SERVICE TERMS OF USE
Last Revised: October 1, 2025
These Service Terms of Use (the “Agreement”) contain the terms and conditions which govern the provision of the Services (as defined below) by Thinking Machines Lab ("Company", “we”, “us” or “our”) to you ("Customer", “you” or “your”).
You agree to be bound by this Agreement by: (i) clicking to accept this Agreement; or (ii) accessing or using any of the Services. For any individual who procures a right to use the Services on behalf of an entity or organization, such entity or organization is considered the Customer hereunder, and such individual represents and warrants that he or she is an authorized representative of the Customer with the authority to bind the Customer to of this Agreement.
1. ACCESS AND USE OF SERVICES
a. Access to Services
Subject to this Agreement, we hereby grant you and any individuals that have been authorized by you ("Authorized Users"), during the Term, a non-exclusive, limited, non-transferable, non-sublicensable, worldwide right to access and use the Services, including any APIs or other interfaces made available to you as part of the Services, in accordance with any Documentation, solely for your internal business purposes. “Services” means our online services and dashboards that allow you to train, develop, fine-tune and evaluate AI models, including our APIs, any inference services provided by the Company through its APIs and any related interfaces, dashboards, software, tools, API keys, Documentation, content and functionalities related to the foregoing. “Documentation” means any technical documentation or user manuals distributed or made available by Company in connection with the Services.
b. Models
The Services allow you to access, fine-tune and evaluate the performance of AI model(s), including (i) models from third-party providers ("Third-Party Models"), (ii) your own proprietary Models ("Customer Models") or (iii) proprietary models owned by the Company ("Company Models"). Any evaluation is done for your informational purposes only, and the Company makes no representations or warranties of any kind with respect to any Models (as defined below) that are provided for evaluation purposes. The Company may add or remove access to any Third-Party Models or Company Models at any time in its sole discretion. The Third-Party Models, Customer Models and Company Models are collectively referred to as “Models”, and any Models that we deploy on our Services for you to run inference from are referred to as “Hosted Models”. Any Models that you fine-tune via the Services are referred to as “Fine-Tuned Models.”
c. Fine-Tuning
Company has no responsibility or liability to you in connection with the creation of any Fine-Tuned Models via the Services. When you fine-tune a Model, the Services may allow you to upload your own data, prompts or other content ("Customer Datasets"), which shall be deemed “Customer Content” under this Agreement. You may also be able to fine-tune Models using our datasets that we provide to you ("Company Datasets"). You are responsible for all Customer Datasets, including that (a) such Customer Datasets are appropriate and sufficient for your fine-tuning purposes, and (ii) your use of such Customer Datasets complies with all applicable laws and does not violate any third-party rights. You grant us a limited license to access, use, host, copy and reproduce your Customer Datasets as needed to provide the Services and comply with applicable law (the “Purpose”). Company will use and process Customer Datasets in accordance with the Data Processing Agreement (as defined below).
d. Use of Hosted Models
Unless we have agreed otherwise (such as via a separate written agreement or license grant) you may only use the Services and any Hosted Models for your internal testing and evaluation purposes only, and you agree to not access, integrate or use any of our Hosted Models or our APIs within or for any of your products or services or for any other production use. Company may, but is not required to, implement functionality within the Services that allows you to download Fine-Tuned Models for use within your environment. For clarity, the foregoing restrictions on use for internal testing and evaluation purposes only do not apply to your own Company Models or to Fine-Tuned Models that you download from the Services and that you operate solely within your own environment, and not in an environment that is operated by us or our providers (i.e., are not Hosted Models).
e. Accounts
To use certain of the Services, each of your Authorized Users will need to create an account ("Account"). You shall ensure that your Authorized Users provide us with accurate, complete and updated information for their Accounts. You are solely responsible for any activity on your Authorized Users’ Accounts and shall ensure your Authorized Users maintain the confidentiality and security of their passwords. You or one of your Authorized Users shall immediately notify us if you know or have any reason to suspect that one of your Authorized Users’ accounts or passwords have been stolen, misappropriated or otherwise compromise or in case of any actual or suspected unauthorized use of any Accounts.
f. Restrictions on Access and Use
Your and your Authorized Users’ use of the Services and the Customer Content (as defined below) generated therefrom shall abide by and be consistent with our Acceptable Use Policy attached hereto as Exhibit A ("Acceptable Use Policy"). You are responsible for compliance with the Agreement by your Authorized Users and other representatives, and for the proper operation of your network and systems used to connect to the Services. Company has the right (but not the obligation) to monitor, including through automated or manual review, your use of the Services and any Customer Content to assess compliance with this Agreement and applicable laws and for other trust and safety purposes.
g. Changes to the Services
Company may, at its sole discretion, add, change, or remove the functionality, features, or other aspects of the Services, and throttle, limit, suspend or terminate your access to the Services at any time without notice to you, including as Company may deem necessary to promote the security, stability, availability, or integrity of the Services. Company may also disable or change some features, functionality, or other aspects of the Services based on your location or other factors.
2. FEES
a. Fees
The Services may be made available free of charge. Company reserves the right to require payment for access to the Services at any time. Company shall provide you with 30 days’ prior written notice before any such payment is required. Any such fees shall be paid in accordance with such documentation provided by the Company.
3. INTELLECTUAL PROPERTY AND DATA USAGE
a. Ownership of the Services
You agree that we or our licensors retain all right, title and interest in and to all Services (including any related updates and any Company Models and Company Datasets). Except for the limited rights set forth in the Agreement, no right, title or interest in or to any Services is granted to you. Company reserves all of its intellectual property and other proprietary rights not expressly granted to Customer herein.
b. Ownership of Models
Customer retains all right, title and interest in and to any Customer Models and Customer Datasets, and any improvements thereto. You grant us a limited license to access, use, host, copy and operate the Customer Models for the Purpose. Any Third-Party Models are owned by the applicable third-party provider. Company has no responsibility or liability under this Agreement in respect of any Customer Models or Third-Party Models or the compliance of any terms relating thereto (whether yours, or that of a third party), and you are solely responsible for your use of any Customer Models or Third-Party Models in connection with this Agreement and your compliance with any relevant terms. To the extent you use any Company Models or Company Datasets to create Fine-Tuned Models, Company retains ownership of all right, title and interest in and to the base Company Model used to create the Fine-Tuned Models, but Company does not claim ownership in any incremental changes you create to the base Company Model to create Fine-Tuned Models.
c. Prompts and Customer Content
As between you and Company, Company claims no ownership rights in or to the material, information or other communications you transmit or post to the Services or transfer to us for processing, storage or hosting by the Services, including any inputs you pass into the Services ("Prompts") and any responses generated thereby ("Outputs" and together with the Prompts, collectively, “Customer Content”). You agree that we may access, review, and use the Customer Content for the Purpose. We retain the Customer Content only to the extent necessary in connection with the Purpose, and we have the right (but not the obligation) to remove any Customer Content, in our sole discretion. You are solely responsible for your use of the Outputs, and you shall not, and will ensure that your Authorized Users do not (i) represent that Output was human-generated or (ii) use infringing Outputs after you become aware of such infringement. You acknowledge and agree that your use of the Services and the Output does not transfer to you ownership of any intellectual property rights in the Services.
d. Usage Data
We may collect, or you may provide to us, diagnostic, technical, usage or other similar information related to your use of the Services (collectively, “Usage Data”). Such Usage Data excludes Customer Content. All Usage Data is and will be owned solely and exclusively by us, and, to the extent any ownership rights in or to the Usage Data vest in you, you hereby assign to us all rights (including intellectual property rights), title and interest in and to the same. We may use, maintain or process the Usage Data or any portion thereof for any lawful purpose, including without limitation to (i) provide, evaluate and maintain the Service; (ii) improve our existing and develop new products and services and features thereof (including the Service); (iii) monitor your usage of the Service; (iv) conduct research or analytics; and (v) share analytics and other derived Usage Data with third parties, solely in de-identified or aggregated form.
e. API Rights
As part of the Services, Company may provide you with certain application programming interfaces (APIs), API access tokens, HTML scripts, data import tools or other software as applicable (collectively, “APIs”). Subject to this Agreement and to any limitations on use of the APIs specified in the Documentation for such APIs, we grant to you a non-exclusive, limited, non-transferable, non-sublicensable, worldwide, freely revocable right and license to use the APIs solely in connection with your use of the rest of the Services as permitted herein.
f. Feedback
To the extent you provide us any suggestions, recommendations or other feedback relating to the Services or any other Company products or services (collectively, “Feedback”), you hereby assign to us all right (including intellectual property rights), title and interest in and to the Feedback. We have the right (but not the obligation) to use the Feedback and any ideas, know-how, concepts, techniques or other intellectual property contained in the Feedback, without providing any attribution or compensation to you or to any third party, for any lawful purpose.
4. CONFIDENTIALITY
a. Confidential Information
“Confidential Information” means all information that is identified as confidential at the time of disclosure by the Disclosing Party or reasonably should be known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure. All Services and the terms and conditions of the Agreement will be deemed our Confidential Information without any marking or further designation. Confidential Information shall not, however, include information that the Receiving Party can demonstrate: (i) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (ii) is or has become public knowledge through no fault of the Receiving Party; (iii) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (iv) is independently developed by employees of the Receiving Party.
b. Confidentiality
Each party (the “Receiving Party”) may receive Confidential Information of the other party (the “Disclosing Party”) in the course of the Agreement. Accordingly, the Receiving Party agrees to use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care), and further agrees to: (i) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of the Agreement; and (ii) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its affiliates’ employees and contractors who need that access for purposes consistent with the Agreement and who are bound by obligations of confidentiality to the Receiving Party not less protective of the Confidential Information than those herein. Receiving Party agrees to hold the Disclosing Party’s Confidential Information in confidence during the term of the Agreement and for a period of five (5) years after the termination or expiration of the Agreement (except that with respect to Confidential Information that qualifies as a trade secret under applicable law, the confidentiality obligations shall be perpetual).
c. Permitted Disclosures
If a Receiving Party is required by law, regulation or court order to disclose Confidential Information of the Disclosing Party, then the Receiving Party shall, to the extent legally permitted, provide the Disclosing Party with advance written notice and reasonably cooperate in any effort of the Disclosing Party to obtain confidential treatment of the Confidential Information, including the opportunity to seek appropriate administrative or judicial relief.
d. Injunctive Relief
The Receiving Party acknowledges that disclosure of Confidential Information would cause substantial harm for which damages alone may not be a sufficient remedy, and therefore that upon any such disclosure by the Receiving Party, the Disclosing Party may be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law.
e. Return of Confidential Information
Upon written request of the Disclosing Party, except for electronic copies made in the course of normal network backups or as otherwise set forth in this Agreement, the Receiving Party will promptly return to the Disclosing Party or destroy (and provide written certification of such destruction) all materials containing or reflecting any of the Disclosing Party’s Confidential Information.
5. PRIVACY AND SECURITY
Notwithstanding anything to the contrary in this Agreement, personal information that you transmit, post, upload or otherwise provide pursuant to the Agreement and to the Services will be handled in accordance with our Data Processing Agreement available at Exhibit B ("DPA").
6. TERM AND TERMINATION
a. Term
The Agreement is effective as of the earlier of (i) the date you accepted this Agreement, or (ii) the date that you first access or use the Services and will remain in effect until terminated in accordance with the terms of the Agreement (the “Term”).
b. Right to Terminate
Either party may terminate the Agreement: (i) at any time for any reason upon written notice to the other party; or (ii) if the other party: (a) materially breaches the Agreement and fails to cure such material breach (including any related Services Suspension (as defined below) that is not cured) within 30 days after receiving written notice from the terminating party; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors’ arrangement, composition, or comparable proceeding, or if any such proceeding is instituted against that party and is not dismissed within 60 days.
c. Right to Suspend
Company may temporarily suspend your right to access or use any portion or all of the Services immediately (i) if we reasonably determine your or your Authorized Users’ use of the Services (a) poses a security risk to the Services or any third party; (b) could adversely impact our systems, the Services or the systems or content of any of our other customers; (c) could subject us, our affiliates, or any third party to liability; (d) is in violation of the Acceptable Use Policy or DPA; or (e) could be fraudulent; or (ii) in lieu of termination under Section 6.b above (any such suspension, a “Services Suspension”). Company shall use commercially reasonable efforts to (y) provide written notice of any Services Suspension to Customer and to provide updates regarding resumption of access to the Services, if applicable, and (z) to resume providing access to the Services after the event giving rise to the Services Suspension is cured. If we suspend your right to access or use the Services, you will be responsible for all fees and charges you incur during the period of suspension that we bill to you. Company will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any of its representatives may incur as a result of a Services Suspension.
d. Effect of Termination
Upon termination of the Agreement, your right to access or receive the Services (and our obligations to provide Services) will terminate, and you shall immediately cease using the Services.
e. Survival
Any provisions that by their nature are intended to survive the expiration or termination shall survive the expiration or termination of this Agreement.
7. WARRANTY; SUPPORT AND MAINTENANCE
a. Mutual Warranty
Each party represents and warrants to the other party that it has validly entered into the Agreement and has the legal power to do so and, in connection with its performance of the Agreement, shall comply with all laws applicable to it.
b. Customer Warranty
Customer represents, warrants and covenants that (i) Customer’s use of the Services, including any fine-tuning done pursuant to this Agreement, shall comply with all applicable laws, rules and regulations; (ii) Customer shall not use the Services to develop a Model that violates any applicable laws or third party rights; and (iii) Customer has all necessary rights, licenses and permissions to use any Customer Models, Prompts or Customer Datasets with the Services.
c. Warranty Disclaimer
OTHER THAN AS EXPRESSLY PROVIDED ABOVE, TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICES, INCLUDING ANY MODELS, THIRD-PARTY SERVICES, AND THE MATERIALS PROVIDED THROUGH THE SERVICES, INCLUDING THE OUTPUTS, ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT ANY WARRANTIES OF ANY KIND INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF INTELLECTUAL PROPERTY. COMPANY DOES NOT WARRANT THAT YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE OR THE ACCURACY AND COMPLETENESS OF THE MATERIALS PROVIDED BY THE SERVICES, INCLUDING THE OUTPUTS. COMPANY MAY MAKE CHANGES TO THE SERVICES AT ANY TIME, WITHOUT NOTICE.
8. INDEMNIFICATION
a. Indemnification by Customer
You agree to indemnify, defend and hold Company and each of our affiliates and licensors harmless from and against all claims, actions, or demands, and all losses, damages, liabilities, fees, fines, penalties, costs, and expenses (including without limitation reasonable attorneys’ fees and legal costs) arising from or relating to (i) your breach or violation of this Agreement, including the Acceptable Use Policy and DPA; (ii) your access to or use of the Services, including with respect to your fine-tuning, development, access, or use of any Models by way of the Services or your use of any Output; (iii) any Customer Datasets or Customer Content; (iv) your violation of applicable law; or (v) your gross negligence or willful misconduct.
9. LIMITATION OF LIABILITY
a. Excluded Claims
YOUR USE OF ANY MODELS, THIRD-PARTY SERVICES, AND CUSTOMER CONTENT (INCLUDING ANY OUTPUTS) IS AT YOUR OWN RISK. IN ADDITION, EXCEPT FOR (I) EITHER PARTY’S GROSS NEGLIGENCE, FRAUD, WILLFUL MISCONDUCT, OR VIOLATION OF APPLICABLE LAW, (II) CUSTOMER’S OBLIGATIONS UNDER SECTION 8 (INDEMNIFICATION), AND (III) INFRINGEMENT BY A PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, NEITHER YOU NOR COMPANY NOR OUR RESPECTIVE AFFILIATES AND LICENSORS WILL BE LIABLE UNDER THIS AGREEMENT FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING LOST PROFITS, LOST DATA OR BUSINESS INTERRUPTION) UNDER ANY LEGAL THEORY, EVEN IF THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
b. Liability Cap
EXCEPT FOR (I) EITHER PARTY’S GROSS NEGLIGENCE, FRAUD, WILLFUL MISCONDUCT, OR VIOLATION OF APPLICABLE LAW, (II) CUSTOMER’S OBLIGATIONS UNDER SECTION 8 (INDEMNIFICATION), AND (III) INFRINGEMENT BY A PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, EACH PARTY AND ITS AFFILIATES’ TOTAL LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED ONE HUNDRED DOLLARS ($100).
10. GENERAL TERMS
a. Assignment
The Agreement will bind and inure to the benefit of each party and their permitted successors and assigns. Neither party may assign or transfer the Agreement without the other party’s written consent, unless it is to an affiliate or in connection with a merger, reorganization, sale of substantially all of assignor’s assets, or other change of control transaction. Notwithstanding the foregoing, if you assign or transfer the Agreement to, or undergo a change of control transaction with, (i) a competitor of ours or (ii) a party that uses the Services in a manner or quantity materially different from your use prior to the assignment, transfer, or change of control, we may terminate the Agreement upon written notice.
b. Publicity
Neither party may use the other party’s trademarks, trade names, logos, domain names and other distinctive brand features ("Brand Features") in any promotion, marketing, publication or press release without the prior written consent of the other party; provided, that Company may state publicly that Customer is a Company customer and display Customer Brand Features in connection with such statement. With prior written consent, the parties may engage in joint marketing activities, such as customer testimonials, public speaking events and interviews.
c. Governing Law & Dispute Resolution
This Agreement will be governed by and construed in accordance with the laws of the State of California, without giving effect to any principles of conflicts of laws. Any dispute arising out of, in connection with, or under this Agreement or its subject matter will be resolved by confidential binding arbitration, under the commercial rules of the Judicial Arbitration and Mediation Service ("JAMS"), with one (1) arbitrator mutually agreed upon by the parties. If the parties are unable to agree upon an arbitrator, JAMS will appoint the arbitrator in accordance with its rules. The arbitration will be conducted in San Francisco, California, unless you and Company agree otherwise. Disputes must be brought on an individual basis only; class arbitrations, class actions, private attorney general actions, and consolidation with other arbitrations are not allowed. If for any reason a dispute proceeds in court rather than through arbitration, each party knowingly and irrevocably waives any right to trial by jury in any action, proceeding, or counterclaim, and agrees that such claims will be brought exclusively in the federal and state courts of San Francisco, California.
d. Force Majeure
Neither party will have any liability for failures or delays resulting from conditions beyond each party’s reasonable control, including but not limited to governmental actions or acts of terrorism, natural disasters or other acts of God, labor conditions, supply chain disruptions, and network, power, utility, or other technical failures.
e. Notice
Any notice, approval or other communication required or otherwise provided for under the Agreement will be in writing and deemed to have been given when (i) personally delivered; (ii) sent by email; or (iii) sent by a commercial overnight courier. You will provide such notices to [email protected]. Such notices to you will be sent to the address or email address used to sign up for this Agreement. Each party may modify its recipient of such notices by providing notice to the other party.
f. Entire Agreement & Order of Precedence
This Agreement, the Acceptable Use Policy, the DPA and all exhibits, appendices, addenda, or annexes attached, referenced and/or linked herein, constitutes the entire agreement between the parties with respect to the subject matter hereof. In the event of a conflict, other than the terms of the DPA as related to the subject matter of the DPA, this Agreement will take precedence over any exhibits, appendices or addenda attached, referenced and/or linked herein. The Agreement supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter and is entered into without reliance on any promise or representation other than those contained in the Agreement. In the event of a conflict between the English version of the Agreement and any other version or translation of the Agreement, the English version shall control.
g. Relationship of the Parties
For all purposes under this Agreement, you and Company will be and act as independent contractors and will not bind nor attempt to bind the other to any contract. There are no intended third-party beneficiaries of the Agreement.
h. Trade Controls
You acknowledge that the Services are subject to applicable import, export, and sanctions laws and regulations (collectively, “Trade Controls”), including without limitation those of the United States (e.g., the sanctions administered by the Office of Foreign Assets Control ("OFAC") (31 CFR part 500 et seq.) and the Export Administration Regulations ("EAR") (15 CFR part 730 et seq.)). You agree to abide by all applicable Trade Controls. You confirm that (i) you are not a restricted or sanctioned party on a U.S. Department of Commerce or OFAC restricted party list, or similar lists maintained by other countries such as the EU’s Consolidated Financial Sanctions List and the UK’s Consolidated Lists of Financial Sanctions Targets, (ii) you are not 50% or more owned or otherwise controlled by any such party, (iii) you are not located, organized or resident in a country that is or becomes subject to comprehensive Trade Controls or prohibited from receiving Services under applicable Trade Controls, and (iv) you are not using the Services for any end-use prohibited by applicable Trade Controls.
i. Modification
Company may update the Agreement, including the DPA, at any time in which case we will update the “Last Revised” date at the top of this Agreement. Your continued use of, or access to, the Services after the modifications have become effective will be deemed your acceptance of the modified Agreement. If we make changes that are material, we will use reasonable efforts to attempt to notify you, such as by email and/or placing a prominent notice on the Services. The updated Agreement will be effective as of the time of posting, or such later date as may be specified in the updated Agreement. If you do not agree with any modifications, you may stop using the Services and terminate this Agreement pursuant to Section 6 (Term and Termination).
j. Miscellaneous
Section headings are inserted for convenience only and shall not affect interpretation of the Agreement. If any provision of the Agreement is held by a court of competent jurisdiction to be contrary to law or otherwise unenforceable, the provision will be modified by the court and interpreted so as to best accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of the Agreement will remain in effect. A waiver of any right under the Agreement is only effective if it is in writing and only against the party who signed such writing.
EXHIBIT A: ACCEPTABLE USE POLICY
Acceptable Use. The Services are available for access and use by you solely for lawful and permitted purposes, in accordance with the Agreement.
Restrictions. You shall not do, and shall not assist, permit or enable your representatives or any third party to do, any of the following:
- Disassemble, reverse engineer, decode or decompile any part of the Service;
- Modify any document or other content that you receive from the Services, except for modifications to Outputs in accordance with this Agreement;
- Use any robot, spider, scraper, off-line reader, data mining tool, data gathering or extraction tool, or any other automated means to access the Services in a manner that sends more request messages to the servers running the Services than a human can reasonably produce in the same period of time by using a conventional online web browser, except for use of the APIs in accordance with the Documentation therefor;
- Violate any third-party terms, including the use of any content available on or via the Services (including any Customer Content, caption information, keywords, or other metadata) in a way that violates any third-party terms;
- Buy, sell or transfer API keys without our prior written consent in each case;
- Attempt to defraud, deceive or impersonate any other person or entity, misrepresent your affiliation with a person or entity, hide or attempt to hide your identity, or otherwise use the Services for any invasive or fraudulent purpose;
- Copy, rent, lease, sell, loan, transfer, assign, license or purport to sublicense, resell, distribute, modify, alter, or create derivative works of any part of the Services or any of our intellectual property, including, without limitation by any automated or non-automated “scraping;”
- Take any action that imposes, or may impose (as determined by us, in our sole discretion), an unreasonable or disproportionately large load on our infrastructure;
- Use the Services or any Customer Content in any manner or for any purpose that (i) violates, or promotes the violation of, any applicable law, contractual obligation, or right of any person, including, but not limited to, intellectual property rights, privacy rights, and/or rights of personality, (ii) is fraudulent, false, deceptive, or defamatory, (iii) promotes hatred, violence, or harm against any individual or group, or (iv) otherwise may be harmful or objectionable (in our sole discretion) to us or to our providers, our suppliers, users, or any other third party;
- Post or transmit to or from the Services any unlawful, threatening, libelous, defamatory, obscene, pornographic, or other material that would violate any law;
- Submit or upload to the Services any information or data that is subject to safeguarding and/or limitations on distribution pursuant to applicable laws and/or regulations, including information that you know or reasonably should know is from or about children under the age of 13 or other age of online minority in the applicable jurisdiction or that includes health information, financial information, or other categories of sensitive information (including any information defined as sensitive, special category, or similar terms under applicable laws and/or regulations);
- Intentionally make the Services generate Outputs that infringe intellectual property rights, third-party rights or applicable law;
- Use or display the Services in competition with us, to develop competing products or services, for benchmarking or competitive analysis of the Service, or otherwise to our detriment or disadvantage;
- Access any content available on or via the Services through any technology or means other than those provided by the Services or authorized by us;
- Bypass the measures we may use to prevent or restrict access to the Services, including, without limitation, features that prevent or restrict use or copying of any content or that enforce limitations on use of the Services or any portion thereof;
- Attempt to interfere with, compromise the system integrity or security of, or decipher any transmissions to or from, the servers running the Service;
- Use the Services to transmit spam, chain letters, or other unsolicited email;
- Use the Services for any commercial solicitation purposes;
- Transmit invalid data, viruses, Trojan horses, worms, time bombs, cancelbots, corrupted files or other malicious code or other software agents through the Service;
- Collect or harvest any personal information from the Services; or
- Identify or refer to us or to the Services in a manner that could reasonably imply a relationship that involves endorsement, affiliation, or sponsorship between you (or a third party) and us without our prior express written consent.
Any action by you that we determine, in our sole discretion, violates this Acceptable Use Policy is prohibited.
EXHIBIT B: DATA PROCESSING AGREEMENT
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.
a. “Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) ("EU SCCs"); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner ("UK Addendum"), in each case as amended, updated or replaced from time to time.
b. “EU/UK Privacy Laws” means, as applicable: (i) the General Data Protection Regulation 2016/679 (the “GDPR”); (ii) the Privacy and Electronic Communications Directive 2002/58/EC; (iii) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
c. “Personal Data” means any information within User Content that Company processes on behalf of Customer to provide the Services and that is defined as “personal data” or “personal information” under an applicable Privacy Law.
d. “Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
e. “Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
f. “Services” mean the services provided under and described further in the Agreement.
g. “Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
h. “US Privacy Laws” means, as applicable, the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Florida Digital Bill of Rights, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, New Hampshire Data Privacy Act, Nebraska Data Privacy Act, New Jersey Data Privacy Act, Minnesota Consumer Data Privacy Act, Maryland Online Data Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and any similar comprehensive privacy law of any other US state related to the processing of Personal Data.
2. Details of Processing
The parties agree that the details of processing are as described in Annex 1, and acknowledge that for purposes of Privacy Laws, Customer is the “controller” or “business” and Company is the “service provider” or “processor” for the processing of Personal Data pursuant to this DPA.
3. Customer Obligations
Customer shall comply with all Privacy Laws in providing Personal Data to Company in connection with the Services. Customer represents and warrants that: (a) the Privacy Laws applicable to Customer do not prevent Company from fulfilling the instructions received from Customer and performing Company’s obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing the Personal Data to Company and enabling Company to process the Personal Data as set out in this DPA. Customer shall notify Company without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Company shall not be required to continue processing such Personal Data.
4. Processing of Personal Data
In processing Personal Data under the Agreement, Company shall:
a. only process Personal Data on documented instructions from Customer, for the limited and specific purpose described in Annex 1, and at all times in compliance with Privacy Laws, unless required to process such Personal Data by applicable law to which Company is subject; in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b. notify Customer (i) without undue delay if it makes a determination that it can no longer meet its obligations under applicable US Privacy Laws, and (ii) immediately if Company, in its opinion, on the instruction of Customer, infringes applicable EU/UK Privacy Laws;
c. to the extent required by US Privacy Laws, and upon reasonable written notice that Customer reasonably believes Company is using Personal Data in violation of Privacy Laws or this DPA, grant Customer the right to take reasonable and appropriate steps to help ensure that Company uses the Personal Data in a manner consistent with Customer’s obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and
d. require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data.
5. Anonymized Data
Company may aggregate, deidentify and/or anonymize Personal Data and process such data for its own purposes. To the extent Company receives de-identified data (as such term is defined under applicable US Privacy Laws) from Customer, Company shall: (a) take commercially reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (b) maintain and use the data only in a de-identified form and not attempt to re-identify the data; and (c) otherwise comply with relevant requirements under applicable US Privacy Laws with respect to such de-identified data.
6. US Privacy Law Requirements
To the extent that the Personal Data is subject to the CCPA, and except to the extent permitted by the CCPA, Company agrees not to (a) “sell” or “share” (as such terms are defined in the CCPA) the Personal Data, (b) retain, use, or disclose the Personal Data outside of the direct business relationship between Company and Customer and for any purpose other than for the specific purpose of performing the Services, and (c) combine the Personal Data received from, or on behalf of, Customer with any personal data that may be collected from Company’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources.
7. Use of Subcontractors
To the extent Company engages any subcontractors to process Personal Data on its behalf:
a. Customer hereby grants Company general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 7.
b. If Company appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall provide Customer with 14 days’ prior written notice, during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy Laws (and if Customer does not so object, Company may proceed with the appointment or replacement).
c. Company shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on Company under this DPA.
d. In the event Company engages a subcontractor to carry out specific processing activities on behalf of Customer pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, Company shall remain fully liable under applicable EU/UK Privacy Laws to Customer for the performance of that subcontractor’s obligations.
8. Assistance
To the extent required by Privacy Laws, and taking into account the nature of the processing, Company shall provide reasonable assistance to Customer through appropriate technical and organizational measures, in:
a. responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;
b. implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure;
c. conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and
d. notifying relevant competent authorities and/or affected individuals of Personal Data breaches.
9. Security Measures
Company shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and Company from time to time. To the extent required by Privacy Laws, Company shall without undue delay notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, with further information about the breach provided in phases as more details become available.
10. Access and Audits
Upon reasonable request of Customer, Company shall make available to Customer such information in its possession as is reasonably necessary to demonstrate Company’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by Company. Customer shall be permitted to conduct such an assessment no more than once every 12 months, upon 30 days’ advance written notice to Company, and only after the parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, Company may arrange for a qualified and independent auditor to conduct, at Company’s expense, an assessment of Company’s policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall Company be required to give Customer access to information, facilities or systems to the extent doing so would cause Company to be in violation of confidentiality obligations owed to other customers or its legal obligations.
11. Deletion of Personal Data
At Customer’s written direction, Company shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law.
12. Data Transfers
To the extent Company processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Company shall comply with the data importer’s obligations and Customer shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:
a. for the purposes of Annex I of the EU SCCs or Part 1 of the UK Addendum (as relevant), Customer is a controller and Company is a processor, and the parties, contact person’s details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the start date is the effective date of the Agreement;
b. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 12;
c. for the purposes of Annex II of the EU SCCs or Part 1 of the UK Addendum (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by Company to assist Customer, as each are set out in Annex 3, shall apply; and
d. if applicable, for the purposes of: (i) Clause 9 of the EU SCCS, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 7 shall apply; (ii) Clause 11(a) of the EU SCCS, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C of the EU SCCS, the competent supervisory authority shall be Ireland; (iv) Clauses 17 and 18 of the EU SCCS, Option 1 is deemed to be selected and the governing law and the competent courts shall be Ireland; (vi) Part 1 of the UK Addendum, Company as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.
Customer acknowledges and agrees that Company may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Company shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.
ANNEX 1: DETAILS OF PROCESSING
Nature of the processing
Access, use, collection, organization, modification, retrieval, disclosure, storage, deletion and other processing activities in connection with Company’s provision of the Services to Customer as set out in the Agreement.
Purpose(s) of the processing
For the purposes of Company providing the Services to Customer as set out in the Agreement which, for avoidance of doubt include Customer’s instructions to Company to (a) use User Content and for the purpose of creating and providing Fine-Tuned Models to Customer and (b) anonymize Personal Data for the purpose of training Company Models or for any other purpose consistent with applicable Privacy Laws.
Categories of individuals whose Personal Data is processed
Authorized Users of the Services and any other individuals whose Personal Data may be inadvertently included in User Content to the Services.
Categories of Personal Data processed
Data provided by the Customer in unstructured data.
Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws
No sensitive data is intended to be transferred.
Frequency (e.g. one-off or continuous) and duration of the processing
Continuous.
Subprocessors
The subject matter, nature and duration of processing carried out by any subprocessors authorized pursuant to Section 7 is as set out in this Annex 1 and in Annex 2.
ANNEX 2: AUTHORIZED SUBCONTRACTORS
| Name of Subcontractor | Type of Service | Location of Processing Activity |
|---|---|---|
| Google Cloud | Cloud computing | Global |
| Cloudflare | Content Delivery Network | Global |
| WorkOS | Authentication | USA |
ANNEX 3: SECURITY MEASURES
Company maintains an information security program implementing administrative, technical, and physical security measures designed to protect Personal Data. These measures include:
Data Encryption. Company encrypts Personal Data at rest and in transit using industry-standard cryptographic protocols appropriate to the sensitivity of the data.
Authentication and Access Control. Company enforces multi-factor authentication for access to systems processing Personal Data. Access to production environments requires hardware-based authentication tokens and endpoint posture verification.
Network Security. Company maintains network security measures including segmentation to isolate production systems that process Personal Data and controls designed to detect and prevent unauthorized access.
Secrets and Credentials Management. Company implements secure storage and management of passwords, cryptographic keys, and authentication credentials using dedicated secrets management systems according to security best practices.
Vulnerability Management. Company undertakes regular security assessments of systems processing Personal Data, applies security patches based on risk assessment in a timely manner, and utilizes endpoint protection software.
Audit Logging and Monitoring. Company implements comprehensive audit logging for systems that process Personal Data. Logs are retained for a commercially reasonable period and monitored through security information and event management systems to detect potential security incidents.
Physical Security. Company restricts physical access to information systems that process Personal Data through appropriate access controls at processing locations controlled by the Company.
Compliance and Assurance. Company regularly reviews its security measures to ensure alignment with industry standards and conducts periodic security assessments to validate the effectiveness of its controls.