SCHEDULE 2: AI, DATA OWNERSHIP & INTELLECTUAL PROPERTY

 

These provisions supplement the Master Subscription Agreement and establish the parties' respective rights and obligations relating to artificial intelligence features, machine-generated content, data ownership, and intellectual property rights in metadata, performance data, usage analytics, and derived datasets.

1.     DEFINITIONS AND INTERPRETATION

1.1.     In addition to the definitions in the MSA and Data Processing Schedule, the following terms shall have the meanings set out below:

Term

Definition

AI Features

Any artificial intelligence, machine learning, or generative AI capabilities integrated into or offered through the Platform, including but not limited to predictive analytics, automated recommendations, natural language processing, content generation, chatbots, and intelligent automation features.

Aggregated Data

Data that has been combined from multiple sources (including multiple Customer accounts) and presented in a summary or statistical format such that: (a) no individual Customer, Attendee, or Authorised User can be identified; (b) no Customer-specific information can be reverse-engineered or re-identified; and (c) the data provides aggregate insights across a sufficiently large dataset to prevent attribution to any single source.

AI-Generated Content

Any text, images, recommendations, predictions, insights, reports, or other output created or generated by AI Features, whether in response to Customer input, based on Customer Data, or otherwise.

Anonymised Data

Data from which all Personal Data and identifying information has been permanently and irreversibly removed such that: (a) the data cannot be attributed to any identified or identifiable individual or entity; (b) re-identification is not reasonably possible using available technology and resources; and (c) the data meets the standards for anonymisation under applicable Data Protection Law.

Customer Data

All data, information, and content provided, uploaded, input, created, or generated by or on behalf of Customer or its Authorised Users through use of the Platform, including but not limited to: (a) Attendee Data; (b) Event configurations and settings; (c) custom fields and forms; (d) email templates and communications; (e) reports created by Customer; and (f) any other data that Customer controls as a data controller.

De-Identified Data

Data from which direct identifiers (such as names, email addresses, and account identifiers) have been removed or obfuscated, but which may retain indirect identifiers that could potentially allow re-identification with additional information or effort.

Derived Data

New data, insights, analytics, scores, classifications, predictions, or other outputs created by Provider through processing, analysis, transformation, or enhancement of Customer Data using the Platform's algorithms, AI Features, or other proprietary methodologies.

Model

Any machine learning model, algorithm, neural network, statistical model, or other artificial intelligence system developed, trained, or deployed by Provider, including any weights, parameters, embeddings, or learned representations.

Performance Data

Technical and operational data generated by the Platform relating to system performance, availability, reliability, and operations, including but not limited to: server response times, uptime metrics, error rates, API call volumes, database query performance, and system resource utilization.

Platform

The event registration and management software-as-a-service platform provided by Provider, including all software, applications, interfaces, APIs, and related services.

Platform Improvements

Enhancements, modifications, updates, new features, bug fixes, optimizations, and other improvements to the Platform, including improvements to AI Features and Models.

Provider IP

All intellectual property owned by Provider or its licensors, including: (a) the Platform and all underlying software, code, algorithms, and technology; (b) all Models and AI Features; (c) Provider's brand names, trademarks, and logos; (d) all documentation, training materials, and methodologies; (e) all Platform Improvements; and (f) all intellectual property created by Provider independent of Customer Data.

System Metadata

Technical data automatically generated by the Platform regarding Customer's use of the Services, including but not limited to: login timestamps, feature usage frequency, click-through data, navigation patterns, session duration, browser and device information, IP addresses (when not constituting Personal Data), error logs, and API request/response logs.

Training Data

Data used to train, develop, test, validate, or improve Models and AI Features, including data used for supervised learning, unsupervised learning, reinforcement learning, or fine-tuning of Models.

Usage Data

System Metadata together with Performance Data and any other technical or operational data regarding Customer's use of the Platform that does not include the substance or content of Customer Data.

