Commercial Terms

Welcome to Sudennian AI! Before accessing our Services, please read these Commercial Terms of Service.

These Commercial Terms of Service (“Terms”) are an agreement between Sudennian AI, PBC (“Sudennian AI”) and you or the organization, company, or other entity that you represent (“Customer”). They govern Customer’s use of any Sudennian AI API key, the Sudennian AI Console, or any other Sudennian AI offerings that references these Terms (the “Services”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“Effective Date”).

Please note: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., ArchLevel.ai) are governed by our Consumer Terms of Service instead.

A. Services

  1. Overview. Subject to these Terms, Customer may use the Services, including to make submissions to the Services (“Prompts”) and generate responses to its Prompts (“Outputs” and, together with Prompts, “Customer Content”).

  2. Beta Services. Sudennian AI may offer Services that are in pre-release, beta, or trial form (“Beta Services”). This means that they are not suitable for production use and provided “as-is” on a temporary basis. Sudennian AI is not responsible for Customer’s use of or reliance on Beta Services.

  3. Feedback. If Customer decides, in its sole discretion, to provide Sudennian AI with feedback regarding the Services, Sudennian AI may use that feedback at its own risk and without obligation to Customer.

  4. Customer Content. As between the Parties and to the extent permitted by applicable law, Sudennian AI agrees that Customer owns all Outputs, and disclaims any rights it receives to the Customer Content under these Terms. Sudennian AI does not anticipate obtaining any rights in Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Sudennian AI hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Sudennian AI may not train models on Customer Content from paid Services.

  5. Data Privacy. If Customer submits personal data or personally identifiable information (collectively, “PII”) to the Services, the Sudennian AI Data Processing Addendum in Exhibit A applies and is incorporated into these Terms by reference.

B. Trust and Safety; Restrictions

  1. Compliance. Each Party will comply with all laws applicable to the provision (for Sudennian AI) and use (for Customer) of the Services, including any applicable data privacy laws.

  2. Acceptable Use Policy. Customer may only use the Services in compliance with these Terms, including the Acceptable Use Policy (“AUP”), which is incorporated by reference into these Terms, and which may be updated by Sudennian AI. Customer must use reasonable efforts to ensure the same of its customers or other end users (“Users”). Customer must cooperate with reasonable requests for information from Sudennian AI to support compliance with its AUP, including to verify Customer’s identity and use of the Services.

  3. Limitations of Outputs; Notice to Users. It is Customer’s responsibility to evaluate whether Outputs are appropriate for Customer’s use case, including where human review is appropriate, before using or sharing Outputs. Customer acknowledges, and must notify its Users, that factual assertions in Outputs should not be relied upon without independently checking their accuracy, as they may be false, incomplete, misleading or not reflective of recent events or information. Customer further acknowledges that Outputs may contain content inconsistent with Sudennian AI’s views.

  4. Use Restrictions. Customer may not and must not attempt to (a) access the Services to build a competing product or service, including to train competing AI models except as expressly approved by Sudennian AI; (b) reverse engineer or duplicate the Services; or (c) support any third party’s attempt at any of the conduct restricted in this sentence. Customer and its Users may only use the Services in the countries and regions Sudennian AI currently supports.

  5. Security. Customer will promptly notify Sudennian AI if Customer believes or knows that (a) the account it uses to access the Services has been compromised, or (b) Customer is subject to a denial of service or similar malicious attack that may negatively impact the Services.

C. Confidentiality

  1. Confidential Information. The Parties may share information that is identified as confidential, proprietary, or similar, or that a Party would reasonably understand to be confidential or proprietary ("Confidential Information"). Customer Content is Customer’s Confidential Information.

  2. Obligations of Parties. The receiving Party ("Recipient") may only use the Confidential Information of the disclosing Party ("Discloser") to exercise its rights and perform its obligations under these Terms. Recipient may only share Discloser’s Confidential Information to Recipient’s employees, agents, and advisors that have a need to know such Confidential Information and who are bound to obligations of confidentiality at least as protective as those provided in these Terms ("Representatives"). Recipient will protect Discloser’s Confidential Information from unauthorized use, access, or disclosure in the same manner as Recipient protects its own Confidential Information, and with no less than reasonable care. Recipient is responsible for all acts and omissions of its Representatives. Recipient will promptly notify Discloser if it suspects or knows that Discloser’s Confidential Information was breached, and agrees to cooperate to mitigate further risks of loss or misuse.

  3. Exclusions. Recipient’s obligations with respect to Confidential Information do not apply if Recipient demonstrates that Discloser’s Confidential Information was (a) already known to Recipient at the time of disclosure by Discloser, (b) disclosed to Recipient by a third party without a duty of confidentiality, (c) publicly available through no fault of Recipient, or (d) independently developed by Recipient without use of or access to Discloser’s Confidential Information. Recipient may disclose Discloser’s Confidential Information to the extent it is required by law, or court or administrative order, but will, except where expressly prohibited, notify Discloser of the required disclosure promptly and fully cooperate with Discloser.

  4. Destruction Request. Recipient will destroy Discloser’s Confidential Information promptly upon request, except copies in Recipient’s automated back-up systems, which will remain subject to these obligations of confidentiality while maintained.

D. Intellectual Property

Except as expressly stated in these Terms, these Terms do not grant either Party any rights to the other’s content or intellectual property, by implication or otherwise.

E. Publicity

Neither Party may make public statements about Customer’s use of the Services without the other Party’s permission.

F. Fees

  1. Payment of Fees. Customer is responsible for fees incurred by its account, at the rates specified on the Model Pricing Page, unless otherwise agreed by the Parties. Sudennian AI may require prepayment for the Services in the form of credits or offer other types of credits, all of which are subject to Sudennian AI’s Supplemental Credits Terms. Sudennian AI may update the published rates, to be effective the earlier of 30 days after the updates are posted by Sudennian AI or Customer otherwise receives Notice.

  2. Taxes. Fees do not include any taxes, duties, or assessments that may be owed by Customer for use of the Services ("Taxes"), unless otherwise specified in the applicable invoice.

  3. Billing. Failure to pay Sudennian AI all amounts owed when due may result in suspension or termination of Customer’s access to the Services. Sudennian AI reserves any other rights of collection it may have.

G. Termination and Suspension

  1. Term. These Terms start on the Effective Date and continue until terminated (the “Term”).

  2. Termination.

    1. Each Party may terminate these Terms at any time for convenience with Notice, except Sudennian AI must provide 30 days prior Notice.

    2. Either Party may terminate these Terms for the other Party’s material breach by providing 30 days prior Notice detailing the nature of the breach unless cured within that time.

    3. Sudennian AI may terminate these Terms immediately with Notice if Sudennian AI reasonably believes or determines that Sudennian AI’s provision of the Services to Customer is prohibited by applicable law.

  3. Suspension.

    1. Sudennian AI may suspend Customer’s access to any portion or all of the Services if: (a) Sudennian AI reasonably believes or determines that (i) there is a risk to or attack on any of the Services; (ii) Customer or any User is using the Services in violation of Sections B.1 (Compliance), B.2 (Acceptable Use Policy) or B.4 (Use Restrictions); or (iii) Sudennian AI’s provision of the Services to Customer is prohibited by applicable law or would result in a material increase in the cost of providing the Services; or (b) any vendor of Sudennian AI has suspended or terminated Sudennian AI’s use of any third-party services or products required to enable Customer to access the Services (each, a “Service Suspension”).

    2. Sudennian AI will use reasonable efforts to provide written notice of any Service Suspension to Customer, and resume providing access to the Services, as soon as reasonably possible after the event giving rise to the Service Suspension is cured, where curable. Sudennian AI will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer may incur because of a Service Suspension.

  4. Effect of Termination. Upon termination, Customer may no longer access the Services. The following provisions will survive termination or expiration of these Terms: (a) Sections C (Confidentiality), E (Publicity), F (Fees), G.4 (Effect of Termination), H (Disputes), I (Indemnification), J.2 (Disclaimer of Warranties), J.3 (Limits on Liability), and K (Miscellaneous); (b) any provision or condition that must survive to fulfill its essential purpose.

H. Disputes

  1. Disputes. In the event of a dispute, claim or controversy relating to these Terms (“Dispute”), the Parties will first attempt in good faith to informally resolve the matter. The Party raising the Dispute must notify the other Party (“Dispute Notice”), who will have 15 days from the date of delivery of the Dispute Notice to propose a time for the Parties to meet with appropriately leveled executives to attempt to resolve the Dispute. If the Parties have not resolved the dispute within 45 days of delivery of the Dispute Notice, either Party may seek to resolve the dispute through arbitration as stated in Section H.2.

  2. Arbitration. Any Dispute will be determined by final, binding arbitration in San Francisco, California by a sole arbitrator pursuant to the Comprehensive Arbitration Rules and Procedures of Judicial Arbitration and Mediation Services, Inc. ("JAMS"). Judgment on any award issued through the JAMS arbitration process may be entered in any court having jurisdiction. EACH PARTY AGREES THEY ARE WAIVING THE RIGHT TO A TRIAL BY JURY, AND THE RIGHT TO JOIN AND PARTICIPATE IN A CLASS ACTION, TO THE FULLEST EXTENT PERMITTED UNDER THE LAW IN CONNECTION WITH THESE TERMS.

  3. Equitable Relief. This Section H (Disputes) does not limit either Party from seeking equitable relief.

I. Indemnification

  1. Claims Against Customer. Sudennian AI will defend Customer and its personnel, successors, and assigns from and against any Customer Claim (as defined below) and indemnify them for any judgment that a court of competent jurisdiction grants a third party on such Customer Claim or that an arbitrator awards a third party under any Sudennian AI-approved settlement of such Customer Claim. "Customer Claim" means a third-party claim, suit, or proceeding alleging that Customer’s paid use of the Services (which includes data Sudennian AI has used to train a model that is part of the Services) in accordance with these Terms or Outputs generated through such authorized use violates third-party patent, trade secret, trademark, or copyright rights.

  2. Claims Against Sudennian AI. Customer will defend Sudennian AI and its personnel, successors, and assigns from and against any Sudennian AI Claim (as defined below) and indemnify them for any judgment that a court of competent jurisdiction grants a third party on such Sudennian AI Claim or that an arbitrator awards a third party under any Customer-approved settlement of such Sudennian AI Claim. “Sudennian AI Claim” means any third-party claim, suit, or proceeding related to Customer’s or its Users’ (a) Prompts or (b) use of the Services in violation of the AUP or Section B.4 (Use Restrictions). Sudennian AI Claims and Customer Claims are each a “Claim”, as applicable.

  3. Exclusions. Neither Party’s defense or indemnification obligations will apply to the extent the underlying allegation arises from the indemnified Party’s fraud, willful misconduct, violations of law, or breach of the Agreement. Additionally, Sudennian AI’s defense and indemnification obligations will not apply to the extent the Customer Claim arises from: (a) modifications made by Customer to the Services or Outputs; (b) the combination of the Services or Outputs with technology or content not provided by Sudennian AI; (c) Prompts or other data provided by Customer; (d) use of the Services or Outputs in a manner that Customer knows or reasonably should know violates or infringes the rights of others; (e) the practice of a patented invention contained in an Output; or (f) an alleged violation of trademark based on use of an Output in trade or commerce.

  4. Process. The indemnified Party must promptly notify the indemnifying Party of the relevant Claim, and will reasonably cooperate in the defense. The indemnifying Party will retain the right to control the defense of any such Claim, including the selection of counsel, the strategy and course of any litigation or appeals, and any negotiations or settlement or compromise, except that the indemnified Party will have the right, not to be exercised unreasonably, to reject any settlement or compromise that requires that it admit wrongdoing or liability or subjects it to an ongoing affirmative obligation. The indemnifying Party’s obligations will be excused if either of the following materially prejudices the defense: (a) failure of the indemnified Party to provide prompt notice of the Claim; or (b) failure to reasonably cooperate in the defense.

  5. Sole Remedy. To the extent covered under this Section I (Indemnification), indemnification is each Party’s sole and exclusive remedy under these Terms for any third-party claims.

J. Warranties and Limits on Liability

  1. Warranties. Each Party represents and warrants that (a) it is authorized to enter into these Terms; and (b) entering into and performing these Terms will not violate any of its corporate rules, if applicable. Customer further represents and warrants that it has all rights and permissions required to submit Prompts to the Services.

  2. Disclaimer of Warranties. EXCEPT TO THE EXTENT EXPRESSLY PROVIDED FOR IN THESE TERMS, TO THE MAXIMUM EXTENT PERMITTED UNDER LAW (A) THE SERVICES AND OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND; AND (B) SUDENNIAN AI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, RELATING TO THIRD-PARTY PRODUCTS OR SERVICES, INCLUDING THIRD-PARTY INTERFACES. SUDENNIAN AI EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING OR PERFORMANCE, OR TRADE USE. SUDENNIAN AI DOES NOT WARRANT, AND DISCLAIMS THAT, THE SERVICES OR OUTPUTS ARE ACCURATE, COMPLETE OR ERROR-FREE OR THAT THEIR USE WILL BE UNINTERRUPTED. REFERENCES TO A THIRD PARTY IN THE OUTPUTS MAY NOT MEAN THEY ENDORSE OR ARE OTHERWISE WORKING WITH SUDENNIAN AI.

  3. Limits on Liability.

    1. Except as stated in Section J.3.b, the liability of each Party, and its affiliates and licensors, for any damages arising out of or related to these Terms (i) excludes damages that are consequential, incidental, special, indirect, or exemplary damages, including lost profits, business, contracts, revenue, goodwill, production, anticipated savings, or data, and costs of procurement of substitute goods or services and (ii) is limited to Fees actually paid by Customer for the Services in the previous 12 months.

    2. The limitations of liability in this Section J.3 (Limits on Liability) do not apply to either Party’s obligations under Section I (Indemnification).

    3. THE LIMITATIONS OF LIABILITY IN THIS SECTION J.3 (LIMITS ON LIABILITY) APPLY: (A) TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW; (B) TO LIABILITY IN TORT, INCLUDING FOR NEGLIGENCE; (C) REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT PRODUCT LIABILITY, OR OTHERWISE; (D) EVEN IF THE BREACHING PARTY IS ADVISED IN ADVANCE OF THE POSSIBILITY OF THE DAMAGES IN QUESTION AND EVEN IF SUCH DAMAGES WERE FORESEEABLE; AND (E) EVEN IF THE INJURED PARTY'S REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.

    4. The Parties agree that they have entered into these Terms in reliance on the terms of this Section J.3 (Limits on Liability) and those terms form an essential basis of the bargain between the Parties.

K. Miscellaneous

  1. Notices. All notices, demands, waivers, and other communications under these Terms (each, a "Notice") must be in writing. Except for notices related to demands to arbitrate or where equitable relief is sought, any Notices provided under these Terms may be delivered electronically to the Customer’s address or other authorized addresses provided to Sudennian AI; and to notices@sudennian.com if to Sudennian AI. Notice is effective only: (i) upon receipt by the receiving Party, and (ii) if the Party giving the Notice has complied with all requirements of this Section K.1 (Notices).

  2. Electronic Communications. Customer agrees to receive electronic communications from Sudennian AI based on Customer’s use of the Services and related to these Terms. Except where prohibited by applicable law, electronic communications may include email, through the Services or Customer’s management dashboard, or on Sudennian AI’s website. Sudennian AI may also provide electronic communications via text or SMS about Customer’s use of the Services or as Customer otherwise requests from Sudennian AI. If Customer wishes to stop receiving such messages, Customer may request it from Sudennian AI or respond to any such texts with “STOP.”

  3. Amendment and Modification. Sudennian AI may update these Terms at any time, to be effective 30 days after the updates are posted by Sudennian AI or Customer otherwise receives Notice, except that updates made in response to changes to law or regulation take effect immediately upon posting or Notice. Changes will not apply retroactively. No other amendment to or modification of these Terms is effective unless it is in writing and signed by both Parties. Failure to exercise or delay in exercising any rights or remedies arising from these Terms does not and will not be construed as a waiver; and no single or partial exercise of any right or remedy will preclude future exercise of such right or remedy.

  4. Assignment and Delegation. Neither Party may assign its rights or delegate its obligations under these Terms without the other Party’s prior written consent, except that Sudennian AI may assign its rights and delegate its obligations as part of a sale of all or substantially all its business. Any purported assignment or delegation is null and void except as permitted above. No permitted assignment or delegation will relieve the contracting Party or assignees of their obligations under these Terms. These Terms will bind and inure to the benefit of the Parties and their respective permitted successors and assigns.

  5. Severability. If a provision of these Terms is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will neither affect any other term or provision of these Terms nor invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties will negotiate in good faith to modify these Terms to reflect the Parties’ original intent as closely as possible.

  6. Interpretation. These Terms will be construed mutually, with neither Party considered the drafter. Document and section titles are provided for convenience and will not be interpreted. The phrases “for example” or “including” or “or” are not limiting.

  7. Governing Law. These Terms are governed by and construed in accordance with the laws of the State of California, without giving effect to any choice of law provision. Subject to Section H (Disputes), all suits, action, or proceedings related to these Terms will be instituted exclusively in federal or state courts located in San Francisco, California, and each Party irrevocably submits to their exclusive jurisdiction.

  8. Export and Sanctions. Customer may not export or provide access to the Services to persons or entities or into countries or for uses where it is prohibited under U.S. or other applicable international law. Without limiting the foregoing sentence, this restriction applies (a) to countries where export from the US or into such country would be prohibited or illegal without first obtaining the appropriate license, and (b) to persons, entities, or countries covered by U.S. sanctions.

  9. Integration. These Terms (including the AUP, DPA, Model Pricing Page and other documents or terms that are incorporated by reference by these Terms) constitute the Parties’ entire understanding as to the Services’ provision and use. These Terms supersede all other understandings or agreements between the Parties regarding the Services. If Customer has also agreed to our Terms of Service, these Terms control.

  10. Force Majeure. Neither Party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

Exhibit A: Sudennian AI Data Processing Addendum

This Data Processing Addendum (“DPA”) applies to Sudennian AI PBC, a Public Benefit Corporation (“Sudennian AI”) and its processing of Personal Data in relation to the provision of Sudennian AI’s Services to the Customer (as defined in the contract referencing this DPA under which Sudennian AI has agreed to provide Services). Unless otherwise expressly stated in the Agreement, this DPA shall be effective and remain in force for the full term of the Agreement. Sudennian AI and the Customer each may be referred to herein as a “Party” or collectively as the “Parties.”

1. DEFINITIONS

  • "Customer Affiliate" means an affiliate of Customer who is a beneficiary to the Agreement.

  • "Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.

  • "Controller" will have the following meaning (as applicable): (a) the meaning given to “controller” under Applicable Data Protection Laws; or (b) the meaning given to “business” under Applicable Data Protection Laws.

  • "Covered Data" means Personal Data shared by Customer or a Customer Affiliate in relation to the provision of the Services. “Data Subject” means a natural person whosePersonal Data is part of the Covered Data.

  • Data Subject Requests” means a request from a Data Subject to exercise their rights under Applicable Data Protection Laws. "GDPR" means Regulation (EU) 2016/679.

  • Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information underApplicable Data Protection Laws.

  • "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and“Processed” will be interpreted accordingly.

  • Processor” will have the following meaning (as applicable): (a) the meaning given to“processor” under Applicable Data Protection Laws; or (b) the meaning given to “service provider” under Applicable Data Protection Laws.

  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to(including unauthorized internal access to), Covered Data.

  • "Services" means the services to be provided by Sudennian AI pursuant to the Agreement.

  • "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor)and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

  • "Sub-processor" means an entity appointed by Sudennian AI, as a Processor, toProcess Covered Data on its behalf.

  • UK GDPR” has the meaning given under the Data Protection Act 2018 (UK).

2. GENERAL

  1. This DPA is incorporated into and forms an integral part of the Agreement. If there is any conflict between this DPA and the Agreement relating to the Processing of Covered Data, this DPA shall govern. Customer acknowledges and agrees that Sudennian AI may amend this DPA from time to time on reasonable notice to Customer where such changes are required because of changes in Applicable Data Protection Laws.

  2. Clauses 3 to 9 of this DPA apply to the extent Sudennian AI acts as a Processor on behalf of Customer with respect to the Covered Data.

3. DETAILS OF DATA PROCESSING

  1. The details of the Processing of Covered Data (such as subject matter, duration, nature, and purpose of the Processing, categories of Personal Data and DataSubjects) are described in the Agreement and in Part B of Schedule 1 to this DPA.

  2. Sudennian AI will only Process Covered Data in accordance with Applicable DataProtection Laws and on the documented instructions of Customer (including as set out in the Agreement and this DPA), unless required to do otherwise by applicable law to which Sudennian AI is subject, in which case Sudennian AI will, unless prohibited by applicable law, inform Customer of such legal requirement before Processing. Without limiting the foregoing, Sudennian AI is prohibited from:

    1. selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;

    2. sharing Covered Data with any third party for cross-context behavioural advertising;

    3. retaining, using, or disclosing Covered Data outside of the direct business relationship and for any purpose other than for the business purposes specified in Part B of Schedule 1 or as otherwise permitted by Applicable Data Protection Laws; and

    4. except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Sudennian AI receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

  3. To the extent that any of the instructions provided by Customer to Sudennian AI in accordance with clause 3.b require Processing of Covered Data in a manner that falls outside the scope of the Services, Sudennian AI may:

    1. notify Customer that such instructions fall outside the scope of Services under theAgreement and not carry out such instructions, or at Sudennian AI’s election, make the performance of any such instructions subject to the payment by Customer of any costs and expenses incurred by Customer or such additional charges asCustomer may reasonably determine; or

    2. immediately terminate the Agreement and the Services.

  4. Sudennian AI will promptly inform Customer if, in its opinion, an instruction from Customer relating to the Processing of Covered Data infringes Applicable Data Protection Law.

  5. Customer hereby authorises and instructs Sudennian AI to Process Covered Data anywhere that Sudennian AI or its Sub-processors maintain facilities.

  6. Sudennian AI will, at the request of Customer, provide assistance that is reasonable necessary for Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws.

  7. Customer will have the right to take reasonable and appropriate steps to ensure that Sudennian AI uses Covered Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws.

  8. Sudennian AI will ensure that each person authorised to process Covered Data is subject to a duty of confidentiality.

  9. Customer acknowledges that Sudennian AI’s Services are not designed, intended, or provided for the purpose of making predictions regarding any Data Subject, determining creditworthiness, or any other manner of automated decision-making regarding Data Subject(s) to which the Covered Data relates.

  10. Sudennian AI may charge Customer, and Customer will reimburse Sudennian AI, for any assistance provided by Sudennian AI to Customer in relation to this DPA, including with respect to any TIAs or consultation with any supervisory authority of Customer.

4. SUB-PROCESSORS

  1. Customer grants Sudennian AI the general authorisation to engage the Sub-processors listed in Schedule 5, and any additional Sub-processors in accordance with clause 4.c.

  2. Sudennian AI will: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are substantively no less protective of Covered Data than Sudennian AI’s obligations under this DPA; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.

  3. In the event that Sudennian AI wishes to appoint an additional Sub-processor: (a) Sudennian AI will provide Customer reasonable notice; and (b) Customer may, on the basis of reasonable data privacy and data security concerns, object to Sudennian AI’s use of such Sub-processor by providing Sudennian AI with written notice of the objection within ten (10) days of the date of such notice, otherwise the additional Sub-processor shall be deemed approved. In the event Customer objects to Sudennian AI’s use of a newSub-processor, Customer and Sudennian AI will work together in good faith to find a mutually acceptable resolution to address any objections raised by Customer.

5. DATA SUBJECT RIGHTS REQUESTS

  1. Sudennian AI will forward to Customer promptly any Data Subject Request received by Sudennian AI relating to the Covered Data and may advise the Data Subject to submit their request directly to Customer.

  2. Sudennian AI will, taking into account the nature of the Processing of Covered Data, provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

6. SECURITY

  1. Accounting for the state of the art, costs of implementation and the nature, scope and context and purposes of the relevant Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sudennian AI will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for theCovered Data appropriate to the risk of the relevant Processing.

  2. The Parties agree that the measures set out in Schedule 2 provide an appropriate level of security for the Covered Data, accounting for the risks presented by theProcessing outlined in the Agreement and this DPA.

7. AUDITS AND RECORDS

  1. Upon request, Sudennian AI will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

  2. To the extent required by Applicable Data Protection Legislation, Sudennian AI will permitCustomer (or a suitably qualified, independent third-party auditor which is not a competitor of Sudennian AI) to audit Sudennian AI’s compliance with this DPA no more than once per calendar year on at least thirty (30) days’ written notice to Sudennian AI (an “Audit”), provided that Customer (or Customer’s third-party auditor, as applicable):

    1. may only conduct an Audit during Sudennian AIs normal business hours;

    2. will conduct the Audit in a manner that does not disrupt Sudennian AI’s business;

    3. enters into a confidentiality agreement reasonably acceptable to Sudennian AI prior to conducting the Audit;

    4. pays any reasonably incurred costs and expenses incurred by Sudennian AI in the event of an Audit;

    5. ensures that its personnel comply with any policies and procedures notified by Sudennian AI to Customer when attending Sudennian AI’s premises;

    6. submits, as part of the written notice provided by Customer to Sudennian AI, a detailed proposed audit plan which is agreed by Sudennian AI (an “Audit Plan”); and

    7. conducts the Audit in compliance with the final agreed Audit Plan.

  3. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of the DPA. Nothing in this clause 7 will require Sudennian AI to breach any duties of confidentiality it owes to third parties.

8. SECURITY INCIDENTS

  1. Sudennian AI will notify Customer in writing without undue delay after becoming aware of any Security Incident. Sudennian AI will, to the extent reasonably necessary, cooperate with Customer’s investigation of the Security Incident. Sudennian AI’s notification of, or response to, a Security Incident will not be construed as an acknowledgement by Sudennian AI of any fault or liability with respect to the Security Incident.

9. DELETION AND RETURN

  1. Sudennian AI will, in any event, within thirty (30) days of the date of termination or expiry of the Agreement (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Sudennian AI or any Sub-processors.

10. STANDARD CONTRACTUAL CLAUSES

The Parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the Standard Contractual Clauses Module 1 (Controller to Controller),Module Two (Controller to Processor) and/or Module Three (Processor to Processor),each as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the Parties.

  1. To the extent required by Applicable Data Protection Laws, the jurisdiction-specific addenda to the Standard Contractual Clauses set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the Parties.

  2. To the extent that there is any conflict between the terms of this DPA and the terms of the Standard Contractual Clauses, the Standard Contractual Clauses shall govern.

  3. Sudennian AI will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Covered Data. Sudennian AI will, upon Customer’s request and at Customer’s cost, provide information toCustomer which is reasonably necessary for Customer to complete a transfer impact assessment ("TIA") to the extent required under Applicable Data Protection Laws.

SCHEDULE 1 - DETAILS OF PROCESSING AND TRANSFERS

PART A – List of Parties

The Parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of Applicable Data Protection Laws, additional information regarding the data exporter and data importer is set out below.

  1. Data Exporter
    The data exporter is: Customer and/or Customer Affiliates exporting Covered Data to which the GDPR applies.The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Sudennian AI upon request.

  2. Data Importer
    The data importer is: Sudennian AI PBC. The data importer’s contact person and contact details are included in the Agreement or will be disclosed to Customer upon request.

PART B – Description of Processing

  1. Categories of Data Subjects - Determined by Customer (in accordance with the Agreement).

  2. Categories of Personal Data - Determined by the Customer (in accordance with the Agreement).

  3. Special categories of Personal Data (if applicable) - None.

  4. Duration and Frequency of the Processing - The Processing is performed on a continuous basis for the duration of the Agreement and is determined by Customer’s configuration of the Services.

  5. Subject matter and nature of the Processing - Performing the Services on behalf of Sudennian AI which involves Processing (including collection, storage, organisation and structuring) of Personal Data as part of a natural language-based, machine-learning tool, as further described in the Agreement; undertaking activities to verify or maintain the quality of the Services; debugging to identify and repair errors that impair existing intended functionality; helping to ensure security and integrity of the Services.

  6. Purpose(s) of the data transfer and further Processing - To provide the Services to Customer pursuant to the Agreement and as may be further agreed upon by Customer and Sudennian AI.

  7. Storage Limitation - The duration is the term of the Agreement.

  8. Sub-processor (if applicable) - To provide Processing system capability to Sudennian AI (as described in Schedule 4) to provide the Services described in theAgreement.

PART C – Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

Sudennian AI has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, accounting for the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Sudennian AI’s information security program.

  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Sudennian AI’s organization, monitoring and maintaining compliance with Sudennian AI’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

  3. Utilization of commercially available and industry standard encryption technologies for Covered Data that is:

    1. being transmitted by Sudennian AI over public networks (i.e., the Internet) or when transmitted wirelessly; or

    2. at rest or stored on portable or removable media (i.e., laptop computers,CD/DVD, USB drives, back-up tapes).

  4. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

  5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Sudennian AI’s passwords that are assigned to its employees; controls include appropriate password security requirements, and specific time and use limitations for passwords.

  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

  7. Physical and environmental security of data center, server room facilities and other areas containing Covered Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of
    Sudennian AI facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.

  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Sudennian AI’s possession.

  9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Sudennian AI’s technology and information assets.

  10. Incident / problem management procedures designed to allow Sudennian AI to investigate, respond to, mitigate, and notify of events related to Sudennian AI’s technology and information assets.

  11. Network security controls that provide for the use of firewall systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

  12. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

  13. Business resiliency/continuity plan and procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

SCHEDULE 3 - INTERNATIONAL TRANSFERS

EU SCCS

Elections for the purposes of Module 1, Module Two and Module Three of the Standard ContractualClauses:

  1. Clause 7 (Docking clause) – does not apply.

  2. Clause 11 (Redress) – optional wording does not apply.

  3. Clause 17 (Governing Law) – Option 1 will apply and the governing law will be the law of the Republic of Ireland.

  4. Clause 18 (Choice of forum and jurisdiction) – the applicable choice of forum and jurisdiction will be the Republic of Ireland.

  5. For the purpose of Annex I of the Standard Contractual Clauses, Part A of Schedule 1contains the specifications regarding the parties, Part B of Schedule 1 contains the description of transfer for Module Two and Module Three, and Part B of Schedule 1 contains the description of transfer for Module 1 except that the purpose, nature and subject matter of the processing shall be as set out in clause 2.3, and Part C of Schedule1 contains the competent supervisory authority.

  6. For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.

Additional elections for the purposes of Module Two and Module Three of the Standard ContractualClauses:

  1. Clause 9 (Use of sub-processors) – Option 2 (General written authorization) will apply, and the time period is as specified in clause 4.c of the DPA.

  2. For the purpose Annex III of the Standard Contractual Clauses, the list of Sub-processors are set out in Schedule 4 or as otherwise determined by clause 4.c of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Sudennian AI upon request.

UK ADDENDUM

This UK Addendum will apply to any Processing of Covered Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.

  1. With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Customer (as data exporter) to Sudennian AI (as data importer):

    1. to the extent necessary under Applicable Data Protection Law, the ApprovedAddendum as further specified in this UK Addendum of this Schedule 3 will be incorporated into and form part of this DPA;

    2. for the purposes of Table 1 of Part 1 of the Approved Addendum, the parties’ details are as set out in Part A of Schedule 1;

    3. for the purposes of Table 2 of Part 1 of the Approved Addendum, the version of the Approved EU SCCs as set out in the EU SCCs of this Schedule 3 including the Appendix Information are the selected SCCs; and

    4. for the purposes of Table 4 of Part 1 of the Approved Addendum, Sudennian AI (as data importer) may end the Approved Addendum.

SWISS ADDENDUM

This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

  1. Interpretation of this Addendum

    1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

      1. This Addendum: This Addendum to the Clauses

      2. Clauses: The Standard Contractual Clauses as further specified in this Schedule

      3. Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

    2. This Addendum will be read and interpreted in the light of the provisions of SwissData Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

    3. This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

    4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

  2. HierarchyIn the event of a conflict or inconsistency between this Addendum and the provisions of theClauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

  3. Incorporation of the Clauses

    1. In relation to any Processing of Personal Data subject to Swiss Data ProtectionLaws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:

      1. for transfers made by the data exporter to the data importer, to the extent thatSwiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that transfer; and

      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

    2. To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by clause 3.1 of this Swiss Addendum, include (without limitation):

      1. References to the "Clauses" or the "SCCs" mean this Swiss Addendum as itamends the SCCs.

      2. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."

      3. References to "Regulation (EU) 2016/679" or "that Regulation" or “GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s)
        of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

      4. References to Regulation (EU) 2018/1725 are removed.

      5. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".

      6. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data ProtectionLaws;

      7. Clause 17 is replaced to state: "These Clauses are governed by the laws ofSwitzerland insofar as the transfers are governed by Swiss Data Protection Laws".

      8. Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts ofSwitzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protectPersonal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.

  1. To the extent that any Processing of Personal Data is subject to both Swiss DataProtection Laws and the GDPR, the DPA including the Clauses as further specified in this Schedule will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 3.1 and 3.3 of this SwissAddendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under clause 3.3(b)(g) of this Swiss Addendum.

  2. Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.

SCHEDULE 4 - SUB-PROCESSORS

Sudennian AI’s list of sub-processors is available at https://www.sudennian.com/subprocessors.

Sudennian AI

Careers
Commercial Terms
Privacy Policy
Responsible Disclosure Policy
Documentation
Compliance

© 2024 Sudennian AI .Inc

Acceptable Use Policy
Support
Cookie Policy