Terms of Service
This Terms of Service ("Agreement") is a legally binding contract between Klarity Intelligence, Inc. ("Klarity"), and you, the customer ("Customer" or "You"). This Agreement becomes effective upon Customer's signing of an Order Form (as defined below) that references this Agreement ("Effective Date"). The Order Form, along with this Agreement, comprises the full and exclusive understanding between Customer and Klarity regarding the access to and use of the services provided by Klarity to Customer under the Order Form ("Services"), and it supersedes all prior and contemporaneous agreements or understandings between Klarity and Customer, whether written or oral, with respect to the Services. Klarity retains the right to amend this Agreement at any time. Your continued use of the Services after any such changes have been made constitutes your acceptance of the revised terms.
This Agreement applies irrespective of the means of acquisition, whether you have subscribed to the Services directly from us or through our authorized resellers, partners or distributors ("Authorized Reseller").
1. DEFINITIONS
1.1 “Affiliate” means any present or future entity controlled by, or under common control with, a party.
1.2 “Customer Data” means any information provided by Customer to Klarity to enable the provision of the Services, including but not limited to information contained in any Customer document processed via the Services.
1.3 “Insulated Information” means any Customer Data to the extent it identifies: (i) any individual or household; (ii) any legal entity, including but not limited to Customer and its counterparties; or (iii) any price, product or service.
2. SERVICES AND SUPPORT
2.1 Customer and Klarity, or Klarity’s Authorized Reseller, may enter into one or more service orders in a mutually agreed upon form (“Order Form”). Upon execution, each Order Form will become effective and incorporate this Agreement. Klarity will provide Customer the services described in the applicable Order Form (“Services”) during the term specified therein (“Subscription Term”) in accordance with the terms of this Agreement, including the service level terms and technical support (Exhibit A), Data Processing Addendum (Exhibit B), and Artificial Intelligence Addendum (Exhibit C). The Services are provided on a non-exclusive basis. Klarity will not provide a physical or installed copy of the Services to Customer.
3. FEES
3.1 Customer agrees to pay Klarity or Klarity’s Authorized Reseller the fees described in the applicable Order Form (“Fees”) for the Services. The Fees are calculated based on the Documents, Architect Processes, and/or other units specified in the Order Form (“Service Capacity”). Unused Service Capacity will not carry over into subsequent Subscription Terms. Should Customer's use of the Services exceed the Service Capacity, Customer will be charged for such excess usage at the rates described in the Order Form without any discounts except as expressly provided in the Order Form. Klarity reserves the right to modify the Fees at the end of each Subscription Term. All Fees are quoted and payable in United States Dollars (USD).
3.2 Fees exclude all taxes, levies, duties, or similar charges, including but not limited to value-added, sales, use, or withholding taxes, imposed by any jurisdiction (“Taxes”). Customer is responsible for all Taxes related to its transactions under this Agreement. If Klarity is required to pay or collect Taxes on behalf of Customer, Klarity will invoice Customer, who agrees to pay, unless a valid tax exemption certificate is provided. Klarity is responsible only for its own income, property, and employee-related taxes.
4. TERM AND TERMINATION
4.1 This Agreement extends to all Subscription Terms under Order Forms entered into between Customer and Klarity, or Klarity’s Authorized Reseller, on or after the Effective Date. Each Order Form will automatically renew unless either party provides written notice of its intent not to renew at least thirty (30) days prior to the expiration of the then-current Subscription Term.
4.2 Either party may terminate this Agreement if the other: (i) materially breaches it and fails to remedy the breach within thirty (30) days of written notice; or (ii) becomes subject to bankruptcy, insolvency, liquidation, or similar proceedings. If Customer terminates due to Klarity’s material breach, Klarity will provide a prorated refund of any unused prepaid Fees. Termination of this Agreement also terminates all outstanding Order Forms. Any provisions which by their nature should survive, such as payment rights, confidentiality, warranty disclaimers, liability limits, and indemnities, will remain in effect.
5. CONFIDENTIALITY
5.1 Each party ("Recipient") acknowledges that the other party ("Discloser") has disclosed or may disclose business, technical, or financial information relating to Discloser’s business ("Confidential Information"). For Klarity, Confidential Information includes non-public details regarding features, functionality, and performance of the Services. For Customer, Confidential Information includes all Customer Data. Recipient agrees to: (i) take reasonable precautions to protect such Confidential Information; (ii) use Confidential Information solely to perform obligations or exercise rights under this Agreement; (iii) not disclose any Confidential Information to third parties, except to its representatives who are bound by confidentiality obligations at least as restrictive as those contained herein. The obligations set forth above will not apply to any Confidential Information that: (a) becomes publicly known through no breach of this Agreement by Recipient; (b) was known to Recipient free of any confidentiality obligations before its disclosure by Discloser; (c) is received from a third party without breach of any confidentiality obligations and without restriction on disclosure; (d) is independently developed by Recipient without reference to Discloser’s Confidential Information. The confidentiality obligations under this Agreement will expire five (5) years after the date of disclosure. Recipient may disclose Confidential Information if required by law or court order but will, unless legally prohibited, provide prompt written notice to Discloser to allow for protective measures and will disclose only the minimum necessary information.
6. CUSTOMER’S RIGHTS AND RESPONSIBILITIES
6.1 Customer will retain ownership of all Customer Confidential Information, including but not limited to Customer Data.
6.2 Customer will not, except as expressly permitted by this Agreement or the applicable Order Form or as authorized within the Services: (i) reverse engineer, decompile, disassemble, or attempt to discover the source code, object code, or underlying structure, ideas, know-how, or algorithms of the Services or any related software, documentation, or data; (ii) modify, translate, or create derivative works from the Services; (iii) copy any features, functions, or graphics of the Services; (iv) allow any third party to access or use the Services; (v) publish any tests or benchmarks about the Services; (vi) use the Services for any purpose other than internal business use; (vii) use the Services for timesharing, service bureau purposes or for the benefit of any third party; or (viii) remove any proprietary notices or labels from the Services or any related documentation. Customer and any authorized users, including but not limited to Affiliates, employees, officers, directors, consultants, and auditors (“Users”), will comply with all applicable laws and regulations and this Agreement in their access and use of the Services. Customer and Users will not use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material or information. If Customer becomes aware of any User violating these obligations, Customer will immediately notify Klarity. Klarity may use the Services to monitor and enforce compliance with this Agreement.
6.3 Customer is solely responsible for procuring and maintaining all necessary equipment and ancillary services required to access and use the Services (“Equipment”), including, but not limited to, modems, hardware, servers, software, operating systems, networking, and web servers. Customer is also solely responsible for ensuring the security of the Equipment and any use of the Equipment.
7. KLARITY’S RIGHTS AND RESPONSIBILITIES
7.1 Klarity will own and retain all right, title and interest in and to: (i) Klarity Confidential Information; (ii) the Services, all improvements, enhancements or modifications thereto; (iii) any software, applications, inventions or other technology developed in connection with the Services; and (iv) any suggestions, requests, recommendations or other feedback provided by Customer or Users relating to the Services (“Feedback”) provided that Feedback will not contain any Insulated Information.
7.2 Klarity may: (i) collect and analyze information relating to the provision, use and performance of the Services and related systems and technologies (“Usage Data”); (ii) use Usage Data to improve and enhance the Services and for other development, diagnostic and corrective purposes; and (iii) disclose Usage Data in connection with its business, provided that Usage Data will not contain any Insulated Information.
8. WARRANTY AND DISCLAIMER
8.1 Each party represents and warrants that it has the authority to enter into and fulfill its obligations under this Agreement, and that doing so will not breach any binding agreement, order or legal process, nor require consent from any government, court or legal entity.
8.2 Klarity warrants to Customer that the Services will operate substantially in accordance with its documentation. Klarity will use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and will perform onboarding services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Klarity or by third-party providers, or because of other causes beyond Klarity’s reasonable control, but Klarity will use reasonable efforts to provide advance notice of any scheduled service disruption. Klarity is not a law firm, accounting firm or tax firm and is not engaged in the practice of law, accounting or tax services. Under no circumstance is an attorney-client relationship formed between Klarity and Customer or any of Customer’s clients (if applicable). Klarity work product will not constitute legal opinions or legal advice and is prepared at the direction of, and for review by, Customer. It is Customer’s sole responsibility to ensure the accuracy and completeness of the final product. Customer’s sole remedy for a breach of any warranty set forth in this Agreement will be as provided in the “Term and Termination” section of this Agreement. KLARITY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED “AS IS” AND KLARITY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
9. LIMITATION OF LIABILITY
9.1 EXCEPT WITH RESPECT TO CLAIMS BASED ON BODILY INJURY OF A PERSON, FRAUD, GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY NOR ITS SUPPLIERS, OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS OR EMPLOYEES WILL BE LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (i) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (ii) FOR ERROR OR INTERRUPTION OF USE, FOR LOSS, INACCURACY OR CORRUPTION OF DATA, FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR FOR LOSS OF BUSINESS; (iii) FOR ANY MATTER BEYOND A PARTY’S REASONABLE CONTROL; OR (iv) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO KLARITY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. INDEMNITY
10.1 Klarity will defend and indemnify Customer and its Affiliates from and against all losses, damages, liabilities, costs and expenses (including reasonable attorneys’ fees) arising out of a third party claim, action or proceeding alleging that the Services, or the use thereof as permitted by this Agreement, infringes or otherwise violates any intellectual property rights or applicable law.
10.2 Customer will defend and indemnify Klarity and its Affiliates from and against all losses, damages, liabilities, costs and expenses (including reasonable attorneys’ fees) arising out of a third party claim, action or proceeding alleging that Customer’s or a User’s use of the Services in violation of this Agreement infringes or otherwise violates any intellectual property rights or applicable law.
10.3 The indemnified party will give the indemnifying party prompt written notice of any claim. The indemnifying party has the right to control the defense or settlement of the claim; provided, however, that the indemnifying party may not settle any claim if it imposes any liability or obligation on the indemnified party or its Affiliates without the indemnified party’s prior written consent. This section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim, action or proceeding described in this section.
11. MISCELLANEOUS
11.1 All notices under this Agreement will be via email and duly given when receipt is electronically confirmed. This Agreement may be executed in counterparts, which together will form one legal instrument. If any provision of this Agreement is found to be unenforceable, that provision will be limited to the minimum extent necessary to make it enforceable and the remainder of this Agreement will remain in full force and effect. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes all prior and contemporaneous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. Any waivers and modifications must be in a writing signed by both parties. To the extent of any conflict between this Agreement and any exhibit or addendum hereto and any Order Form, the terms of such exhibit, addendum or Order Form will prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other Customer order documentation (excluding Order Forms) will be incorporated into or form any part of this Agreement, and all such terms or conditions will be null and void.
11.2 The parties are independent contractors. No agency, partnership, joint venture, fiduciary or employment is created as a result of this Agreement and neither party has any authority to bind the other party whatsoever.
11.3 Klarity may use Klarity Affiliates and/or subcontract third parties, in each case within or outside of the United States. Klarity will remain responsible for the provision of the Services. Neither party may assign this Agreement without the other party’s prior written consent; provided, however, that a party may assign this Agreement (a) to any Affiliate; (b) in connection with a merger or sale of all or substantially all of its stock or assets; or (c) in connection with any divestiture or spin-off of any entity or division, business unit or department within an entity. Any other purported assignment will be void. This Agreement will bind and benefit the parties, their respective successors and permitted assigns.
11.4 Neither party will be liable for or in breach of this Agreement on account of any delay or failure to perform as a result of fire, strike, war, terrorism, insurrection, government restriction or prohibition, pandemic disease or any other causes or conditions which are beyond such party’s reasonable control and which such party is unable to overcome by the exercise of reasonable diligence (“Force Majeure Events”).
11.5 Klarity may use Customer’s name and logo for marketing purposes and refer to Customer as Klarity’s customer.
11.6 This Agreement will be governed by the laws of California without regard to conflict of law provisions. All disputes and proceedings related to this Agreement will be maintained in state and federal courts in California and the parties consent to the personal jurisdiction of such courts. Each party waives any right to jury trial in connection with any dispute or proceeding related to this Agreement. In any action or proceeding relating to this Agreement, the prevailing party will be entitled to recover reasonable legal expenses including attorneys’ fees.
EXHIBIT A
SERVICE LEVEL AGREEMENT
This Service Level Agreement (“SLA”) forms a part of and is subject to the Agreement.
1. TECHNICAL SUPPORT
1.1 Klarity will provide technical support to Customer via email on weekdays during the hours of 8 am through 5 pm Pacific time, with the exclusion of federal holidays (“Support Hours”). Customer may initiate a helpdesk ticket during Support Hours by emailing support@klarity.ai or any time by opening a chat window in the Services.
2. SERVICE LEVEL TERMS
2.1 During the Subscription Term, the Services will be available 99.7%, measured monthly, excluding holidays, weekends and scheduled maintenance (“Target Availability Percentage”). If Customer requests maintenance during the available hours, any Target Availability Percentage calculation will exclude periods affected by such maintenance. Downtime caused by events beyond Klarity’s control, including outages of third-party connections, utilities, or Force Majeure Events, will also be excluded from the Target Availability Percentage calculation.
2.2 If during any calendar month of the Subscription Term, the availability percentage is lower than the Target Availability Percentage, and Customer notifies Klarity in writing about the downtime within thirty (30) days of its occurrence, Klarity will provide Customer with a credit for any verified downtime (“Service Credit”) as follows:
2.3 Service Credits may not be transferred to another party or redeemed for cash and constitute liquidated damages, not a penalty. Service Credits may only be applied to the month in which the downtime occurred. If Customer does not provide written notice of downtime within the thirty (30) day period, Customer will forfeit the right to receive Service Credits. If Customer is current on its payment obligations, then Klarity will apply Service Credits to Customer’s next invoice. If Customer is not current on its payment obligations, then Klarity will apply Service Credits after Customer pays up any owed amount in full. If Customer will not receive a future invoice because their Subscription Term will not renew, Klarity will extend Customer’s then-current Subscription Term for a period of time corresponding to the amount of the credit (e.g. 5% Service Credit equals 5% Calendar Month extension). Service Credits are Customer’s sole remedy (and Klarity’s sole liability) for Services availability failures. Simultaneous availability events (e.g. simultaneous uptime and load time failures) do not accrue duplicate Service Credits. In no event will Service Credits in any calendar month exceed 25% of total monthly fees for that calendar month in case of System Uptime Availability.
EXHIBIT B
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms a part of the Agreement and applies to Klarity’s Processing of Personal Data (as defined below) under the Agreement.
1. Definitions.
1.1 “Affiliate” means any present or future entity controlled by, or under common control with a party.
1.2 “Business,” “Business Purpose,” “Consumer,” “Person,” “Personal Information,” “Sell,” “Service Provider,” and “Third Party” have the meanings given in U.S. Data Protection Law.
1.3 "Controller", "Data Subject", “Personal Data”, "Processing", "Process" and "Processor" have the meanings given in Data Protection Law.
1.4 "Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); (ii) EU Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); (iii) U.S. Data Protection Law; (iv) any state or national legislation made under or pursuant to (i), (ii), or (iii); (v) any amendments or successor legislation to (i), (ii), (iii), or (iv); and (vi) any other applicable data protection law.
1.5 “U.S. Data Protection Law” means all laws and regulations of the United States of America, including the California Consumer Privacy Act of 2018, applicable to the processing of “Personal Information” (or an analogous variation of such term).
2. Relationship of the parties; Limitations on Processing.
Customer is the Controller of certain Customer Data that is Personal Data (“Customer Personal Data”) and appoints Klarity as a Processor to Process such Customer Personal Data. Each party will comply with the obligations that apply to it under Data Protection Law. Klarity will Process Customer Personal Data as a Processor only as necessary to perform its obligations under the Agreement and in accordance with the documented instructions of Customer ("Permitted Purpose"), except where otherwise required by Data Protection Law. In no event will Klarity Process Customer Personal Data for its own purposes or those of any third party except as set forth in the Agreement. Klarity will ensure that any person it authorizes to Process Customer Personal Data ("Authorized Person") Processes Customer Personal Data only as necessary for the Permitted Purpose and is subject to a duty of confidentiality requiring them to keep such Customer Personal Data confidential.
3. International Transfers.
Klarity will not transfer Customer Personal Data (nor permit Customer Personal Data to be transferred) outside of the European Economic Area ("EEA") unless (i) it has first obtained Customer's prior written consent; and (ii) enters into the standard contractual clauses for the transfer of personal data from these jurisdictions to processors established in third countries - as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“Standard Contractual Clauses”) available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. Klarity will not transfer Customer Personal Data (nor permit Customer Personal Data to be transferred) outside of the United Kingdom unless (i) it has first obtained Customer's prior written consent; and (ii) enters into the standard contractual clauses for the transfer of personal data from the United Kingdom to processors established in third countries (“UK Standard Contractual Clauses”) attached hereto.
4. Security.
Klarity will implement appropriate technical and organizational measures to protect Customer Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, and (iii) any act or omission that compromises either the security, confidentiality, or integrity of Customer Personal Data or the physical, technical, administrative, or organizational safeguards put into place by Klarity (a "Security Incident"). Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Klarity’s Processing of Customer Personal Data will comply with all Data Protection Law. Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate: (i) the anonymization and encryption of Customer Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a Security Incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5. Security Incidents.
Upon becoming aware of a Security Incident, Klarity will inform Customer within 48 hours and will provide all such timely information and cooperation as Customer may require in order for Customer to fulfill its data breach reporting obligations under Data Protection Law. Klarity will further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and will inform Customer of all material developments in connection with the Security Incident. Klarity agrees that it will not inform any third party of any Security Incident without first obtaining Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to Customer’s legal counsel or as required by Data Protection Law. Further, Klarity agrees that except as required by Data Protection Law Customer will have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or otherwise in Customer’s discretion, and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
6. Subprocessing.
Customer authorizes the engagement of Klarity’s Affiliates as subprocessors. Customer authorizes Klarity to engage third party subprocessors to Process Customer Personal Data provided: (i) Klarity notifies Customer in writing (email sufficient); (ii) Klarity imposes on any subprocessor data protection terms substantially similar to the terms of this DPA; and (iii) Klarity remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. Customer may object to Klarity's appointment of a third party subprocessor in writing within thirty (30) days after receiving Klarity’s notification, provided such objection is on reasonable grounds relating to the protection of Customer Personal Data. In such an event, Klarity will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate this DPA. Customer authorizes Klarity to use the subprocessors listed in Annex 3 to the Standard Contractual Clauses attached hereto.
7. Cooperation and Data Subjects' Rights.
Klarity will provide reasonable assistance to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Klarity, Klarity will promptly inform Customer providing details of the same.
8. Deletion.
Upon Customer’s written request, Klarity will delete all Customer Data in its possession or control. This requirement will not apply to the extent Klarity is required by Data Protection Law to retain Customer Data, in which event Klarity will protect Customer Data from any further Processing except to the extent required by such law.
9. CCPA Compliance.
Customer is a Business and authorizes Klarity as a Service Provider to process certain Personal Information on behalf of Customer (“Customer Personal Information”). Except as provided in this DPA, Customer will not Sell the Customer Personal Information to Klarity and Klarity will not Sell the Customer Personal Information. Unless otherwise required by law, Klarity will not retain, use or disclose the Customer Personal Information other than to provide the Services and as part of the direct relationship between Klarity and Customer.
10. Audit.
Klarity will permit upon Customer’s written request, when Customer has reasonable cause to believe Klarity is in non-compliance with its obligations under this DPA, a mutually agreed-upon third party auditor (the “Auditor”) to audit Klarity's compliance with this DPA and will make available to such third-party auditor all information, systems and staff necessary for the Auditor to conduct such audit. Klarity acknowledges that the Auditor may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Klarity's operations. Such audit will not occur more than once in any twelve (12) calendar month period, except: (i) as required by Data Protection Law or instruction of a competent data protection authority; (ii) Customer reasonably believes a further audit is necessary due to a Security Incident suffered by Klarity, or (iii) as mutually agreed between the parties.
11. Mandatory Disclosure.
Klarity may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other U.S. or EU judicial or regulatory body upon their request, and any such disclosure will not be deemed a breach of the Agreement or this DPA. Notwithstanding anything in the Agreement or this DPA to the contrary, Klarity may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate international, federal, state, or local law.
ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES
PARTIES AND DETAILS OF PROCESSING
A. LIST OF PARTIES
Data Exporter
The data exporter is Customer or its employees or affiliates.
- Name: Customer as specified in the Agreement
- Address:
- Contact person’s name, position and contact details:
- Activities relevant to the data transferred under these Clauses: as per the Agreement, the DPA and this Annex 1
- Signature and date: As set forth in the DPA
- Role (controller/processor): Controller
Data Importer
The data importer is Klarity Intelligence, Inc.
- Name: Klarity Intelligence, Inc.
- Address: As specified in the Agreement
- Contact details: infosec@klarity.ai
- Activities relevant to the data transferred under these Clauses: as per the Agreement, the DPA and this Annex 1
- Signature and date: As set forth in the DPA
- Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
The personal data transferred concern data subjects residing in the European Economic Area and Switzerland.
Categories of personal data transferred
The personal data transferred concern the following categories of data:
Data exporter may transfer Personal Data to data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, and is not limited to the following categories of personal data:
- First and last name
- Contact information (telephone number & email address)
- Company, position
- Login credentials
Special categories of data (if appropriate)
None
Processing operations
The objective of the processing of personal data by data importer is the access and use of Klarity Services.
Notification Obligation
If Klarity begins collecting additional categories of data or changes the processing operations, it will immediately notify data exporter to modify or amend this Appendix.
The frequency of the transfer
A continuous basis for the duration of the Agreement in accordance with the terms of the DPA.
Nature of the processing
Klarity will Process Personal Data in accordance with the terms of the Agreement and the DPA.
Purpose(s) of the data transfer and further processing
Klarity will Process Personal Data as a Processor only as necessary to perform its obligations under the Agreement, and strictly in accordance with the Permitted Purpose, except where otherwise required by any applicable EU (or any EU Member State) law. In no event will Klarity Process Personal Data for its own purposes or those of any third party except as set forth in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Until deletion in accordance with the provisions of the DPA.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
As described in the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
ANNEX 2 TO THE STANDARD CONTRACTUAL CLAUSES
TECHNICAL AND ORGANISATIONAL MEASURES
Measures of pseudonymisation and encryption of personal data
Klarity will maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate, the anonymization and encryption of Customer Data. Klarity maintains Customer Data in an encrypted format in transit (HTTPS/TLS) and at rest (AES-256).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually, including appropriate technical and organizational measures to protect Customer Data from a Security Incident. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, as appropriate: (i) the anonymization and encryption of Customer Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate, the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident. Klarity performs regular backups of Customer Data, which is hosted in AWS data centers. Backups are retained redundantly across multiple availability zones.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Klarity will implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Such measures may include, as appropriate, a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. Klarity maintains a risk-based assessment security program. The framework for Klarity’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Measures for user identification and authorization
Klarity personnel are required to use unique user access credentials and passwords for authorization. Klarity follows the principles of least privilege through role-based and time-based access models when provisioning system access. Access is promptly removed upon role change or termination.
Measures for the protection of data during transmission
Customer Data is encrypted using HTTPS/TLS during transmission. Klarity will ensure that any person that it authorizes to Process Customer Data including Klarity's Authorized Persons will be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and will not permit any person to Process Customer Data who is not under such a duty of confidentiality. Klarity will ensure that all Authorized Persons Process Customer Data only as necessary for the Permitted Purpose. Klarity will not transfer Customer Data (nor permit Customer Data to be transferred) outside of the EEA unless (i) it has first obtained Customer's prior written consent; and (ii) enters into the Standard Contractual Clauses attached hereto.
Measures for the protection of data during storage
Customer Data is encrypted using AES-256 during storage.
Measures for ensuring physical security of locations at which personal data are processed
The Services operate on Amazon Web Services (“AWS”) and are protected by the security controls of AWS.
Measures for ensuring events logging
Klarity monitors access to applications, tools, and resources that process or store Data, including cloud services. Monitoring of security logs is centralized by the security team.
Measures for ensuring system configuration, including default configuration
New account configurations are approved by each customer. Klarity adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. The Klarity system maintains an audit trail of all changes to contract review rules and account settings. Changes to contract review rules are initiated by the customer and restricted to authorized personnel.
Measures for internal IT and IT security governance and management
Biannual security meetings are held with the entire company and are led by the CTO to review all information security policies and to communicate specific security related topics. Klarity’s enterprise Mobile Device Management solution, Rippling, is installed on all employee workstations. Amongst other things, it allows for password complexity enforcements, encryption enforcement and remote locking/wiping. VPN connection is required in order for employees to access all internal IT systems. Separate VPN connections are required for the Production and QA environments. User access to systems and data is based on the “Principle of Least Privilege”, wherein users are given only the minimum amount of access privileges required to satisfy their role. Passwords to all IT systems (including employee workstations) follow these rules: password length must be at least 32 characters. Passwords and IT system credentials are stored only on Bitwarden, Klarity’s self-hosted password management system. Wherever possible (and particularly with systems with access to live customer data) multi-factor authentication must be enabled when logging into IT systems. All employees are required to complete a security awareness seminar immediately upon joining and twice a year thereafter.
Measures for certification/assurance of processes and products
Klarity is SOC 1 Type II and SOC 2 Type II certified. Penetration tests are conducted after any major changes to the system’s functionality; however, not less than annually.
Measures for ensuring data minimization
When setting up integrations, Klarity recommends the following best practices to customers to minimize data transfer: (i) restricting the access of the Klarity API user to “Read” permissions for only the objects and metadata fields Klarity will need to import; and (ii) configuring triggers/webhooks within the source application as narrowly as possible so that Klarity is only notified of documents it needs to process and nothing additional.
Measures for ensuring data quality
New customer accounts are approved by management prior to account set up and based upon customer specifications within the business requirements agreement. Klarity performs manual annotation and validates results against system results before production go-live. The information system is reviewed at a defined frequency to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Measures for ensuring limited data retention
Upon Customer’s written request, Klarity will delete all Customer Data in its possession or control. This requirement will not apply to the extent Klarity is required by Applicable Data Protection Law to retain some or all of Customer Data, in which event Klarity will isolate and protect Customer Data from any further Processing except to the extent required by such law.
Measures for ensuring accountability
Compliance with infosec policies is tracked centrally through Vanta (SOC 2 compliance), Avast Pro Plus (Antivirus) and Rippling (MDM). All infosec policies detail consequences for violation, administered by the CTO.
Measures for allowing data portability and ensuring erasure
Klarity maintains a comprehensive list of locations containing customer data, as well as scripts that systematically delete customer data from said locations when needed. Production and QA environments are completely logically separated from each other. No customer data is ever stored in any non-Production environment.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
Customer authorizes Klarity to engage third party subprocessors to Process Customer Data provided: (i) Klarity notifies Customer in writing (email sufficient); (ii) Klarity imposes on any subprocessor data protection terms substantially similar to the terms of this DPA; and (iii) Klarity remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. Customer may object to Klarity's appointment of a third party subprocessor within thirty (30) days after receiving Klarity’s notification, provided such objection is on reasonable grounds relating to the protection of Customer Data. In such event, Klarity will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate this DPA.
ANNEX 3 TO THE STANDARD CONTRACTUAL CLAUSES
LIST OF SUBPROCESSORS
Customer specifically consents to Klarity using the following subprocessors:
ANNEX 4 TO THE STANDARD CONTRACTUAL CLAUSES
INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU STANDARD CONTRACTUAL CLAUSES
PART 1: PARTIES
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
- Annex 1A: List of Parties: Please refer to the Agreement and the DPA.
- Annex 1B: Description of Transfer: Annex 1 to the Standard Contractual Clauses
- Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex 2 to the Standard Contractual Clauses
- Annex III: List of Sub processors (Modules 2 and 3 only): Annex 3 to the Standard Contractual Clauses
Table 4: Ending this Addendum when the Approved Addendum Changes
PART 2: MANDATORY CLAUSES
Entering into this Addendum
Each Party agrees to be bound by the terms and conditions set out at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/, in exchange for the other Party also agreeing to be bound by this Addendum. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
EXHIBIT C
ARTIFICIAL INTELLIGENCE ADDENDUM
This Artificial Intelligence Addendum (“AI Addendum”) will apply to the extent that Klarity uses any artificial intelligence system, algorithm or other software (“AI”) to provide the Services. The obligations herein will apply whether the AI is proprietary to Klarity or a tool made available by any third party that uses AI to Process Customer Data on behalf of Klarity (“Third Party AI Provider”).
1. FLOW DOWN REQUIREMENTS
1.1. Klarity warrants that, to the extent it uses any Third Party AI Providers to Process Customer Data, it will ensure such Third Party AI Providers agree to confidentiality, privacy, security, and data ownership obligations at least as restrictive as those in this Agreement. Klarity will remain responsible for any acts or omissions by such Third Party AI Providers to the same extent as if Klarity were Processing the Customer Data directly.
2. MODEL TRAINING
2.1. Klarity and Third Party AI Providers will not process any Customer Data for any purpose other than those described in this Agreement. For the avoidance of doubt, Klarity and Third Party AI Providers will not collect, use or retain any Customer Data as training data for any AI model, whether directly or indirectly.
3. CUSTOMER DATA
3.1. Customer warrants that Customer has the right to provide Customer Data to Klarity and that Customer Data will not infringe upon or otherwise violate any third party intellectual property rights or applicable law.
4. DATA DELETION
4.1. Upon written request by Customer, Klarity will delete any Customer Data unless otherwise required by applicable law.
5. INDEMNITY
5.1. Subject to the terms of the Agreement, Klarity will indemnify, hold harmless, and at Customer’s request, defend Customer and its employees, representatives, agents and officers, against all third party claims, liabilities, damages, losses and expenses, including regulatory fines and reasonable attorneys’ fees arising from or relating to any violations of Klarity’s confidentiality, data ownership, privacy and security requirements included herein. Notwithstanding the foregoing, Klarity will not be liable to Customer for third party claims arising out of Customer’s use of the Services in a manner inconsistent with Klarity’s documented use guidelines or in breach of this Agreement.