 

2.     DATA CATEGORISATION AND OWNERSHIP

2.1.    Customer Data Ownership: Customer retains all right, title, and interest in and to Customer Data. Provider acquires no ownership rights in Customer Data except as expressly set forth in this Agreement. Customer grants Provider a limited, non-exclusive, non-transferable licence to use Customer Data solely to the extent necessary to provide the Services and exercise the rights expressly granted in this Agreement.

2.2.   Provider IP Ownership: Provider retains all right, title, and interest in and to Provider IP. Nothing in this Agreement grants Customer any ownership rights in Provider IP. Customer receives only the limited licence rights expressly granted in the MSA.

2.3.   Usage Data and System Metadata:

2.3.1.   Subject to clause 2.3.2, Provider owns all Usage Data and System Metadata. Provider may collect, process, and use such data to: (a) operate, maintain, and support the Platform; (b) monitor Platform performance and security; (c) troubleshoot issues and provide customer support; (d) generate aggregated industry benchmarks and analytics; and (e) develop Platform Improvements.

2.3.2.  To the extent Usage Data or System Metadata constitutes Personal Data under Data Protection Law, Provider shall process such data in accordance with the Data Processing Schedule and shall not use such data for purposes beyond those specified in clause 2.3.1 without Customer's prior written consent.

2.3.3.  Customer acknowledges that certain System Metadata elements (such as feature usage patterns, session durations, and navigation flows) provide valuable insights for Platform Improvements but do not contain the substance of Customer Data or reveal specific Attendee information.

2.4.   Performance Data: Provider owns all Performance Data. Provider may use Performance Data for: (a) monitoring and ensuring Platform availability and reliability; (b) capacity planning and infrastructure optimisation; (c) troubleshooting and incident response; (d) service level agreement compliance reporting; and (e) Platform Improvements. Provider may publish or disclose Performance Data in aggregated form (e.g., overall Platform uptime statistics) without Customer identification.

2.5.   Derived Data Ownership:

2.5.1.   Derived Data created by processing Customer Data remains subject to Customer's ownership of the underlying Customer Data. Customer owns Derived Data that is: (a) specifically generated at Customer's request through Platform features (such as custom reports, analytics dashboards, or data exports); or (b) inextricably linked to and identifiable with Customer's specific business operations.

2.5.2.  Provider owns Derived Data that: (a) results from Provider's proprietary algorithms, Models, or analytical methodologies; (b) is based on cross-customer data analysis; (c) constitutes general methodologies, techniques, or insights not specific to Customer; or (d) has been Anonymised or Aggregated such that it is no longer attributable to Customer.

2.5.3.  Where ownership of Derived Data is unclear under clauses 2.5.1 or 2.5.2, the parties shall negotiate in good faith to determine appropriate ownership or licensing arrangements.

3.     AGGREGATED AND ANONYMISED DATA

3.1.    Provider's Right to Create: Subject to compliance with Data Protection Law and the restrictions in this clause 3, Provider may create Aggregated Data and Anonymised Data from Customer Data, Usage Data, System Metadata, and Performance Data.

3.2.   Anonymisation Standards: For data to qualify as Anonymised Data under this Agreement, Provider must:

3.2.1.   Remove all direct identifiers (names, email addresses, account IDs, Customer-specific identifiers);

3.2.2.  Remove or generalise quasi-identifiers (such as detailed timestamps, precise geographic data, rare attribute combinations) to prevent re-identification;

3.2.3.  Apply appropriate technical measures (such as k-anonymity, differential privacy, or other recognised anonymisation techniques) based on the sensitivity of the data;

3.2.4.  Ensure that the anonymisation is irreversible and that re-identification is not reasonably possible using available technology, considering both current and anticipated future capabilities;

3.2.5.  Document the anonymisation methodology and maintain records of the techniques applied; and

3.2.6.  Conduct periodic reviews to ensure anonymisation remains effective as technology evolves.

3.3.   Aggregation Standards: For data to qualify as Aggregated Data under this Agreement, Provider must:

3.3.1.   Present data only in statistical, summary, or aggregate form;

3.3.2.  Ensure no individual Customer can be identified or singled out from the aggregate;

3.3.3.  Ensure Customer-specific patterns, trends, or insights cannot be reverse-engineered; and

3.3.4.  Not combine Customer's data with public or third-party data in a manner that would enable re-identification of Customer.

3.4.   Permitted Uses of Aggregated and Anonymised Data: Provider may use Aggregated Data and Anonymised Data for the following purposes only:

3.4.1.   Internal product development, testing, and Platform Improvements;

3.4.2.  Training and improving Models and AI Features (subject to clause 4);

3.4.3.  Creating and publishing industry benchmarks, trends, and insights;

3.4.4.  Marketing and promotional materials (e.g., "80% of event organisers report increased attendance");

3.4.5.  Academic or industry research and publications;

3.4.6.  Demonstrating Platform capabilities to prospective customers; and

3.4.7.  Other lawful business purposes that do not compromise Customer confidentiality or competitive position.

3.5.   Ownership of Aggregated and Anonymised Data: Provider owns all Aggregated Data and Anonymised Data created in accordance with this clause 3. Such data is Provider IP and Provider may use, license, or otherwise exploit such data without restriction, provided such use complies with this Agreement.

3.6.   Prohibition on Sale to Competitors: Notwithstanding clause 3.5, Provider shall not: (a) sell, license, or otherwise provide Aggregated Data or Anonymised Data derived substantially or exclusively from Customer Data to Customer's direct competitors notified to Provider in writing; or (b) create data products consisting substantially of insights derived from Customer's specific event management practices for sale to third parties, where such products would give competitors a material advantage over Customer.

3.7.   Opt-Out Rights:

3.7.1.   Customer may, upon thirty (30) days' prior written notice, opt out of Provider's use of Customer Data for creating Aggregated Data or Anonymised Data for external publication, marketing, or licensing to third parties. Such opt-out shall not affect Provider's use of Aggregated Data or Anonymised Data for internal purposes including Platform Improvements.

3.7.2.  If Customer exercises the opt-out right under clause 3.7.1, Provider may charge Customer an additional fee of 25% to reflect the reduced value Provider derives from Customer's data. The parties shall negotiate such fees in good faith.

3.7.3.  Verification Rights: Upon reasonable written request, but no more than once per calendar year, Customer may request that Provider demonstrate its anonymisation and aggregation methodologies and confirm that Customer Data has been appropriately anonymised or aggregated. Provider shall provide reasonable evidence of compliance within thirty (30) days of such request, subject to protection of Provider's confidential methodologies.

4.     AI TRAINING DATA AND MODEL DEVELOPMENT

4.1.    Prohibition on Raw Customer Data for Training: Provider shall NOT use Customer Data (including Attendee Data, event content, email templates, or any other Customer-specific data) as Training Data for Models or AI Features without Customer's express prior written consent, which Customer may withhold in its sole discretion.

4.2.   Permitted Use of Aggregated and Anonymised Data for Training: Provider may use Aggregated Data and Anonymised Data (created in accordance with clause 3) as Training Data for Models and AI Features, provided that:

4.2.1.   The data has been properly anonymised or aggregated in accordance with clauses 3.2 or 3.3;

4.2.2.  The resulting Models do not memorise, reproduce, or enable reconstruction of Customer Data;

4.2.3.  The Models are tested to ensure they do not generate outputs that inadvertently reveal Customer-specific information;

4.2.4.  Provider maintains technical and organizational measures to prevent overfitting or data leakage; and

4.2.5.  Customer has not exercised opt-out rights under clause 3.7.

4.3.   Model Ownership: All Models (including their architecture, weights, parameters, and learned representations) are and shall remain the exclusive property of Provider, even where such Models have been trained in part using Aggregated Data or Anonymised Data derived from Customer Data. Customer has no ownership rights in Models.

4.4.   Custom Models: If Provider develops a Model specifically for Customer using Customer Data pursuant to a separate written agreement:

4.4.1.   Provider shall own the underlying Model architecture, training methodology, and any general-purpose capabilities.

4.4.2.  Customer shall own the Customer-specific training data and the specific fine-tuning or customization applied to the Model using Customer Data.

4.4.3.  The parties shall define ownership and usage rights for such custom Models in the separate written agreement.

4.5.   Third-Party AI Models: Where Provider uses third-party AI Models or services (such as large language models from OpenAI, Google, Anthropic, or other providers):

4.5.1.   Provider shall not send Customer Data to third-party AI providers without Customer's express prior written consent;

4.5.2.  Provider shall use enterprise or API tiers of third-party AI services that include protections against training on customer data;

4.5.3.  Provider shall disclose to Customer which third-party AI providers are used in the Platform; and

4.5.4.  Provider shall provide Customer with the ability to opt out of features that use specific third-party AI providers if Customer has objections based on the provider's data practices.

4.6.   Training Data Retention: To the extent Provider creates Training Data from Customer Data pursuant to clause 4.2, such Training Data shall be governed by the same retention and deletion obligations that apply to Customer Data under the Data Processing Schedule, except that:

4.6.1.   Once properly Anonymised or Aggregated in accordance with clause 3, the data is no longer Customer Data and is not subject to deletion upon termination.

4.6.2.  Provider need not delete or retrain Models after Customer Data deletion, provided the Models were trained in accordance with this clause 4.

5.     AI-GENERATED CONTENT

5.1.    Ownership of AI-Generated Content:

5.1.1.    To the maximum extent permitted by applicable law, Customer owns all AI-Generated Content created in response to Customer's prompts, instructions, or use of AI Features, including but not limited to: (a) email subject lines and body text generated by AI; (b) event descriptions and marketing copy; (c) recommendations for event settings or features; (d) data insights and predictive analytics; (e) automated responses to attendee inquiries; and (f) any other content generated by AI Features for Customer's use.

5.1.2.   The parties acknowledge that under current law, purely machine-generated works may not be eligible for copyright protection in certain jurisdictions. If any AI-Generated Content is determined not to be protectable by intellectual property rights, the parties agree that such content shall be treated as confidential information of Customer subject to Provider's confidentiality obligations.

5.2.   Licence to Provider: Customer grants Provider a limited, non-exclusive licence to: (a) generate, display, transmit, and store AI-Generated Content as necessary to provide the Services; and (b) use AI-Generated Content in Anonymised or Aggregated form in accordance with clause 3.

5.3.   Non-Exclusivity and Similarity:

5.3.1.   Customer acknowledges that AI Features may generate similar or identical content for different customers in response to similar prompts or situations.

5.3.2.  Provider does not warrant that AI-Generated Content will be unique to Customer or that identical or similar content has not been or will not be generated for other customers.

5.3.3.  If Customer requires unique, non-replicable content, Customer should engage Provider for custom development services under a separate statement of work.

5.4.   Accuracy and Liability for AI-Generated Content:

5.4.1.   AI Features may produce inaccurate, incomplete, biased, or inappropriate content ("Hallucinations"). Provider makes no representation or warranty regarding the accuracy, completeness, reliability, suitability, or quality of AI-Generated Content.

5.4.2.  Customer acknowledges and agrees that:

5.4.2.1.      AI-Generated Content is provided "as-is" for informative purposes only;

5.4.2.2.     Customer is solely responsible for reviewing, verifying, editing, and approving all AI-Generated Content before use in any business-critical or external-facing context;

5.4.2.3.     Customer shall not rely on AI-Generated Content for legal advice, medical advice, financial advice, or other professional services;

5.4.2.4.     Customer is responsible for ensuring AI-Generated Content complies with applicable laws, regulations, and Customer's own policies before use; and

5.4.2.5.     Customer assumes all risk associated with use of AI-Generated Content.

5.4.3.  Provider shall not be liable for any damages, losses, or liabilities arising from: (a) Customer's use or reliance on AI-Generated Content; (b) inaccuracies, errors, or Hallucinations in AI-Generated Content; (c) offensive, biased, or inappropriate AI-Generated Content; or (d) Customer's failure to review or verify AI-Generated Content before use.

5.5.   Third-Party Intellectual Property:

5.5.1.   Provider represents and warrants that its Models have been trained using lawful means and that Provider has appropriate rights or licenses for all Training Data.

5.5.2.  Provider does not warrant that AI-Generated Content will be free from claims of third-party intellectual property infringement, as generative AI may inadvertently produce content similar to copyrighted works in its training data.

5.5.3.  Provider shall: (a) implement reasonable technical measures to reduce the risk of copyright infringement in AI-Generated Content; (b) provide Customer with tools or methods to check AI-Generated Content for potential infringement where reasonably available; and (c) indemnify Customer against third-party claims of intellectual property infringement arising from AI-Generated Content, subject to the indemnification procedures and limitations in the MSA.

5.6.   Prohibited Uses of AI Features: Customer shall not use AI Features to:

5.6.1.   Generate content that violates applicable laws, regulations, or third-party rights;

5.6.2.  Reverse engineer, extract, or attempt to reconstruct Provider's Models;

5.6.3.  Train competing AI models or services;

5.6.4.  Generate large volumes of content for purposes unrelated to event management;

5.6.5.  Systematically test or probe the limitations or biases of AI Features for competitive purposes;

5.6.6.  Generate content for use in high-risk applications (such as medical diagnosis, legal determinations, or financial trading) without appropriate human oversight; or

5.6.7.  Attempt to manipulate or "jailbreak" AI Features to produce prohibited content.

6.     AI REGULATORY COMPLIANCE

6.1.    Transparency and Disclosure:

6.1.1.    Provider shall disclose to Customer which Platform features use AI, including the type of AI technology employed (e.g., rule-based systems, machine learning, generative AI).

6.1.2.   Where AI Features interact directly with Customer's Attendees (such as chatbots or automated email responses), Provider shall provide Customer with appropriate disclosure language that Customer can include in its communications to inform Attendees they are interacting with an AI system.

6.1.3.   Provider shall maintain documentation describing: (a) the purpose and functionality of AI Features; (b) the types of data used to train Models; (c) known limitations, biases, or risks; and (d) recommended human oversight procedures. Such documentation shall be made available to Customer upon reasonable request.

6.2.   Bias and Fairness:

6.2.1.   Provider shall implement reasonable measures to detect, mitigate, and monitor bias in AI Features, including bias related to protected characteristics under anti-discrimination laws.

6.2.2.  Provider shall conduct periodic testing of AI Features for fairness and bias, and shall share high-level results of such testing with Customer upon request.

6.2.3.  If Customer reasonably believes an AI Feature is producing biased or discriminatory outputs, Customer shall promptly notify Provider, and Provider shall investigate and take appropriate corrective action.

6.3.   Human Oversight: For AI Features that make or significantly influence decisions affecting individuals (such as automated attendee segmentation, pricing recommendations, or content moderation), Provider shall provide Customer with: (a) explanations of how such decisions are made; (b) the ability for Customer to review and override AI decisions; and (c) audit logs of AI-generated decisions where technically feasible.

6.4.   Regulatory Changes:

6.4.1.   Provider shall monitor developments in AI regulation (including but not limited to UK AI regulation, the EU AI Act, and U.S. state AI laws) and shall make reasonable efforts to ensure AI Features comply with applicable AI laws.

6.4.2.  If new AI regulations require changes to AI Features or impose additional obligations on Customer, Provider shall: (a) notify Customer within thirty (30) days of the regulatory change taking effect; (b) work with Customer to implement necessary changes; and (c) use reasonable efforts to maintain functionality while ensuring compliance.

6.4.3.  If compliance with new AI regulations would require substantial changes to the Platform at material cost, the parties shall negotiate in good faith regarding allocation of costs and any necessary amendments to this Agreement.

6.5.   High-Risk AI Systems: If any AI Feature is classified as a "high-risk AI system" under applicable law (such as AI used for biometric identification, critical infrastructure, or employment decisions), Provider shall: (a) notify Customer immediately; (b) provide Customer with all necessary information to comply with applicable regulatory requirements; (c) implement additional technical and organizational measures required by law; and (d) assist Customer with any required regulatory filings or assessments.

7.     PLATFORM IMPROVEMENTS AND FEEDBACK

7.1.    Provider's Right to Platform Improvements: Provider may use Usage Data, System Metadata, Performance Data, Aggregated Data, and Anonymised Data to develop Platform Improvements. All Platform Improvements are owned by Provider and constitute Provider IP.

7.2.   Customer Feedback:

7.2.1.   If Customer provides feedback, suggestions, ideas, enhancement requests, recommendations, or other input regarding the Platform ("Feedback"), Customer grants Provider a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, transferable, sublicensable licence to use, reproduce, modify, create derivative works from, and otherwise exploit such Feedback for any purpose without attribution or compensation to Customer.

7.2.2.  Customer represents and warrants that: (a) it has the right to provide such Feedback; (b) the Feedback does not violate any third-party rights; and (c) the Feedback does not contain Customer's confidential information unless Customer explicitly identifies it as confidential at the time of submission.

7.2.3.  Feedback shall not create any obligation for Provider to implement, develop, or deliver any particular feature or functionality.

7.3.   Feature Requests vs. Custom Development: If Customer requests a specific feature or functionality that Provider chooses to develop as a general Platform feature:

7.3.1.   Provider owns all intellectual property in such feature, and clause 7.2 applies.

7.3.2.  If Customer requires exclusive rights to a feature, the parties must enter into a separate custom development agreement with appropriate compensation to Provider for the exclusivity.

8.     DATA PORTABILITY AND TERMINATION RIGHTS

8.1.    Data Export: Customer may export Customer Data at any time during the Term in commonly used machine-readable formats (CSV, JSON, or XML) through the Platform interface or APIs.

8.2.   Scope of Exported Data: Exported data shall include:

8.2.1.   All Customer Data, including Attendee Data, event configurations, custom fields, and communications;

8.2.2.  Customer-owned Derived Data (as defined in clause 2.5.1);

8.2.3.  Metadata describing data structures and relationships; and

8.2.4.  AI-Generated Content created for Customer (where technically feasible to export).

8.3.   Exclusions from Export: Exported data shall NOT include:

8.3.1.   Provider IP, including software code, algorithms, Models, or Provider's proprietary methodologies;

8.3.2.  Aggregated Data or Anonymised Data that has been combined with other customers' data;

8.3.3.  System Metadata, Performance Data, or Usage Data (except to the extent such data constitutes Personal Data that Customer is entitled to under Data Protection Law);

8.3.4.  Internal system logs or technical infrastructure data; or

8.3.5.  Data relating to other customers.

8.4.   Termination Data Transition:

8.4.1.   Upon termination or expiry of this Agreement, Provider shall provide Customer with sixty (60) days to export all Customer Data.

8.4.2.  Provider shall, at Customer's written request and expense, provide reasonable assistance with data migration to a new platform, including providing data in alternative formats or assisting with bulk export, at Provider's then-current professional services rates.

8.4.3.  After the sixty (60) day transition period, Provider shall delete all Customer Data in accordance with the Data Processing Schedule, except: (a) Aggregated Data and Anonymised Data created in accordance with clause 3, which Provider may retain; and (b) data Provider is required to retain by law.

8.5.   Models and Platform Improvements Post-Termination: Termination of this Agreement shall not affect: (a) Provider's ownership of Models, even if such Models were trained in part using Anonymised or Aggregated Data derived from Customer Data; (b) Provider's right to continue using Aggregated Data and Anonymised Data; or (c) Provider's ownership of Platform Improvements developed during the Term.

9.     ADDITIONAL WARRANTIES AND DISCLAIMERS

9.1.    Provider's AI Warranties: Provider warrants that:

9.1.1.    AI Features will perform substantially in accordance with the documentation provided to Customer;

9.1.2.   Provider has obtained all necessary rights and licenses for Training Data used to train Models (excluding Customer Data);

9.1.3.   Provider has implemented reasonable security measures to protect Models from unauthorized access, extraction, or misuse;

9.1.4.   Provider will comply with applicable AI regulations in the jurisdictions where the Platform is offered; and

9.1.5.   Provider will not intentionally introduce backdoors, trojans, or other malicious code into AI Features.

9.2.   Disclaimers: EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, PROVIDER MAKES NO WARRANTIES REGARDING:

9.2.1.   THE ACCURACY, COMPLETENESS, RELIABILITY, OR QUALITY OF AI-GENERATED CONTENT OR DERIVED DATA;

9.2.2.  THE ABSENCE OF BIAS, ERRORS, OR HALLUCINATIONS IN AI FEATURES;

9.2.3.  THE SUITABILITY OF AI FEATURES FOR ANY PARTICULAR PURPOSE OR USE CASE;

9.2.4.  THAT AI FEATURES WILL MEET CUSTOMER'S SPECIFIC REQUIREMENTS OR EXPECTATIONS;

9.2.5.  THAT MODELS WILL REMAIN STATIC OR THAT MODEL UPDATES WILL NOT AFFECT OUTPUT QUALITY; OR

9.2.6.  THAT AI-GENERATED CONTENT WILL BE FREE FROM THIRD-PARTY INTELLECTUAL PROPERTY CLAIMS (EXCEPT AS PROVIDED IN CLAUSE 5.5.3).

9.3.   Customer Acknowledgments: Customer acknowledges and agrees that:

9.3.1.   AI technology is evolving and imperfect, and AI Features may produce unexpected, inaccurate, or inappropriate outputs;

9.3.2.  Customer is responsible for implementing appropriate human oversight for AI Features, particularly for decisions affecting individuals or business-critical operations;

9.3.3.  Customer should not use AI Features for high-stakes decisions without appropriate verification and human review;

9.3.4.  Models may be updated periodically, which may affect the quality or characteristics of outputs; and

9.3.5.  The legal and regulatory landscape for AI is rapidly evolving, and Customer may need to adapt its use of AI Features to comply with new laws.

10. AUDIT AND INSPECTION RIGHTS

10.1.  Customer Audit Rights: Customer may, upon thirty (30) days' prior written notice and no more than once per calendar year (unless Provider has materially breached this Agreement), audit Provider's compliance with clauses 3 (Aggregated and Anonymised Data) and 4 (AI Training Data), provided that:

10.1.1.  The audit is conducted during Provider's normal business hours;

10.1.2. The auditor is a qualified independent third party approved by Provider (such approval not to be unreasonably withheld);

10.1.3. The auditor signs a confidentiality agreement protecting Provider's confidential information;

10.1.4. The audit does not unreasonably interfere with Provider's business operations;

10.1.5. The scope is limited to verifying compliance with this Agreement and does not extend to Provider's general business practices; and

10.1.6. Customer bears all costs of the audit unless the audit reveals a material breach, in which case Provider shall reimburse reasonable audit costs.

10.2. Audit Report: The auditor shall provide a written report to both parties summarizing findings. The report shall identify any non-compliance but shall not disclose Provider's confidential technical methodologies unless necessary to substantiate a material breach.

10.3. Remediation: If an audit reveals non-compliance, Provider shall: (a) promptly remedy the non-compliance; (b) provide Customer with a written remediation plan within thirty (30) days; and (c) implement the remediation plan within ninety (90) days or such other timeframe as the parties may agree.

[ends]

REF: AI_data_clauses Version 1 08-02-2026