SaaS Master Service Agreement with AI Governance Clauses - Delaware

SAAS MASTER SERVICE AGREEMENT WITH AI GOVERNANCE CLAUSES

STATE OF DELAWARE

THIS MASTER SERVICE AGREEMENT (this "Agreement") is entered into as of [__/__/____] (the "Effective Date") by and between:

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with its principal place of business at [________________________________];

and

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of Delaware, with its principal place of business at [________________________________].

Provider and Customer are each referred to herein as a "Party" and collectively as the "Parties."

RECITALS

WHEREAS, Provider has developed and operates a software-as-a-service platform that includes artificial intelligence and machine learning capabilities; and

WHEREAS, Customer desires to subscribe to and use Provider's Services, including AI-enabled features, subject to this Agreement and Delaware law; and

WHEREAS, the Parties wish to establish comprehensive governance, transparency, and accountability standards for the AI components of the Services, including compliance with the Delaware Personal Data Privacy Act;

NOW, THEREFORE, in consideration of the mutual covenants herein, the Parties agree as follows:

PART A: STANDARD MSA TERMS

ARTICLE 1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or automated decision-making capabilities incorporated into or accessible through the Services, as described in Schedule AI-1.

1.3 "AI Model" means any algorithm, neural network, statistical model, or computational system that underlies the AI Features.

1.4 "AI Output" means any content, prediction, recommendation, classification, decision, score, or other result generated by the AI Features.

1.5 "Algorithmic Discrimination" means any condition in which the use of an AI system results in unlawful differential treatment or disparate impact on the basis of race, color, religion, sex, national origin, age, disability, or other characteristic protected under Delaware or federal law.

1.6 "Authorized Users" means Customer's employees, contractors, and agents authorized to access the Services.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other that is designated as confidential or reasonably should be understood to be confidential.

1.8 "Consumer" means an individual who is a Delaware resident acting in an individual or household context, as defined by the Delaware Personal Data Privacy Act (DPDPA).

1.9 "Customer Data" means all data, content, and information submitted by or on behalf of Customer or its Authorized Users to the Services.

1.10 "Documentation" means Provider's then-current user guides, technical specifications, and other materials describing the Services.

1.11 "High-Risk AI Use" means any use of AI Features to make, or be a substantial factor in making, decisions with material legal or similarly significant effects on individuals, including employment, credit, insurance, housing, healthcare, education, or access to essential services.

1.12 "Order Form" means an ordering document specifying Services, term, fees, and usage limits.

1.13 "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, as defined in the DPDPA (6 Del. C. Chapter 12D). "Personal Data" does not include de-identified data or publicly available information.

1.14 "Profiling" means any form of automated processing of Personal Data to evaluate, analyze, or predict aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, as defined in the DPDPA.

1.15 "Services" means the SaaS applications, AI Features, professional services, and support described in the Order Form and Documentation.

1.16 "Training Data" means any data used to train, retrain, fine-tune, validate, or test an AI Model.

ARTICLE 2. SERVICES AND ACCESS

2.1 Subscription Grant. Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Subscription Term for internal business purposes.

2.2 Authorized Users. Customer may permit Authorized Users to access the Services. Customer is responsible for their acts and omissions.

2.3 Usage Limits. Use is subject to Order Form limitations.

2.4 Provisioning. Access within [____] business days following Order Form execution.

2.5 Service Modifications. Updates without materially diminishing functionality. Thirty (30) days' notice for material changes.

ARTICLE 3. IMPLEMENTATION AND SUPPORT

3.1 Implementation Services. Per Schedule PS-1.

3.2 Technical Support. Per Schedule SUP-1.

3.3 Service Level Agreement. Per Schedule SLA-1.

3.4 Training. Materials and sessions available upon request.

ARTICLE 4. FEES AND PAYMENT

4.1 Fees. Per Order Form. Non-refundable unless otherwise stated.

4.2 Invoicing. [☐ Advance / ☐ Arrears], [☐ monthly / ☐ quarterly / ☐ annual]. Due within [____] days.

4.3 Late Payments. Interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted under Delaware law. Delaware's legal rate of interest is 5% over the Federal Reserve discount rate (6 Del. C. Section 2301(a)). For commercial contracts, parties may agree to higher rates.

4.4 Taxes. Fees exclude taxes. Customer is responsible for applicable Delaware taxes. Delaware does not impose a general sales tax but counsel should verify treatment of SaaS services under applicable gross receipts tax provisions.

4.5 Fee Disputes. Written notice within thirty (30) days.

4.6 Suspension. Provider may suspend after [____] days' written notice of delinquent undisputed amounts.

ARTICLE 5. PROPRIETARY RIGHTS

5.1 Provider Ownership. Provider retains all rights in the Services, AI Models, and related intellectual property.

5.2 Customer Data Ownership. Customer retains all rights in Customer Data.

5.3 License to Customer Data. Limited license to process Customer Data solely for providing the Services.

5.4 Feedback. Provider may use Feedback without obligation, provided no Confidential Information is disclosed.

5.5 Aggregate Data. Provider may use aggregate, anonymized data that cannot identify Customer or individuals.

ARTICLE 6. CUSTOMER OBLIGATIONS

6.1 Acceptable Use. Customer shall not: (a) reverse engineer; (b) build competing products; (c) bypass security; (d) upload malware; (e) violate law; (f) sublicense or resell; or (g) exceed usage limits.

6.2 Data Accuracy. Customer is responsible for Customer Data accuracy and legality.

6.3 Credential Security. Customer shall secure credentials and report unauthorized access.

6.4 Compliance. Customer shall comply with all applicable laws, including the Delaware Consumer Fraud Act (6 Del. C. Section 2511 et seq.) and the DPDPA.

ARTICLE 7. CONFIDENTIALITY

7.1 Obligations. Strict confidence; disclosure only to those with need to know who are bound by confidentiality.

7.2 Exclusions. Public information, prior knowledge, independent development, lawful third-party receipt.

7.3 Compelled Disclosure. Permitted if required by law, with prompt notice.

7.4 Trade Secret Protection. Delaware Uniform Trade Secrets Act (6 Del. C. Section 2001 et seq.) governs trade secret claims. The Delaware UTSA provides for injunctive relief (Section 2002), damages including unjust enrichment (Section 2003), and exemplary damages not exceeding twice the amount awarded for willful and malicious misappropriation (Section 2003(b)).

7.5 Return or Destruction. Upon termination, return or destroy.

7.6 Injunctive Relief. Breach may cause irreparable harm; equitable relief available.

ARTICLE 8. WARRANTIES

8.1 Mutual Warranties. Legal authority, no conflict, valid obligation.

8.2 Performance Warranty. Services perform materially per Documentation. Remedy: correction or termination with pro-rata refund after sixty (60) days.

8.3 Security Warranty. Free of malware; industry-standard security.

8.4 Compliance Warranty. Compliance with Delaware and federal laws, including the DPDPA.

8.5 DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED, SERVICES ARE "AS IS." TO THE EXTENT PERMITTED BY DELAWARE LAW, PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

ARTICLE 9. INDEMNIFICATION

9.1 By Provider. Indemnification for: (a) IP infringement; (b) breach of data protection; (c) Algorithmic Discrimination caused by Provider's failure to exercise reasonable care; (d) material breach of law, including the DPDPA.

9.2 By Customer. Indemnification for: (a) Customer Data claims; (b) use in violation of Agreement or law; (c) unlawful use of AI Outputs.

9.3 Procedures. Prompt notice, sole control, reasonable cooperation.

ARTICLE 10. LIMITATION OF LIABILITY

10.1 Aggregate Cap. [____] times Fees in twelve (12) months preceding the claim, excluding Excluded Claims.

10.2 Consequential Damages Waiver. No indirect, incidental, special, consequential, or punitive damages, excluding Excluded Claims.

10.3 Excluded Claims. Indemnification; confidentiality breach; data protection breach; acceptable use breach; gross negligence or willful misconduct; amounts owed.

10.4 Super Cap. [____] times Fees in twenty-four (24) months for Excluded Claims.

10.5 Delaware Law. Delaware courts generally enforce limitation of liability provisions. These limitations apply to the maximum extent permitted by Delaware law, including the Delaware Consumer Fraud Act (6 Del. C. Section 2511 et seq.).

ARTICLE 11. TERM AND TERMINATION

11.1 Agreement Term. Effective Date until all Order Forms expire or are terminated.

11.2 Order Form Term. Auto-renews unless [____] days' notice of non-renewal.

11.3 Termination for Cause. Material breach uncured within thirty (30) days.

11.4 Termination for AI Regulatory Non-Compliance. Sixty (60) days' notice if AI law changes render performance unlawful or commercially impracticable.

11.5 Effect of Termination. Access ceases; outstanding Fees due; Customer Data export for [____] days; Confidential Information returned; applicable articles survive.

PART B: AI GOVERNANCE CLAUSES

ARTICLE 12. AI SERVICES DEFINITION AND SCOPE

12.1 AI Services Description. Schedule AI-1 shall describe: (a) each AI Feature and its purpose; (b) AI Model types; (c) input data types; (d) output types; (e) limitations; and (f) High-Risk AI Use designations.

12.2 Risk Classification.

☐ Minimal Risk -- Negligible harm (e.g., spam filtering)

☐ Limited Risk -- Consumer interaction without consequential decisions (e.g., chatbots)

☐ High Risk -- Decisions with legal or significant effects (e.g., credit scoring, employment)

☐ Prohibited -- Prohibited under law or this Agreement

12.3 New AI Features. Thirty (30) days' notice; Customer may reject within fifteen (15) days.

ARTICLE 13. AI MODEL TRANSPARENCY AND EXPLAINABILITY

13.1 Model Documentation. Provider shall maintain documentation on: (a) architecture and methodology; (b) performance metrics; (c) training data sources and biases; (d) processing techniques; and (e) version history.

13.2 Explainability for High-Risk Uses. Provider shall: (a) explain individual AI Outputs upon request; (b) implement explainability methods; (c) provide accessible explanations; and (d) document unexplainable outputs.

13.3 Consumer-Facing Disclosures. Provider shall support Customer's disclosures consistent with FTC Act guidance and the DPDPA's profiling provisions. Where AI Features engage in Profiling that produces legal or similarly significant effects, Provider shall support Customer's obligation to provide Consumers with meaningful information about the logic involved and opt-out mechanisms.

13.4 Delaware AI Commission. Provider acknowledges that Delaware established the Artificial Intelligence Commission under HB 333 (2024), amending 29 Del. C. Chapter 90C, to assess AI risks and recommend AI governance policies for state agencies. Provider shall monitor and comply with any rules, regulations, or guidance issued by the Delaware AI Commission as they relate to the AI Features.

ARTICLE 14. AI BIAS TESTING AND FAIRNESS

14.1 Bias Testing Program. Provider shall: (a) test AI Models for Algorithmic Discrimination at least [☐ quarterly / ☐ semi-annually / ☐ annually]; (b) use recognized fairness metrics; (c) test across intersectional categories; and (d) retain results for three (3) years.

14.2 Bias Mitigation. Upon discovery of significant bias: (a) notify Customer within [____] business days; (b) remediate within [____] days; (c) provide written report; and (d) permit suspension of affected AI Feature.

14.3 Delaware Non-Discrimination Compliance. Provider warrants AI Features comply with: (a) Delaware Discrimination in Employment Act (19 Del. C. Section 710 et seq.); (b) Delaware Fair Housing Act (6 Del. C. Section 4601 et seq.); (c) Delaware Equal Accommodations Law (6 Del. C. Section 4501 et seq.); and (d) federal non-discrimination laws including Title VII (42 U.S.C. Section 2000e et seq.) and ADA (42 U.S.C. Section 12101 et seq.).

14.4 DPDPA Profiling Requirements. Where AI Features engage in Profiling that produces legal or similarly significant effects on Consumers, Provider shall support Customer's compliance with the DPDPA's profiling provisions, including: (a) conducting data protection assessments; (b) providing Consumers with the right to opt out of profiling; and (c) providing meaningful information about the logic involved in such profiling.

14.5 Third-Party Audits. Upon Customer's request (annual limit), Provider shall engage a mutually agreed auditor. Costs borne by [☐ Provider / ☐ Customer / ☐ shared equally].

ARTICLE 15. AI DATA GOVERNANCE

15.1 Training Data Restrictions. Select one:

☐ Option A (No Training): No Customer Data for AI training.

☐ Option B (Consent-Based): Training only with written consent, revocable on thirty (30) days' notice.

☐ Option C (Anonymized Only): Only aggregated, de-identified data per DPDPA standards.

15.2 Data Lineage. Provider shall maintain records on sources, collection methods, processing, quality, and retention.

15.3 Training Data Rights. Provider warrants all necessary rights to use Training Data.

15.4 Data Segregation. Logical segregation of Customer Data.

15.5 Data Deletion. Upon termination or request, delete from AI training sets and certify within [____] days.

15.6 DPDPA Data Governance. Where Customer Data includes Personal Data of Delaware Consumers, Provider shall:

(a) Process Personal Data only as directed by Customer and consistent with the DPDPA;

(b) Support Customer's compliance with Consumer rights under the DPDPA, including rights to access, correct, delete, obtain a copy of, and opt out of processing of Personal Data;

(c) Honor Global Privacy Control (GPC) signals as required by the DPDPA;

(d) Not sell Personal Data or use it for targeted advertising without Consumer consent;

(e) Conduct data protection assessments for processing activities that present a heightened risk of harm, including profiling activities.

ARTICLE 16. AI OUTPUT OWNERSHIP

16.1 Ownership. Select one:

☐ Option A (Customer Owns): Customer owns AI Outputs from Customer Data.

☐ Option B (Provider Owns): Provider owns; Customer gets perpetual license.

☐ Option C (Joint): Jointly owned.

16.2 No Warranty of Originality. No representation of originality or non-infringement.

16.3 Customer Responsibility. Customer evaluates AI Output accuracy and legality before use.

16.4 IP Indemnification. Provider's indemnity extends to AI Output IP claims.

ARTICLE 17. AI PERFORMANCE METRICS

17.1 Performance Standards. Per Schedule AI-1: accuracy, latency, availability, error/hallucination rates, drift thresholds.

17.2 Monitoring. Continuous; monthly reports.

17.3 Model Drift. Monitoring with notification, corrective measures, and written report.

17.4 Remedies. If benchmarks fail for [____] consecutive months: remediation plan, suspension, or termination with refund.

ARTICLE 18. AI SAFETY AND RISK ASSESSMENT

18.1 Impact Assessments. For High-Risk AI Features, initially and annually: purpose, affected individuals, data quality, mitigation, monitoring, and bias results.

18.2 Risk Management. Conforming to NIST AI RMF 1.0 or equivalent.

18.3 Safety Testing. Adversarial testing, red-teaming, safety evaluations for prompt injection, harmful outputs, data leakage, adversarial robustness, and edge cases.

18.4 AI Guardrails. Preventing: (a) illegal or harmful content; (b) training data leakage; (c) out-of-parameter operation; and (d) autonomous High-Risk decisions without human oversight.

ARTICLE 19. HUMAN OVERSIGHT

19.1 Human-in-the-Loop. For High-Risk AI Uses: (a) human review before consequential decisions; (b) sufficient information; (c) override authority; and (d) AI supports human judgment.

19.2 Override Capability. Override, disable, escalate, and configure oversight levels.

19.3 Automation Bias Mitigation. Confidence scores, alternatives, and calibration exercises.

ARTICLE 20. AI ETHICS AND RESPONSIBLE USE

20.1 Ethical Principles. Provider's AI ethics policy shall address fairness, transparency, privacy, safety, accountability, human oversight, and environmental sustainability.

20.2 Prohibited Uses. No use for: (a) social scoring; (b) subliminal manipulation; (c) exploitation of vulnerable groups; (d) unauthorized biometric identification; (e) profiling-based predictive policing; or (f) any purpose violating applicable law.

20.3 DPDPA Compliance. Provider shall not use AI Features to process Personal Data in a manner inconsistent with the DPDPA, including unauthorized Profiling, targeted advertising without consent, or sale of Personal Data.

ARTICLE 21. AI REGULATORY COMPLIANCE

21.1 Delaware AI Regulatory Framework. Provider shall comply with all applicable Delaware AI and privacy laws, including:

(a) Delaware Personal Data Privacy Act (DPDPA) (6 Del. C. Chapter 12D, effective January 1, 2025), including: consumer rights (access, correction, deletion, portability, opt-out); profiling requirements; data protection assessments; GPC/universal opt-out recognition; restrictions on targeted advertising and data sales;

(b) Delaware AI Commission (HB 333, 2024, amending 29 Del. C. Chapter 90C), monitoring for recommendations and guidance;

(c) 6 Del. C. Section 12B-101 et seq. (Computer Security Breaches Act, data breach notification);

(d) 6 Del. C. Section 2511 et seq. (Consumer Fraud Act as applied to AI-driven interactions);

(e) Delaware's status as a leading corporate jurisdiction with well-developed commercial and contract law, including the Delaware Court of Chancery's expertise in technology and IP matters.

21.2 Federal and International Compliance. Provider shall also comply with: (a) FTC Act (15 U.S.C. Section 45); (b) EEOC guidance on AI; (c) Executive Order 14110; and (d) EU AI Act (Regulation (EU) 2024/1689), to the extent applicable.

21.3 Regulatory Change Management. Provider shall: (a) monitor Delaware legislative developments; (b) notify Customer within thirty (30) days of material new laws; (c) implement necessary modifications; and (d) cooperate on regulatory impact assessment.

ARTICLE 22. AI MODEL UPDATES AND VERSION CONTROL

22.1 Version Control. Unique identifiers, changelogs, retention for [____] months, rollback.

22.2 Update Notification. Thirty (30) days for major; seven (7) days for minor; updated Documentation.

22.3 Testing Window. Fifteen (15) days in staging before production.

22.4 Opt-Out Rights. Delay up to [____] days, except security patches.

ARTICLE 23. AI INCIDENT RESPONSE

23.1 AI Incident Definition. Events resulting in Algorithmic Discrimination, material harm, unauthorized data disclosure, operation outside parameters, material inaccuracy, or law violation.

23.2 Incident Notification. Twenty-four (24) hours for discrimination, data disclosure, or harm; seventy-two (72) hours for others.

23.3 Delaware Data Breach Notification. If an AI Incident constitutes a breach of security under 6 Del. C. Section 12B-102, Provider shall comply with the Delaware Computer Security Breaches Act (6 Del. C. Section 12B-101 et seq.), including: (a) notification to affected individuals within sixty (60) days of determination that a breach has occurred (6 Del. C. Section 12B-102(d)); (b) notification to the Delaware Attorney General if the breach affects more than five hundred (500) Delaware residents (6 Del. C. Section 12B-102(e)); and (c) cooperation with Customer's notification obligations.

23.4 Incident Response Plan. Defined roles, containment, root cause analysis, remediation, communication, and post-incident review.

23.5 Incident Reporting. Written report within [____] business days.

23.6 Cooperation. Full cooperation with Customer and regulators.

ARTICLE 24. AI AUDIT RIGHTS

24.1 Customer Audit Rights. Audit of AI documentation, bias testing, training data, incident logs, compliance, and security controls.

24.2 Audit Frequency. Up to [☐ one / ☐ two] time(s) per year; thirty (30) days' notice; any time after AI Incident.

24.3 Procedures. Normal business hours; minimize disruption; Customer bears costs unless material breach found.

24.4 Remediation. Address findings within [____] days.

24.5 Certifications. SOC 2 Type II; ISO/IEC 42001; ISO 27001; independent bias audits; regulatory reports.

PART C: GENERAL PROVISIONS

ARTICLE 25. DATA PROTECTION

25.1 Data Processing Agreement. Per Schedule DPA-1.

25.2 Security Program. SOC 2 Type II and ISO 27001 aligned.

25.3 Delaware Data Breach Notification. Per 6 Del. C. Section 12B-101 et seq. Notification within sixty (60) days of determination.

25.4 DPDPA Compliance. Provider shall process Personal Data of Delaware Consumers in compliance with the DPDPA, including honoring GPC signals and supporting consumer rights.

25.5 Data Localization. Per Order Form or Schedule DPA-1.

ARTICLE 26. GOVERNING LAW AND DISPUTE RESOLUTION

26.1 Governing Law. Laws of the State of Delaware, without regard to conflict of laws principles. The Parties acknowledge Delaware's status as a premier corporate jurisdiction and the expertise of the Delaware Court of Chancery in technology and commercial disputes.

26.2 Venue. Exclusive jurisdiction in the state and federal courts in [☐ New Castle County / ☐ [________________________________]], Delaware. For equitable relief, the Parties consent to the jurisdiction of the Delaware Court of Chancery.

26.3 Dispute Resolution. Good-faith negotiation for thirty (30) days before litigation.

26.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY DELAWARE LAW, EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL. Delaware courts consistently enforce contractual jury waivers in commercial agreements.

26.5 Electronic Signatures. Per the Delaware Uniform Electronic Transactions Act (6 Del. C. Section 12A-101 et seq.).

ARTICLE 27. GENERAL TERMS

27.1 Notices. Written; deemed given upon personal delivery, confirmed email, one business day after overnight courier, or three business days after certified mail.

27.2 Assignment. No assignment without consent, except for merger, acquisition, or sale of substantially all assets.

27.3 Force Majeure. No liability for delays beyond reasonable control.

27.4 Entire Agreement. Complete agreement superseding prior negotiations.

27.5 Amendments. Written, signed by both Parties.

27.6 Severability. Invalid provisions severed; remaining provisions continue.

27.7 Waiver. No failure or delay constitutes waiver.

27.8 Independent Contractors. No partnership, joint venture, or employment relationship.

27.9 Counterparts. May be executed in counterparts.

27.10 Order of Precedence. (a) Data Processing Agreement; (b) this Agreement; (c) Order Form; (d) Schedules.

SCHEDULES AND EXHIBITS

☐ Schedule OF-1: Order Form Template
☐ Schedule SLA-1: Service Level Agreement
☐ Schedule SUP-1: Support Policy
☐ Schedule PS-1: Professional Services Statement of Work
☐ Schedule DPA-1: Data Processing Agreement
☐ Schedule AI-1: AI Feature Description and Controls
☐ Schedule SEC-1: Security Controls and Compliance Certificates
☐ Schedule AI-2: AI Model Documentation and Performance Benchmarks
☐ Schedule AI-3: AI Bias Testing Protocol and Results

SIGNATURE BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel licensed in Delaware has reviewed this Agreement
☐ AI governance review completed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

PROVIDER:

CUSTOMER:

SOURCES AND REFERENCES

• Delaware Personal Data Privacy Act (DPDPA): https://legis.delaware.gov
• 6 Del. C. Section 12B-101 et seq. (Computer Security Breaches Act): https://delcode.delaware.gov/title6/c012b/
• 6 Del. C. Section 2001 et seq. (Trade Secrets Act): https://delcode.delaware.gov/title6/c020/
• HB 333 (2024) Delaware AI Commission: https://legis.delaware.gov
• Delaware Court of Chancery: https://courts.delaware.gov/chancery/
• EU AI Act (Regulation (EU) 2024/1689): https://artificialintelligenceact.eu/ai-act-explorer/
• NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework