SAAS MASTER SUBSCRIPTION AGREEMENT WITH AI GOVERNANCE CLAUSES

STATE OF NEW HAMPSHIRE

Agreement No.: [________________________________]

Effective Date: [__/__/____]

PROVIDER:
Name: [________________________________]
Address: [________________________________]
City/State/ZIP: [________________________________]
Contact Email: [________________________________]
Contact Phone: [________________________________]

CUSTOMER:
Name: [________________________________]
Address: [________________________________]
City/State/ZIP: [________________________________]
Contact Email: [________________________________]
Contact Phone: [________________________________]

This Master Subscription Agreement with AI Governance Clauses (this "Agreement") is entered into as of the Effective Date by and between the Provider and the Customer identified above (each a "Party" and collectively the "Parties").

ARTICLE 1: DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where "control" means ownership of more than fifty percent (50%) of voting securities or equivalent ownership interest.

1.2 "AI Features" means any artificial intelligence, machine learning, deep learning, natural language processing, computer vision, generative AI, or other algorithmic decision-making capabilities integrated into or accessible through the Services, as further described in Schedule AI-1.

1.3 "Algorithm" means a set of computational rules, procedures, or instructions, including statistical models and machine learning models, used to process data, make predictions, generate outputs, or automate decisions within the Services.

1.4 "Authorized User" means any individual employee, contractor, or agent of Customer or its Affiliates who is authorized by Customer to access and use the Services under this Agreement.

1.5 "Automated Decision-Making" means a decision made by the Services through automated processing of data without meaningful human oversight, including decisions derived from profiling, scoring, classification, or recommendation engines.

1.6 "Bias" means systematic and unfair discrimination in AI outputs resulting from flawed training data, model design, or algorithmic logic that disproportionately affects individuals or groups based on protected characteristics.

1.7 "Confidential Information" means all non-public information disclosed by one Party to the other in connection with this Agreement that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure.

1.8 "Consumer" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act (N.H. Rev. Stat. Chapter 507-H), meaning a natural person who is a resident of New Hampshire acting in an individual or household context, but does not include a natural person acting in a commercial or employment context.

1.9 "Controller" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act, meaning a person that, alone or jointly with others, determines the purpose and means of processing personal data.

1.10 "Customer Data" means all data, content, materials, and information submitted, uploaded, or transmitted by or on behalf of Customer or its Authorized Users to the Services, including Personal Data.

1.11 "Documentation" means the user guides, technical manuals, specifications, help files, and other written materials provided by Provider describing the functionality, operation, and use of the Services.

1.12 "Explainability" means the ability to describe, in terms understandable to a non-technical person, the factors, logic, data inputs, and decision criteria used by an AI Feature to produce a specific output or decision.

1.13 "Feedback" means suggestions, enhancement requests, recommendations, or other feedback provided by Customer regarding the Services.

1.14 "Generative AI" means AI Features that create new content, including text, images, code, audio, or synthetic data, based on patterns learned from training data.

1.15 "Hallucination" means an output generated by an AI Feature that is factually incorrect, fabricated, or not supported by the input data or training data.

1.16 "Human Override" means the ability of a natural person to review, modify, reverse, or supersede a decision, recommendation, or output generated by an AI Feature.

1.17 "Model" means a trained computational artifact that processes input data to generate predictions, classifications, or other outputs.

1.18 "Order Form" means a document referencing this Agreement that specifies the Services, subscription details, fees, and other commercial terms, attached as Schedule OF-1.

1.19 "Personal Data" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act (N.H. Rev. Stat. Chapter 507-H), meaning any information that is linked or reasonably linkable to an identified or identifiable individual. Personal Data does not include de-identified data or publicly available information.

1.20 "Processor" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act, meaning a person that processes Personal Data on behalf of a Controller.

1.21 "Profiling" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act, meaning any form of automated processing of Personal Data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, personal preferences, interests, reliability, behavior, location, or movements.

1.22 "Professional Services" means implementation, configuration, customization, training, or consulting services provided by Provider as described in a Statement of Work.

1.23 "Sensitive Data" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act, meaning Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for identification purposes; Personal Data collected from a known child; or precise geolocation data.

1.24 "Services" means the SaaS application(s) and related cloud-based services described in the Order Form, including all AI Features, updates, and enhancements provided during the Subscription Term.

1.25 "Subscription Term" means the period during which Customer is authorized to access and use the Services, as specified in the Order Form.

1.26 "Targeted Advertising" has the meaning ascribed under the New Hampshire Consumer Expectation of Privacy Act, meaning displaying advertisements to a consumer where the advertisement is selected based on Personal Data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.

1.27 "Training Data" means the datasets used to develop, train, validate, test, or fine-tune Models or Algorithms within the AI Features.

ARTICLE 2: SUBSCRIPTION AND ACCESS

2.1 License Grant. Subject to the terms and conditions of this Agreement and Customer's payment of applicable Fees, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to access and use the Services solely for Customer's internal business purposes as specified in the Order Form.

2.2 Authorized Users. Customer may permit its Authorized Users to access and use the Services, provided that Customer shall be responsible for each Authorized User's compliance with this Agreement. Customer shall maintain accurate records of all Authorized Users and promptly remove access for any individual who no longer qualifies.

2.3 Usage Limits. Customer's use of the Services is subject to the usage limitations specified in the applicable Order Form, including the number of Authorized Users, data storage capacity, API call volumes, transaction limits, and processing thresholds. Customer shall monitor its usage and promptly notify Provider if Customer anticipates exceeding applicable limits.

2.4 Access Credentials. Customer is responsible for maintaining the confidentiality and security of all login credentials, access tokens, and API keys. Customer shall implement reasonable security measures including multi-factor authentication where available and shall promptly notify Provider of any unauthorized access or suspected compromise.

2.5 Restrictions. Customer shall not, and shall not permit any third party to: (a) sublicense, sell, resell, rent, lease, or otherwise make the Services available to any third party except as expressly permitted; (b) modify, adapt, or create derivative works of the Services; (c) reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code; (d) access the Services for competitive analysis or to build a competing product; (e) use the Services to transmit malicious code; (f) interfere with or disrupt the Services; or (g) use the Services in violation of applicable law, including New Hampshire law.

2.6 Reservation of Rights. Provider reserves all rights in and to the Services not expressly granted herein.

ARTICLE 3: AI FEATURES AND GOVERNANCE

3.1 AI Feature Documentation. Provider shall maintain complete and current documentation of all AI Features integrated into the Services, including: (a) the purpose and intended use case; (b) the types of data processed; (c) the decision-making logic and methodology; (d) known limitations and constraints; (e) potential risks of Bias or Hallucination; and (f) recommended Human Override procedures. Documentation shall be provided in Schedule AI-1 and updated no less than quarterly.

3.2 Training Data Restrictions.
(a) Provider shall not use Customer Data to train, retrain, fine-tune, or improve any generalized AI Models without Customer's prior express written consent, which may be withheld in Customer's sole discretion.
(b) If Customer grants consent, Provider shall: (i) anonymize and aggregate Customer Data before use; (ii) ensure no Customer Data can be extracted from the resulting Model; (iii) document all training uses in Schedule AI-1; and (iv) provide Customer with an opt-out mechanism.
(c) Provider represents that Training Data used for AI Features has been lawfully obtained with all necessary consents and licenses.

3.3 Explainability Requirements.
(a) For any AI Feature that generates decisions, recommendations, or classifications, Provider shall provide meaningful explanations including: (i) the key factors and data inputs that influenced the output; (ii) the relative importance of each factor; (iii) alternative outcomes from different inputs; and (iv) confidence levels where applicable.
(b) Explainability documentation shall be accessible to non-technical users.

3.4 Human Override.
(a) Customer shall have the right to override, modify, or reject any decision, recommendation, or output generated by AI Features.
(b) Provider shall implement technical mechanisms enabling Human Override, including: (i) review of AI outputs before they take effect; (ii) modification of parameters and thresholds; (iii) disabling specific AI Features; and (iv) reversion to non-AI processing where feasible.
(c) Provider shall not design AI Features in a manner that makes Human Override impractical.

3.5 Prohibited AI Uses. Neither Party shall use AI Features for:
(a) Automated Decision-Making that produces legal or similarly significant effects on individuals without appropriate Human Override;
(b) Discriminatory Profiling based on protected characteristics under New Hampshire or federal law;
(c) Targeted Advertising based on Sensitive Data without the consumer's express opt-in consent as required by the New Hampshire Consumer Expectation of Privacy Act;
(d) Processing Personal Data in violation of state or federal anti-discrimination laws;
(e) Mass surveillance or tracking of individuals without lawful basis;
(f) Generation of deceptive content intended to mislead consumers; or
(g) Any purpose that violates applicable federal, state, or local law.

3.6 New Hampshire Consumer Expectation of Privacy Act — AI and Profiling Compliance.
(a) Provider shall support Customer's compliance with the New Hampshire Consumer Expectation of Privacy Act (N.H. Rev. Stat. Chapter 507-H, effective January 1, 2025), including:
(i) Opt-Out Rights for Profiling: Supporting consumers' rights to opt out of Profiling that solely results in automated decisions producing legal or similarly significant effects, including decisions concerning financial or lending services, housing, insurance, education enrollment, criminal justice, employment, or healthcare;
(ii) Targeted Advertising Opt-Out: Supporting consumers' rights to opt out of processing of Personal Data for Targeted Advertising;
(iii) Sale of Personal Data Opt-Out: Supporting consumers' rights to opt out of the sale of Personal Data;
(iv) Sensitive Data Consent: Processing Sensitive Data only with the consumer's prior opt-in consent;
(v) Consumer Rights Support: Supporting consumers' rights to access, correct, delete, and obtain a portable copy of their Personal Data;
(vi) Data Minimization: Limiting Personal Data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose;
(vii) Purpose Limitation: Not processing Personal Data for purposes incompatible with those disclosed to the consumer without additional consent.
(b) Provider acknowledges that "decisions that produce legal or similarly significant effects" under the Act include decisions resulting in the provision or denial of financial services, housing, insurance, education, criminal justice, employment, healthcare, or access to essential goods and services.
(c) The New Hampshire Attorney General has sole enforcement authority. Neither this Agreement nor the Act provides a private right of action.

3.7 Data Protection Assessments for AI.
(a) Provider shall cooperate with Customer in conducting data protection assessments as required by the New Hampshire Consumer Expectation of Privacy Act for processing activities that present a heightened risk of harm, including:
(i) Processing Personal Data for Targeted Advertising;
(ii) Sale of Personal Data;
(iii) Processing Personal Data for Profiling where the Profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, financial injury, physical injury, intrusion on solitude or seclusion, or other substantial injury to consumers;
(iv) Processing Sensitive Data; and
(v) Any processing involving Personal Data that presents a heightened risk of harm.
(b) Assessments shall weigh the benefits of the processing to the Controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer.
(c) Provider shall make its data protection assessments available to the New Hampshire Attorney General upon request.

3.8 Bias Monitoring and Mitigation.
(a) Provider shall implement ongoing monitoring to detect, measure, and mitigate Bias in AI Features, including: (i) regular statistical testing across demographic groups; (ii) analysis of output disparities; (iii) review of training data for representativeness; and (iv) documentation of identified Bias and corrective actions.
(b) Provider shall promptly notify Customer if material Bias is detected and implement corrective measures within [____] business days.
(c) Provider shall provide periodic Bias assessment reports no less than [quarterly/semi-annually].

3.9 Model Documentation and Versioning.
(a) Provider shall maintain version-controlled records of all Models, including training methodologies, validation results, performance metrics, and change histories.
(b) Provider shall notify Customer at least [____] days prior to deploying material Model changes.
(c) Customer may request rollback to a prior Model version within [____] days of notification.

ARTICLE 4: AI RISK CLASSIFICATION AND ASSESSMENT

4.1 Risk Tiers. Provider shall classify each AI Feature according to the following risk framework:

☐ Tier 1 - Minimal Risk: AI Features performing routine data processing, formatting, search optimization, or administrative tasks with no direct impact on individual rights or significant business decisions.

☐ Tier 2 - Limited Risk: AI Features providing recommendations, insights, or analytics to inform human decision-makers but not autonomously executing decisions.

☐ Tier 3 - Elevated Risk: AI Features significantly influencing decisions affecting individuals' access to services, employment, credit, housing, insurance, or other material opportunities, or processing Sensitive Data as defined by the New Hampshire Consumer Expectation of Privacy Act.

☐ Tier 4 - High Risk: AI Features autonomously making or materially determining decisions with legal or similarly significant effects as defined under the New Hampshire Consumer Expectation of Privacy Act, including automated eligibility determinations, risk scoring, or biometric identification.

4.2 Impact Assessments.
(a) For Tier 3 and Tier 4 AI Features, Provider shall conduct AI impact assessments before deployment, including: (i) description of the AI Feature and purpose; (ii) types of data processed; (iii) potential benefits and risks; (iv) analysis of potential Bias and discriminatory impacts; (v) measures to mitigate risks; (vi) Human Override mechanisms; and (vii) ongoing monitoring plans.
(b) Assessments shall be available to Customer upon request and updated annually or when material changes occur.
(c) Assessments for Tier 3 and Tier 4 features shall address the data protection assessment requirements of the New Hampshire Consumer Expectation of Privacy Act.

4.3 New Hampshire-Specific Risk Considerations.
(a) AI Features that engage in Profiling as defined under the New Hampshire Consumer Expectation of Privacy Act require data protection assessments and consumer opt-out mechanisms.
(b) Provider shall maintain technical capabilities to: (i) honor opt-out requests for Profiling producing legal or similarly significant effects within fifteen (15) days of receipt; (ii) cease processing for Targeted Advertising upon opt-out; (iii) process universal opt-out signals recognized by the New Hampshire Attorney General; and (iv) document all opt-out requests and responses.
(c) Provider shall not discriminate against consumers who exercise their rights under the Act, including by denying goods or services, charging different prices, or providing a different quality of service.

ARTICLE 5: IMPLEMENTATION AND SUPPORT

5.1 Implementation Services. Provider shall deliver implementation, configuration, data migration, and onboarding services as described in Schedule PS-1. Implementation shall include configuration of AI Features and privacy controls to support Customer's compliance with the New Hampshire Consumer Expectation of Privacy Act.

5.2 Training. Provider shall provide training to Customer's designated personnel on the use of the Services, including specific training on: (a) AI Features, capabilities, and limitations; (b) consumer privacy rights management under New Hampshire law; (c) opt-out mechanism administration; and (d) data protection assessment procedures.

5.3 Technical Support. Provider shall provide technical support in accordance with Schedule SUP-1, including:
(a) Designated support channels (email, phone, online portal);
(b) Support hours and response time commitments by severity level;
(c) Escalation procedures for critical issues;
(d) AI-specific support for explainability inquiries;
(e) Privacy rights request support.

5.4 Updates and Enhancements. Provider shall provide all updates, patches, and security fixes at no additional charge during the Subscription Term. Provider shall provide reasonable advance notice of material changes and shall not remove material functionality without Customer's prior consent.

5.5 Change Management. Provider shall implement change management procedures for AI Feature updates, including: (a) advance notification; (b) documentation of changes and expected impacts; (c) testing in non-production environments; and (d) rollback capability.

ARTICLE 6: FEES AND PAYMENT

6.1 Fees. Customer shall pay the Fees set forth in the applicable Order Form. Unless otherwise specified, all Fees are non-refundable except as expressly provided in this Agreement.

6.2 Invoicing and Payment Terms. Provider shall invoice Customer per the billing frequency in the Order Form. Undisputed invoices are due within [____] days of receipt. Customer shall notify Provider of disputed charges within [____] days of invoice receipt with a detailed description.

6.3 Late Payment. Undisputed amounts not paid when due shall bear interest at the lesser of: (a) [____]% per month; or (b) the maximum rate permitted under New Hampshire law. //GUIDANCE: New Hampshire does not have a general usury statute for commercial transactions. The default judgment interest rate is 10% per annum (N.H. Rev. Stat. § 336:1). Confirm with counsel whether the agreed-upon rate is enforceable.

6.4 Taxes.
(a) All Fees are exclusive of applicable taxes. Customer is responsible for all taxes other than Provider's income taxes.
(b) New Hampshire Tax Treatment: New Hampshire does not impose a state sales or use tax. Accordingly, the Fees under this Agreement are not subject to New Hampshire sales tax. New Hampshire is one of five states without a general sales tax. However, New Hampshire does impose a Business Enterprise Tax (BET) and Business Profits Tax (BPT), which are Provider's responsibility for its own operations.
(c) If any other jurisdiction's tax authority requires collection of taxes on the Services delivered to Customer in New Hampshire, Provider shall consult with Customer before applying such taxes.

6.5 Fee Increases. Provider may increase Fees for renewal Subscription Terms upon at least [____] days' prior written notice. Fee increases shall not exceed [____]% per renewal term.

6.6 Suspension for Non-Payment. If Customer fails to pay undisputed Fees within [____] days after written notice, Provider may suspend access upon [____] days' additional notice. Provider shall restore access promptly upon payment.

ARTICLE 7: PROPRIETARY RIGHTS AND INTELLECTUAL PROPERTY

7.1 Provider Ownership. Provider retains all right, title, and interest in the Services, Documentation, Models, Algorithms, software, APIs, and related intellectual property. Nothing transfers ownership to Customer.

7.2 Customer Data Ownership. Customer retains all right, title, and interest in Customer Data.

7.3 License to Customer Data. Customer grants Provider a non-exclusive, royalty-free license during the Subscription Term to process Customer Data solely to provide the Services, perform Provider's obligations, and generate anonymized Aggregated Data subject to Customer's prior written consent.

7.4 Aggregated Data. Provider may use Aggregated Data for lawful business purposes provided it cannot reasonably identify Customer or any individual. Provider's rights to Aggregated Data survive termination.

7.5 Feedback. Customer grants Provider a non-exclusive, perpetual, irrevocable, royalty-free license to use Feedback, provided Provider shall not disclose Customer's Confidential Information.

7.6 AI-Generated Outputs. Ownership of outputs generated by AI Features using Customer Data belongs to Customer, subject to Provider's underlying IP rights in Models and Algorithms.

ARTICLE 8: CUSTOMER DATA AND DATA PROCESSING

8.1 Data Processing Agreement. The Parties shall execute the Data Processing Addendum attached as Schedule DPA-1, which governs Provider's processing of Personal Data on behalf of Customer.

8.2 New Hampshire Consumer Expectation of Privacy Act Compliance.
(a) Where Customer acts as a Controller and Provider acts as a Processor under the New Hampshire Consumer Expectation of Privacy Act, Provider shall:
(i) Process Personal Data only in accordance with Customer's documented instructions;
(ii) Assist Customer in responding to consumer rights requests, including requests to access, correct, delete, or obtain a portable copy of Personal Data, within the timeframes required by the Act;
(iii) Implement appropriate technical and organizational measures to protect Personal Data;
(iv) Not combine Personal Data received from Customer with Personal Data received from other controllers or collected from Provider's own interactions with consumers, unless expressly instructed by Customer;
(v) Delete or return all Personal Data upon Customer's request at the end of the provision of Services;
(vi) Make available all information necessary to demonstrate compliance with the Act;
(vii) Allow and cooperate with reasonable assessments or audits by Customer;
(viii) Engage subprocessors only with Customer's consent and pursuant to a written agreement imposing equivalent obligations.
(b) Provider shall process consumer rights requests within forty-five (45) days of receipt, with one forty-five (45) day extension permitted where reasonably necessary.
(c) If Provider determines it cannot comply with its obligations, it shall immediately notify Customer.

8.3 Data Localization. Provider shall process and store Customer Data in the geographic locations specified in the Order Form or Schedule DPA-1. No transfers outside specified regions without Customer's prior written consent.

8.4 Data Portability. Provider shall maintain Customer Data in export-ready formats (CSV, JSON, XML) and provide tools or assistance for portability.

8.5 Data Retention and Deletion. Upon termination: (a) Customer Data available for export for [____] days; (b) secure deletion within [____] days after the export period; and (c) written certification of deletion upon request.

8.6 Subprocessors. Provider shall not engage subprocessors without Customer's prior written consent. Provider shall maintain a current subprocessor list and notify Customer at least [____] days prior to engaging new subprocessors. Customer may object within [____] days.

ARTICLE 9: DATA PROTECTION AND SECURITY

9.1 Security Program. Provider shall maintain a comprehensive information security program including administrative, technical, and physical safeguards aligned with:

☐ SOC 2 Type II
☐ ISO/IEC 27001
☐ NIST Cybersecurity Framework
☐ Other: [________________________________]

9.2 Security Measures. Provider's security program shall include:
(a) Encryption in transit (minimum TLS 1.2) and at rest (minimum AES-256);
(b) Role-based access controls with least privilege and MFA for administrative access;
(c) Regular vulnerability assessments and penetration testing;
(d) Intrusion detection and prevention systems;
(e) Logging and monitoring of access to Customer Data;
(f) Employee security training and background checks;
(g) Incident response plan and procedures;
(h) Business continuity and disaster recovery capabilities.

9.3 Security Audits. Provider shall annually: (a) provide current SOC 2 reports or equivalent certifications; (b) respond to security questionnaires; and (c) permit security assessments by Customer or its designee, subject to reasonable scheduling and confidentiality.

9.4 New Hampshire Data Breach Notification.
(a) Provider shall comply with N.H. Rev. Stat. §§ 359-C:19-21, including:
(i) Notifying Customer of any security breach involving Personal Data as expediently as possible and without unreasonable delay;
(ii) Notifying the New Hampshire Attorney General's office if notification is required;
(iii) Providing written notice to affected New Hampshire residents that includes a description of the breach, categories of information involved, steps taken, and contact information;
(iv) Cooperating with Customer's investigation and notification obligations;
(v) Covering costs of notification and remediation attributable to Provider's breach.
(b) "Personal information" under New Hampshire breach notification law means an individual's first name or initial and last name in combination with Social Security number; financial account number with access code; or biometric data such as fingerprints, retina/iris images, or other unique physical representation or digital representation of biometric data.
(c) Provider shall maintain records of all security incidents for a minimum of five (5) years.

9.5 AI-Specific Security. Provider shall implement security measures specific to AI Features, including:
(a) Protection against adversarial attacks, prompt injection, and model manipulation;
(b) Secure storage and access controls for Training Data and Model artifacts;
(c) Monitoring for data poisoning;
(d) Version control and integrity verification for deployed Models;
(e) Isolation of Customer-specific data in AI processing pipelines.

ARTICLE 10: CONFIDENTIALITY

10.1 Obligations. Each Receiving Party shall hold Confidential Information in strict confidence, restrict disclosure to those with need-to-know who are bound by equivalent confidentiality obligations, and use it only for purposes of this Agreement.

10.2 Exclusions. Confidential Information excludes information that: (a) is publicly available without breach; (b) was known prior to disclosure; (c) is independently developed; or (d) is received from a third party without restriction.

10.3 Compelled Disclosure. If compelled by law to disclose, the Receiving Party shall provide prompt notice (to the extent permitted), cooperate in seeking protective orders, and disclose only the minimum necessary.

10.4 Trade Secrets Protection. Certain Confidential Information may constitute trade secrets under the New Hampshire Uniform Trade Secrets Act (N.H. Rev. Stat. Chapter 350-B). Trade secrets shall receive the protections afforded under New Hampshire law, including the right to seek injunctive relief for misappropriation. The statute of limitations for trade secret misappropriation under New Hampshire law is three (3) years from the date the misappropriation was discovered or should have been discovered. Confidentiality obligations for trade secrets continue for so long as the information qualifies as a trade secret.

10.5 Return and Destruction. Upon termination or request, the Receiving Party shall return or destroy all Confidential Information, except for automated backup copies (which remain subject to confidentiality) and copies required by law. Written certification upon request.

10.6 Duration. Confidentiality obligations survive for [____] years after termination, except that trade secret obligations continue for so long as the information qualifies as a trade secret under New Hampshire law.

ARTICLE 11: WARRANTIES AND DISCLAIMERS

11.1 Mutual Warranties. Each Party warrants that: (a) it is duly organized and in good standing; (b) it has authority to enter into this Agreement; (c) performance does not conflict with other agreements; and (d) it shall comply with applicable law.

11.2 Provider Performance Warranty. Provider warrants that: (a) the Services shall perform materially in accordance with the Documentation; (b) Services shall be provided in a professional manner consistent with industry standards; and (c) Provider shall not materially decrease overall functionality.

11.3 AI Feature Warranties. Provider warrants that: (a) AI Features shall perform as described in Schedule AI-1; (b) AI Features have been developed using reasonable quality assurance practices; (c) reasonable measures to detect and mitigate Bias have been implemented; (d) Training Data has been lawfully obtained; (e) Explainability information shall be provided as required; and (f) AI Features shall support Consumer rights under the New Hampshire Consumer Expectation of Privacy Act.

11.4 Privacy Compliance Warranty. Provider warrants that it shall process Personal Data in compliance with the New Hampshire Consumer Expectation of Privacy Act and shall implement reasonable technical measures to support Customer's compliance obligations, including consumer rights request fulfillment and opt-out mechanisms.

11.5 Security Warranty. Provider warrants it shall maintain security measures described in Article 9 and shall not knowingly introduce malicious code.

11.6 Non-Infringement Warranty. Provider warrants that the Services do not infringe any third-party intellectual property right.

11.7 Disclaimer. EXCEPT FOR EXPRESS WARRANTIES IN THIS ARTICLE, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY NEW HAMPSHIRE LAW, PROVIDER DISCLAIMS ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT AI FEATURES WILL PRODUCE ACCURATE, COMPLETE, OR UNBIASED RESULTS IN ALL CIRCUMSTANCES.

11.8 Warranty Remedy. For warranty breaches, Customer may elect: (a) re-performance at no additional cost; (b) pro-rata credit; or (c) termination with refund of prepaid Fees for the unused Subscription Term.

ARTICLE 12: SERVICE LEVELS AND CREDITS

12.1 Service Level Commitments. Provider shall meet the SLA commitments in Schedule SLA-1.

12.2 Uptime Guarantee. Provider guarantees monthly uptime of at least [____]%, excluding scheduled maintenance and force majeure.

12.3 Service Credits.

12.4 Credit Request. Customer must request credits within [____] days of the affected month. Credits apply against future invoices.

12.5 Chronic Failure. If the Services fail to meet the Uptime Commitment for [____] or more months in any [____]-month period, Customer may terminate and receive a pro-rata refund.

12.6 AI Feature Performance. Provider shall maintain AI Feature performance metrics as specified in Schedule AI-1.

ARTICLE 13: INDEMNIFICATION

13.1 Indemnification by Provider. Provider shall indemnify Customer against third-party claims arising from:
(a) Provider's breach of this Agreement;
(b) Allegations that the Services infringe intellectual property rights;
(c) Provider's breach of data protection, security, or confidentiality obligations;
(d) Provider's violation of the New Hampshire Consumer Expectation of Privacy Act, the Consumer Protection Act (N.H. Rev. Stat. Chapter 358-A), or other applicable law;
(e) Bodily injury or property damage from Provider's gross negligence or willful misconduct; or
(f) Claims arising from Bias, Hallucination, or AI Feature defects attributable to Provider.

13.2 Indemnification by Customer. Customer shall indemnify Provider against third-party claims arising from:
(a) Customer Data;
(b) Customer's use of the Services in violation of this Agreement or law;
(c) Customer's breach of Acceptable Use restrictions; or
(d) Customer's failure to implement Human Override when required.

13.3 Procedures. The Indemnified Party shall: (a) provide prompt notice; (b) grant the Indemnifying Party control of defense (subject to consent for settlements imposing obligations on the Indemnified Party); and (c) cooperate reasonably.

13.4 IP Remedies. If the Services become subject to an infringement claim, Provider shall: (a) procure continued use rights; (b) modify the Services to be non-infringing; (c) replace the infringing component; or (d) terminate and refund prepaid Fees.

ARTICLE 14: LIMITATION OF LIABILITY

14.1 Consequential Damages Exclusion. TO THE MAXIMUM EXTENT PERMITTED BY NEW HAMPSHIRE LAW, NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, GOODWILL, OR DATA.

14.2 Liability Cap. EACH PARTY'S TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED [____] TIMES THE FEES PAID OR PAYABLE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, EXCEPT FOR EXCLUDED CLAIMS.

14.3 Excluded Claims. The limitations do not apply to:
(a) Indemnification obligations;
(b) Breach of data protection or security obligations;
(c) Breach of confidentiality;
(d) Gross negligence or willful misconduct;
(e) IP infringement;
(f) Violations of the New Hampshire Consumer Expectation of Privacy Act; or
(g) Customer's payment obligations.

14.4 Essential Purpose. THE LIMITATIONS REFLECT THE PARTIES' INFORMED ALLOCATION OF RISK AND SHALL APPLY EVEN IF ANY LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

ARTICLE 15: TERM AND TERMINATION

15.1 Agreement Term. This Agreement continues until all Order Forms expire or are terminated.

15.2 Renewal. Order Forms automatically renew for successive equal periods unless either Party provides [____] days' written notice of non-renewal.

15.3 Termination for Cause. Either Party may terminate for material breach not cured within thirty (30) days of written notice, insolvency, or cessation of business.

15.4 Termination for Convenience. Customer may terminate upon [____] days' notice, subject to payment for the remainder of the current term.

15.5 Termination for AI or Privacy Non-Compliance. Customer may terminate immediately if:
(a) Provider materially breaches AI governance obligations and fails to cure within fifteen (15) days;
(b) A regulatory authority determines the AI Features violate applicable law;
(c) Provider fails to comply with the New Hampshire Consumer Expectation of Privacy Act; or
(d) Provider fails to support consumer rights requests within required timeframes.

15.6 Effects of Termination.
(a) Customer ceases use; Provider disables access.
(b) Customer Data available for export for [____] days.
(c) Surviving provisions: Articles 7, 10, 11.7, 13, 14, 16, 17.
(d) Secure deletion of Customer Data after the export period.
(e) Provider shall cooperate with transition to a successor provider.

ARTICLE 16: DISPUTE RESOLUTION

16.1 Governing Law. This Agreement shall be governed by the laws of the State of New Hampshire, without regard to conflict of laws principles.

16.2 Venue. Exclusive jurisdiction and venue in the state and federal courts in [Hillsborough County / Merrimack County], New Hampshire.

16.3 Escalation. Before formal proceedings (except injunctive relief or time-barred claims):
(a) Operational contacts attempt resolution within fifteen (15) business days;
(b) Executive escalation within fifteen (15) additional business days;
(c) Non-binding mediation in Concord, New Hampshire, within thirty (30) days, costs shared equally.

16.4 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY NEW HAMPSHIRE LAW, EACH PARTY IRREVOCABLY WAIVES ANY RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING OUT OF OR RELATED TO THIS AGREEMENT. //GUIDANCE: New Hampshire courts generally enforce contractual jury waivers in commercial agreements between sophisticated parties. Ensure the waiver is conspicuous and mutual.

16.5 Injunctive Relief. Either Party may seek injunctive relief in any competent court to prevent irreparable harm without posting bond or proving actual damages.

16.6 Prevailing Party. The prevailing Party shall recover reasonable attorneys' fees and costs.

ARTICLE 17: GENERAL PROVISIONS

17.1 Notices. Written notices deemed given when: (a) delivered personally; (b) sent by confirmed email; (c) one (1) business day after overnight courier deposit; or (d) three (3) business days after certified mail. Notices sent to addresses on the first page.

17.2 Assignment. No assignment without prior written consent, except in connection with merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound.

17.3 Subcontracting. No subcontracting of material obligations without Customer's consent. Provider remains responsible for subcontractors.

17.4 Force Majeure. Neither Party liable for delays due to causes beyond reasonable control (excluding payment obligations). If force majeure continues for [____] days, either Party may terminate the affected Order Form.

17.5 Non-Compete Considerations. To the extent any provision restricts competitive activities of Party employees, such provisions shall comply with New Hampshire law, which enforces non-compete agreements under a traditional reasonableness analysis considering geographic scope, duration, and scope of restricted activities. //GUIDANCE: New Hampshire evaluates non-competes using a multi-factor test including whether the restriction is necessary to protect legitimate business interests, is reasonable in scope and duration, and does not impose undue hardship.

17.6 Electronic Signatures. This Agreement may be executed electronically in accordance with the New Hampshire Uniform Electronic Transactions Act (N.H. Rev. Stat. Chapter 294-E). Electronic signatures have the same legal effect as original signatures.

17.7 Consumer Protection Compliance. The Parties shall comply with the New Hampshire Consumer Protection Act (N.H. Rev. Stat. Chapter 358-A) in all dealings related to this Agreement. Unfair or deceptive acts or practices in trade or commerce are prohibited.

17.8 Entire Agreement. This Agreement, with all Order Forms, Schedules, and Exhibits, constitutes the entire agreement and supersedes all prior agreements.

17.9 Amendments. Amendments only by written instrument signed by both Parties.

17.10 Severability. Invalid provisions reformed to the minimum extent necessary; remaining provisions continue in force.

17.11 Waiver. No waiver by failure or delay; waivers must be in writing.

17.12 Independent Contractors. The Parties are independent contractors.

17.13 Third-Party Beneficiaries. No third-party beneficiaries.

17.14 Counterparts. May be executed in counterparts.

17.15 Order of Precedence. (a) Data Processing Addendum; (b) this Agreement; (c) Order Forms; (d) Statements of Work; (e) other Schedules.

17.16 Publicity. No use of the other Party's name or trademarks without prior consent.

17.17 Export Compliance. Each Party shall comply with export control laws including EAR and ITAR.

17.18 Anti-Corruption. Each Party shall comply with anti-corruption laws including the FCPA.

SCHEDULES AND EXHIBITS

• Schedule OF-1: Order Form Template
• Schedule SLA-1: Service Level Agreement
• Schedule SUP-1: Support Policy
• Schedule PS-1: Professional Services Statement of Work
• Schedule DPA-1: Data Processing Addendum
• Schedule AI-1: AI Feature Description, Risk Classification, and Controls
• Schedule SEC-1: Security Controls and Compliance Certificates

EXECUTION BLOCK

☐ Provider has reviewed and agrees to the terms of this Agreement
☐ Customer has reviewed and agrees to the terms of this Agreement
☐ Legal counsel review completed
☐ AI Feature Schedule (Schedule AI-1) has been reviewed and accepted
☐ Data Processing Addendum (Schedule DPA-1) has been executed
☐ New Hampshire Consumer Expectation of Privacy Act compliance verified

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

EXHIBIT A: AI FEATURE SCHEDULE TEMPLATE

AI Feature Name: [________________________________]
Version: [________________________________]
Risk Tier: ☐ Tier 1 ☐ Tier 2 ☐ Tier 3 ☐ Tier 4
Description: [________________________________]
Data Inputs: [________________________________]
Output Type: [________________________________]
Training Data Sources: [________________________________]
Human Override Available: ☐ Yes ☐ No
Explainability Level: ☐ Full ☐ Partial ☐ Limited
Bias Testing Completed: ☐ Yes ☐ No
Last Assessment Date: [__/__/____]
Profiling Involved (NH Privacy Act): ☐ Yes ☐ No
Targeted Advertising Involved: ☐ Yes ☐ No
Sensitive Data Processed: ☐ Yes ☐ No
Data Protection Assessment Required: ☐ Yes ☐ No
Known Limitations: [________________________________]

EXHIBIT B: ORDER FORM TEMPLATE

Order Form No.: [________________________________]
Effective Date: [__/__/____]
Subscription Term: [________________________________]
Services: [________________________________]
Number of Authorized Users: [____]
Monthly/Annual Fees: $[________________________________]
Payment Terms: [________________________________]
Data Storage Location: [________________________________]
AI Features Included: ☐ Yes ☐ No (If yes, complete Schedule AI-1)
New Hampshire Sales Tax: Not applicable (no state sales tax)

EXHIBIT C: SLA SUMMARY

EXHIBIT D: DATA PROCESSING ADDENDUM SUMMARY

Data Controller: Customer
Data Processor: Provider
Categories of Data Subjects: [________________________________]
Types of Personal Data Processed: [________________________________]
Sensitive Data Categories: [________________________________]
Purpose of Processing: [________________________________]
Duration of Processing: Duration of Subscription Term plus export period
Subprocessors Authorized: ☐ Yes (see list) ☐ No
Consumer Rights Response Timeline: 45 days (per NH Consumer Expectation of Privacy Act)
Data Breach Notification Timeline: As expedient as possible (N.H. Rev. Stat. §§ 359-C:19-21)
Data Deletion Timeline Post-Termination: [____] days
Cross-Border Transfer Mechanisms: [________________________________]

This template is provided for informational purposes only and does not constitute legal advice. This template should be reviewed and customized by a qualified attorney licensed in New Hampshire before use. Laws and regulations change frequently; verify all statutory citations and legal requirements are current at the time of execution.