TERMS OF SERVICE
This agreement ("Agreement") is a legally binding contract between Klarity Intelligence, Inc. ("Klarity"), and you, the customer ("Customer" or "You"). This Agreement becomes effective upon your signing of an Order Form (as defined below) that references this Agreement ("Effective Date"). Klarity retains the right to amend this Agreement at any time. Your continued use of the Services after any such changes have been made constitutes your acceptance of the revised terms. This Agreement applies irrespective of the means of acquisition, whether you have subscribed to the Services directly from us or through our authorized resellers, partners or distributors.
1. DEFINITIONS
1.1. “Affiliate” means any present or future entity controlled by, or under common control with, a party.
1.2. “Customer Data” means any information provided by Customer to Klarity to enable the provision of the Services, including information contained in Customer documents processed via the Services.
2. SERVICES AND SUPPORT
2.1. Customer and Klarity may enter into one or more service orders in a mutually agreed upon form (“Order Form”). Upon execution, each Order Form will become effective and incorporate this Agreement. Klarity will provide Customer the services described in the applicable Order Form (“Services”) during the term specified therein (“Subscription Term”) in accordance with the terms of this Agreement, including the service level terms and technical support (Exhibit A), Data Processing Addendum (Exhibit B), and Artificial Intelligence Addendum (Exhibit C). The Services are provided on a non-exclusive basis and will not include a physical or installed copy.
3. FEES
3.1. Customer agrees to pay Klarity the fees described in the applicable Order Form (“Fees”) for the Services. The Fees are calculated based on the Documents, Processes, and/or other units specified in the Order Form (“Service Capacity”). Unused Service Capacity will not carry over into subsequent Subscription Terms. Should Customer's use of the Services exceed the Service Capacity, Customer will be charged for such excess usage at the rates described in the Order Form without any discounts except as expressly provided in the Order Form. Klarity reserves the right to modify the Fees at the end of each Subscription Term. All Fees are quoted and payable in United States Dollars (USD). Any late payments will accrue interest at 1% per month or the maximum rate permitted by law, whichever is less.
3.2. Fees exclude all taxes, levies, duties, or similar charges, including but not limited to value-added, sales, use, or withholding taxes, imposed by any jurisdiction (“Taxes”). Customer is responsible for all Taxes related to its transactions under this Agreement. If Klarity is required to pay or collect Taxes on behalf of Customer, Klarity will invoice Customer, who agrees to pay, unless a valid tax exemption certificate is provided. Klarity is responsible only for its own income, property, and employee-related taxes.
4. TERM AND TERMINATION
4.1. This Agreement extends to all Subscription Terms under Order Forms entered into between Customer and Klarity on or after the Effective Date. Each Order Form will automatically renew unless either party provides written notice of its intent not to renew at least thirty (30) days prior to the expiration of the then-current Subscription Term.
4.2. Either party may terminate this Agreement or any individual Order Form if the other: (i) materially breaches it and fails to remedy the breach within thirty (30) days of written notice; or (ii) becomes subject to bankruptcy, insolvency, liquidation, or similar proceedings. If Customer terminates due to Klarity’s material breach, Klarity will provide a prorated refund of any unused prepaid Fees for such Order Form(s). Either party may terminate an individual Order Form for material breach of that Order Form without necessarily terminating all other Order Forms, unless the breach fundamentally affects the entire Agreement. Termination of this Agreement also terminates all outstanding Order Forms. Any provisions which by their nature should survive, such as accrued rights to payment, confidentiality, warranty disclaimers, limitations of liability and indemnities, will remain in effect.
5. CONFIDENTIALITY
5.1. Each party ("Recipient") acknowledges that the other party ("Discloser") has disclosed or may disclose business, technical, or financial information relating to Discloser’s business ("Confidential Information"). For Klarity, Confidential Information includes non-public details regarding features, functionality, and performance of the Services. For Customer, Confidential Information includes all Customer Data. Recipient agrees to: (i) take reasonable precautions to protect such Confidential Information; (ii) use Confidential Information solely to perform obligations or exercise rights under this Agreement; and (iii) not disclose any Confidential Information to third parties, except to its representatives who are bound by confidentiality obligations at least as restrictive as those contained herein. The obligations set forth above will not apply to any Confidential Information that: (a) becomes publicly known through no breach of this Agreement by Recipient; (b) was known to Recipient free of any confidentiality obligations before its disclosure by Discloser; (c) is received from a third party without breach of any confidentiality obligations and without restriction on disclosure; (d) is independently developed by Recipient without reference to Discloser’s Confidential Information. Recipient may disclose Confidential Information if required by law or court order but will, unless legally prohibited, provide prompt written notice to Discloser to allow for protective measures and will disclose only the minimum necessary information.
6. CUSTOMER’S RIGHTS AND RESPONSIBILITIES
6.1. Customer will retain ownership of all Customer Confidential Information, including but not limited to Customer Data.6.2. Customer will not, except as expressly permitted by this Agreement: (i) reverse engineer, decompile, disassemble, or attempt to discover the source code, object code, or underlying structure, ideas, know-how, or algorithms of the Services or any related software, documentation, or data; (ii) modify, translate, or create derivative works from the Services; (iii) copy any features, functions, or graphics of the Services; (iv) allow any third party to access or use the Services; (v) publish any tests or benchmarks about the Services; (vi) use the Services for any purpose other than internal business use; (vii) use the Services for timesharing, service bureau purposes or for the benefit of any third party; or (viii) remove any proprietary notices or labels from the Services or any related documentation. Customer and any authorized users, including but not limited to Affiliates, employees, officers, directors, consultants, and auditors (“Users”), will comply with all applicable laws and regulations and this Agreement in their access and use of the Services. Customer and Users will not use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material or information. If Customer becomes aware of any User violating these obligations, Customer will immediately notify Klarity. Klarity may use the Services to monitor and enforce compliance with this Agreement.6.3. Customer is responsible for ensuring its own access to the Services, including procuring and maintaining all equipment and ancillary services necessary to access the Services.
7. KLARITY’S RIGHTS AND RESPONSIBILITIES
7.1. Klarity will own and retain all right, title and interest in and to: (i) Klarity Confidential Information; (ii) the Services and all improvements or modifications thereto; (iii) any software, applications, inventions or other technology developed in connection with the Services; and (iv) any suggestions, requests, recommendations or other feedback provided by Customer or Users relating to the Services (“Feedback”).
7.2. Klarity may: (i) collect and analyze information relating to the provision, use and performance of the Services and related systems and technologies (“Usage Data”); (ii) use Usage Data to improve and enhance the Services and for other development, diagnostic and corrective purposes; and (iii) disclose Usage Data in connection with its business.
8. WARRANTY AND DISCLAIMER
8.1. Each party represents and warrants that it has the authority to enter into and fulfill its obligations under this Agreement, and that doing so will not breach any binding agreement, order or legal process, nor require consent from any government, court or legal entity.
8.2. Klarity warrants to Customer that the Services will operate substantially in accordance with its documentation. Klarity will use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and will perform onboarding services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Klarity or by third-party providers, or because of other causes beyond Klarity’s reasonable control, but Klarity will use reasonable efforts to provide advance notice of any scheduled service disruption. Klarity is not a law firm, accounting firm or tax firm and is not engaged in the practice of law, accounting or tax services. Under no circumstance is an attorney-client relationship formed between Klarity and Customer or any of Customer's clients (if applicable). Klarity work product will not constitute legal opinions or legal advice and is prepared at the direction of, and for review by, Customer. It is Customer’s sole responsibility to ensure the accuracy and completeness of the final product. Customer’s sole remedy for a breach of any warranty set forth in this Agreement will be as provided in the “Term and Termination” section of this Agreement. KLARITY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED “AS IS” AND KLARITY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
9. LIMITATION OF LIABILITY
9.1. EXCEPT WITH RESPECT TO CLAIMS BASED ON FRAUD, GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY NOR ITS SUPPLIERS, OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS OR EMPLOYEES WILL BE LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (i) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (ii) FOR ERROR OR INTERRUPTION OF USE, FOR LOSS, INACCURACY OR CORRUPTION OF DATA, FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR FOR LOSS OF BUSINESS; (iii) FOR ANY MATTER BEYOND A PARTY’S REASONABLE CONTROL; OR (iv) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO KLARITY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. INDEMNITY
10.1. Klarity will defend and indemnify Customer and its Affiliates from and against all losses, damages, liabilities, costs and expenses (including reasonable attorneys’ fees) arising out of a third party claim, action or proceeding alleging that the Services or the use thereof as permitted by this Agreement, infringes or otherwise violates any intellectual property rights.
10.2. Customer will defend and indemnify Klarity and its Affiliates from and against all losses, damages, liabilities, costs and expenses (including reasonable attorneys’ fees) arising out of a third party claim, action or proceeding alleging that Customer’s or a User’s use of the Services in violation of this Agreement infringes or otherwise violates any intellectual property rights.
10.3. The indemnified party will give the indemnifying party prompt written notice of any claim. The indemnifying party has the right to control the defense or settlement of the claim; provided, however, that the indemnifying party may not settle any claim if it imposes any liability or obligation on the indemnified party or its Affiliates without the indemnified party’s prior written consent. This section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim, action or proceeding described in this section.
11. MISCELLANEOUS
11.1. All notices under this Agreement will be via email and duly given when receipt is electronically confirmed. This Agreement may be executed in counterparts, which together will form one legal instrument. If any provision of this Agreement is found to be unenforceable, that provision will be limited to the minimum extent necessary to make it enforceable and the remainder of this Agreement will remain in full force and effect. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes all prior and contemporaneous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. Any waivers and modifications must be in a writing signed by both parties. To the extent of any conflict between this Agreement and any exhibit or addendum hereto and any Order Form, the terms of such exhibit, addendum or Order Form will prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other Customer order documentation (excluding Order Forms) will be incorporated into or form any part of this Agreement, and all such terms or conditions will be null and void.
11.2. The parties are independent contractors. No agency, partnership, joint venture, fiduciary or employment is created as a result of this Agreement and neither party has any authority to bind the other party whatsoever.
11.3. Klarity may use Klarity Affiliates and/or subcontract third parties, in each case within or outside of the United States. Klarity will remain responsible for the provision of the Services. Neither party may assign this Agreement without the other party’s prior written consent; provided, however, that a party may assign this Agreement (a) to any Affiliate; (b) in connection with a merger or sale of all or substantially all of its stock or assets; or (c) in connection with any divestiture or spin-off of any entity or division, business unit or department within an entity. Any other purported assignment will be void. This Agreement will bind and benefit the parties, their respective successors and permitted assigns.
11.4. Neither party will be liable for or in breach of this Agreement for any delay or failure to perform as a result of fire, strike, war, terrorism, insurrection, government restriction or prohibition, pandemic disease or any other causes or conditions which are beyond such party’s reasonable control and which such party is unable to overcome by the exercise of reasonable diligence (“Force Majeure Events”).
11.5. Klarity may use Customer’s name and logo for marketing purposes and refer to Customer as Klarity’s customer.
11.6. This Agreement will be governed by the laws of California without regard to conflict of law provisions. All disputes and proceedings related to this Agreement will be maintained in state and federal courts in California and the parties consent to the personal jurisdiction of such courts. Each party waives any right to jury trial in connection with any dispute or proceeding related to this Agreement. In any action or proceeding relating to this Agreement, the prevailing party will be entitled to recover reasonable legal expenses including attorneys’ fees.
EXHIBIT A: SERVICE LEVEL AGREEMENT
This Service Level Agreement (“SLA”) forms a part of and is subject to the Agreement.
1. TECHNICAL SUPPORT
1.1. Klarity will provide technical support to Customer via email on weekdays during the hours of 8 am through 5 pm Pacific time, with the exclusion of federal holidays (“Support Hours”). Customer may initiate a helpdesk ticket during Support Hours by emailing support@klarity.ai or any time by opening a chat window in the Services.
2. SERVICE LEVEL TERMS
2.1. During the Subscription Term, the Services will be available 99.7%, measured monthly, excluding scheduled maintenance (“Target Availability Percentage”). If Customer requests maintenance during the available hours, any Target Availability Percentage calculation will exclude periods affected by such maintenance. Downtime caused by events beyond Klarity’s control, including outages of third-party connections, utilities, or Force Majeure Events, will also be excluded from the Target Availability Percentage calculation.
2.2. If during any calendar month of the Subscription Term, the actual availability percentage (“Availability Percentage”) is lower than the Target Availability Percentage, and Customer notifies Klarity in writing about the downtime within thirty (30) days of its occurrence, Klarity will provide Customer with a credit for any verified downtime (“Service Credit”) as follows:
Availability Percentage: Service Credit
- 95% – 99.6%: 5% Monthly Subscription Fee
- 90% – 94.9%: 10% Monthly Subscription Fee
- 85% – 89.9%: 20% Monthly Subscription Fee
- below 85%: 25% Monthly Subscription Fee
2.3. Service Credits may not be transferred to another party or redeemed for cash and constitute liquidated damages, not a penalty. Service Credits may only be applied to the month in which the downtime occurred. If Customer does not provide written notice of downtime within the thirty (30) day period, Customer will forfeit the right to receive Service Credits. If Customer is current on its payment obligations, then Klarity will apply Service Credits to Customer’s next invoice. If Customer is not current on its payment obligations, then Klarity will apply Service Credits after Customer pays up any owed amount in full. If Customer will not receive a future invoice because their Subscription Term will not renew, Klarity will extend Customer’s then-current Subscription Term for a period of time corresponding to the amount of the credit (e.g. 5% Service Credit equals 5% Calendar Month extension). Service Credits are Customer’s sole remedy (and Klarity’s sole liability) for Services availability failures. Simultaneous availability events (e.g. simultaneous uptime and load time failures) do not accrue duplicate Service Credits. In no event will Service Credits in any calendar month exceed 25% of total monthly fees for that calendar month in case of System Uptime Availability.
EXHIBIT B: DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms a part of the Agreement and applies to Klarity’s Processing of Personal Data (as defined below) under the Agreement.
1. DEFINITIONS
1.1. “Affiliate” means any present or future entity controlled by, or under common control with a party.
1.2. “Business,” “Business Purpose,” “Consumer,” “Person,” “Personal Information,” “Sell,” “Service Provider,” and “Third Party” have the meanings given in U.S. Data Protection Law.
1.3. "Controller," "Data Subject," “Personal Data,” "Processing," "Process" and "Processor" have the meanings given in Data Protection Law.
1.4. "Data Protection Law" means: (i) the EU General Data Protection Regulation (GDPR); (ii) the EU Directive on Privacy and Electronic Communications; (iii) U.S. Data Protection Law; (iv) any related state, national or successor laws; and (v) any other applicable laws.
1.5. “U.S. Data Protection Law” means all applicable U.S. state and federal data protection laws and regulations, including the California Consumer Privacy Act (CCPA).
2. RELATIONSHIP OF THE PARTIES; SCOPE OF PROCESSING
2.1. Customer is the Controller of certain Customer Data that is Personal Data (“Customer Personal Data”) and appoints Klarity as a Processor to Process such Customer Personal Data. Each party will comply with the obligations that apply to it under Data Protection Law. Klarity will Process Customer Personal Data as a Processor only to perform its obligations under the Agreement and in accordance with the instructions of Customer ("Permitted Purpose"), except as required by law. Klarity will ensure that any person it authorizes to Process Customer Personal Data ("Authorized Person") Processes Customer Personal Data only as necessary for the Permitted Purpose and is subject to a duty of confidentiality requiring them to keep such Customer Personal Data confidential.
2.2. Klarity will not transfer Customer Personal Data (nor permit Customer Personal Data to be transferred) outside of the European Economic Area ("EEA") unless it complies with the standard contractual clauses for the transfer of personal data from the EEA to processors established in third countries - as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“Standard Contractual Clauses”) available at:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
Klarity will not transfer Customer Personal Data (nor permit Customer Personal Data to be transferred) outside of the United Kingdom unless it enters into the standard contractual clauses for the transfer of personal data from the United Kingdom to processors established in third countries (“UK Standard Contractual Clauses”) attached hereto.
2.3. Klarity will provide reasonable assistance to Customer to enable Customer to respond to any request from a Data Subject to exercise any of its rights under Data Protection Law.
2.4. Upon Customer’s written request, Klarity will delete all Customer Data in its possession or control except as required by law.
2.5. Klarity may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other U.S. or EU judicial or regulatory body upon their request and that any such disclosure will not be deemed a breach of the Agreement or this DPA. Klarity may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate international, federal, state, or local law.
2.6. Customer authorizes Klarity to engage third party subprocessors to Process Customer Personal Data provided: (i) Klarity notifies Customer in writing (email sufficient); and (ii) Klarity imposes data protection terms on any subprocessor substantially similar to the terms of this DPA. Customer may object to Klarity's appointment of a third party subprocessor in writing within thirty (30) days after receiving Klarity’s notification, provided such objection is on reasonable grounds relating to the protection of Customer Personal Data. Customer authorizes Klarity to use its Affiliates and the subprocessors listed in Annex 3 to the Standard Contractual Clauses attached hereto.
3. SECURITY
3.1. Klarity will maintain an information security program that includes, at a minimum, those technical and organizational measures described in Annex 2 to the Standard Contractual Clauses attached hereto.
3.2. Klarity will implement appropriate technical and organizational measures to protect Customer Personal Data from a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed ("Security Incident"). Upon becoming aware of a Security Incident, Klarity will inform Customer within 48 hours. Klarity will take all necessary measures and actions to remedy or mitigate the effects of the Security Incident.
4. CCPA
4.1. Customer is a Business and authorizes Klarity as a Service Provider to process certain Personal Information on behalf of Customer (“Customer Personal Information”). Except as provided in this DPA, Customer will not Sell the Customer Personal Information to Klarity and Klarity will not Sell the Customer Personal Information. Unless otherwise required by law, Klarity will not retain, use or disclose the Customer Personal Information other than to provide the Services.
5. AUDIT
5.1. Klarity will permit upon Customer’s written request, when Customer has reasonable cause to believe Klarity is in non-compliance with its obligations under this DPA, a mutually agreed-upon third party auditor (“Auditor”) to audit Klarity's compliance with this DPA and will make available to such third-party auditor all information necessary for the Auditor to conduct such audit provided that Customer provides reasonable prior notice, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Klarity's operations. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except: (i) if and when required by Data Protection Law or instruction of a competent data protection authority; (ii) Customer reasonably believes a further audit is necessary due to a Security Incident suffered by Klarity, or (iii) as mutually agreed between the parties.
ANNEX 1: PARTIES AND DETAILS OF PROCESSING
A. LIST OF PARTIES
Data Exporter:
● Name: As specified in the Agreement
● Role: Controller
Data Importer:
● Name: Klarity Intelligence, Inc.
● Contact: infosec@klarity.ai
● Role: Processor
B. DESCRIPTION OF TRANSFER
Data Subjects: Individuals in the EEA and Switzerland.
Personal Data:
● First and last name
● Contact details (email, phone)
● Company, position
● Login credentials
Special Categories: None.
Processing Operations: Processing as needed to provide Klarity Services under the Agreement.
Purpose: Perform obligations under the Agreement, strictly as a Processor.
Retention: Until deletion as specified in the DPA.
Sub-processors: As described in the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Authority: Data Protection Commission of Ireland.
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
Measures of pseudonymisation and encryption of personal data
Klarity will maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate, the anonymization and encryption of Customer Data. Klarity maintains Customer Data in an encrypted format in transit (HTTPS/TLS) and at rest (AES-256).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually, including appropriate technical and organizational measures to protect Customer Data from a Security Incident. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, as appropriate: (i) the anonymization and encryption of Customer Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate, the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident. Klarity performs regular backups of Customer Data, which is hosted in AWS data centers. Backups are retained redundantly across multiple availability zones.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate, to Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. Klarity maintains a risk-based assessment security program. The framework for Klarity’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Measures for user identification and authorization
Klarity personnel are required to use unique user access credentials and passwords for authorization. Klarity follows the principles of least privilege through role-based and time-based access models when provisioning system access. Access is promptly removed upon role change or termination.
Measures for the protection of data during transmission
Customer Data is encrypted using HTTPS/TLS during transmission. Klarity will ensure that any person that it authorizes to Process Customer Data including Klarity's Authorized Persons will be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and will not permit any person to Process Customer Data who is not under such a duty of confidentiality. Klarity will ensure that all Authorized Persons Process Customer Data only as necessary for the Permitted Purpose. Klarity will not transfer Customer Data (nor permit Customer Data to be transferred) outside of the EEA unless (i) it has first obtained Customer's prior written consent; and (ii) enters into the Standard Contractual Clauses attached hereto.
Measures for the protection of data during storage
Customer Data is encrypted using AES-256 during storage.
Measures for ensuring physical security of locations at which personal data are processed
The Services operate on Amazon Web Services (“AWS”) and are protected by the security controls of AWS.
Measures for ensuring events logging
Klarity monitors access to applications, tools, and resources that process or store Data, including cloud services. Monitoring of security logs is centralized by the security team.
Measures for ensuring system configuration, including default configuration
New account configurations are approved by each customer. Klarity adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. The Klarity system maintains an audit trail of all changes to contract review rules and account settings. Changes to contract review rules are initiated by the customer and restricted to authorized personnel.
Measures for internal IT and IT security governance and management
Biannual security meetings are held with the entire company and are led by the CTO to review all information security policies and to communicate specific security related topics. Klarity’s enterprise Mobile Device Management solution, Rippling, is installed on all employee workstations. Amongst other things, it allows for password complexity enforcements, encryption enforcement and remote locking/wiping. VPN connection is required in order for employees to access all internal IT systems. Separate VPN connections are required for the Production and QA environments. User access to systems and data is based on the “Principle of Least Privilege”, wherein users are given only the minimum amount of access privileges required to satisfy their role. Passwords to all IT systems (including employee workstations) follow these rules: password length must be at least 32 characters. Passwords and IT system credentials are stored only on Bitwarden, Klarity’s self-hosted password management system. Wherever possible (and particularly with systems with access to live customer data) multi-factor authentication must be enabled when logging into IT systems. All employees are required to complete a security awareness seminar immediately upon joining and twice a year thereafter.
Measures for certification/assurance of processes and products
Klarity is SOC 1 Type II and SOC 2 Type II certified. Penetration tests are conducted after any major changes to the system’s functionality, however, not less than annually.
Measures for ensuring data minimization
When setting up integrations, Klarity recommends the following best practices to customers to minimize data transfer: restricting the access of the Klarity API user to “Read” permissions for only the objects and metadata fields Klarity will need to import and (ii) configuring triggers/webhooks within the source application as narrowly as possible so that Klarity is only notified of documents it needs to process and nothing additional.
Measures for ensuring data quality
New customer accounts are approved by management prior to account set up and based upon customer specifications within the business requirements agreement. Klarity performs manual annotation and validates results against system results before production go-live. The information system is reviewed at a defined frequency to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Measures for ensuring limited data retention
Upon Customer’s written request, Klarity will delete all Customer Data in its possession or control. This requirement will not apply to the extent Klarity is required by Applicable Data Protection Law to retain some or all of Customer Data, in which event Klarity will isolate and protect Customer Data from any further Processing except to the extent required by such law.
Measures for ensuring accountability
Compliance to infosec policies is tracked centrally through Vanta (SOC 2 compliance), Avast Pro Plus (Antivirus) and Rippling (MDM). All infosec policies detail consequences for violation, administered by the CTO.
Measures for allowing data portability and ensuring erasure
Klarity maintains a comprehensive list of locations containing customer data, as well as scripts that systematically delete customer data from said locations when needed. Production and QA environments are completely logically separated from each other. No customer data is ever stored in any non-Production environment.
For transfers to (sub-) processors
Customer authorizes Klarity to engage third party subprocessors to Process Customer Data provided: (i) Klarity notifies Customer in writing (email sufficient), (ii) Klarity imposes data protection terms on any subprocessor substantially similar terms to the terms of this DPA; and (iii) Klarity remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. Customer may object to Klarity's appointment of a third party subprocessor within thirty (30) days after receiving Klarity’s notification, provided such objection is on reasonable grounds relating to the protection of Customer Data. In such event, Klarity will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate this DPA.
ANNEX 3: LIST OF SUBPROCESSORS
Customer specifically consents to Klarity using the following subprocessors:
Amazon Web Services, Inc.
MongoDB, Inc.
Asana, Inc.
Google LLC
Slack Technologies, LLC
Elasticsearch, B.V.
Klarity Intelligence (India) Private Limited
Microsoft Corporation
Workato, Inc.
ZoomInfo Technologies Inc.
OpenAI, L.P.
Pinecone Systems, Inc.
Okta, Inc.
Connor Group Global Services, LLC
Gong.io Inc.
Anthropic PBC
Superhuman Labs, Inc.
Linear Orbit, Inc.
Daily, Co.
ANNEX 4: INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU STANDARD CONTRACTUAL CLAUSES
PART 1: PARTIES
Table 1: Parties
● Start Date: As defined in the Agreement
● Exporter: Customer (as defined in the Agreement)
● Importer: Klarity Intelligence, Inc.
● Klarity Contact: infosec@klarity.ai
Table 2: Selected Standard Contractual Clauses and Clauses
● Addendum to EU Standard Contractual Clauses: Includes all modules and appendix details as required.
Table 3: Appendix Information
● Annex 1A: List of Parties – See Agreement and DPA.
● Annex 1B: Description of Transfer – Refer to Annex 1 of the Standard Contractual Clauses.
● Annex II: Technical and Organizational Measures – Refer to Annex 2 of the Standard Contractual Clauses.
● Annex III: Sub-processors – Refer to Annex 3 of the Standard Contractual Clauses.
Table 4: Changes to Approved Addendum
● Termination Rights: Importer may terminate if changes occur.
PART 2: MANDATORY CLAUSES
By agreeing to this Addendum, both Parties are bound by the UK ICO International Data Transfer Agreement and applicable Standard Contractual Clauses. This Addendum has the same legal effect as signing the Standard Contractual Clauses.
EXHIBIT C: ARTIFICIAL INTELLIGENCE ADDENDUM
This Artificial Intelligence Addendum (“AI Addendum”) will apply to the extent that Klarity uses any artificial intelligence system, algorithm or other software (“AI”) to provide the Services. The obligations herein will apply whether the AI is proprietary to Klarity or a tool made available by any third party that uses AI to Process Customer Data on behalf of Klarity (“Third Party AI Provider”).
1. FLOW DOWN REQUIREMENTS
1.1. To the extent Klarity uses any Third Party AI Providers to Process Customer Data, it will ensure such Third Party AI Providers agree to confidentiality, privacy, security, and data ownership obligations substantially similar to those in this DPA. Klarity will remain responsible for any acts or omissions by such Third Party AI Providers to the same extent as if Klarity were Processing the Customer Data directly.
2. MODEL TRAINING
2.1. Klarity and Third Party AI Providers will not process any Customer Data for any purpose other than those described in this DPA. For the avoidance of doubt, Klarity and Third Party AI Providers will not collect, use or retain any Customer Data as training data for any AI model, whether directly or indirectly.
3. CUSTOMER DATA
3.1. Customer has the right to disclose Customer Data to Klarity and will not disclose Customer Data to Klarity that violates applicable law or any third party intellectual property rights.
4. DATA DELETION
4.1. Upon written request by Customer, Klarity will delete any Customer Data except as required by law.
