saf.ai - Data Processing Addendum ("DPA")

This Data Processing Addendum ("DPA") forms a part of the sāf.ai Terms of Service found at https://docs.saf.ai/policies/saf.ai-tos, unless you ("Customer" aka "Subscriber") have entered into a superseding written master subscription agreement with sāf.ai, Inc. ("sāf.ai"), in which case, it forms a part of such written agreement (in either case, the "Agreement").

By signing the DPA or executing an Agreement that explicitly states that the DPA is incorporated by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any Affiliates (defined below) who are authorized to use the sāf.ai Services. If you are entering into this DPA on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or legal entity to this DPA. In that case, "Customer" or "Subscriber" will refer to that company or other legal entity. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the sāf.ai Services under the Agreement, sāf.ai may process certain Customer Personal Data (such terms defined below) on behalf of Customer, and where sāf.ai processes such Customer Personal Data on behalf of Customer, the parties agree to comply with the terms and conditions in this DPA in connection with such Customer Personal Data.

HOW TO EXECUTE THIS DPA

  1. If you are an Azure sāf.ai user, please STOP and reach out to us at privacy@saf.ai.

  2. This DPA consists of two parts: the main body of the DPA, and Annexes A, B and C (including Appendices 1, 2 and 3 to Annex C).

  3. This DPA has been pre-signed on behalf of sāf.ai. The Standard Contractual Clauses in Annex C have been pre-signed by sāf.ai, Inc. as the data importer. This DPA will be null and void if any changes are made to it beyond filling out the sections described in 5, below.

  4. If you execute an Agreement that explicitly states that this DPA is incorporated, you do not need to take any further action to execute this DPA; your execution of the Agreement constitutes execution of the DPA.

  5. If you have not executed an Agreement that explicitly states this DPA is incorporated, to complete this DPA, Customer must:

    a. Complete the information and sign the main DPA signature box.

    b. Complete the information as the data exporter in Annex A.

    c. Complete the information and sign Appendix 1 and Annex C.

  6. Send the completed and signed DPA to sāf.ai by email, directed to dpa@saf.ai.

Upon the earlier of (i) the execution of an Agreement that explicitly states that the DPA is incorporated into the Agreement by reference; and (ii) receipt of the validly completed DPA by sāf.ai at the above email address, this DPA will become legally binding.

HOW THIS DPA APPLIES TO CUSTOMER AND ITS AFFILIATES

If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the sāf.ai entity that is party to the Agreement is party to this DPA. If the Customer entity signing this DPA has executed an Order Form with sāf.ai pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the sāf.ai entity that is party to such Order Form is party to this DPA. If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.

  1. DEFINITIONS

    1. "Affiliate" means, with respect to the identified party, any entity that is directly or indirectly controlled by, controlling or under common control with such party.
    2. "Applicable Data Protection Laws" means all worldwide data protection and privacy laws and regulations applicable to Customer Personal Data in question, including, where applicable and without limitation, EU Data Protection Law and the California Consumer Privacy Act of 2018.
    3. "Authorized Person(s)" means any person who processes Customer Personal Data on sāf.ai's behalf, including sāf.ai's employees, officers, partners, principals, contractors and Subprocessors.
    4. "California Consumer Privacy Act of 2018" or "CCPA" means Cal. Civ. Code §1798.100, et seq., as amended.
    5. "Cloud Provider" means, unless specified otherwise in an Order Form or the Agreement, Google Cloud Environment.
    6. "Customer Cloud Environment" has the meaning given to it in the Agreement, or if not therein defined, means the cloud environment provided by the Cloud Provider into which sāf.ai deploys the Customer Data Plane.
    7. "Customer Content" has the meaning given to it in the Agreement, or if not therein defined, means all Customer Data, Customer Instructional Input, and Customer Results.
    8. "Customer Data" means the data, other than Customer Instructional Input, made available by Customer and its Authorized Users for processing by, or use within, the Subscription Services, including without limitation Personal Data to the extent therein contained.
    9. "Customer Data Plane" has the meaning given to it in the Agreement, or if not therein defined, means the elements of the Platform Services deployed into the Customer Cloud Environment; the primary processing of Customer Data by the Platform Services occurs within the Customer Data Plane and this activity results in fees being charged to Customer by Cloud Provider (e.g., for EC2 compute resources in the Customer Cloud Environment). For the avoidance of doubt, the term Customer Data Plane does not include Customer-controlled storage, including but not limited to Customer's Google Cloud Storage and Big Query tables (and for which Customer may incur separate charges).
    10. "Customer Instructional Input" has the meaning given to it in the Agreement, or if not therein defined, means information other than Customer Data that Customer inputs into the Platform Services to direct how the Platform Services process Customer Data, including without limitation the code and any libraries (including third party libraries) Customer utilizes within the Platform Services.
    11. "Customer Personal Data" means any Customer Content that is Personal Data.
    12. "Customer Results" has the meaning given to it in the Agreement, or if not therein defined, means any output Customer or its Authorized Users generate from their use of the Platform Services. For the avoidance of doubt, the term Customer Results does not include Usage Data.
    13. "Data Subject" means the identified or identifiable natural person to whom the Customer Personal Data relates, including 'consumers' (as defined in the CCPA) where applicable.
    14. "sāf.ai Control Plane" has the meaning given to it in the Agreement, or if not therein defined, means the elements of the Platform Services residing within sāf.ai's Cloud Provider account, including without limitation the user interface of the Platform Services.
    15. "sāf.ai Group" means sāf.ai, Inc. and its Affiliates.
    16. "sāf.ai Services" means the Subscription Services and other services sāf.ai provides under an Agreement.
    17. "EEA" means, for the purposes of this DPA, the European Economic Area and its member states, including the United Kingdom (regardless of whether the United Kingdom leaves the EU or the EEA), and Switzerland.
    18. "EU Data Protection Law" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR").
    19. "Model Clauses" means the Standard Contractual Clauses (controller to processor) promulgated by the EU Commission Decision 2010/87/EU attached as Annex C.
    20. "Personal Data" means information relating to an identified or identifiable Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes, where applicable, personally identifiable information and personal information (as defined in the CCPA).
    21. "Platform Services" has the meaning given to it in the Agreement, or if not therein defined, means the subscription software data processing services to which Customer is subscribed.
    22. "Privacy Shield" means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 dated July 12, 2016 (as may be amended, superseded, or replaced).
    23. "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
    24. "Security Breach" means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, alteration, or access to Customer Personal Data.
    25. "Sensitive Data" means any unencrypted (i) bank, credit card or other financial account numbers or login credentials, (ii) social security, tax, driver's license or other government-issued identification numbers, (iii) health information identifiable to a particular individual; (iv) information that could reasonably be used to determine the physical location of a particular individual or (v) any "special" or "sensitive" categories of data as those terms are defined according to EU Data Protection Law or any similar category under other Applicable Data Protection Laws. For the purposes of the prior sentence, "unencrypted" means a failure to utilize industry standard encryption methods to prevent sāf.ai, the Platform Services and sāf.ai's personnel, including any subcontractors, from accessing the relevant data in unencrypted form.
    26. "Subprocessor" means any third party (including any sāf.ai Affiliate) engaged by sāf.ai to process any Customer Personal Data on behalf of Customer or who may receive Customer Personal Data provided by Customer through the Subscription Services pursuant to the terms of the Agreement.
    27. "Subscription Services" has the meaning given to it in the Agreement. Subscription Services includes the Platform Services and subscription support services set forth in an Order Form.
    28. "Usage Data" means usage data and telemetry collected by sāf.ai relating to the use of the Subscription Services by Customer. Usage Data may occasionally contain Customer Instructional Input (e.g., it may contain the queries entered by an Authorized User) but will not contain Customer Data or Customer Results.
    29. The terms "Controller", "Processor," "process," and "processing," have the meanings given to them in Applicable Data Protection Laws. The term Controller also includes 'businesses' (as defined in the CCPA) and the term Processor includes 'service providers' (as defined in the CCPA) to the extent the rights and obligations described herein apply under the CCPA. If and to the extent that Applicable Data Protection Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.
  2. SHARED RESPONSIBILITY DEPLOYMENT

    1. Customer acknowledges that the Platform Services are implemented in a manner that divides the Platform Services between the Customer Cloud Environment and the sāf.ai Control Plane, and that accordingly each party must undertake certain technical and organizational measures in order to protect the Platform Services and the Customer Content.
    2. Without limiting the foregoing, and except to the extent otherwise set forth in the Agreement, Customer acknowledges and agrees that (1) in order to utilize the Platform Services, Customer must have an account with the Cloud Provider; (2) sāf.ai does not host the Customer Cloud Environment into which the Platform Services are deployed or the systems in which your Customer Data may be stored (e.g., an AWS S3 bucket); (3) while certain Customer Data may occasionally be present within the Platform Services (e.g., within the Customer Results), the Platform Services are not designed to archive or permanently retain Customer Data, but merely to provide an environment to facilitate Customer's processing of Customer Data within the Customer Cloud Environment by permitting Customer to generate and execute Customer Instructional Input and view Customer Results; (4) sāf.ai and the Platform Services do not provide backup services or disaster recovery to enable recovery of Customer Data; and (5) subject to any limitations under the DPA or the Agreement regarding what Customer Data may contain, the choice of which Customer Data you process within sāf.ai and manner in which you choose to process it are under the control of Customer and that accordingly sāf.ai will generally be unaware of the types of or details regarding the Customer Personal Data you may process within the Subscription Services.
    3. Customer acknowledges that the Subscription Services are data-type agnostic, and that sāf.ai does not have any knowledge of the actual data or types of data contained in the Customer Data. Accordingly, Customer shall notify sāf.ai prior to providing any Sensitive Data. Additionally, if reasonably required by Customer, sāf.ai shall enter into a Business Associate Agreement to enable Customer to comply with its obligations under HIPAA/HITECH ACT ("BAA"). sāf.ai may impose additional requirements on Customer prior to the use of the Subscription Services by Customer to process any Sensitive Data, which may include additional fees.
  3. PURPOSE; SCOPE; OWNERSHIP OF DATA

    1. Customer and sāf.ai have entered into the Agreement pursuant to which Customer is being provided sāf.ai Services, including the Subscription Services. In using the Subscription Services, Customer may submit through the Subscription Services or otherwise provide access to sāf.ai certain Customer Data. This DPA applies where and only to the extent that sāf.ai processes Customer Personal Data on behalf of Customer as a Processor in the course of providing sāf.ai Services pursuant to the Agreement. Additionally, Sections 4.3, 4.4, 4.5, 5.1, and 9 shall only apply to Customer Personal Data within the scope of the DPA to the extent such rights are set forth in or required by Applicable Data Protection Laws.
    2. As between the parties, Customer is either the Controller of Customer Personal Data or, if Customer is acting on behalf of a third-party Controller, then a Processor. All Customer Data (including all Customer Personal Data) processed under the terms of this DPA and the Agreement shall remain, as between the parties, the property of Customer.
    3. Accordingly, sāf.ai shall process Customer Personal Data (i) submitted to sāf.ai by Customer through the Subscription Services only as a Processor acting on behalf of Customer (whether as Controller or itself a Processor on behalf of third party Controllers); and (ii) in accordance with Customer's documented instructions as set forth in this DPA, the Agreement(s) or as otherwise necessary to provide the Subscription Services; provided that sāf.ai shall inform Customer if, in its opinion, Customer's processing instructions infringe any law or regulation; in such event, sāf.ai is entitled to refuse processing of Personal Data that it believes to be in violation of any law or regulation. Without limiting the foregoing, sāf.ai will not 'sell' Customer Personal Data (as such term is defined in the CCPA).
    4. Additionally, when using the Subscription Services, sāf.ai will collect Usage Data. Where Usage Data contains Customer Personal Data (e.g., within Customer Instructional Input), sāf.ai shall act as Customer's Processor under Applicable Data Protection Laws and such Usage Data will be subject to the applicable terms and conditions of this DPA. Otherwise, to the extent any Usage Data is considered Personal Data under Applicable Data Protection Laws, sāf.ai is the Controller of such Usage Data and shall process such Usage Data in accordance with the Agreement and Applicable Data Protection Laws. sāf.ai will not share (other than with Subprocessors or third parties providing services to sāf.ai who agree to terms at least as restrictive regarding the processing of Usage Data as those set forth herein) or publicly make available any Usage Data that identifies Customer, or any of its Authorized Users, other data subjects, or customers, nor use any Usage Data in a manner that derives its value from the unique aspects of your Customer Instructional Input. Without limiting the foregoing, sāf.ai will not 'sell' any Usage Data (as such term is defined in the CCPA) that contains any Personal Data subject to the CCPA.
  4. SUBPROCESSING

    1. Customer agrees that sāf.ai may appoint Subprocessors to assist it in providing the sāf.ai Services by processing Customer Personal Data solely for the purpose of providing the sāf.ai Services, provided that such Subprocessors:

      (a) agree to act only on sāf.ai's instructions when processing the Customer Personal Data (which instructions shall be consistent with Customer's processing instructions to sāf.ai); and

      (b) agree to protect the Customer Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Customer Personal Data they process consistent with the Security Standards described in Annex B.

    2. sāf.ai remains fully liable for any breach of this DPA or the Agreement that is caused by an act, error or omission of such Subprocessor to the extent sāf.ai would have been liable for such act, error or omission had it been caused by sāf.ai.

    3. sāf.ai shall maintain an up-to-date list at saf.ai/subprocessors (also available upon request to privacy@saf.ai) of all Subprocessors used in the provision of the sāf.ai Services who may have access to or process Customer Personal Data received by sāf.ai from Customer through the Subscription Services under the Agreement ("Subprocessor List").

    4. Prior to the addition or change of any Subprocessors, sāf.ai shall provide notice to Customer, which may include by updating the Subprocessor List on the website listed above, not less than 30 days prior to the date on which the Subprocessor shall commence processing Customer Personal Data. sāf.ai will make available a means by which Customer may subscribe to receive notifications of changes to the Subprocessor List (which may include without limitation the provision of an RSS feed). It is Customer's responsibility to check this website for changes.

    5. In the event that Customer objects to the processing of Customer Personal Data by any newly appointed Subprocessor as described in Section 4.4, it shall inform sāf.ai in writing within 10 calendar days after notice has been provided by sāf.ai. In the event that Customer timely objects on reasonable grounds relating to the protection of Customer Personal Data, sāf.ai will either, at sāf.ai's option, (a) work with Customer to address Customer's reasonable objections and thereafter proceed to use the Subprocessor to perform such processing; (b) instruct the Subprocessor to not process Customer Personal Data, which Customer acknowledges and agrees may result in new or improved Subscription Services features enabled by the Subprocessor not being available to Customer; or (c) allow Customer to terminate this DPA and the Agreement with sāf.ai immediately on notice and upon receipt of such notice provide Customer with a pro rata reimbursement of any sums Customer may have paid in advance for Subscription Services to be provided but not yet received by Customer.

    6. Customer acknowledges that any third party services that may be linked to or used within the sāf.ai Services (e.g., Customer may use GitHub to back up Customer's notebooks) ("Non-sāf.ai Services") are governed solely by the terms and conditions and privacy policies of such Non-sāf.ai Services, and sāf.ai does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Non-sāf.ai Services, including, without limitation, their content or the manner in which they handle your Customer Data (including Customer Personal Data) or any interaction between Customer and the provider of such Non-sāf.ai Services. sāf.ai is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer's enablement, access or use of any such Non-sāf.ai Services, or Customer's reliance on the privacy practices, data security processes or other policies of such Non-sāf.ai Services. The providers of Non-sāf.ai Services shall not be deemed Subprocessors for any purpose under this DPA.

  5. COOPERATION

    1. Customer acknowledges that the Subscription Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under Applicable Data Protection Laws, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is required to respond to a DSR (as defined below) under Applicable Data Protection Laws and is unable to access the relevant Customer Data within the Subscription Services using such controls or otherwise, sāf.ai shall reasonably cooperate with Customer (at Customer's request and expense) to enable Customer (or its third party Controller) to respond to any requests, complaints or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Customer Personal Data under the Agreement(s), including requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws (a 'data subject request' or "DSR") insofar as this is possible. In the event that any such DSR, complaint or communication is made directly to sāf.ai, sāf.ai shall promptly pass such communication on to Customer and shall not respond to such communication without Customer's express authorization. For the avoidance of doubt, the foregoing shall not prohibit sāf.ai from communicating with a Data Subject if it is not reasonably apparent on the face of the communication to which customer of sāf.ai the DSR relates.

    2. If sāf.ai receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Customer Personal Data, sāf.ai shall not disclose any information but shall, to the extent permitted by applicable laws, promptly notify Customer in writing of such request and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure.

    3. To the extent required under Applicable Data Protection Laws, sāf.ai will assist Customer (or its third party Controller), at Customer's request and expense, to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to Data Subjects. Because the need for a data protection impact assessment, if any, will arise from the choices made by Customer regarding what Customer Data is to be processed and the processing activities performed, Customer shall be responsible for any costs arising from sāf.ai's provision of such assistance.

    4. At Customer's written request, sāf.ai will make reasonable efforts to provide Customer with all information necessary to demonstrate its compliance with Applicable Data Protection Laws.

    5. Customer acknowledges that sāf.ai may be required under Applicable Data Protection Laws to: (a) collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which sāf.ai is acting and, where applicable, of such Processor's or Controller's local representative and data protection officer; and (b) make such information available to the applicable data protection authorities. Accordingly, Customer will, where requested, provide such information to sāf.ai via the Services or other means provided by sāf.ai, and will ensure that all information provided is kept accurate and up-to-date.

    6. If the Applicable Data Protection Laws and corresponding obligations related to the processing of Personal Data change, the parties shall discuss in good faith any necessary amendments.

  6. DATA ACCESS & SECURITY MEASURES

    1. sāf.ai shall ensure that any Authorized Person is subject to a duty of confidentiality (whether a contractual or statutory duty) and that they process Customer Personal Data only for the purpose of delivering the sāf.ai Services under the Agreement(s) to Customer.
    2. sāf.ai will implement and maintain appropriate technical and organizational security measures to protect against Security Breaches and to preserve the security, availability, integrity and confidentiality of Customer Personal Data ("Security Measures") and will review such Security Measures on at least an annual basis. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
    3. Because Customer rather than sāf.ai chooses what Customer Personal Data may be processed within the sāf.ai Services, Customer acknowledges its obligation to review the Security Measures prior to providing sāf.ai with access to such Customer Personal Data and represents, as of the date of this DPA, in light of the Customer Personal Data that Customer intends to process through the sāf.ai Services, that it has no reason to believe, provided the Security Measures identified at Annex B have been properly implemented by sāf.ai, that such Security Measures are insufficient to adequately protect the Customer Personal Data according to Applicable Data Protection Laws.
  7. SECURITY INCIDENTS

    1. In the event of a Security Breach, sāf.ai shall inform Customer without undue delay and provide written details of the Security Breach, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to sāf.ai.

    2. Furthermore, in the event of a Security Breach, sāf.ai shall:

      (a) provide timely information and cooperation as Customer may reasonably require to fulfill Customer's data breach reporting obligations under Applicable Data Protection Laws; and

      (b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Breach and shall keep Customer up-to-date about all developments in connection with the Security Breach.

    3. The decision whether to provide notification, public/regulatory communication or a press release (each, a "Notification") concerning the Security Breach shall be solely at Customer's discretion, but the content of any Notification that names sāf.ai or from which sāf.ai's identity could reasonably be determined shall be subject to the prior approval of sāf.ai, which approval shall not be unreasonably withheld, conditioned or delayed, except as otherwise required by applicable laws and provided that conditioning of the Notification on sāf.ai's approval shall not prevent Customer from complying with Applicable Data Protection Laws.

  8. SECURITY REPORTS & INSPECTIONS; AUDITS

    1. The parties acknowledge that sāf.ai uses internal auditors to verify the adequacy of its Security Measures. This audit:

      (a) will be performed at least annually;

      (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001;

    2. At Customer's written request, sāf.ai will provide Customer with copies of its Report so that Customer can reasonably verify sāf.ai's compliance with the security and audit obligations under this Agreement. The Report and any summaries thereof will constitute sāf.ai's Confidential Information under the confidentiality provisions of the Agreement.

    3. sāf.ai will respond in a commercially reasonable time-frame to any requests for additional information or clarification from Customer related to such Report.

  9. DATA TRANSPORT

    1. Customer acknowledges that sāf.ai and its Subprocessors may maintain data processing operations in countries that are outside of the country in which the Platform Services are deployed. As such, both sāf.ai and its Subprocessors may process Customer Personal Data in non-EEA and non-Swiss countries. This will apply even where Customer has agreed with sāf.ai to use cloud instances of the Subscription Services located in the EEA if such non-EEA processing is necessary to provide support-related or other services requested by Customer.

    2. To the extent that sāf.ai processes any Customer Personal Data subject to EU Data Protection Law ("EEA Data") on behalf of Customer, the parties agree that sāf.ai makes available the transfer mechanisms listed below for any transfers of EEA Data from the EEA to sāf.ai located in a country which does not ensure an adequate level of protection (within the meaning of Applicable Data Protection Laws) and to the extent such transfers are subject to such EU Data Protection Law:

      (a) (i) sāf.ai will be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for EEA Data by virtue of having self-certified its compliance with the Privacy Shield; (ii) sāf.ai agrees to process EEA Data in compliance with the Privacy Shield Principles; (iii) if sāf.ai is unable to comply with its obligations under this sub-Section, sāf.ai will inform the Customer; and (iv) sāf.ai will promptly cease (and cause its Subprocessors to promptly cease) processing such EEA Data if in Customer's sole discretion, Customer determines that sāf.ai has not or cannot correct any non-compliance with this sub-Section in accordance with the Privacy Shield Principles within a reasonable time frame.

      (b) To the extent the transfer mechanism identified in Section 9.2(a) does not apply to the transfer, is invalidated and/or sāf.ai is no longer self-certified to the Privacy Shield, sāf.ai agrees to abide by and process EEA Data in compliance with the Model Clauses attached as Annex C, including the appendices attached thereto, and subject to the interpretations set forth in Appendix 3, and for these purposes sāf.ai agrees that it is a "data importer" and Customer and/or its Affiliates, as applicable is/are the "data exporter" under the Model Clauses (notwithstanding that Customer and/or its Affiliates may be an entity or entities located outside of the EEA).

  10. OBLIGATIONS OF CUSTOMER

    Customer acknowledges that sāf.ai does not provide data backup services, and that it is Customer's obligation to back up any Customer Data that Customer may process through the Subscription Services. As part of Customer receiving the sāf.ai Services under the Agreement, Customer agrees and declares as follows:

    (i) that the processing of Personal Data by Customer, including instructing processing by sāf.ai in accordance with this Agreement, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Laws, particularly with respect to the security, protection and disclosure of Personal Data;

    (ii) if Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants to sāf.ai that Customer's instructions and actions with respect to that Personal Data, including its appointment of sāf.ai as another Processor, have been authorized by the relevant Controller;

    (iii) that if processing by Customer involves any Sensitive Data, Customer has collected such Sensitive Data in accordance with Applicable Data Protection Laws;

    (iv) that Customer will inform its Data Subjects as legally required:

    (a) about its use of Processors to process their Personal Data, including sāf.ai; and

    (b) that their Personal Data may be processed outside of the European Economic Area;

    (v) that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the processing of their Personal Data by Customer, and shall give appropriate instructions to sāf.ai in a timely manner; and

    (vi) that it shall respond in a reasonable time to enquiries from an applicable data protection authority regarding the processing of relevant Personal Data by Customer.

  11. DELETION & RETURN.

    Upon Customer's request upon termination or expiry of the Agreement, sāf.ai shall destroy all Customer Data (including Customer Personal Data) in its possession or control. This requirement shall not apply to the extent that sāf.ai is required by any applicable law to retain some or all of the Customer Data (including Customer Personal Data), in which event sāf.ai shall isolate and protect such data from any further processing except to the extent required by such law.

  12. GENERAL.

    1. The parties agree that this DPA shall replace any existing DPA (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the sāf.ai Services.
    2. This DPA shall be effective on the date of the last signature set forth below. The obligations placed upon sāf.ai under this DPA shall survive so long as sāf.ai and/or its Subprocessors process Customer Personal Data on behalf of Customer.
    3. This DPA may not be modified except by a subsequent written instrument signed by both parties.
    4. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
    5. In the event of any conflict between this DPA and any data privacy provisions set out in any Agreements, the parties agree that the terms of this DPA shall prevail. Notwithstanding the foregoing, if there is any conflict between this DPA and a BAA applicable to any patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state laws, rules or regulations applicable to health information, then the BAA shall prevail to the extent the conflict relates to such data.
    6. Notwithstanding anything to the contrary in the Agreement or this DPA, each party's and all of its affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, any Order or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the 'Limitation of Liability' section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA, including all Annexes hereto. Without limiting either of the parties' obligations under the Agreement, Customer agrees that any regulatory penalties incurred by sāf.ai in relation to the Customer Personal Data that arise as a result of, or in connection with, Customer's failure to comply with its obligations under this DPA or any Applicable Data Protection Laws shall count toward and reduce sāf.ai's liability under the Agreement as if such penalties were liabilities to the Customer under the Agreement.
    7. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
    8. This DPA and the Model Clauses will terminate simultaneously and automatically with the termination or expiry of the Agreement.

[signature page follows]

By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them.

ANNEXES and APPENDICES