SaaS Master Service Agreement with AI Governance Clauses - Colorado

SAAS MASTER SERVICE AGREEMENT WITH AI GOVERNANCE CLAUSES

STATE OF COLORADO

THIS MASTER SERVICE AGREEMENT (this "Agreement") is entered into as of [__/__/____] (the "Effective Date") by and between:

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________];

and

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of Colorado, with its principal place of business at [________________________________].

Provider and Customer are each referred to herein as a "Party" and collectively as the "Parties."

RECITALS

WHEREAS, Provider has developed and operates a software-as-a-service platform that includes artificial intelligence and machine learning capabilities; and

WHEREAS, Customer desires to subscribe to and use Provider's Services, including AI-enabled features, subject to this Agreement and Colorado law, including the Colorado AI Act (SB 24-205) and the Colorado Privacy Act; and

WHEREAS, the Parties wish to establish comprehensive governance, transparency, and accountability standards for the AI components of the Services, consistent with the requirements of the Colorado AI Act;

NOW, THEREFORE, in consideration of the mutual covenants herein, the Parties agree as follows:

PART A: STANDARD MSA TERMS

ARTICLE 1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or automated decision-making capabilities incorporated into or accessible through the Services, as described in Schedule AI-1.

1.3 "AI Model" means any algorithm, neural network, statistical model, or computational system that underlies the AI Features.

1.4 "AI Output" means any content, prediction, recommendation, classification, decision, score, or other result generated by the AI Features.

1.5 "Algorithmic Discrimination" means, as defined in the Colorado AI Act (C.R.S. Section 6-1-1701(1)), any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or any other classification protected under the laws of this state or federal law.

1.6 "Authorized Users" means Customer's employees, contractors, and agents authorized to access the Services.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other that is designated as confidential or reasonably should be understood to be confidential.

1.8 "Consequential Decision" means, as defined in the Colorado AI Act (C.R.S. Section 6-1-1701(4)), a decision that has a material legal or similarly significant effect on the provision or denial of, or the cost or terms of: education enrollment or opportunity; employment or employment opportunity; financial or lending service; essential government service; healthcare services; housing; insurance; or a legal service.

1.9 "Customer Data" means all data, content, and information submitted by or on behalf of Customer or its Authorized Users to the Services.

1.10 "Deployer" means, as used in the Colorado AI Act, a person doing business in Colorado that deploys a high-risk AI system. Where Customer deploys AI Features that constitute a high-risk AI system, Customer is the "Deployer" and Provider is the "Developer" for purposes of the Colorado AI Act.

1.11 "Developer" means, as used in the Colorado AI Act, a person doing business in Colorado that develops or intentionally and substantially modifies an AI system. Provider may be deemed the "Developer" of AI Features under the Colorado AI Act.

1.12 "Documentation" means Provider's then-current user guides, technical specifications, and other materials describing the Services.

1.13 "High-Risk Artificial Intelligence System" means, as defined in the Colorado AI Act (C.R.S. Section 6-1-1701(6.5)), any AI system that, when deployed, makes, or is a substantial factor in making, a Consequential Decision.

1.14 "Order Form" means an ordering document specifying Services, term, fees, and usage limits.

1.15 "Personal Data" means information that is linked or reasonably linkable to an identified or identifiable individual, as defined in the Colorado Privacy Act (C.R.S. Section 6-1-1303(17)).

1.16 "Services" means the SaaS applications, AI Features, professional services, and support described in the Order Form.

1.17 "Training Data" means any data used to train, retrain, fine-tune, validate, or test an AI Model.

ARTICLE 2. SERVICES AND ACCESS

2.1 Subscription Grant. Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Subscription Term for internal business purposes.

2.2 Authorized Users. Customer may permit Authorized Users to access the Services. Customer is responsible for their compliance.

2.3 Usage Limits. Per Order Form limitations.

2.4 Provisioning. Access within [____] business days following Order Form execution.

2.5 Service Modifications. Updates without materially diminishing functionality. Thirty (30) days' notice for material changes.

ARTICLE 3. IMPLEMENTATION AND SUPPORT

3.1 Implementation Services. Per Schedule PS-1.

3.2 Technical Support. Per Schedule SUP-1.

3.3 Service Level Agreement. Per Schedule SLA-1.

3.4 Training. Materials and sessions available upon request, including training on Colorado AI Act compliance obligations for Deployers.

ARTICLE 4. FEES AND PAYMENT

4.1 Fees. Per Order Form. Non-refundable unless otherwise stated.

4.2 Invoicing. [☐ Advance / ☐ Arrears], [☐ monthly / ☐ quarterly / ☐ annual]. Due within [____] days.

4.3 Late Payments. Interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted under Colorado law (C.R.S. Section 5-12-101 et seq.).

4.4 Taxes. Fees exclude taxes. Customer is responsible for applicable Colorado state and local sales and use taxes. Colorado taxes SaaS as a taxable service in many jurisdictions; counsel should verify current taxability.

4.5 Fee Disputes. Written notice within thirty (30) days.

4.6 Suspension. Provider may suspend after [____] days' written notice of delinquent undisputed amounts.

ARTICLE 5. PROPRIETARY RIGHTS

5.1 Provider Ownership. Provider retains all rights in the Services, AI Models, and related intellectual property.

5.2 Customer Data Ownership. Customer retains all rights in Customer Data.

5.3 License to Customer Data. Limited license to process Customer Data solely for providing the Services.

5.4 Feedback. Provider may use Feedback without obligation, provided no Confidential Information is disclosed.

5.5 Aggregate Data. Provider may use aggregate, de-identified data per CPA standards.

ARTICLE 6. CUSTOMER OBLIGATIONS

6.1 Acceptable Use. Customer shall not: (a) reverse engineer; (b) build competing products; (c) bypass security; (d) upload malware; (e) violate law; (f) sublicense or resell; or (g) exceed usage limits.

6.2 Data Accuracy. Customer is responsible for Customer Data accuracy and legality.

6.3 Credential Security. Secure credentials; report unauthorized access promptly.

6.4 Compliance. Customer shall comply with all applicable laws, including the Colorado Consumer Protection Act (C.R.S. Section 6-1-101 et seq.), the Colorado Privacy Act, and the Colorado AI Act.

ARTICLE 7. CONFIDENTIALITY

7.1 Obligations. Strict confidence; disclosure only to those with need to know.

7.2 Exclusions. Public information, prior knowledge, independent development, lawful third-party receipt.

7.3 Compelled Disclosure. Permitted if required by law, with prompt notice.

7.4 Trade Secret Protection. Colorado Uniform Trade Secrets Act (C.R.S. Section 7-74-101 et seq.) governs trade secret claims. Remedies include injunctive relief (Section 7-74-103), damages and unjust enrichment (Section 7-74-104), and exemplary damages up to twice the award for willful and malicious misappropriation.

7.5 Return or Destruction. Upon termination, return or destroy.

7.6 Injunctive Relief. Breach may cause irreparable harm; equitable relief available.

ARTICLE 8. WARRANTIES

8.1 Mutual Warranties. Legal authority, no conflict, valid obligation.

8.2 Performance Warranty. Services perform materially per Documentation. Remedy: correction or termination with pro-rata refund after sixty (60) days.

8.3 Security Warranty. Free of malware; industry-standard security.

8.4 Compliance Warranty. Provider warrants compliance with applicable Colorado laws, including the Colorado AI Act and the CPA.

8.5 Colorado AI Act Warranty. Provider warrants that, to the extent the AI Features constitute a High-Risk Artificial Intelligence System, Provider has exercised reasonable care to protect consumers from any known or reasonably foreseeable risks of Algorithmic Discrimination, as required by the Colorado AI Act (C.R.S. Section 6-1-1702).

8.6 DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED, SERVICES ARE "AS IS." TO THE EXTENT PERMITTED BY COLORADO LAW, PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

ARTICLE 9. INDEMNIFICATION

9.1 By Provider. Indemnification for: (a) IP infringement; (b) breach of data protection; (c) Algorithmic Discrimination caused by Provider's failure to exercise reasonable care under the Colorado AI Act; (d) breach of Developer obligations under the Colorado AI Act; and (e) material breach of applicable law.

9.2 By Customer. Indemnification for: (a) Customer Data claims; (b) use in violation of Agreement or law; (c) Customer's breach of Deployer obligations under the Colorado AI Act; and (d) unlawful use of AI Outputs.

9.3 Procedures. Prompt notice, sole control, reasonable cooperation.

ARTICLE 10. LIMITATION OF LIABILITY

10.1 Aggregate Cap. [____] times Fees in twelve (12) months preceding the claim, excluding Excluded Claims.

10.2 Consequential Damages Waiver. No indirect, incidental, special, consequential, or punitive damages, excluding Excluded Claims.

10.3 Excluded Claims. Indemnification; confidentiality breach; data protection breach; acceptable use breach; Colorado AI Act violations; gross negligence or willful misconduct; amounts owed.

10.4 Super Cap. [____] times Fees in twenty-four (24) months for Excluded Claims.

10.5 Colorado Law. These limitations apply to the maximum extent permitted by Colorado law. A violation of the Colorado AI Act constitutes an unfair trade practice under the Colorado Consumer Protection Act (C.R.S. Section 6-1-105), which permits treble damages in certain circumstances. Nothing herein limits liability for violations of the Colorado Consumer Protection Act or the Colorado AI Act where limitation is prohibited.

ARTICLE 11. TERM AND TERMINATION

11.1 Agreement Term. Effective Date until all Order Forms expire or are terminated.

11.2 Order Form Term. Auto-renews unless [____] days' notice of non-renewal.

11.3 Termination for Cause. Material breach uncured within thirty (30) days.

11.4 Termination for AI Regulatory Non-Compliance. Either Party may terminate upon sixty (60) days' notice if changes to the Colorado AI Act or other applicable AI law render performance unlawful or commercially impracticable.

11.5 Effect of Termination. Access ceases; outstanding Fees due; Customer Data export for [____] days; Confidential Information returned; applicable articles survive.

PART B: AI GOVERNANCE CLAUSES -- COLORADO AI ACT COMPLIANCE

ARTICLE 12. AI SERVICES DEFINITION AND SCOPE

12.1 AI Services Description. Schedule AI-1 shall describe: (a) each AI Feature; (b) AI Model types; (c) inputs and outputs; (d) limitations; (e) whether the AI Feature constitutes a High-Risk Artificial Intelligence System under the Colorado AI Act; and (f) Provider's risk classification.

12.2 High-Risk Classification Under Colorado AI Act. The Parties shall jointly determine whether each AI Feature constitutes a High-Risk Artificial Intelligence System as defined in C.R.S. Section 6-1-1701(6.5). An AI Feature is high-risk if, when deployed, it makes, or is a substantial factor in making, a Consequential Decision. Schedule AI-1 shall identify all High-Risk AI Features and document the basis for each classification.

12.3 Risk Tiers.

☐ Minimal Risk -- AI Features not involved in Consequential Decisions

☐ Limited Risk -- AI Features with limited consumer interaction, not Consequential

☐ High Risk -- AI Features making or substantially contributing to Consequential Decisions (subject to full Colorado AI Act requirements)

☐ Prohibited -- AI Features prohibited under law or this Agreement

12.4 New AI Features. Thirty (30) days' notice and updated Schedule AI-1 required before deployment. Customer may reject within fifteen (15) days. For new High-Risk AI Features, Provider shall provide a Colorado AI Act compliance assessment prior to deployment.

ARTICLE 13. AI MODEL TRANSPARENCY AND EXPLAINABILITY -- DEVELOPER OBLIGATIONS

13.1 Developer Disclosures Under Colorado AI Act. As a Developer of High-Risk AI Features, Provider shall, pursuant to C.R.S. Section 6-1-1702, make available to Customer (as Deployer):

(a) A general description of the types of High-Risk Artificial Intelligence Systems that Provider develops or intentionally and substantially modifies, and the known or reasonably foreseeable uses of such systems;

(b) Documentation describing how the High-Risk AI System was evaluated for performance and mitigation of Algorithmic Discrimination before deployment, including the type of data used in the evaluation;

(c) Information concerning the data governance measures used in building the training data sets, including the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation;

(d) The intended outputs of the High-Risk AI System;

(e) The measures the Developer has taken to mitigate known or reasonably foreseeable risks of Algorithmic Discrimination;

(f) How the High-Risk AI System should be used, and how it should not be used;

(g) Information necessary for a Deployer to complete an impact assessment under C.R.S. Section 6-1-1703;

(h) Documentation sufficient to allow a Deployer to understand the outputs of the High-Risk AI System and monitor its performance for Algorithmic Discrimination.

13.2 Additional Model Documentation. Provider shall maintain and make available: (a) model architecture and methodology; (b) performance metrics; (c) training data information; (d) processing techniques; and (e) version history.

13.3 Consumer Interaction Disclosures. Where AI Features interact directly with consumers, Provider shall support Customer's obligation under C.R.S. Section 6-1-1703(4)(a) to disclose to consumers that the consumer is interacting with an AI system, unless it would be obvious to a reasonable person.

13.4 Adverse Decision Disclosures. Where a High-Risk AI Feature makes or is a substantial factor in making an adverse Consequential Decision, Provider shall support Customer's obligation under C.R.S. Section 6-1-1703(4)(b) to provide consumers with: (a) a statement that the AI system was used; (b) an explanation of the purpose of the AI system and its role in the decision; (c) contact information for the Deployer; and (d) a description of how the consumer may appeal the decision.

ARTICLE 14. AI BIAS TESTING AND FAIRNESS -- ALGORITHMIC DISCRIMINATION PREVENTION

14.1 Reasonable Care Standard. Provider shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of Algorithmic Discrimination arising from the AI Features, as required by C.R.S. Section 6-1-1702. Reasonable care by Provider as Developer is demonstrated by compliance with the requirements of C.R.S. Section 6-1-1702(2), including:

(a) Making available the Developer disclosures described in Article 13.1;

(b) Making available documentation describing how the High-Risk AI System was evaluated for performance and mitigation measures for Algorithmic Discrimination before deployment;

(c) Making available documentation describing the data governance measures used in building training data sets.

14.2 Deployer Reasonable Care Support. Provider shall support Customer's demonstration of reasonable care as Deployer under C.R.S. Section 6-1-1703, including Customer's:

(a) Implementation of a risk management policy and program governing deployment of the High-Risk AI System;

(b) Completion of an annual impact assessment as required by C.R.S. Section 6-1-1703(3);

(c) Review of AI Outputs for Algorithmic Discrimination before and during deployment;

(d) Disclosure obligations to consumers under C.R.S. Section 6-1-1703(4).

14.3 Annual Impact Assessment Support. Provider shall provide Customer with sufficient information to complete the annual impact assessment required by C.R.S. Section 6-1-1703(3), including:

(a) The purpose, intended use, and deployment context of the High-Risk AI System;

(b) An analysis of whether the system poses known or reasonably foreseeable risks of Algorithmic Discrimination;

(c) The categories of Personal Data processed as inputs or outputs;

(d) The metrics used to evaluate the system's performance and fairness;

(e) A description of the mitigation measures taken;

(f) The extent to which the system has been used in a manner consistent with, or inconsistent with, the Developer's documentation.

14.4 Bias Testing Program. Provider shall test AI Models for Algorithmic Discrimination at least [☐ quarterly / ☐ semi-annually / ☐ annually], using recognized fairness metrics, and retain results for three (3) years.

14.5 Bias Mitigation. Upon discovery of bias: (a) notify Customer within [____] business days; (b) remediate within [____] days; (c) provide written report; and (d) permit suspension.

14.6 Non-Discrimination Compliance. AI Features shall comply with: (a) Colorado Anti-Discrimination Act (C.R.S. Section 24-34-301 et seq.); (b) federal non-discrimination laws including Title VII, ADA, ADEA, Fair Housing Act, and ECOA.

14.7 Third-Party Audits. Annual audit by mutually agreed third party upon Customer's request. Costs borne by [☐ Provider / ☐ Customer / ☐ shared equally].

ARTICLE 15. AI DATA GOVERNANCE

15.1 Training Data Restrictions. Select one:

☐ Option A (No Training): No Customer Data for AI training.

☐ Option B (Consent-Based): Training only with written consent, revocable on thirty (30) days' notice.

☐ Option C (Anonymized Only): Only de-identified data per CPA standards.

15.2 Data Lineage. Provider shall maintain records on sources, methods, processing, quality, and retention.

15.3 Training Data Rights. Provider warrants all necessary rights.

15.4 Data Segregation. Logical segregation of Customer Data.

15.5 Data Deletion. Delete from training sets upon termination or request; certify within [____] days.

15.6 Colorado Privacy Act Data Governance. Where Customer Data includes Personal Data of Colorado consumers, Provider shall: (a) process only as directed by Customer; (b) support consumer rights (access, correction, deletion, portability, opt-out); (c) honor universal opt-out mechanisms; (d) not sell Personal Data or use for targeted advertising without consent; and (e) support data protection assessments for high-risk processing.

ARTICLE 16. AI OUTPUT OWNERSHIP

16.1 Ownership. Select one:

☐ Option A (Customer Owns): Customer owns AI Outputs.

☐ Option B (Provider Owns): Provider owns; perpetual license to Customer.

☐ Option C (Joint): Jointly owned.

16.2 No Originality Warranty. No representation of originality or non-infringement.

16.3 Customer Responsibility. Customer evaluates accuracy and legality.

16.4 IP Indemnification. Provider's indemnity extends to AI Output IP claims.

ARTICLE 17. AI PERFORMANCE METRICS

17.1 Performance Standards. Per Schedule AI-1.

17.2 Monitoring. Continuous; monthly reports.

17.3 Model Drift. Monitoring with notification, corrective measures, and report.

17.4 Remedies. Remediation plan, suspension, or termination with refund.

ARTICLE 18. AI SAFETY AND RISK ASSESSMENT

18.1 Impact Assessments. For High-Risk AI Features, Provider shall support Customer's annual impact assessment under C.R.S. Section 6-1-1703(3), as described in Article 14.3.

18.2 Risk Management. Provider shall maintain a risk management program conforming to NIST AI RMF 1.0 and aligned with the Colorado AI Act's reasonable care requirements.

18.3 Safety Testing. Adversarial testing, red-teaming, and safety evaluations.

18.4 AI Guardrails. Preventing: (a) illegal or harmful content; (b) training data leakage; (c) out-of-parameter operation; and (d) autonomous High-Risk decisions without human oversight.

ARTICLE 19. HUMAN OVERSIGHT

19.1 Human-in-the-Loop. For High-Risk AI Uses: (a) human review before Consequential Decisions; (b) sufficient information; (c) override authority; and (d) AI supports human judgment.

19.2 Override Capability. Override, disable, escalate, and configure oversight.

19.3 Appeal Process Support. Provider shall support Customer's implementation of the consumer appeal process required under C.R.S. Section 6-1-1703(4)(b), enabling consumers to appeal adverse Consequential Decisions made with the aid of AI.

19.4 Automation Bias Mitigation. Confidence scores, alternatives, and calibration exercises.

ARTICLE 20. AI ETHICS AND RESPONSIBLE USE

20.1 Ethical Principles. Fairness, transparency, privacy, safety, accountability, human oversight, environmental sustainability.

20.2 Prohibited Uses. No use for: (a) social scoring; (b) subliminal manipulation; (c) exploitation of vulnerable groups; (d) unauthorized biometric identification; (e) predictive policing; or (f) any purpose violating the Colorado AI Act or other applicable law.

ARTICLE 21. AI REGULATORY COMPLIANCE -- COLORADO AI ACT

21.1 Colorado AI Act Compliance. This is the cornerstone regulatory provision of this Agreement. Provider shall comply with the Colorado AI Act (SB 24-205, C.R.S. Section 6-1-1701 et seq.) as both a Developer and as a service provider supporting Customer as Deployer. Key obligations include:

(a) Developer Obligations (C.R.S. Section 6-1-1702): Using reasonable care to protect consumers from Algorithmic Discrimination; providing Developer disclosures to Deployers; making available evaluation and data governance documentation; providing contact information for Deployers to send notices of Algorithmic Discrimination;

(b) Deployer Support (C.R.S. Section 6-1-1703): Supporting Customer's risk management policy and program; providing information for annual impact assessments; supporting consumer disclosure and appeal obligations; supporting Customer's obligation to notify the Colorado Attorney General of discovered Algorithmic Discrimination within ninety (90) days;

(c) Enforcement Awareness: Violations of the Colorado AI Act constitute unfair trade practices under the Colorado Consumer Protection Act (C.R.S. Section 6-1-105). The Colorado Attorney General has exclusive enforcement authority. Provider acknowledges the potential for significant penalties;

(d) Effective Date Monitoring: The Colorado AI Act's implementation date was originally February 1, 2026, but was subsequently delayed to June 30, 2026, following a special legislative session in August 2025. Provider shall monitor for any further amendments.

21.2 Colorado Privacy Act Compliance. Provider shall comply with the Colorado Privacy Act (C.R.S. Section 6-1-1301 et seq.), including consumer rights, data protection assessments, and universal opt-out mechanisms.

21.3 Federal and International Compliance. Provider shall comply with: (a) FTC Act (15 U.S.C. Section 45); (b) EEOC guidance on AI; (c) Executive Order 14110; and (d) EU AI Act (Regulation (EU) 2024/1689), to the extent applicable.

21.4 Attorney General Notification Support. Provider shall cooperate with Customer's obligation under C.R.S. Section 6-1-1703(5) to notify the Colorado Attorney General within ninety (90) days of discovering that the High-Risk AI System has caused Algorithmic Discrimination. Provider shall promptly notify Customer of any indication that AI Features may have caused Algorithmic Discrimination.

21.5 Regulatory Change Management. Provider shall: (a) closely monitor Colorado AI Act amendments and rulemaking; (b) notify Customer within thirty (30) days of material changes; (c) implement modifications to maintain compliance; and (d) cooperate on regulatory impact assessment.

ARTICLE 22. AI MODEL UPDATES AND VERSION CONTROL

22.1 Version Control. Unique identifiers, changelogs, retention for [____] months, rollback.

22.2 Update Notification. Thirty (30) days for major; seven (7) days for minor; updated Documentation.

22.3 Testing Window. Fifteen (15) days in staging.

22.4 Opt-Out Rights. Delay up to [____] days, except security patches.

22.5 Colorado AI Act Reassessment. Following any major AI Model update, Provider shall reassess whether the updated model continues to comply with the Colorado AI Act's reasonable care requirements and update its Developer disclosures accordingly.

ARTICLE 23. AI INCIDENT RESPONSE

23.1 AI Incident Definition. Events resulting in Algorithmic Discrimination, material harm, unauthorized data disclosure, operation outside parameters, material inaccuracy, or law violation.

23.2 Incident Notification. Twenty-four (24) hours for Algorithmic Discrimination, data disclosure, or material harm; seventy-two (72) hours for others.

23.3 Colorado Data Breach Notification. If an AI Incident constitutes a security breach under C.R.S. Section 6-1-716, Provider shall: (a) notify Customer within thirty (30) days of determining that a breach has occurred; (b) cooperate with Customer's notification to the Colorado Attorney General for breaches affecting five hundred (500) or more Colorado residents; and (c) support notification to affected individuals.

23.4 Algorithmic Discrimination Discovery. If Provider discovers or reasonably believes that an AI Feature has caused Algorithmic Discrimination, Provider shall: (a) immediately notify Customer; (b) cooperate with Customer's investigation; (c) support Customer's ninety (90) day notification obligation to the Colorado Attorney General under C.R.S. Section 6-1-1703(5); and (d) implement remediation measures.

23.5 Incident Response Plan. Defined roles, containment, root cause analysis, remediation, communication, and post-incident review.

23.6 Incident Reporting. Written report within [____] business days.

23.7 Cooperation. Full cooperation with Customer, the Colorado Attorney General, and other regulators.

ARTICLE 24. AI AUDIT RIGHTS

24.1 Customer Audit Rights. Audit of AI documentation, bias testing, Developer disclosures, impact assessment support materials, training data provenance, incident logs, compliance, and security controls.

24.2 Audit Frequency. Up to [☐ one / ☐ two] time(s) per year; thirty (30) days' notice; any time after AI Incident or discovery of Algorithmic Discrimination.

24.3 Procedures. Normal business hours; minimize disruption; Customer bears costs unless material breach or Algorithmic Discrimination found.

24.4 Remediation. Address findings within [____] days.

24.5 Certifications. SOC 2 Type II; ISO/IEC 42001; ISO 27001; independent bias audits; Colorado AI Act compliance assessments.

PART C: GENERAL PROVISIONS

ARTICLE 25. DATA PROTECTION

25.1 Data Processing Agreement. Per Schedule DPA-1.

25.2 Security Program. SOC 2 Type II and ISO 27001 aligned.

25.3 Colorado Data Breach Notification. Per C.R.S. Section 6-1-716. Thirty (30) day notification.

25.4 Colorado Privacy Act Compliance. Consumer rights, data protection assessments, universal opt-out.

25.5 Data Localization. Per Order Form or Schedule DPA-1.

ARTICLE 26. GOVERNING LAW AND DISPUTE RESOLUTION

26.1 Governing Law. Laws of the State of Colorado, without regard to conflict of laws principles.

26.2 Venue. Exclusive jurisdiction in state and federal courts in [☐ Denver County / ☐ [________________________________]], Colorado.

26.3 Dispute Resolution. Good-faith negotiation for thirty (30) days before litigation.

26.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY COLORADO LAW, EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL. Note: Colorado courts generally enforce contractual jury waivers; counsel should confirm current case law.

26.5 Electronic Signatures. Per the Colorado Uniform Electronic Transactions Act (C.R.S. Section 24-71.3-101 et seq.).

ARTICLE 27. GENERAL TERMS

27.1 Notices. Written; deemed given upon personal delivery, confirmed email, one business day after overnight courier, or three business days after certified mail.

27.2 Assignment. No assignment without consent, except for merger, acquisition, or sale of substantially all assets.

27.3 Force Majeure. No liability for delays beyond reasonable control.

27.4 Entire Agreement. Complete agreement superseding prior negotiations.

27.5 Amendments. Written, signed by both Parties.

27.6 Severability. Invalid provisions severed.

27.7 Waiver. No failure or delay constitutes waiver.

27.8 Independent Contractors. No partnership, joint venture, or employment.

27.9 Counterparts. May be executed in counterparts.

27.10 Order of Precedence. (a) Data Processing Agreement; (b) this Agreement; (c) Order Form; (d) Schedules.

SCHEDULES AND EXHIBITS

☐ Schedule OF-1: Order Form Template
☐ Schedule SLA-1: Service Level Agreement
☐ Schedule SUP-1: Support Policy
☐ Schedule PS-1: Professional Services Statement of Work
☐ Schedule DPA-1: Data Processing Agreement
☐ Schedule AI-1: AI Feature Description, Controls, and Colorado AI Act Classification
☐ Schedule SEC-1: Security Controls and Compliance Certificates
☐ Schedule AI-2: Developer Disclosures (Colorado AI Act C.R.S. Section 6-1-1702)
☐ Schedule AI-3: Impact Assessment Support Documentation (C.R.S. Section 6-1-1703)
☐ Schedule AI-4: AI Bias Testing Protocol and Results

SIGNATURE BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel licensed in Colorado has reviewed this Agreement
☐ Colorado AI Act compliance review completed
☐ AI governance review completed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

PROVIDER:

CUSTOMER:

SOURCES AND REFERENCES

• Colorado AI Act (SB 24-205): https://leg.colorado.gov/bills/sb24-205
• Colorado AI Act Full Text: https://leg.colorado.gov/bill_files/47770/download
• Colorado Privacy Act (CPA): https://coag.gov/resources/colorado-privacy-act/
• C.R.S. Section 6-1-716 (Data Breach Notification): https://law.justia.com/codes/colorado/title-6/article-1/part-7/section-6-1-716/
• Colorado Consumer Protection Act: https://law.justia.com/codes/colorado/title-6/article-1/
• NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
• EU AI Act (Regulation (EU) 2024/1689): https://artificialintelligenceact.eu/ai-act-explorer/
• Colorado AI Act Compliance Guide: https://trustarc.com/resource/colorado-ai-law-sb24-205-compliance-guide/