SaaS Master Service Agreement with AI Governance Clauses - Connecticut

SAAS MASTER SERVICE AGREEMENT WITH AI GOVERNANCE CLAUSES

STATE OF CONNECTICUT

THIS MASTER SERVICE AGREEMENT (this "Agreement") is entered into as of [__/__/____] (the "Effective Date") by and between:

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________];

and

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of Connecticut, with its principal place of business at [________________________________].

Provider and Customer are each referred to herein as a "Party" and collectively as the "Parties."

RECITALS

WHEREAS, Provider has developed and operates a software-as-a-service platform that includes artificial intelligence and machine learning capabilities; and

WHEREAS, Customer desires to subscribe to and use Provider's Services, including AI-enabled features, subject to this Agreement and Connecticut law, including the Connecticut Data Privacy Act; and

WHEREAS, the Parties wish to establish comprehensive AI governance standards consistent with Connecticut's evolving approach to AI regulation;

NOW, THEREFORE, in consideration of the mutual covenants herein, the Parties agree as follows:

PART A: STANDARD MSA TERMS

ARTICLE 1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or automated decision-making capabilities incorporated into or accessible through the Services, as described in Schedule AI-1.

1.3 "AI Model" means any algorithm, neural network, statistical model, or computational system that underlies the AI Features.

1.4 "AI Output" means any content, prediction, recommendation, classification, decision, score, or other result generated by the AI Features.

1.5 "Algorithmic Discrimination" means any condition in which the use of an AI system results in unlawful differential treatment or disparate impact on the basis of race, color, religious creed, age, sex, gender identity or expression, marital status, national origin, ancestry, present or past history of mental disability, intellectual disability, learning disability, physical disability, or other characteristic protected under Connecticut law (Conn. Gen. Stat. Section 46a-60 et seq.).

1.6 "Authorized Users" means Customer's employees, contractors, and agents authorized to access the Services.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other that is designated as confidential or reasonably should be understood to be confidential.

1.8 "Consumer" means an individual who is a Connecticut resident acting in an individual or household context, as defined under the CTDPA.

1.9 "Customer Data" means all data, content, and information submitted by or on behalf of Customer or its Authorized Users to the Services.

1.10 "Documentation" means Provider's then-current materials describing the Services.

1.11 "High-Risk AI Use" means any use of AI Features to make, or be a substantial factor in making, decisions with material legal or similarly significant effects on individuals.

1.12 "Order Form" means an ordering document specifying Services, term, fees, and usage limits.

1.13 "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, as defined under the CTDPA (Conn. Gen. Stat. Section 42-515).

1.14 "Profiling" means any form of automated processing performed on Personal Data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, as defined under the CTDPA.

1.15 "Services" means the SaaS applications, AI Features, professional services, and support described in the Order Form.

1.16 "Training Data" means any data used to train, retrain, fine-tune, validate, or test an AI Model.

ARTICLE 2. SERVICES AND ACCESS

2.1 Subscription Grant. Non-exclusive, non-transferable, non-sublicensable right to access the Services for internal business purposes.

2.2 Authorized Users. Customer may permit Authorized Users; Customer is responsible for their compliance.

2.3 Usage Limits. Per Order Form.

2.4 Provisioning. Within [____] business days.

2.5 Service Modifications. Thirty (30) days' notice for material changes.

ARTICLE 3. IMPLEMENTATION AND SUPPORT

3.1 Implementation Services. Per Schedule PS-1.

3.2 Technical Support. Per Schedule SUP-1.

3.3 Service Level Agreement. Per Schedule SLA-1.

3.4 Training. Materials and sessions upon request.

ARTICLE 4. FEES AND PAYMENT

4.1 Fees. Per Order Form. Non-refundable unless otherwise stated.

4.2 Invoicing. [☐ Advance / ☐ Arrears], [☐ monthly / ☐ quarterly / ☐ annual]. Due within [____] days.

4.3 Late Payments. Interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted under Connecticut law. Under Conn. Gen. Stat. Section 37-3a, interest on money obligations is at the rate of interest of ten percent (10%) per year unless otherwise agreed. For commercial contracts, parties may contract for a higher rate subject to unconscionability limits.

4.4 Taxes. Fees exclude taxes. Customer is responsible for applicable Connecticut sales tax. Connecticut taxes SaaS as a taxable computer and data processing service (Conn. Gen. Stat. Section 12-407(a)(37)(A)); counsel should verify current guidance.

4.5 Fee Disputes. Written notice within thirty (30) days.

4.6 Suspension. Provider may suspend after [____] days' written notice of delinquent amounts.

ARTICLE 5. PROPRIETARY RIGHTS

5.1 Provider Ownership. All rights in Services, AI Models, and IP retained by Provider.

5.2 Customer Data Ownership. Customer retains all rights.

5.3 License to Customer Data. Limited license to process for providing Services.

5.4 Feedback. Provider may use without obligation; no Confidential Information disclosure.

5.5 Aggregate Data. De-identified, aggregate data may be used if not reasonably re-identifiable.

ARTICLE 6. CUSTOMER OBLIGATIONS

6.1 Acceptable Use. Standard restrictions: no reverse engineering, competing products, security bypass, malware, law violations, sublicensing, or exceeding limits.

6.2 Data Accuracy. Customer responsible for Customer Data.

6.3 Credential Security. Secure credentials; report unauthorized access.

6.4 Compliance. Customer shall comply with all applicable laws, including CUTPA (Conn. Gen. Stat. Section 42-110a et seq.) and the CTDPA.

ARTICLE 7. CONFIDENTIALITY

7.1 Obligations. Strict confidence; limited disclosure to those with need to know.

7.2 Exclusions. Standard exclusions.

7.3 Compelled Disclosure. Permitted with prompt notice.

7.4 Trade Secret Protection. Connecticut Uniform Trade Secrets Act (Conn. Gen. Stat. Section 35-50 et seq.) governs trade secret claims. Remedies include injunctive relief (Section 35-52), damages and unjust enrichment (Section 35-53), and exemplary damages not exceeding twice the award for willful and malicious misappropriation (Section 35-53(b)).

7.5 Return or Destruction. Upon termination.

7.6 Injunctive Relief. Available for breach.

ARTICLE 8. WARRANTIES

8.1 Mutual Warranties. Authority, no conflict, binding obligation.

8.2 Performance Warranty. Material conformance with Documentation. Remedy: correction or termination with pro-rata refund.

8.3 Security Warranty. Malware-free; industry-standard security.

8.4 Compliance Warranty. Provider warrants compliance with Connecticut laws, including the CTDPA and Public Act No. 25-113.

8.5 DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED, SERVICES ARE "AS IS." TO THE EXTENT PERMITTED BY CONNECTICUT LAW, PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. NOTE: CONNECTICUT'S CUTPA (CONN. GEN. STAT. SECTION 42-110A ET SEQ.) PROVIDES BROAD CONSUMER PROTECTIONS THAT MAY LIMIT THE ENFORCEABILITY OF CERTAIN DISCLAIMERS.

ARTICLE 9. INDEMNIFICATION

9.1 By Provider. Indemnification for: (a) IP infringement; (b) breach of data protection; (c) Algorithmic Discrimination caused by Provider's failure to exercise reasonable care; (d) breach of CTDPA or Public Act No. 25-113; and (e) material breach of applicable law.

9.2 By Customer. Indemnification for: (a) Customer Data claims; (b) violation of Agreement or law; (c) unlawful use of AI Outputs.

9.3 Procedures. Prompt notice, sole control, reasonable cooperation.

ARTICLE 10. LIMITATION OF LIABILITY

10.1 Aggregate Cap. [____] times Fees in twelve (12) months, excluding Excluded Claims.

10.2 Consequential Damages Waiver. No indirect damages, excluding Excluded Claims.

10.3 Excluded Claims. Indemnification; confidentiality breach; data protection breach; acceptable use breach; CTDPA violations; gross negligence or willful misconduct; amounts owed.

10.4 Super Cap. [____] times Fees in twenty-four (24) months for Excluded Claims.

10.5 Connecticut Law. Limitations apply per Connecticut law. CUTPA provides for punitive damages and attorneys' fees in appropriate cases (Conn. Gen. Stat. Section 42-110g). Nothing limits liability under CUTPA or other mandatory provisions.

ARTICLE 11. TERM AND TERMINATION

11.1 Agreement Term. Effective Date until all Order Forms expire or terminate.

11.2 Order Form Term. Auto-renews unless [____] days' notice.

11.3 Termination for Cause. Material breach uncured within thirty (30) days.

11.4 Termination for AI Regulatory Non-Compliance. Sixty (60) days' notice.

11.5 Effect of Termination. Access ceases; Fees due; Data export for [____] days; Confidential Information returned; survival provisions.

PART B: AI GOVERNANCE CLAUSES

ARTICLE 12. AI SERVICES DEFINITION AND SCOPE

12.1 AI Services Description. Schedule AI-1 shall describe: (a) each AI Feature; (b) AI Model types; (c) inputs and outputs; (d) limitations; and (e) High-Risk AI Use designations.

12.2 Risk Classification.

☐ Minimal Risk -- Negligible harm (e.g., spam filtering)

☐ Limited Risk -- Consumer interaction without consequential decisions

☐ High Risk -- Decisions with legal or significant effects

☐ Prohibited -- Prohibited under law or this Agreement

12.3 New AI Features. Thirty (30) days' notice; Customer may reject within fifteen (15) days.

ARTICLE 13. AI MODEL TRANSPARENCY AND EXPLAINABILITY

13.1 Model Documentation. Architecture, methodology, performance metrics, training data information, processing techniques, version history.

13.2 Explainability for High-Risk Uses. Explanations of individual AI Outputs upon request; appropriate methods; accessible format; documentation of unexplainable outputs.

13.3 Consumer-Facing Disclosures. Provider shall support Customer's disclosure obligations under the CTDPA, including: (a) disclosure that the consumer is interacting with an AI system; (b) disclosure of the general nature and purpose of the AI; and (c) availability of human review.

13.4 CTDPA AI Training Data Disclosure. Pursuant to Public Act No. 25-113 (2025), which amended the CTDPA, Provider shall disclose to Customer whether Provider uses Personal Data to train AI systems, specifically large language models (LLMs). If Provider uses Personal Data for AI training, Provider shall:

(a) Provide clear and conspicuous notice to consumers whose data is used;

(b) Describe the categories of Personal Data used for training;

(c) Describe the purposes of the AI training;

(d) Provide consumers with the opportunity to opt out of such use, where required;

(e) Maintain records of AI training data sources and consumer notices.

13.5 Connecticut AI Legislative Monitoring. Provider acknowledges that Connecticut has considered but not yet enacted comprehensive AI business regulation. The Connecticut Senate passed an AI transparency bill requiring companies to disclose AI use, but it did not advance further in the legislative session. Provider shall monitor and comply with any Connecticut AI legislation as enacted.

ARTICLE 14. AI BIAS TESTING AND FAIRNESS

14.1 Bias Testing Program. Provider shall: (a) test AI Models at least [☐ quarterly / ☐ semi-annually / ☐ annually]; (b) use fairness metrics; (c) test across intersectional categories; and (d) retain results for three (3) years.

14.2 Bias Mitigation. Notification within [____] business days; remediation within [____] days; written report; suspension available.

14.3 Connecticut Non-Discrimination Compliance. Provider warrants AI Features comply with: (a) Connecticut Fair Employment Practices Act (Conn. Gen. Stat. Section 46a-60 et seq.); (b) Connecticut Fair Housing Act (Conn. Gen. Stat. Section 46a-64b et seq.); (c) Connecticut Public Accommodations Act (Conn. Gen. Stat. Section 46a-64 et seq.); and (d) federal non-discrimination laws including Title VII (42 U.S.C. Section 2000e et seq.) and ADA (42 U.S.C. Section 12101 et seq.).

14.4 CTDPA Profiling Requirements. Where AI Features engage in Profiling that produces legal or similarly significant effects, Provider shall support Customer's compliance with the CTDPA's profiling provisions, including: (a) data protection assessments for profiling activities; (b) consumer opt-out rights for profiling; and (c) meaningful information about the logic involved.

14.5 Third-Party Audits. Annual audit upon Customer's request. Costs borne by [☐ Provider / ☐ Customer / ☐ shared equally].

ARTICLE 15. AI DATA GOVERNANCE

15.1 Training Data Restrictions. Select one:

☐ Option A (No Training): No Customer Data for AI training.

☐ Option B (Consent-Based): Training only with written consent, revocable on thirty (30) days' notice.

☐ Option C (Anonymized Only): Only de-identified data per CTDPA standards.

15.2 Data Lineage. Records on sources, methods, processing, quality, retention.

15.3 Training Data Rights. Provider warrants all necessary rights.

15.4 Data Segregation. Logical segregation.

15.5 Data Deletion. Delete from training sets upon termination or request; certify within [____] days.

15.6 CTDPA Data Governance. Where Customer Data includes Personal Data of Connecticut Consumers, Provider shall: (a) process only as directed by Customer; (b) support consumer rights (access, correction, deletion, portability, opt-out of sale, targeted advertising, and profiling); (c) honor universal opt-out mechanisms; (d) not sell Personal Data or use for targeted advertising without consent; and (e) support data protection assessments.

15.7 Public Act No. 25-113 Compliance. Provider shall comply with the disclosure requirements of Public Act No. 25-113 (2025) regarding the use of Personal Data to train AI systems, including LLMs. If Provider uses any Personal Data from the Services for AI training purposes, Provider shall provide the disclosures required by this Act and support Customer's compliance with consumer notification obligations.

ARTICLE 16. AI OUTPUT OWNERSHIP

16.1 Ownership. Select one:

☐ Option A (Customer Owns): Customer owns AI Outputs from Customer Data.

☐ Option B (Provider Owns): Provider owns; perpetual license to Customer.

☐ Option C (Joint): Jointly owned.

16.2 No Originality Warranty. No representation of originality or non-infringement.

16.3 Customer Responsibility. Customer evaluates accuracy and legality.

16.4 IP Indemnification. Provider's indemnity covers AI Output IP claims.

ARTICLE 17. AI PERFORMANCE METRICS

17.1 Performance Standards. Per Schedule AI-1.

17.2 Monitoring. Continuous; monthly reports.

17.3 Model Drift. Monitoring, notification, correction, and report.

17.4 Remedies. Remediation plan, suspension, or termination with refund.

ARTICLE 18. AI SAFETY AND RISK ASSESSMENT

18.1 Impact Assessments. For High-Risk AI Features, initially and annually.

18.2 Risk Management. NIST AI RMF 1.0 or equivalent.

18.3 Safety Testing. Adversarial testing, red-teaming, safety evaluations.

18.4 AI Guardrails. Preventing illegal content, data leakage, out-of-parameter operation, and autonomous High-Risk decisions.

ARTICLE 19. HUMAN OVERSIGHT

19.1 Human-in-the-Loop. For High-Risk AI Uses: meaningful human review, sufficient information, override authority, and AI supports judgment.

19.2 Override Capability. Override, disable, escalate, configure.

19.3 Automation Bias Mitigation. Confidence scores, alternatives, calibration exercises.

ARTICLE 20. AI ETHICS AND RESPONSIBLE USE

20.1 Ethical Principles. Fairness, transparency, privacy, safety, accountability, human oversight, environmental sustainability.

20.2 Prohibited Uses. No use for: (a) social scoring; (b) subliminal manipulation; (c) exploitation of vulnerable groups; (d) unauthorized biometric identification; (e) predictive policing; or (f) any purpose violating applicable law.

20.3 CUTPA Compliance. Provider acknowledges that AI-driven practices that are unfair, deceptive, or unconscionable may violate Connecticut's Unfair Trade Practices Act (Conn. Gen. Stat. Section 42-110b). Provider shall not use AI Features in a manner that constitutes an unfair or deceptive trade practice.

ARTICLE 21. AI REGULATORY COMPLIANCE

21.1 Connecticut AI and Privacy Regulatory Framework. Provider shall comply with all applicable Connecticut AI and privacy laws, including:

(a) Connecticut Data Privacy Act (CTDPA) (Conn. Gen. Stat. Section 42-515 et seq.), including: consumer rights (access, correction, deletion, portability, opt-out of sale, targeted advertising, and profiling); data protection assessments for high-risk processing including profiling; data minimization requirements; purpose limitation;

(b) Public Act No. 25-113 (2025) amending the CTDPA to require disclosure by businesses using Personal Data to train AI systems, specifically large language models;

(c) CUTPA (Conn. Gen. Stat. Section 42-110a et seq.) as applied to AI-driven consumer interactions;

(d) Conn. Gen. Stat. Section 36a-701b (data breach notification);

(e) Any future Connecticut AI legislation, including potential enactments of previously considered bills such as SB 2 (AI transparency), SB 1484 (AI in employment), or similar measures.

21.2 Federal and International Compliance. (a) FTC Act (15 U.S.C. Section 45); (b) EEOC guidance on AI; (c) Executive Order 14110; (d) EU AI Act (Regulation (EU) 2024/1689).

21.3 Regulatory Change Management. Monitor Connecticut AI developments; thirty (30) day notification of material changes; implement modifications; cooperate on impact assessment.

ARTICLE 22. AI MODEL UPDATES AND VERSION CONTROL

22.1 Version Control. Unique identifiers, changelogs, retention for [____] months, rollback.

22.2 Update Notification. Thirty (30) days major; seven (7) days minor; updated Documentation.

22.3 Testing Window. Fifteen (15) days staging before production.

22.4 Opt-Out Rights. Delay up to [____] days, except security patches.

ARTICLE 23. AI INCIDENT RESPONSE

23.1 AI Incident Definition. Algorithmic Discrimination, material harm, unauthorized data disclosure, out-of-parameter operation, material inaccuracy, or law violation.

23.2 Incident Notification. Twenty-four (24) hours for discrimination, data disclosure, or harm; seventy-two (72) hours for others.

23.3 Connecticut Data Breach Notification. If an AI Incident constitutes a breach of security under Conn. Gen. Stat. Section 36a-701b, Provider shall: (a) notify Customer without unreasonable delay; (b) cooperate with Customer's notification to the Connecticut Attorney General; and (c) support notification to affected individuals. Connecticut requires notification "without unreasonable delay" but no later than sixty (60) days after discovery (as amended).

23.4 Incident Response Plan. Roles, containment, root cause analysis, remediation, communication, and post-incident review.

23.5 Incident Reporting. Written report within [____] business days.

23.6 Cooperation. Full cooperation with Customer and regulators.

ARTICLE 24. AI AUDIT RIGHTS

24.1 Customer Audit Rights. Audit of AI documentation, bias testing, training data, AI training disclosure compliance (Public Act No. 25-113), incident logs, compliance, and security.

24.2 Audit Frequency. Up to [☐ one / ☐ two] time(s) per year; thirty (30) days' notice; any time after AI Incident.

24.3 Procedures. Normal business hours; minimize disruption; Customer bears costs unless breach found.

24.4 Remediation. Within [____] days.

24.5 Certifications. SOC 2 Type II; ISO/IEC 42001; ISO 27001; bias audits; regulatory reports.

PART C: GENERAL PROVISIONS

ARTICLE 25. DATA PROTECTION

25.1 Data Processing Agreement. Per Schedule DPA-1.

25.2 Security Program. SOC 2 Type II and ISO 27001 aligned.

25.3 CTDPA Compliance. Consumer rights, profiling opt-out, data protection assessments, AI training disclosures.

25.4 Data Breach Notification. Per Conn. Gen. Stat. Section 36a-701b.

25.5 Data Localization. Per Order Form or Schedule DPA-1.

ARTICLE 26. GOVERNING LAW AND DISPUTE RESOLUTION

26.1 Governing Law. Laws of the State of Connecticut, without regard to conflict of laws.

26.2 Venue. State and federal courts in [☐ Hartford / ☐ New Haven / ☐ [________________________________]], Connecticut.

26.3 Dispute Resolution. Good-faith negotiation for thirty (30) days.

26.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY CONNECTICUT LAW, EACH PARTY WAIVES JURY TRIAL RIGHTS. Note: Connecticut permits waiver of jury trial rights by written agreement in commercial contracts.

26.5 Electronic Signatures. Per the Connecticut Uniform Electronic Transactions Act (Conn. Gen. Stat. Section 1-266 et seq.).

ARTICLE 27. GENERAL TERMS

27.1 Notices. Written; personal delivery, confirmed email, overnight courier, or certified mail.

27.2 Assignment. No assignment without consent, except for M&A.

27.3 Force Majeure. No liability for delays beyond reasonable control.

27.4 Entire Agreement. Complete agreement.

27.5 Amendments. Written, signed.

27.6 Severability. Invalid provisions severed.

27.7 Waiver. No waiver by inaction.

27.8 Independent Contractors. No partnership or employment.

27.9 Counterparts. May be executed in counterparts.

27.10 Order of Precedence. (a) DPA; (b) Agreement; (c) Order Form; (d) Schedules.

SCHEDULES AND EXHIBITS

☐ Schedule OF-1: Order Form Template
☐ Schedule SLA-1: Service Level Agreement
☐ Schedule SUP-1: Support Policy
☐ Schedule PS-1: Professional Services Statement of Work
☐ Schedule DPA-1: Data Processing Agreement
☐ Schedule AI-1: AI Feature Description and Controls
☐ Schedule SEC-1: Security Controls and Compliance Certificates
☐ Schedule AI-2: AI Model Documentation and Performance Benchmarks
☐ Schedule AI-3: AI Training Data Disclosure (Public Act No. 25-113 Compliance)
☐ Schedule AI-4: AI Bias Testing Protocol and Results

SIGNATURE BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel licensed in Connecticut has reviewed this Agreement
☐ CTDPA compliance review completed
☐ AI governance review completed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

PROVIDER:

CUSTOMER:

SOURCES AND REFERENCES

• Connecticut Data Privacy Act (CTDPA): https://www.cga.ct.gov/current/pub/chap_743dd.htm
• Public Act No. 25-113 (AI Training Disclosure): https://www.cga.ct.gov
• CUTPA (Conn. Gen. Stat. Section 42-110a et seq.): https://www.cga.ct.gov/current/pub/chap_735a.htm
• Conn. Gen. Stat. Section 36a-701b (Data Breach): https://www.cga.ct.gov/current/pub/chap_669.htm
• Connecticut SB 2 (AI Transparency Bill): https://fpf.org/blog/setting-the-stage-connecticut-senate-bill-2-lays-the-groundwork-for-responsible-ai-in-the-states/
• EU AI Act (Regulation (EU) 2024/1689): https://artificialintelligenceact.eu/ai-act-explorer/
• NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework