SaaS Master Service Agreement with AI Governance Clauses - Arizona

SAAS MASTER SERVICE AGREEMENT WITH AI GOVERNANCE CLAUSES

STATE OF ARIZONA

THIS MASTER SERVICE AGREEMENT (this "Agreement") is entered into as of [__/__/____] (the "Effective Date") by and between:

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________];

and

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of Arizona, with its principal place of business at [________________________________].

Provider and Customer are each referred to herein as a "Party" and collectively as the "Parties."

RECITALS

WHEREAS, Provider has developed and operates a software-as-a-service platform that includes artificial intelligence and machine learning capabilities; and

WHEREAS, Customer desires to subscribe to and use Provider's Services, including AI-enabled features, subject to the terms and conditions set forth herein and in compliance with the laws of the State of Arizona; and

WHEREAS, the Parties wish to establish comprehensive governance, transparency, and accountability standards for the AI components of the Services;

NOW, THEREFORE, in consideration of the mutual covenants herein, and for other good and valuable consideration, the Parties agree as follows:

PART A: STANDARD MSA TERMS

ARTICLE 1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or automated decision-making capabilities incorporated into or accessible through the Services, as described in Schedule AI-1.

1.3 "AI Model" means any algorithm, neural network, statistical model, or computational system that underlies the AI Features.

1.4 "AI Output" means any content, prediction, recommendation, classification, decision, score, or other result generated by the AI Features.

1.5 "Algorithmic Discrimination" means any condition in which the use of an AI system results in unlawful differential treatment or disparate impact on the basis of race, color, religion, sex, national origin, age, disability, or other characteristic protected under Arizona or federal law.

1.6 "Authorized Users" means Customer's employees, contractors, and agents authorized to access and use the Services.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other that is designated as confidential or reasonably should be understood to be confidential.

1.8 "Customer Data" means all data, content, and information submitted by or on behalf of Customer or its Authorized Users to the Services.

1.9 "Documentation" means Provider's then-current user guides, technical specifications, and other written materials describing the Services.

1.10 "High-Risk AI Use" means any use of AI Features to make, or be a substantial factor in making, decisions that have material legal or similarly significant effects on individuals, including decisions related to employment, credit, insurance, housing, healthcare, education, or access to essential services.

1.11 "Order Form" means an ordering document executed by both Parties specifying the Services, subscription term, fees, and usage limits.

1.12 "Personal Information" means information as defined in A.R.S. Section 18-551, including an individual's first name or first initial and last name in combination with specified data elements when not encrypted, redacted, or secured.

1.13 "Services" means the SaaS applications, AI Features, professional services, and support services described in the Order Form and Documentation.

1.14 "Training Data" means any data used to train, retrain, fine-tune, validate, or test an AI Model.

ARTICLE 2. SERVICES AND ACCESS

2.1 Subscription Grant. Subject to this Agreement and the Order Form, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Subscription Term for Customer's internal business purposes.

2.2 Authorized Users. Customer may permit Authorized Users to access the Services. Customer is responsible for all acts and omissions of Authorized Users.

2.3 Usage Limits. Customer's use is subject to limitations specified in the Order Form, including seats, API calls, transaction volumes, storage capacity, and AI Feature usage tiers.

2.4 Provisioning. Provider shall provision Customer's access within [____] business days following Order Form execution.

2.5 Service Modifications. Provider may update the Services provided such updates do not materially diminish core functionality. Provider shall provide at least thirty (30) days' prior written notice of material changes.

ARTICLE 3. IMPLEMENTATION AND SUPPORT

3.1 Implementation Services. Provider shall deliver implementation and onboarding assistance as described in Schedule PS-1.

3.2 Technical Support. Provider shall provide technical support per Schedule SUP-1.

3.3 Service Level Agreement. Provider shall maintain service levels per Schedule SLA-1. Service credits for failures are calculated therein.

3.4 Training. Provider shall make training materials available and conduct training sessions upon request.

ARTICLE 4. FEES AND PAYMENT

4.1 Fees. Customer shall pay the Fees specified in each Order Form. Unless otherwise stated, all Fees are non-refundable.

4.2 Invoicing and Payment. Provider shall invoice Customer [☐ in advance / ☐ in arrears] on a [☐ monthly / ☐ quarterly / ☐ annual] basis. Invoices are due within [____] days.

4.3 Late Payments. Undisputed amounts not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law. Arizona has no statutory usury limit for commercial contracts (A.R.S. Section 44-1201 et seq. applies primarily to consumer transactions), but the Parties agree to the contractual rate specified herein.

4.4 Taxes. Fees exclude taxes. Customer is responsible for all applicable taxes, including Arizona Transaction Privilege Tax (TPT) applicable to Provider's business activities. Provider shall collect and remit applicable TPT where required.

4.5 Fee Disputes. Customer shall notify Provider in writing of disputed amounts within thirty (30) days.

4.6 Suspension for Non-Payment. Provider may suspend access after [____] days' written notice of delinquent undisputed amounts.

ARTICLE 5. PROPRIETARY RIGHTS AND INTELLECTUAL PROPERTY

5.1 Provider Ownership. Provider retains all right, title, and interest in the Services, Documentation, AI Models, and all related intellectual property.

5.2 Customer Data Ownership. Customer retains all right, title, and interest in Customer Data.

5.3 License to Customer Data. Customer grants Provider a limited license to process Customer Data solely to provide the Services.

5.4 Feedback. Provider may use Customer Feedback without obligation, provided it does not disclose Customer's Confidential Information.

5.5 Aggregate Data. Provider may create and use aggregate, anonymized data from Customer's usage that cannot reasonably identify Customer or individuals.

ARTICLE 6. CUSTOMER OBLIGATIONS

6.1 Acceptable Use. Customer shall not: (a) reverse engineer the Services; (b) build competing products using the Services; (c) bypass security controls; (d) upload malicious code; (e) use the Services in violation of Arizona or federal law; (f) sublicense or resell the Services; or (g) exceed usage limits.

6.2 Data Accuracy. Customer is responsible for the accuracy and legality of Customer Data.

6.3 Credential Security. Customer shall maintain credential confidentiality and promptly report unauthorized access.

6.4 Compliance. Customer shall use the Services in compliance with all applicable laws, including the Arizona Consumer Fraud Act (A.R.S. Section 44-1521 et seq.).

ARTICLE 7. CONFIDENTIALITY

7.1 Obligations. Each Party shall hold the other's Confidential Information in strict confidence and not disclose it except to those with a need to know who are bound by confidentiality obligations.

7.2 Exclusions. Standard exclusions for public information, prior knowledge, independent development, and third-party receipt.

7.3 Compelled Disclosure. Disclosure permitted if required by law, with prompt notice to the Disclosing Party.

7.4 Trade Secret Protection. Certain Confidential Information may constitute trade secrets under the Arizona Uniform Trade Secrets Act (A.R.S. Section 44-401 et seq.). This Agreement does not limit either Party's rights or remedies under the Arizona UTSA, including injunctive relief and exemplary damages for willful or malicious misappropriation (A.R.S. Section 44-403).

7.5 Return or Destruction. Upon termination, each Party shall return or destroy Confidential Information, except for required legal or backup copies.

7.6 Injunctive Relief. Breach of confidentiality may cause irreparable harm, entitling the non-breaching Party to equitable relief.

ARTICLE 8. WARRANTIES

8.1 Mutual Warranties. Each Party warrants: (a) legal authority to enter this Agreement; (b) no conflict with other agreements; and (c) valid and binding obligation.

8.2 Performance Warranty. The Services shall perform materially per the Documentation. Customer's remedy is correction or, if uncorrectable within sixty (60) days, termination with pro-rata refund.

8.3 Security Warranty. Services shall be free of malware and maintained with industry-standard security.

8.4 Compliance Warranty. Services shall comply with applicable Arizona and federal laws in all material respects.

8.5 DISCLAIMER. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES ARE PROVIDED "AS IS." TO THE EXTENT PERMITTED BY ARIZONA LAW, PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

ARTICLE 9. INDEMNIFICATION

9.1 By Provider. Provider shall indemnify Customer against third-party claims arising from: (a) IP infringement; (b) breach of data protection or security obligations; (c) Algorithmic Discrimination caused by Provider's failure to exercise reasonable care; or (d) material breach of applicable law.

9.2 By Customer. Customer shall indemnify Provider against claims arising from: (a) Customer Data; (b) use of Services in violation of this Agreement or law; or (c) use of AI Outputs in violation of law.

9.3 Procedures. Standard indemnification procedures: prompt notice, sole control of defense, and reasonable cooperation.

ARTICLE 10. LIMITATION OF LIABILITY

10.1 Aggregate Cap. EACH PARTY'S TOTAL AGGREGATE LIABILITY (EXCLUDING EXCLUDED CLAIMS) SHALL NOT EXCEED [____] TIMES THE FEES PAID OR PAYABLE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

10.2 Consequential Damages Waiver. EXCEPT FOR EXCLUDED CLAIMS, NO LIABILITY FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES.

10.3 Excluded Claims. Indemnification obligations; breach of confidentiality; breach of data protection; breach of acceptable use; gross negligence or willful misconduct; amounts owed under Article 4.

10.4 Super Cap. Liability for Excluded Claims shall not exceed [____] times the Fees paid or payable in the twenty-four (24) months preceding the claim.

10.5 Arizona Law. These limitations apply to the maximum extent permitted by Arizona law. Nothing limits liability that cannot be limited under A.R.S. Section 44-1521 et seq. (Consumer Fraud Act) or other mandatory provisions of Arizona law.

ARTICLE 11. TERM AND TERMINATION

11.1 Agreement Term. Commences on the Effective Date and continues until all Order Forms expire or are terminated.

11.2 Order Form Term. Auto-renews unless either Party provides [____] days' notice of non-renewal.

11.3 Termination for Cause. Either Party may terminate for material breach uncured within thirty (30) days of written notice.

11.4 Termination for AI Regulatory Non-Compliance. Either Party may terminate upon sixty (60) days' notice if AI law changes render performance unlawful or commercially impracticable.

11.5 Effect of Termination. Access ceases; Customer pays outstanding Fees; Provider exports Customer Data for [____] days; Confidential Information returned or destroyed; survival of applicable articles.

PART B: AI GOVERNANCE CLAUSES

ARTICLE 12. AI SERVICES DEFINITION AND SCOPE

12.1 AI Services Description. Schedule AI-1 shall include: (a) plain-language descriptions; (b) AI Model types; (c) input data types; (d) output types; (e) known limitations; and (f) High-Risk AI Use designations.

12.2 Risk Classification. Provider shall classify each AI Feature:

☐ Minimal Risk -- Negligible harm risk (e.g., spam filtering)

☐ Limited Risk -- Consumer interaction without consequential decisions (e.g., chatbots)

☐ High Risk -- Decisions with legal or similarly significant effects (e.g., credit scoring)

☐ Prohibited -- Prohibited under applicable law or this Agreement

12.3 New AI Features. Thirty (30) days' notice required before deployment of new or materially modified AI Features. Customer may reject within fifteen (15) days.

ARTICLE 13. AI MODEL TRANSPARENCY AND EXPLAINABILITY

13.1 Model Documentation. Provider shall maintain documentation including: (a) architecture and training methodology; (b) performance metrics; (c) training data information; (d) processing techniques; and (e) version history.

13.2 Explainability for High-Risk Uses. Provider shall: (a) explain individual AI Outputs upon request; (b) implement appropriate explainability methods; (c) provide explanations in accessible format; and (d) document unexplainable outputs.

13.3 Consumer-Facing Disclosures. Provider shall support Customer's disclosures that consumers are interacting with AI, the AI's purpose, and how to request human review. These obligations are consistent with FTC Act guidance (15 U.S.C. Section 45) and Arizona's approach to AI transparency.

13.4 Arizona AI Policy Compliance. Provider acknowledges Arizona's Statewide Generative AI Policy (2024), which establishes a comprehensive framework for responsible AI use in government operations. Where Customer is an Arizona government entity or contractor, Provider shall comply with applicable provisions of the Statewide AI Policy, including required transparency disclosures and risk assessments.

13.5 Medical Claims AI Transparency. If the AI Features are used in connection with health insurance claim processing, Provider shall comply with HB 2175 (2025), which restricts the use of AI in medical claim denials without human oversight. Provider shall ensure that no health insurance claim denial is based solely on AI output without qualified human review.

ARTICLE 14. AI BIAS TESTING AND FAIRNESS

14.1 Bias Testing Program. Provider shall: (a) test AI Models for Algorithmic Discrimination at least [☐ quarterly / ☐ semi-annually / ☐ annually]; (b) use recognized fairness metrics; (c) test across intersectional categories; and (d) retain results for three (3) years.

14.2 Bias Mitigation. Upon discovery of significant bias: (a) notify Customer within [____] business days; (b) remediate within [____] days; (c) provide written remediation report; and (d) permit suspension of affected AI Feature.

14.3 Arizona Non-Discrimination Compliance. Provider warrants that AI Features comply with: (a) Arizona Civil Rights Act (A.R.S. Title 41, Chapter 9); (b) Arizona Fair Housing Act provisions; (c) federal non-discrimination laws including Title VII (42 U.S.C. Section 2000e et seq.) and ADA (42 U.S.C. Section 12101 et seq.); and (d) Arizona's anti-deepfake laws (HB 2394, 2024) where AI-generated content could misrepresent individuals.

14.4 Third-Party Audits. Upon Customer's request (annual limit), Provider shall engage a mutually agreed auditor. Costs borne by [☐ Provider / ☐ Customer / ☐ shared equally].

ARTICLE 15. AI DATA GOVERNANCE

15.1 Training Data Restrictions. Select one:

☐ Option A (No Training): No Customer Data used for AI training.

☐ Option B (Consent-Based): Training only with Customer's prior written consent, revocable on thirty (30) days' notice.

☐ Option C (Anonymized Only): Only aggregated, anonymized data.

15.2 Data Lineage. Provider shall maintain lineage records for Training Data, including sources, collection methods, processing steps, quality assessments, and retention records.

15.3 Training Data Rights. Provider warrants it has all necessary rights to use Training Data.

15.4 Data Segregation. Technical and organizational measures shall ensure logical segregation of Customer Data.

15.5 Data Deletion. Upon termination or request, Provider shall delete Customer Data from AI training sets and certify deletion within [____] days.

ARTICLE 16. AI OUTPUT OWNERSHIP AND INTELLECTUAL PROPERTY

16.1 Ownership. Select one:

☐ Option A (Customer Owns): AI Outputs generated using Customer Data are Customer's property.

☐ Option B (Provider Owns): Provider owns AI Outputs; Customer receives perpetual license.

☐ Option C (Joint): Jointly owned.

16.2 No Warranty of Originality. No representation that AI Outputs are original or non-infringing.

16.3 Customer Responsibility. Customer shall evaluate AI Output accuracy and legality before use.

16.4 IP Indemnification. Provider's indemnity extends to IP claims related to AI Outputs.

ARTICLE 17. AI PERFORMANCE METRICS AND BENCHMARKS

17.1 Performance Standards. Provider shall maintain AI Feature performance per Schedule AI-1 benchmarks, including accuracy, latency, availability, error rates, and drift thresholds.

17.2 Performance Monitoring. Continuous monitoring with monthly reports.

17.3 Model Drift. Provider shall monitor for drift and, upon material detection: (a) notify Customer within [____] business days; (b) implement corrective measures; and (c) provide written report.

17.4 Performance Remedies. If benchmarks fail for [____] consecutive months: (a) require remediation plan; (b) suspend use without penalty; or (c) terminate with pro-rata refund.

ARTICLE 18. AI SAFETY AND RISK ASSESSMENT

18.1 Impact Assessments. Provider shall conduct algorithmic impact assessments for High-Risk AI Features initially and annually, evaluating purpose, affected individuals, data quality, mitigation measures, monitoring plans, and bias results.

18.2 Risk Management. Provider shall maintain a program conforming to NIST AI RMF 1.0.

18.3 Safety Testing. Adversarial testing, red-teaming, and safety evaluations prior to deployment and following material updates, including tests for prompt injection, harmful outputs, data leakage, adversarial robustness, and edge cases.

18.4 AI Guardrails. Technical safeguards to prevent: (a) illegal or harmful content generation; (b) data leakage from training data; (c) operation outside designed parameters; and (d) autonomous decisions in High-Risk scenarios without human oversight.

ARTICLE 19. HUMAN OVERSIGHT REQUIREMENTS

19.1 Human-in-the-Loop. For High-Risk AI Uses: (a) meaningful human review before consequential decisions; (b) sufficient information for the reviewer; (c) authority to override or reject; and (d) AI supports human judgment.

19.2 Override Capability. Customer can: (a) override AI Outputs; (b) disable specific AI Features; (c) escalate to human reviewers; and (d) configure oversight levels.

19.3 Automation Bias Mitigation. Confidence scores, alternative recommendations, and periodic calibration exercises.

ARTICLE 20. AI ETHICS AND RESPONSIBLE USE

20.1 Ethical Principles. Provider's AI ethics policy shall address fairness, transparency, privacy, safety, accountability, human oversight, and environmental sustainability.

20.2 Prohibited Uses. No use for: (a) social scoring; (b) subliminal manipulation; (c) exploitation of vulnerable groups; (d) unauthorized biometric identification; (e) profiling-based predictive policing; or (f) creation of deceptive media in violation of Arizona HB 2394 (2024).

20.3 Arizona Deepfake Compliance. Provider shall ensure AI Features do not facilitate the creation or distribution of materially deceptive AI-generated media in violation of Arizona law (HB 2394, 2024; SB 1359, 2024). Where AI Features generate synthetic images, audio, or video, Provider shall implement watermarking or metadata tagging to identify AI-generated content.

ARTICLE 21. AI REGULATORY COMPLIANCE

21.1 Arizona AI Regulatory Framework. Provider shall comply with all applicable Arizona AI-specific laws, including:

(a) HB 2394 (2024) -- Anti-Deepfake Law, restricting undisclosed use of AI-generated deceptive media;

(b) SB 1359 (2024) -- AI Political Disclosure Law, requiring disclosure of AI-generated content in political communications;

(c) HB 2175 (2025) -- AI in Medical Claims, restricting AI use in health insurance claim denials without human oversight;

(d) HB 2678 (2025) -- AI-Generated Child Exploitation, criminalizing AI-generated explicit images of minors;

(e) Arizona Statewide Generative AI Policy (2024) for government customer engagements;

(f) A.R.S. Section 18-551 et seq. (data breach notification as applied to AI systems);

(g) A.R.S. Section 44-1521 et seq. (Consumer Fraud Act as applied to AI-driven interactions).

21.2 Federal and International Compliance. Provider shall also comply with: (a) FTC Act (15 U.S.C. Section 45); (b) EEOC guidance on AI in employment; (c) Executive Order 14110 on AI; and (d) EU AI Act (Regulation (EU) 2024/1689), to the extent applicable.

21.3 Arizona Judicial Technology Competence. Provider acknowledges the Arizona Supreme Court's adoption of a judicial duty of technology competence (August 2025). Where Customer is a legal services provider subject to Arizona's rules of professional conduct, Provider shall support Customer's compliance with technology competence obligations as they relate to AI Features.

21.4 Regulatory Change Management. Provider shall: (a) monitor Arizona legislative developments; (b) notify Customer within thirty (30) days of material new laws; (c) implement necessary modifications; and (d) cooperate on regulatory impact assessment.

ARTICLE 22. AI MODEL UPDATES AND VERSION CONTROL

22.1 Version Control. Unique identifiers, changelogs, retention of prior versions for [____] months, and rollback capability.

22.2 Update Notification. Thirty (30) days for major updates; seven (7) days for minor updates; updated Documentation.

22.3 Testing Window. Fifteen (15) days in staging environment before major production deployment.

22.4 Opt-Out Rights. Customer may delay updates up to [____] days, except for security patches.

ARTICLE 23. AI INCIDENT RESPONSE

23.1 AI Incident Definition. Events resulting in Algorithmic Discrimination, material harm, unauthorized data disclosure, operation outside parameters, material inaccuracy, or violation of law.

23.2 Incident Notification. Twenty-four (24) hours for discrimination, data disclosure, or harm incidents; seventy-two (72) hours for others.

23.3 Arizona Data Breach Notification. If an AI Incident constitutes a security breach under A.R.S. Section 18-552, Provider shall comply with Arizona's notification requirements, including notifying affected individuals within forty-five (45) days of determining that a breach has occurred. Provider shall also notify the Arizona Attorney General if the breach affects more than one thousand (1,000) Arizona residents (A.R.S. Section 18-552(F)).

23.4 Incident Response Plan. Defined roles, containment, root cause analysis, remediation, communication, and post-incident review.

23.5 Incident Reporting. Written report within [____] business days.

23.6 Cooperation. Cooperation with Customer and regulatory authorities.

ARTICLE 24. AI AUDIT RIGHTS

24.1 Customer Audit Rights. Audit of AI governance practices including documentation, bias testing, training data, incident logs, compliance, and security controls.

24.2 Audit Frequency. Up to [☐ one / ☐ two] time(s) per year with thirty (30) days' notice; at any time following AI Incident.

24.3 Audit Procedures. Normal business hours; minimize disruption; Customer bears costs unless material breach found.

24.4 Remediation. Address findings within [____] days.

24.5 Certifications. SOC 2 Type II; ISO/IEC 42001; ISO 27001; independent bias audits; regulatory reports.

PART C: GENERAL PROVISIONS

ARTICLE 25. DATA PROTECTION

25.1 Data Processing Agreement. Per Schedule DPA-1.

25.2 Security Program. Provider maintains comprehensive security aligned with SOC 2 Type II and ISO 27001.

25.3 Arizona Data Breach Notification. Provider shall comply with A.R.S. Section 18-551 et seq. Provider shall notify Customer within forty-five (45) days of determining a breach has occurred.

25.4 Data Localization. Per Order Form or Schedule DPA-1.

ARTICLE 26. GOVERNING LAW AND DISPUTE RESOLUTION

26.1 Governing Law. Laws of the State of Arizona, without regard to conflict of laws principles.

26.2 Venue. Exclusive jurisdiction in state and federal courts in [☐ Maricopa County / ☐ [________________________________]], Arizona.

26.3 Dispute Resolution. Good-faith negotiation for thirty (30) days before litigation.

26.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY ARIZONA LAW, EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL IN ANY ACTION ARISING OUT OF THIS AGREEMENT.

26.5 Electronic Signatures. This Agreement may be executed electronically per the Arizona Electronic Transactions Act (A.R.S. Section 44-7001 et seq.).

ARTICLE 27. GENERAL TERMS

27.1 Notices. Written, deemed given upon personal delivery, confirmed email, one business day after overnight courier, or three business days after certified mail.

27.2 Assignment. No assignment without consent, except for merger, acquisition, or sale of substantially all assets.

27.3 Force Majeure. No liability for delays beyond reasonable control, including natural disasters, war, terrorism, pandemics, or government orders.

27.4 Entire Agreement. This Agreement, with Order Forms, Schedules, and Exhibits, is the entire agreement.

27.5 Amendments. Written and signed by both Parties.

27.6 Severability. Invalid provisions severed; remaining provisions continue.

27.7 Waiver. No failure or delay constitutes waiver.

27.8 Independent Contractors. No partnership, joint venture, or employment relationship.

27.9 Counterparts. May be executed in counterparts.

27.10 Order of Precedence. (a) Data Processing Agreement; (b) this Agreement; (c) Order Form; (d) Schedules and Exhibits.

SCHEDULES AND EXHIBITS

☐ Schedule OF-1: Order Form Template
☐ Schedule SLA-1: Service Level Agreement
☐ Schedule SUP-1: Support Policy
☐ Schedule PS-1: Professional Services Statement of Work
☐ Schedule DPA-1: Data Processing Agreement
☐ Schedule AI-1: AI Feature Description and Controls
☐ Schedule SEC-1: Security Controls and Compliance Certificates
☐ Schedule AI-2: AI Model Documentation and Performance Benchmarks
☐ Schedule AI-3: AI Bias Testing Protocol and Results

SIGNATURE BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel licensed in Arizona has reviewed this Agreement
☐ AI governance review completed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

PROVIDER:

CUSTOMER:

SOURCES AND REFERENCES

• A.R.S. Section 18-551 et seq. (Data Breach Notification): https://www.azleg.gov/arsDetail/?title=18
• A.R.S. Section 44-401 et seq. (Trade Secrets): https://www.azleg.gov/arsDetail/?title=44
• A.R.S. Section 44-1521 et seq. (Consumer Fraud Act): https://www.azleg.gov/arsDetail/?title=44
• Arizona Statewide Generative AI Policy: https://aset.az.gov
• Arizona Supreme Court Judicial Technology Competence Rule (2025): https://www.azcourts.gov
• HB 2394 (2024) Anti-Deepfake Law: https://www.azleg.gov
• HB 2175 (2025) AI in Medical Claims: https://www.azleg.gov
• EU AI Act (Regulation (EU) 2024/1689): https://artificialintelligenceact.eu/ai-act-explorer/
• NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework