Data Processing Agreement
This DPA is established in accordance with applicable U.S. and Nevada data protection laws and forms part of the Agreement between UltraSafe AI and the Customer.
Preamble
This data processing agreement (the "Data Processing Agreement" or the "DPA") is established in accordance with applicable U.S. and Nevada data protection laws and forms part of this Agreement (as defined below) between UltraSafe AI and the Customer. By accepting the applicable Service Agreement, the Customer also agrees to be bound by this DPA.
When Customer uses the Services available on the Platform:
- The Customer is the Data Controller;
- UltraSafe AI processes the Personal Data provided by the Customer as Data Processor. Such processing activities are described in Exhibit 1 of this DPA.
When Customer subscribes to Our Services through a Cloud Provider:
- The Customer is the Data Controller;
- The Cloud Provider processes the Personal Data provided by the Customer as Data Processor for the purpose of making the Models available to the Customer on the Cloud Provider's Infrastructure.
- UltraSafe AI will only process Personal Data provided by the Customer as Data Processor for the purpose of providing technical support to the Customer, at the Customer's request, and only if the Customer grants UltraSafe AI access to such Personal Data. Such Processing activities are described in Exhibit 1 of this DPA.
1. Definitions
The capitalized words in this Agreement shall have the meaning given below:
2. Role of the Parties
UltraSafe AI as Data Processor. With respect to the Processing described in Exhibit 1, the Customer shall act as the Data Controller and UltraSafe AI shall act as the Data Processor.
Description of the Processing. UltraSafe AI processes the Personal Data on behalf of the Customer in order to provide the Customer with the Services it ordered under the Agreement. A description of the Processing is available in Exhibit 1 of this DPA. The Customer agrees that UltraSafe AI may update the description of the Processing from time to time to reflect new Services, features or functionalities. UltraSafe AI will notify the Customer of any update no later than fifteen (15) days prior to the effective date of the modification.
UltraSafe AI as Data Controller. The Customer authorizes UltraSafe AI to process the Prompts and the Outputs as Data Controller for the purpose of (a) monitoring abuse, (b) treating voluntary reports, (c) research purposes, and (d) to improve the training of the Models, subject to applicable opt-out rights described in the relevant Terms of Service. UltraSafe AI will inform the Data Subjects of such processing activities in its Privacy Policy.
3. General Obligations of the Parties
Each Party shall comply with their respective obligations under the Applicable Personal Data Protection Law and shall not, by any act or omission, cause the other to be in breach of any such obligations under the Applicable Data Protection Law.
3.1. General Obligations of UltraSafe AI
UltraSafe AI shall:
- Process the Personal Data only in accordance with the documented lawful instructions of the Customer as set forth in this DPA, the Agreement or by email and for no other purpose, unless required to do so by the applicable laws.
- Promptly inform the Customer if, in its opinion, the Customer's instructions infringe the Applicable Data Protection Law. In such an event, UltraSafe AI is entitled to refuse to perform the Processing of Personal Data that it believes to be in violation of the Applicable Data Protection Law.
- Ensure that any person UltraSafe AI authorizes to process Personal Data (including UltraSafe AI team members and the Subprocessors) is subject to a duty of confidentiality, whether contractual or statutory.
- Taking into account the nature of the Processing and the information available to UltraSafe AI, upon the Customer's written request and to the extent that is commercially reasonable and required by the Applicable Data Protection Laws, provide the Customer with reasonable and timely assistance in connection with investigations from a Supervisory Authority, data protection impact assessments, and compliance obligations.
3.2. General Obligations of the Customer
The Customer agrees that:
- It will comply with its obligations under the Applicable Data Protection Law regarding the Processing and any Processing instruction it issues to UltraSafe AI.
- It is responsible for providing guidance to Authorized Users regarding the use of the Services, and in particular the use of Personal Data within the Services.
- It is responsible for applying filters to prevent any unauthorized use of Personal Data by the Authorized Users.
- UltraSafe AI's security obligations under this DPA apply without prejudice to the Customer's own security obligations under the Applicable Data Protection Law.
- It has provided notice and obtained all consents and rights necessary under the Applicable Data Protection Law for UltraSafe AI to process Personal Data under this DPA.
4. Data Subjects
Information. As Data Controller, the Customer is solely responsible for providing the Data Subjects with any information required by the Applicable Data Protection Law.
Data Subject requests. Taking into account the nature of the Processing and upon the Customer's request, UltraSafe AI shall provide the Customer with commercially reasonable assistance to enable the Customer to respond to any request from Data Subjects to exercise any of their rights under the Applicable Data Protection Law.
Requests made directly to UltraSafe AI. In the event that any request is made directly to UltraSafe AI, UltraSafe AI will not respond to such request directly without the Customer's prior consent, unless required to do so by applicable law. Instead, UltraSafe AI will transfer that request to the Customer, who will then be solely responsible for responding to such request.
5. Security and Personal Data Breach
5.1. Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, UltraSafe AI shall implement and maintain appropriate technical and organizational measures to protect Personal Data from any Personal Data Breach and to preserve the security and confidentiality of the Personal Data. The Customer acknowledges that such security measures are subject to technical progress and development and that UltraSafe AI may update them from time to time, provided that such updates do not materially decrease the overall security of the Processing.
5.2. Personal Data Breach
UltraSafe AI shall notify the Customer of any Personal Data Breach without undue delay and where feasible no later than seventy-two (72) hours after becoming aware of such Personal Data Breach. This notification shall include:
- The name and contact details of UltraSafe AI's point of contact where more information can be obtained;
- The nature of the Personal Data Breach, including the categories and number of Data Subjects concerned;
- A description of the measures the Customer could take to mitigate the possible adverse effects;
- The likely consequences of the Personal Data Breach;
- The measures proposed or taken by the Company following the Personal Data Breach.
The Customer is solely responsible for notifying the Supervisory Authority and/or the Data Subjects of the Personal Data Breach.
6. Sub-processing
The Customer provides a prior and general authorization allowing UltraSafe AI to appoint any Subprocessors to assist in the provision of the Services and in the Processing, subject to the following:
- UltraSafe AI will maintain an up-to-date list of its Sub-processors on the Platform.
- UltraSafe AI will notify the Customer of any changes to this list.
- UltraSafe AI will enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Personal Data to the same standards provided by this DPA.
- UltraSafe AI will remain liable to the Customer if such Subprocessor fails to fulfill its data protection obligations.
UltraSafe AI will provide notice to the Customer of any changes to the list of Sub-processors no later than thirty (30) days prior to engaging such Sub-processor. The Customer may object in writing on reasonable grounds relating to the Applicable Data Protection Laws during this notice period.
7. Transfers of Personal Data to a Restricted Country
Where Personal Data is transferred outside the United States to a jurisdiction that lacks substantially similar privacy protections, the parties agree to implement appropriate safeguards consistent with Section 5 of the FTC Act and Nevada Revised Statutes Chapter 603A.
The Customer provides a prior and general authorization allowing UltraSafe AI to transfer Personal Data to any Authorized Recipients located in a jurisdiction outside the United States, provided that such transfers are subject to appropriate safeguards. If such safeguards are no longer deemed sufficient, UltraSafe AI will promptly notify the Customer and suspend the applicable transfer until an alternative lawful basis or safeguard has been implemented.
8. Audit
Documentary audit. Upon the Customer's written request, UltraSafe AI will make available all documents and information to demonstrate that the Processing complies with this DPA in a timely manner, to the extent that is commercially reasonable and required by the Applicable Data Protection Laws.
Audit on UltraSafe AI's premises. The Customer may conduct up to one (1) audit per year, subject to:
- Reasonable advance written notice of at least thirty (30) calendar days.
- The audit shall be carried out by an independent auditor selected jointly by the Parties that is not a direct or indirect competitor of UltraSafe AI.
- The selected auditor shall be bound by a confidentiality agreement and/or by professional secrecy.
- The audit shall be conducted during UltraSafe AI's regular business hours and shall not unreasonably impair or slow down the Services.
- An identical copy of the audit report shall be given to both Parties. Each Party may make observations regarding the audit report.
- The costs of this audit shall be borne exclusively by the Customer.
9. Return or Destruction of Personal Data
After the end of the provision of the Services, UltraSafe AI will delete or return to the Customer all Personal Data processed on the Customer's behalf, in accordance with UltraSafe AI's deletion policies and procedures. The Customer acknowledges that the Personal Data will no longer be accessible upon the expiry of a thirty (30) day period following the termination of the Customer's access to and use of the Services.
10. Term
This DPA shall commence on the effective date of the Agreement and will continue for the duration of the Agreement.
11. Limitation of Liability
The liability of each Party and each Party's affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
Exhibit 1 — Description of the Processing
UltraSafe AI may update the description of the Processing from time to time to reflect new Services, features or functionality.
- Privacy contact: [email protected]
- Categories of Data Subjects: The Customer, the Authorized Users and any other natural person whose Personal Data is used by the Customer or the Authorized User as User Data.
- Categories of Personal Data: Account data and UltraSafe AI ID; API Key (where applicable); any Personal Data used by Customer to generate an Output, as part of User Input Data, or that may be accessed by UltraSafe AI as part of the Services, including associated metadata.
- Special categories of Personal Data: None. Customer shall not process sensitive data under this DPA. To process sensitive data, please contact [email protected].
- Authorized Purposes: Subject to the Customer's Subscription — provision of the API Services (Technical Support, Generation of Outputs, Fine-Tuning, Agent Building, Account management) and provision of the Chat Services (Technical Support, Generation of Outputs, history display, Agent use, Account management).
- Duration of the Processing: The term of this DPA.
- Retention Periods: For API Services, Prompts and Outputs are processed only for the duration of generation; User Input Data is retained until deletion by Customer. For Chat Services, Prompts and Outputs are stored for the term of this DPA or until deleted by Customer. Technical support data is stored for the duration of the request plus five (5) years for evidential purposes.
- Sub-processors: Azure — hosting provider. Personal Data is stored in Sweden.