmarks.

17.3 Model Drift. Provider shall implement monitoring for concept drift, data drift, and model degradation. Upon detection: (a) notify Customer within [____] business days; (b) implement corrective measures; and (c) provide written report.

17.4 Performance Remedies. If AI Features fail benchmarks for [____] consecutive months, Customer may: (a) require a remediation plan; (b) suspend use without penalty; or (c) terminate the applicable Order Form with a pro-rata refund.

ARTICLE 18. AI SAFETY AND RISK ASSESSMENT

18.1 Impact Assessments. Prior to deploying any High-Risk AI Feature, and at least annually thereafter, Provider shall conduct an algorithmic impact assessment evaluating: (a) purpose and intended use; (b) categories of affected individuals and potential harms; (c) data inputs and quality; (d) mitigation measures; (e) monitoring plans; and (f) bias testing results.

18.2 Risk Management. Provider shall maintain a risk management program conforming to NIST AI RMF 1.0 or equivalent recognized framework.

18.3 Safety Testing. Provider shall conduct adversarial testing, red-teaming, and safety evaluations, testing for: (a) prompt injection vulnerabilities; (b) harmful outputs; (c) data leakage; (d) adversarial robustness; and (e) edge cases and failure modes.

18.4 AI Guardrails. Provider shall implement safeguards to prevent AI Features from: (a) generating illegal or harmful content; (b) disclosing Sensitive Personally Identifying Information from training data; (c) operating outside designed parameters; and (d) making fully autonomous decisions in High-Risk scenarios without human oversight.

ARTICLE 19. HUMAN OVERSIGHT REQUIREMENTS

19.1 Human-in-the-Loop. For all High-Risk AI Uses, Provider shall ensure that: (a) no AI Output constituting a consequential decision is implemented without meaningful human review; (b) the human reviewer has sufficient information; (c) the reviewer has authority to override or reject the AI Output; and (d) the AI system supports rather than supplants human judgment.

19.2 Override Capability. Provider shall enable Customer to: (a) override individual AI Outputs; (b) disable specific AI Features without affecting other Services; (c) escalate decisions to human reviewers; and (d) configure the level of human oversight.

19.3 Automation Bias Mitigation. Provider shall implement features to reduce automation bias, including confidence scores, alternative recommendations, and periodic calibration exercises.

ARTICLE 20. AI ETHICS AND RESPONSIBLE USE

20.1 Ethical Principles. Provider shall maintain an AI ethics policy addressing: (a) fairness and non-discrimination; (b) transparency and explainability; (c) privacy and data protection; (d) safety and security; (e) accountability and governance; (f) human autonomy and oversight; and (g) environmental sustainability.

20.2 Prohibited AI Uses. Neither Party shall use the AI Features for:

(a) Social scoring of individuals;

(b) Manipulation through subliminal or deceptive techniques;

(c) Exploitation of vulnerable populations;

(d) Unauthorized biometric identification;

(e) Predictive policing based solely on profiling;

(f) Creation or distribution of deceptive AI-generated media for election purposes in violation of Alabama HB 172 (2024);

(g) Creation of AI-generated sexual depictions of minors in violation of the Alabama Child Protection Act (2024);

(h) Any purpose violating applicable law.

20.3 Alabama Election Media Compliance. Provider shall ensure AI Features do not facilitate the creation or distribution of AI-generated deceptive media intended to influence elections or harm candidates in violation of Alabama HB 172 (2024), which imposes criminal penalties for distributing materially deceptive AI-generated media in the electoral context.

20.4 Child Protection. Provider shall ensure AI Features comply with the Alabama Child Protection Act (2024), which criminalizes the use of AI to create sexual depictions of children. Provider shall implement safeguards to prevent the AI Features from generating exploitative content of any kind.

ARTICLE 21. AI REGULATORY COMPLIANCE

21.1 Alabama AI Regulatory Framework. As of the Effective Date, Alabama has not enacted comprehensive AI-specific business regulation. Provider shall monitor and comply with all applicable Alabama laws affecting AI, including:

(a) Executive Order No. 738 (2024): Establishing the Governor's Task Force on Generative AI to assess state government AI use and recommend policies. Provider shall comply with any policies issued pursuant to the Task Force recommendations, particularly for government customer engagements;

(b) HB 172 (2024): Deceptive Election Media, prohibiting distribution of AI-generated materially deceptive media intended to influence elections;

(c) Alabama Child Protection Act (2024): Criminalizing AI-generated sexual depictions of children;

(d) SB 63 (2025, proposed): If enacted, prohibiting health insurers from using exclusively AI for coverage determinations;

(e) HB 324 (2025, proposed): If enacted, requiring age verification for AI chatbot interactions with minors and safety protocols for harmful intent detection;

(f) Ala. Code Section 8-38-1 et seq.: Alabama Data Breach Notification Act, as applied to AI system breaches;

(g) Ala. Code Section 8-19-1 et seq.: Alabama Deceptive Trade Practices Act, as applied to AI-driven consumer interactions.

21.2 Federal and International Compliance. Provider shall also comply with:

(a) FTC Act (15 U.S.C. Section 45) guidance on AI in commercial practices;

(b) EEOC guidance on AI in employment decisions;

(c) Executive Order 14110 on Safe, Secure, and Trustworthy AI;

(d) EU AI Act (Regulation (EU) 2024/1689), to the extent Customer's operations require compliance.

21.3 Regulatory Change Management. Provider shall: (a) closely monitor Alabama legislative activity regarding AI regulation; (b) notify Customer within thirty (30) days of any new Alabama AI law or regulation; (c) implement necessary modifications to the AI Features; and (d) cooperate with Customer to assess regulatory impact.

ARTICLE 22. AI MODEL UPDATES AND VERSION CONTROL

22.1 Version Control. Provider shall maintain a version control system including: (a) unique version identifiers; (b) changelogs; (c) retention of prior versions for [____] months; and (d) rollback capability.

22.2 Update Notification. (a) Thirty (30) days' notice for major updates; (b) seven (7) days for minor updates; (c) updated Documentation.

22.3 Testing Window. Fifteen (15) days in staging environment before major production deployment.

22.4 Opt-Out Rights. Customer may delay updates up to [____] days, except security patches.

ARTICLE 23. AI INCIDENT RESPONSE

23.1 AI Incident Definition. An "AI Incident" means any event involving AI Features that results in or could result in: (a) Algorithmic Discrimination; (b) material harm to individuals; (c) unauthorized disclosure of Sensitive Personally Identifying Information or Confidential Information; (d) operation outside designed parameters; (e) material inaccuracy or unreliability; or (f) violation of applicable law.

23.2 Incident Notification. Provider shall notify Customer: (a) within twenty-four (24) hours for incidents involving Algorithmic Discrimination, unauthorized data disclosure, or material harm; and (b) within seventy-two (72) hours for all other AI Incidents.

23.3 Alabama Data Breach Notification. If an AI Incident constitutes a breach of security under the Alabama Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.), Provider shall:

(a) Conduct a good faith and prompt investigation to determine the likelihood that Sensitive Personally Identifying Information has been or will be misused (Ala. Code Section 8-38-4);

(b) Notify Customer as expeditiously as possible and without unreasonable delay, but no later than forty-five (45) days from the determination that a breach has or is reasonably likely to have occurred (Ala. Code Section 8-38-5(a));

(c) Cooperate with Customer's notification obligations to the Alabama Attorney General when a breach affects more than one thousand (1,000) Alabama residents (Ala. Code Section 8-38-6);

(d) Cooperate with Customer's notification obligations to consumer reporting agencies when a breach affects more than one thousand (1,000) Alabama residents (Ala. Code Section 8-38-7);

(e) Maintain records of all breach investigations and notifications as required by law.

23.4 Incident Response Plan. Provider shall maintain an AI incident response plan including: (a) defined roles and escalation procedures; (b) containment and mitigation; (c) root cause analysis; (d) remediation and corrective action; (e) communication protocols; and (f) post-incident review.

23.5 Incident Reporting. Following any AI Incident, Provider shall provide Customer with a written report within [____] business days.

23.6 Cooperation. Provider shall cooperate fully with Customer and applicable regulatory authorities in investigating and resolving AI Incidents.

ARTICLE 24. AI AUDIT RIGHTS

24.1 Customer Audit Rights. Customer, or its designated independent third-party auditor, may audit Provider's AI governance practices, including: (a) AI Model documentation and performance records; (b) bias testing results and remediation actions; (c) training data provenance; (d) incident logs; (e) compliance with this Agreement; and (f) security controls.

24.2 Audit Frequency. Up to [☐ one (1) / ☐ two (2)] time(s) per calendar year with thirty (30) days' prior notice; at any time without the frequency limitation following an AI Incident.

24.3 Audit Procedures. Audits shall be conducted during normal business hours, minimizing disruption. Customer bears costs unless findings reveal material breach.

24.4 Remediation. Provider shall address non-compliance findings within [____] days.

24.5 Certifications. Provider shall make available: (a) SOC 2 Type II reports; (b) ISO/IEC 42001 certification, if obtained; (c) ISO 27001 certification; (d) independent bias audit results; and (e) regulatory examination reports.

PART C: GENERAL PROVISIONS

ARTICLE 25. DATA PROTECTION

25.1 Data Processing Agreement. The Parties shall execute the Data Processing Agreement attached as Schedule DPA-1.

25.2 Security Program. Provider shall maintain a security program aligned with SOC 2 Type II and ISO 27001 standards.

25.3 Alabama Data Breach Notification. Provider shall comply with the Alabama Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.), including the forty-five (45) day notification deadline and Attorney General notification requirements.

25.4 Data Localization. Per Order Form or Schedule DPA-1.

ARTICLE 26. GOVERNING LAW AND DISPUTE RESOLUTION

26.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Alabama, without regard to its conflict of laws principles.

26.2 Venue. The Parties submit to the exclusive jurisdiction and venue of the state and federal courts located in [☐ Jefferson County (Birmingham) / ☐ Montgomery County / ☐ Madison County (Huntsville) / ☐ [________________________________]], Alabama.

26.3 Dispute Resolution. Prior to initiating any legal proceeding, the Parties shall attempt to resolve any dispute through good-faith negotiation for thirty (30) days.

26.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY ALABAMA LAW, EACH PARTY HEREBY IRREVOCABLY WAIVES ANY RIGHT TO A TRIAL BY JURY IN ANY ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT. Note: Alabama courts have upheld contractual jury waivers in commercial agreements; however, counsel should review current Alabama case law, as the enforceability of jury waivers continues to develop.

26.5 Electronic Signatures. This Agreement may be executed electronically in accordance with the Alabama Uniform Electronic Transactions Act (Ala. Code Section 8-1A-1 et seq.).

ARTICLE 27. GENERAL TERMS

27.1 Notices. All notices shall be in writing and deemed given when delivered personally, sent by confirmed email, one (1) business day after deposit with overnight courier, or three (3) business days after mailing by certified or registered mail.

27.2 Assignment. Neither Party may assign without prior written consent, except in connection with a merger, acquisition, or sale of substantially all assets.

27.3 Force Majeure. Neither Party shall be liable for delays due to causes beyond reasonable control, including natural disasters (including tornados and severe storms common in Alabama), war, terrorism, pandemics, or government orders.

27.4 Entire Agreement. This Agreement, with all Order Forms, Schedules, and Exhibits, constitutes the complete agreement.

27.5 Amendments. Written, signed by both Parties.

27.6 Severability. Invalid provisions severed; remaining provisions continue in full force.

27.7 Waiver. No failure or delay constitutes waiver.

27.8 Independent Contractors. No partnership, joint venture, agency, or employment relationship.

27.9 Counterparts. May be executed in counterparts, each deemed an original. Electronic signatures valid per Ala. Code Section 8-1A-1 et seq.

27.10 Order of Precedence. (a) Data Processing Agreement; (b) this Agreement; (c) Order Form; (d) Schedules and Exhibits.

SCHEDULES AND EXHIBITS

☐ Schedule OF-1: Order Form Template
☐ Schedule SLA-1: Service Level Agreement
☐ Schedule SUP-1: Support Policy
☐ Schedule PS-1: Professional Services Statement of Work
☐ Schedule DPA-1: Data Processing Agreement
☐ Schedule AI-1: AI Feature Description and Controls
☐ Schedule SEC-1: Security Controls and Compliance Certificates
☐ Schedule AI-2: AI Model Documentation and Performance Benchmarks
☐ Schedule AI-3: AI Bias Testing Protocol and Results
☐ Schedule AI-4: AI Incident Response Plan

SIGNATURE BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel licensed in Alabama has reviewed this Agreement
☐ AI governance review completed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

PROVIDER:

CUSTOMER:

SOURCES AND REFERENCES

• Alabama Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.): https://law.justia.com/codes/alabama/title-8/chapter-38/
• Alabama Trade Secrets Act (Ala. Code Section 8-27-1 et seq.): https://law.justia.com/codes/alabama/title-8/chapter-27/
• Alabama Deceptive Trade Practices Act (Ala. Code Section 8-19-1 et seq.): https://law.justia.com/codes/alabama/title-8/chapter-19/
• Executive Order No. 738 (Governor's AI Task Force): https://governor.alabama.gov/wp-content/uploads/2024/02/EO-738-Artificial-Intelligence.pdf
• Alabama HB 172 (2024) Deceptive Election Media: https://www.akingump.com/en/insights/ai-law-and-regulation-tracker/Alabama-Passes-House-Bill-161
• Alabama AI Law Tracker: https://ai-law-center.orrick.com/alabama/
• EU AI Act (Regulation (EU) 2024/1689): https://artificialintelligenceact.eu/ai-act-explorer/
• NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework