SAAS MASTER SUBSCRIPTION AGREEMENT WITH AI GOVERNANCE CLAUSES

IOWA

(the "Agreement")

Effective Date: [__/__/____]

Provider: [________________________________] ("Provider"), a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________].

Customer: [________________________________] ("Customer"), a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________].

Provider and Customer are each a "Party" and collectively the "Parties."

1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where "control" means ownership of more than fifty percent (50%) of the voting interests.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or other algorithmic decision-making capabilities embedded in or accessible through the Services, as described in Exhibit A (AI Feature Schedule).

1.3 "AI Impact Assessment" means a documented evaluation of the risks, benefits, fairness, transparency, and accountability implications of deploying AI Features, including assessments of potential bias and discriminatory outcomes.

1.4 "AI Incident" means any unintended behavior, output, or failure of AI Features that results in or could reasonably result in: (a) material harm to individuals; (b) discriminatory outcomes based on protected characteristics; (c) unauthorized processing of Personal Data; (d) material inaccuracy in automated decisions; or (e) violation of applicable law.

1.5 "Algorithmic Decision" means any decision made wholly or substantially by AI Features that produces legal effects or similarly significant effects concerning a natural person, including decisions related to employment, credit, insurance, housing, education, or access to essential services.

1.6 "Authorized Users" means Customer's employees, contractors, agents, and Affiliates who are authorized by Customer to access and use the Services under this Agreement.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other, whether orally, in writing, or electronically, that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure.

1.8 "Customer Data" means all data, content, materials, and information that Customer or its Authorized Users submit, upload, transmit, or otherwise provide to or through the Services, including Personal Data.

1.9 "Data Processing Agreement" or "DPA" means the data processing terms attached as Exhibit D.

1.10 "Documentation" means Provider's then-current technical and functional documentation for the Services, including user guides, API specifications, and integration instructions.

1.11 "Effective Date" means the date first written above.

1.12 "Feedback" means suggestions, enhancement requests, recommendations, or other feedback provided by Customer regarding the Services.

1.13 "High-Risk AI" means AI Features that: (a) make or substantially inform Algorithmic Decisions; (b) process Sensitive Data; (c) perform profiling or scoring of individuals; or (d) are deployed in contexts involving health, safety, employment, financial services, or essential government services.

1.14 "Model" means any machine learning model, neural network, algorithm, or statistical model used to provide AI Features.

1.15 "Order Form" means an ordering document executed by the Parties that references this Agreement and specifies the Services, fees, subscription term, and other commercial terms, attached as Exhibit B.

1.16 "Personal Data" means information that is linked or reasonably linkable to an identified or identifiable natural person, as defined under the Iowa Consumer Data Protection Act (Iowa Code Chapter 715D, effective January 1, 2025). Personal Data does not include de-identified data or publicly available information.

1.17 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis or condition, sexual orientation, citizenship or immigration status, genetic or biometric data used to uniquely identify a specific individual, Personal Data collected from a known child, or precise geolocation data.

1.18 "Services" means the cloud-based software-as-a-service platform and any associated AI Features, tools, APIs, integrations, and updates provided by Provider as described in the applicable Order Form and Documentation.

1.19 "Subscription Term" means the period during which Customer has the right to access and use the Services as specified in an Order Form.

1.20 "Training Data" means any data used to train, retrain, fine-tune, validate, or test a Model, including labeled datasets, feedback loops, and reinforcement learning inputs.

2. SUBSCRIPTION AND ACCESS

2.1 Grant of Rights. Subject to the terms and conditions of this Agreement and payment of all applicable fees, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Subscription Term solely for Customer's internal business operations.

2.2 Authorized Users. Customer may permit its Authorized Users to access and use the Services, provided that: (a) Customer ensures each Authorized User complies with this Agreement; (b) Customer is responsible for all acts and omissions of its Authorized Users; and (c) the total number of Authorized Users does not exceed the limits specified in the applicable Order Form.

2.3 Usage Restrictions. Customer shall not, and shall not permit any third party to: (a) copy, modify, or create derivative works of the Services; (b) reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Services; (c) sublicense, sell, resell, transfer, assign, or distribute the Services; (d) access the Services for purposes of building a competitive product or service; (e) use the Services to store or transmit infringing, defamatory, or unlawful material; (f) interfere with or disrupt the integrity or performance of the Services; or (g) attempt to gain unauthorized access to the Services or related systems.

2.4 Reservation of Rights. Provider reserves all rights not expressly granted. No implied licenses are granted.

2.5 Modifications to Services. Provider may update or modify the Services from time to time, provided modifications do not materially diminish core functionality during an active Subscription Term. Provider shall provide at least thirty (30) days' prior written notice of material changes.

2.6 Access Credentials. Customer is responsible for maintaining the confidentiality of all login credentials and access keys. Customer shall promptly notify Provider of any unauthorized use.

3. AI FEATURES AND GOVERNANCE

3.1 AI Feature Description. The AI Features included in the Services are described in Exhibit A (AI Feature Schedule). Provider shall maintain and update Exhibit A to accurately reflect the AI Features available to Customer, including a plain-language description of each AI Feature's purpose, data inputs, outputs, and known limitations.

3.2 Training Data Restrictions. Provider shall not use Customer Data as Training Data for any generalized AI Model or for the benefit of any third party without Customer's prior express written consent. If Customer consents, Provider shall: (a) anonymize or de-identify Customer Data before use as Training Data; (b) document the scope of use; (c) allow Customer to revoke consent upon thirty (30) days' written notice; and (d) upon revocation, cease using Customer Data as Training Data and delete such data from training pipelines within ninety (90) days.

3.3 Explainability and Transparency. Provider shall provide Customer with: (a) documentation describing the general logic, purpose, and intended use of each AI Feature; (b) information about the types of data processed by AI Features; (c) disclosure of known risks, biases, and limitations; (d) where technically feasible, explanations of how AI Features reach specific outputs; and (e) information sufficient to enable Customer to comply with its transparency obligations under the Iowa Consumer Data Protection Act.

3.4 Human Oversight Controls. Provider shall ensure that: (a) Customer can disable or override AI Features without losing access to core Service functionality; (b) High-Risk AI Features include human review capabilities before final decisions are executed; (c) Customer can configure AI Features to require human approval for specified categories of outputs; and (d) Provider maintains clear escalation procedures for AI-related concerns.

3.5 Prohibited AI Uses. Neither Party shall use the AI Features to: (a) make wholly automated Algorithmic Decisions that produce legal or similarly significant effects on natural persons without meaningful human oversight; (b) engage in unlawful discrimination based on race, color, religion, sex, national origin, age, disability, or other protected characteristics under Iowa or federal law; (c) conduct real-time biometric identification in publicly accessible spaces without explicit legal authorization; (d) generate deceptive content designed to mislead individuals about the AI-generated nature of such content; or (e) process Sensitive Data without the required consent under the Iowa Consumer Data Protection Act.

3.6 Iowa Consumer Data Protection Act -- AI-Specific Compliance. Provider shall support Customer's compliance with the Iowa Consumer Data Protection Act (ICDPA, Iowa Code Chapter 715D, effective January 1, 2025) as it relates to AI Features, including:

(a) Consumer Rights Support. Provider shall implement technical and organizational measures to enable Customer to respond to consumer requests to: (i) confirm whether the controller is processing the consumer's Personal Data and access such data; (ii) delete Personal Data provided by the consumer; (iii) obtain a copy of Personal Data in a portable and readily usable format; and (iv) opt out of the sale of Personal Data.

(b) Scope of Consumer Rights. The Parties acknowledge that the ICDPA provides a more limited set of consumer rights compared to some other state privacy laws. Specifically, the ICDPA does not include: (i) a right to correct inaccurate Personal Data; (ii) a right to opt out of targeted advertising; or (iii) a right to opt out of profiling. Provider acknowledges these limitations and shall not represent to consumers that such rights exist under Iowa law, while ensuring compliance with the rights that are provided.

(c) Sensitive Data Consent. Provider shall not process Sensitive Data through AI Features without Customer's prior confirmation that appropriate consumer consent has been obtained, as required by the ICDPA.

(d) Applicability Thresholds. The ICDPA applies to persons that: (i) control or process Personal Data of at least 100,000 Iowa consumers; or (ii) derive over 50% of gross revenue from the sale of Personal Data and process or control Personal Data of at least 25,000 Iowa consumers. Customer shall determine whether it meets these thresholds and notify Provider accordingly.

(e) Exemptions. The ICDPA does not apply to government agencies, entities subject to the Gramm-Leach-Bliley Act, organizations governed by HIPAA, nonprofit organizations, or institutions of higher education. Customer shall notify Provider if any exemption applies.

3.7 Ninety-Day Cure Period. The Parties acknowledge that the ICDPA provides a ninety (90) day cure period for violations. If the Iowa Attorney General notifies either Party of a potential violation related to AI Features or data processing, the notified Party shall: (a) promptly inform the other Party; (b) cure the violation within the ninety (90) day period; and (c) provide written assurance of the cure to the other Party and the Attorney General. Unlike some other state privacy laws, the ICDPA's cure period does not sunset.

3.8 Algorithmic Accountability. Provider shall: (a) maintain records documenting the development, testing, and deployment of AI Features; (b) conduct periodic reviews of AI Feature outputs for accuracy, fairness, and compliance; (c) implement mechanisms for individuals to contest Algorithmic Decisions; and (d) provide Customer with sufficient information to explain AI-driven outcomes.

4. AI RISK CLASSIFICATION AND ASSESSMENT

4.1 Risk Classification. Provider shall classify each AI Feature according to the following risk tiers:

• ☐ Minimal Risk: AI Features that perform basic automation, data organization, or content formatting without processing Personal Data or making consequential decisions.
• ☐ Limited Risk: AI Features that interact with individuals and require transparency disclosures but do not make Algorithmic Decisions.
• ☐ High Risk: AI Features that make or substantially inform Algorithmic Decisions, process Sensitive Data, or are deployed in contexts involving health, safety, employment, or financial services.
• ☐ Unacceptable Risk: AI Features prohibited under Section 3.5.

4.2 AI Impact Assessments. Provider shall conduct AI Impact Assessments for all High-Risk AI Features prior to deployment and at least annually thereafter. Each assessment shall include: (a) description of the AI Feature and purpose; (b) analysis of risks to individuals; (c) evaluation of Training Data quality and representativeness; (d) mitigation measures; (e) human oversight documentation; (f) testing results with fairness metrics; and (g) compliance assessment under applicable Iowa law.

4.3 Bias Testing and Monitoring. For High-Risk AI Features, Provider shall: (a) conduct pre-deployment bias testing; (b) implement ongoing monitoring; (c) establish correction procedures; (d) share results with Customer upon request; and (e) promptly remediate material bias.

4.4 AI Incident Response. Provider shall: (a) maintain an AI Incident response plan; (b) notify Customer within forty-eight (48) hours of discovery; (c) provide root cause analysis within thirty (30) days; (d) implement corrective measures; and (e) maintain an incident log available to Customer.

4.5 Model Performance Monitoring. Provider shall continuously monitor Model performance and notify Customer of degradation below Exhibit A thresholds.

4.6 Third-Party AI Components. Provider shall disclose, ensure compliance, and remain responsible for third-party AI components.

5. IMPLEMENTATION AND SUPPORT

5.1 Implementation Services. Provider shall deliver implementation, configuration, and onboarding services as described in the applicable Order Form or Statement of Work.

5.2 Professional Services. Any professional services beyond standard implementation shall be governed by a mutually agreed Statement of Work.

5.3 Support Services. Provider shall provide technical support per Exhibit C (Service Level Agreement).

5.4 Training. Provider shall provide reasonable training on the Services, including AI Features, at no additional charge during initial implementation.

5.5 Updates and Upgrades. Provider shall provide updates with release notes and at least fourteen (14) days' advance notice for material changes.

6. FEES AND PAYMENT

6.1 Fees. Customer shall pay the fees specified in the applicable Order Form (Exhibit B). Unless otherwise stated, fees are: (a) in United States dollars; (b) non-refundable except as expressly provided; and (c) exclusive of applicable taxes.

6.2 Invoicing and Payment. Provider shall invoice Customer [________________________________] (e.g., monthly, quarterly, annually in advance). All invoices are due within [____] days of the invoice date.

6.3 Late Payments. Overdue amounts shall accrue interest at the lesser of: (a) one and one-half percent (1.5%) per month; or (b) the maximum rate permitted under Iowa law. The legal rate of interest in Iowa is ten percent (10%) per annum (Iowa Code Section 535.2). For consumer transactions, the maximum rate is twelve percent (12%) per annum (Iowa Code Section 535.2(3)(a)). For commercial transactions not subject to the consumer limitation, interest rates above the legal rate require a written agreement.

//GUIDANCE: Iowa's legal rate of interest is 10% per annum. A written agreement is required for rates above the legal rate. For commercial SaaS agreements, verify the applicable rate and ensure compliance with Iowa Code Section 535.2. The 1.5% per month (18% annualized) rate proposed here exceeds the legal rate and requires a written agreement, which this Agreement constitutes.

6.4 Taxes -- Iowa SaaS Tax Treatment. Fees exclude all taxes, levies, and duties imposed by taxing authorities. Customer is responsible for all applicable taxes, excluding taxes based on Provider's net income. Iowa generally does not impose sales tax on remotely accessed SaaS. Prewritten (canned) software delivered via download or tangible media is taxable. If the Services include downloadable software components, Provider shall separately itemize taxable components. Customer shall provide valid tax exemption certificates where applicable.

6.5 Fee Increases. Provider may increase fees for renewal Subscription Terms upon at least sixty (60) days' prior written notice. Fee increases shall not exceed [____] percent per renewal term.

6.6 Disputed Invoices. Customer may dispute invoices in good faith within thirty (30) days. Undisputed amounts are due by the original due date.

6.7 Suspension for Non-Payment. If undisputed amounts remain unpaid for more than [____] days, Provider may suspend access upon fifteen (15) days' notice.

7. PROPRIETARY RIGHTS AND INTELLECTUAL PROPERTY

7.1 Provider Ownership. Provider retains all right, title, and interest in the Services, Documentation, AI Features, Models, algorithms, and all related IP.

7.2 Customer Data Ownership. Customer retains all rights in Customer Data. Provider acquires no ownership rights.

7.3 License to Customer Data. Customer grants Provider a non-exclusive, worldwide, royalty-free license to process Customer Data solely to provide the Services.

7.4 AI-Generated Outputs. Unless otherwise specified, AI Outputs generated using Customer Data shall be owned by Customer, subject to Provider's underlying IP rights.

7.5 Feedback. Provider may use Feedback without restriction, provided it does not disclose Customer's Confidential Information.

7.6 Reservation of Rights. All rights not expressly granted are reserved.

8. CUSTOMER DATA AND DATA PROCESSING

8.1 Data Processing Agreement. The Parties shall comply with the DPA attached as Exhibit D. The DPA prevails in the event of conflict on data processing matters.

8.2 Data Ownership and Control. Customer is the controller; Provider is the processor.

8.3 Data Localization. Provider shall process and store Customer Data in locations specified in the DPA. No transfer outside the United States without consent.

8.4 Data Return and Deletion. Upon termination: (a) Customer Data available for export for [____] days; (b) deletion within thirty (30) days of Customer's request; (c) written certification of deletion upon request.

8.5 Data Portability. Provider shall support data export in structured, machine-readable formats, consistent with the ICDPA's portability rights.

9. DATA PROTECTION AND SECURITY

9.1 Security Program. Provider shall implement and maintain a comprehensive information security program aligned with recognized frameworks (SOC 2 Type II, ISO 27001, or NIST).

9.2 Security Measures. Provider's security program shall include: (a) encryption in transit (TLS 1.2+) and at rest (AES-256); (b) MFA for admin access; (c) annual vulnerability assessments and penetration testing; (d) intrusion detection/prevention; (e) least-privilege access controls; (f) logging and monitoring; (g) employee security training; and (h) incident response procedures.

9.3 Iowa Consumer Data Protection Act Compliance. Provider shall support Customer's compliance with the ICDPA (Iowa Code Chapter 715D, effective January 1, 2025), including:

(a) Consumer Rights. Technical measures to enable Customer to respond to consumer requests for: (i) access confirmation and data access; (ii) deletion of consumer-provided Personal Data; (iii) copies in a portable format; and (iv) opt-out of the sale of Personal Data.

(b) Limitations on Consumer Rights. The ICDPA does not include a right to correct data, opt out of targeted advertising, or opt out of profiling. Provider's obligations under this Agreement are limited to the rights actually provided by the ICDPA.

(c) Sensitive Data. Provider shall not process Sensitive Data without Customer's confirmation that consumer consent has been obtained as required by the ICDPA.

(d) Response Timeline. Provider shall support Customer in responding to consumer requests within ninety (90) days, as required by the ICDPA.

(e) No Private Right of Action. The ICDPA does not provide a private right of action. Enforcement is exclusively by the Iowa Attorney General. The Parties acknowledge this enforcement framework when allocating risk under this Agreement.

9.4 Iowa Data Breach Notification. Provider shall comply with Iowa's data breach notification requirements (Iowa Code Chapter 715C), including:

(a) Notification Timeline. Provider shall notify Customer of any security breach affecting Customer Data without unreasonable delay and in no event later than forty-eight (48) hours after discovery.

(b) Statutory Notification Deadline. Iowa law requires notification to affected individuals within sixty (60) days of the discovery of a breach (Iowa Code Section 715C.2). Provider shall provide Customer with sufficient information to meet this deadline.

(c) Content of Notice. The notification shall include: (i) nature of the breach; (ii) categories and approximate number of affected individuals; (iii) types of Personal Data compromised; (iv) response and remediation measures; and (v) contact information.

(d) Attorney General Notification. Where a breach affects 500 or more Iowa residents, Provider shall cooperate with Customer's obligation to notify the Iowa Attorney General within five (5) business days of notifying affected individuals.

(e) Cooperation. Provider shall cooperate with Customer's breach investigation, including preserving evidence and supporting notification.

9.5 Subprocessors. Provider shall maintain a subprocessor list, provide thirty (30) days' advance notice of new subprocessors, and allow Customer to object on reasonable grounds.

9.6 Audits and Certifications. Provider shall maintain SOC 2 Type II or equivalent, make reports available under NDA, cooperate with annual audits, and remediate material findings.

10. CONFIDENTIALITY

10.1 Confidentiality Obligations. Each Party shall hold the other's Confidential Information in strict confidence and use it solely for purposes of this Agreement.

10.2 Permitted Disclosures. Disclosure to employees, contractors, advisors, and Affiliates with a need to know, bound by equivalent obligations.

10.3 Exclusions. Publicly available, prior knowledge, independent development, third-party receipt without restriction.

10.4 Compelled Disclosure. Prompt notice and minimum disclosure where compelled by law.

10.5 Trade Secrets. Governed by the Iowa Uniform Trade Secrets Act (Iowa Code Chapter 550). Trade secret protections survive termination for so long as the information qualifies as a trade secret.

10.6 Return or Destruction. Upon termination, return or destroy Confidential Information. Customer Data governed by Section 8.4.

10.7 Confidentiality Period. Five (5) years post-termination, except trade secrets which continue indefinitely.

11. WARRANTIES AND DISCLAIMERS

11.1 Performance Warranty. Provider warrants the Services shall perform materially in accordance with the Documentation during the Subscription Term.

11.2 Security Warranty. Provider warrants the Services shall be free from viruses, malware, or malicious code introduced by Provider.

11.3 Compliance Warranty. Provider warrants compliance with applicable federal and Iowa laws, including the ICDPA, Iowa data breach notification requirements, and applicable AI governance standards.

11.4 AI Feature Warranty. Provider warrants that: (a) AI Features shall function materially as described in Exhibit A; (b) appropriate testing has been conducted; (c) AI Features shall not knowingly produce discriminatory outputs; and (d) reasonable safeguards are implemented.

11.5 Authority Warranty. Each Party warrants legal authority to enter into this Agreement.

11.6 DISCLAIMER. EXCEPT FOR THE EXPRESS WARRANTIES IN THIS SECTION 11, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY IOWA LAW, PROVIDER DISCLAIMS ALL OTHER WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE. PROVIDER DOES NOT WARRANT THE ACCURACY OR RELIABILITY OF AI OUTPUTS.

11.7 AI Output Disclaimer. CUSTOMER ACKNOWLEDGES THAT AI FEATURES MAY PRODUCE INACCURATE, INCOMPLETE, OR BIASED OUTPUTS. CUSTOMER IS SOLELY RESPONSIBLE FOR REVIEWING AND VALIDATING ALL AI OUTPUTS BEFORE RELIANCE OR USE.

12. SERVICE LEVELS AND CREDITS

12.1 Service Level Commitments. Per Exhibit C (Service Level Agreement).

12.2 Uptime Guarantee. [____]% availability per calendar month, excluding scheduled maintenance.

12.3 Service Credits. Credits per Exhibit C, not to exceed [____]% of monthly fees. Sole remedy for uptime failures.

12.4 Chronic Failure. If uptime fails for three (3) or more consecutive months or four (4) months in twelve (12), Customer may terminate and receive a pro-rata refund.

12.5 Maintenance Windows. Seventy-two (72) hours' advance notice required.

12.6 AI Feature Performance. Monitoring per Exhibit A. Remediation or termination rights if performance fails for thirty (30)+ consecutive days.

13. INDEMNIFICATION

13.1 Indemnification by Provider. Provider shall defend, indemnify, and hold harmless Customer from third-party claims arising from: (a) IP infringement; (b) breach of data protection or security obligations; (c) violation of the ICDPA or Iowa breach notification law; (d) AI Incidents caused by Provider's negligence; (e) bodily injury or property damage from gross negligence or willful misconduct; or (f) violation of applicable law.

13.2 Indemnification by Customer. Customer shall defend, indemnify, and hold harmless Provider from third-party claims arising from: (a) Customer Data or misuse of Services; (b) failure to obtain required consents; (c) misuse of AI Outputs; or (d) breach of obligations.

13.3 Indemnification Procedures. Prompt notice, sole control of defense, reasonable cooperation. No settlement imposing obligations on the indemnified Party without consent.

13.4 IP Infringement Remedies. Provider may: (a) procure rights; (b) replace or modify; or (c) terminate and refund.

14. LIMITATION OF LIABILITY

14.1 Cap on Liability. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY'S AGGREGATE LIABILITY SHALL NOT EXCEED [____] TIMES THE FEES PAID OR PAYABLE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

14.2 Exclusion of Consequential Damages. EXCEPT FOR EXCLUDED CLAIMS, NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES.

14.3 Excluded Claims. Limitations do not apply to: (a) indemnification obligations; (b) breach of data protection or confidentiality; (c) gross negligence or willful misconduct; (d) IP infringement; (e) payment obligations; or (f) liability that cannot be limited under Iowa law.

14.4 Essential Purpose. LIMITATIONS APPLY TO THE MAXIMUM EXTENT PERMITTED BY IOWA LAW.

15. TERM AND TERMINATION

15.1 Agreement Term. Commences on the Effective Date and continues until all Order Forms expire or are terminated.

15.2 Order Form Term. Auto-renewal unless [____] days' notice of non-renewal.

15.3 Termination for Cause. Material breach uncured within thirty (30) days after notice, or insolvency.

15.4 Termination for Convenience. Customer may terminate upon [____] days' notice, subject to accrued fees and early termination fees.

15.5 Termination for Material AI Failure. Customer may terminate upon thirty (30) days' notice if: (a) unremediated AI Incident causes material harm; (b) material AI governance failure; or (c) legal change renders AI Features non-compliant and Provider fails to cure within sixty (60) days.

15.6 Effect of Termination. Access ceases; Confidential Information returned or destroyed; Customer Data export per Section 8.4; accrued obligations survive. Surviving sections: 1, 7, 8.4, 9, 10, 11.6-11.7, 13, 14, 15.6, 16, and 17.

16. DISPUTE RESOLUTION

16.1 Informal Resolution. Good faith negotiation within fifteen (15) business days.

16.2 Escalation. Senior executive escalation if unresolved within thirty (30) days.

16.3 Mediation. Non-binding mediation in [________________________________], Iowa, if unresolved within sixty (60) days.

16.4 Arbitration (Optional). ☐ If checked, binding arbitration in [________________________________], Iowa, applying Iowa law.

16.5 Litigation. Per Section 17.2 if arbitration not elected.

16.6 Injunctive Relief. Either Party may seek injunctive relief to prevent irreparable harm.

16.7 Continued Performance. Unless terminated, obligations continue during disputes.

17. GENERAL PROVISIONS

17.1 Governing Law. Iowa law, without regard to conflict of laws. The UN Convention on Contracts for the International Sale of Goods does not apply.

17.2 Venue. Exclusive jurisdiction and venue in state and federal courts in [________________________________] (e.g., Polk County), Iowa.

17.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY IOWA LAW, EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL IN ANY ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT.

17.4 Electronic Signatures. Governed by the Iowa Uniform Electronic Transactions Act (Iowa Code Chapter 554D) and the federal E-SIGN Act.

17.5 Notices. Written notices deemed given when: (a) delivered personally; (b) sent by confirmed email; (c) three (3) business days after certified mail; or (d) one (1) business day after overnight courier.

Provider notice address: [________________________________]
Customer notice address: [________________________________]

17.6 Assignment. No assignment without consent, except to an Affiliate or in connection with a merger, acquisition, or sale of substantially all assets.

17.7 Force Majeure. Neither Party liable for delays beyond reasonable control. Does not excuse payment obligations. Termination permitted after sixty (60) days.

17.8 Entire Agreement. This Agreement and all Exhibits constitute the entire agreement, superseding prior agreements.

17.9 Amendments. Only by written instrument signed by both Parties.

17.10 Waiver. No waiver effective unless in writing.

17.11 Severability. Invalid provisions reformed; remaining provisions continue.

17.12 Independent Contractors. No partnership, joint venture, agency, or employment relationship.

17.13 Third-Party Beneficiaries. No third-party rights conferred.

17.14 Counterparts. Execution in counterparts; each an original.

17.15 Order of Precedence. (a) DPA; (b) this Agreement; (c) Order Form; (d) SLA; (e) AI Feature Schedule.

17.16 Iowa Consumer Protection Compliance. The Parties shall comply with the Iowa Consumer Fraud Act (Iowa Code Chapter 714H). Provider shall not engage in unfair or deceptive practices.

17.17 Export Compliance. Compliance with EAR and OFAC sanctions.

17.18 Publicity. No use of the other Party's name or marks without prior written consent.

EXHIBITS

EXHIBIT A -- AI FEATURE SCHEDULE

Model Performance Thresholds:
- Accuracy: [____]%
- Precision: [____]%
- Recall: [____]%
- Maximum acceptable drift: [____]%
- Monitoring frequency: [________________________________]

AI Feature Restrictions:
- ☐ AI Features may not be used for automated employment decisions
- ☐ AI Features may not be used for credit or lending decisions
- ☐ AI Features may not process Sensitive Data without consent per the ICDPA
- ☐ AI Features require human oversight for all Algorithmic Decisions
- ☐ Other: [________________________________]

EXHIBIT B -- ORDER FORM

Order Form No.: [________________________________]
Order Form Date: [__/__/____]

Subscription Term: [________________________________]
Renewal Terms: [________________________________]
Billing Frequency: [________________________________]
Payment Terms: Net [____] days

Total Fees: $[________________________________]

EXHIBIT C -- SERVICE LEVEL AGREEMENT

Uptime Guarantee: [____]%

Service Credit Schedule:

EXHIBIT D -- DATA PROCESSING AGREEMENT

1. Scope. This DPA governs Provider's processing of Personal Data on behalf of Customer.

2. Roles. Customer is the controller; Provider is the processor.

3. Processing Purpose. Provider shall process Personal Data solely to provide the Services.

4. Data Categories. [________________________________]

5. Data Subject Categories. [________________________________]

6. Processing Duration. For the duration of the Agreement plus any data return/deletion period.

7. Iowa Consumer Data Protection Act Compliance. Provider shall: (a) process only on documented instructions; (b) ensure confidentiality obligations; (c) implement appropriate security measures; (d) assist Customer with consumer rights requests within the ICDPA's ninety (90) day timeline; (e) assist with breach notification under Iowa Code Chapter 715C, including the sixty (60) day notification requirement; (f) delete or return Personal Data upon termination; (g) demonstrate compliance; and (h) obtain consent for Sensitive Data processing per the ICDPA.

8. Subprocessors. Per Section 9.5.

9. International Transfers. No transfer outside the U.S. without consent.

10. Security Breach Notification. Per Section 9.4.

11. Audit Rights. Per Section 9.6.

EXECUTION BLOCK

☐ Provider has reviewed and agrees to all terms of this Agreement
☐ Customer has reviewed and agrees to all terms of this Agreement
☐ Legal counsel review has been completed by Provider
☐ Legal counsel review has been completed by Customer
☐ AI governance requirements have been reviewed and accepted
☐ Data Processing Agreement has been reviewed and accepted
☐ Iowa Consumer Data Protection Act compliance requirements have been reviewed

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

This Agreement consists of [____] pages, including all Exhibits.

CONFIDENTIAL -- This document contains proprietary and confidential information. Unauthorized reproduction or distribution is prohibited.