Privacy Policy

Last updated on September 24th 2024

Our Privacy Policy outlines how Polyloop AI collects, stores, uses, discloses, and processes information about you as part of our business activities, including through websites that link to this notice (such as polyloop.ai), the “Polyloop AI Platform,” our software-as-a-service offering, as well as our marketing and sales initiatives (collectively referred to as our “Services”). It also provides essential details regarding your privacy rights.

  1. PERSONAL INFORMATION WE COLLECT.

    1. We collect information that, either alone or in combination with other data in our possession, could identify you (“Personal Information”) as follows:

      1. Personal Information You Provide: We may collect Personal Information when you create an account to use our Services or communicate with us.

      2. Communication Information: If you engage with us, we may collect your name, contact details, and the content of any messages you send (“Communication Information”).

      3. Payment Information: When you make a purchase or subscribe to our Services, we may collect billing information, such as your credit card number, expiration date, and billing address, or utilize a third-party payment processor to handle your payments (“Payment Information”).

      4. Personal Information We Collect Through Our Social Media Pages: We maintain posts on social media platforms like YouTube, LinkedIn, and X (“Social Media Pages”). When you interact with our Social Media Pages, we collect any Personal Information you voluntarily provide, such as contact details (“Social Information”). Additionally, the hosting companies for these Social Media Pages may supply us with aggregated data and analytics related to their usage.

      5. Personal Information We Receive Automatically From Your Use of our Services: When you visit, use, or interact with our Services, we may receive information about your visit, usage, or interactions (“Technical Information”), including the following:

        1. Log data: This is information automatically sent by your browser when you visit our Site (“Log Data”), which includes your Internet Protocol (IP) address, browser type and settings, the date and time of your request, and how you interacted with the Site.

        2. Usage data: We may collect details about your use of our Services automatically, such as the types of content you view or engage with, the features you use, your time zone, country, access dates and times, user agent and version, device type, connection type, IP address, and similar information.

        3. Device information: Includes the name of your device, operating system, and browser. The information collected may vary depending on your device type and its settings.

        4. Cookies: Cookies are small strings of information that websites transfer to your computer for identification purposes. They can track your activity on the website, helping us to understand your preferences and improve your experience. Cookies are also used for functions like remembering your login credentials for our Services. In addition to cookies used by Polyloop AI and our service providers, some cookies are placed by third parties such as Google (for analytics, as described below). These third-party cookies are not under our control, so you should review the third-party service providers' websites for more details. By using our Services, you consent to the use of cookies for the following purposes:

          • Essential Cookies: These are necessary for enabling you to navigate the website and use features such as accessing secure areas.

          • Performance and Analytics Cookies: These include cookies such as Google Analytics that track the pages you visit and the content you access, allowing us to determine popular content and enhance website performance. These cookies primarily collect aggregate and anonymous statistical data, but they may capture minimal identifiable information, such as order IDs.

          • Functional Cookies: These remember choices you make, such as language preferences or your region, personalizing your visit. These cookies are automatically deleted when you close your browser or the session ends.

        You can disable cookies if you prefer not to receive them or set your computer to notify you whenever cookies are being used. To do so, you will need to modify your browser settings (such as Chrome, Safari, Firefox, Edge, or other browsers). There are also software solutions available that manage cookies for you. However, rejecting cookies may limit the features and functionality of our Services.

      6. Customer Support Information: When you reach out to us for customer support, feedback, or inquiries, we may collect your name, email address, phone number, and any other details you provide or that we request to assist or resolve your issue (“Support Information”).

      7. Analytics: We may use various online analytics tools that rely on cookies to help us analyze user behavior and improve your experience.

      8. Online Tracking and Do Not Track Signals: Our website does not currently respond to “Do Not Track” (“DNT”) signals and operates as outlined in this Privacy Policy, regardless of whether a DNT signal is received.

    2. The following table provides additional details about (1) the categories of Personal Information we collect (as defined above), (2) the sources of that Personal Information, (3) how we use each category of Personal Information, and (4) how we disclose it. These disclosures do not restrict our ability to use or disclose information as described above.

      Category of Personal Information | Sources of Personal Information | Use of Personal Information | Disclosure of Personal Information
      Social Information | Collected from you when you interact with our Social Media Pages. | Used for analytics and communication purposes. | Disclosed to our Affiliates.
      Payment Information | Collected directly from you. | Used to process payments via third-party payment processors. | Disclosed to Affiliates and third-party payment processors.
      Communication Information | Collected directly from you. | Used for providing our Services and responding to inquiries. | Disclosed to Affiliates and service providers.
      Technical Information | Collected from your interactions with our Services. | Used for analytics and fraud prevention. | Disclosed to Affiliates and analytics providers.
      Support Information | Collected from you while providing support. | Used for support, improving Services, and responding to inquiries. | Disclosed to Affiliates.

  2. HOW WE USE PERSONAL INFORMATION.

    1. We do not sell your Personal Information.

    2. We may use Personal Information for the following purposes:

      1. To provide, administer, maintain, improve, and analyze our Services;

      2. To provide support services;

      3. To communicate with you, including discussions about using the Polyloop AI Platform;

      4. To develop new features and services;

      5. To prevent fraud, criminal activity, or misuse of our services, and to ensure the security of our IT systems, architecture, and networks; and

      6. To comply with legal obligations, legal processes, and to protect our rights, privacy, safety, or property, and that of our Affiliates, you, or third parties.

    3. Aggregated Information: We may aggregate Personal Information to analyze the effectiveness of our Services, improve features, and share general user statistics with third parties, publish aggregated data, or make it publicly available.

  3. DISCLOSURE OF PERSONAL INFORMATION.

    1. In certain circumstances, we may share your Personal Information with third parties without further notice to you, unless required by law, including but not limited to the following situations:

      1. Vendors, Service Providers, and Subprocessors: To support our business needs and perform certain services, we may share Personal Information with vendors, service providers, and subprocessors, including those providing hosting, cloud services, event management, email communications, advertising, marketing, and web analytics. These parties will access, process, or store Personal Information based on our instructions.

      2. Business Transfers: If we are involved in a strategic transaction, reorganization, bankruptcy, receivership, or transition of services to another provider (collectively, a “Transaction”), your Personal Information may be shared in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or Affiliate as part of the Transaction, along with other assets.

      3. Legal Requirements: We may share Personal Information as necessary to (i) comply with legal obligations, including national security or law enforcement requirements, (ii) protect our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect personal safety, or (v) protect against legal liability.

      4. Affiliates: We may share Personal Information with our Affiliates (entities that control, are controlled by, or are under common control with Polyloop AI), which may use the Personal Information consistent with this Privacy Policy.

      5. Other Users: Certain actions you take may be visible to other users of our services.

  4. REQUEST FOR ACTION.

    1. To request access, deletion, rectification, restriction, or portability of your Personal Information, contact us at support@polyloop.ai. We reserve the right to limit our facilitation of such requests to what is required by applicable law.

    2. To protect your Personal Information from unauthorized access, deletion, rectification, or restriction, we may require you to verify your identity before processing your request. If we cannot verify your identity (and, where applicable, proof of residency

  5. SECURITY. We take reasonable and appropriate measures to safeguard your Personal Information and prevent its loss, misuse, unauthorized access, disclosure, alteration, or destruction. Our protective measures include physical access controls, encryption, intrusion detection, and network monitoring, depending on the nature of the information and the scope of its processing. Any staff members who may access your information are obligated to maintain its confidentiality.

  6. DATA RETENTION AND DELETION. We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. We may also retain your personal information for legitimate business interests, such as complying with legal obligations, resolving disputes, and maintaining our records. Once your Personal Information is no longer needed, we will either delete it or anonymize it in accordance with our data retention policies and applicable laws. If immediate deletion is not feasible (for instance, if your Personal Information is stored in backup archives), we will securely store it and isolate it from any further processing until deletion becomes possible.

  7. LINKS TO OTHER WEBSITES. Our Services may contain links to external websites not operated or controlled by Polyloop AI, including social media platforms ("Third Party Sites"). The information you share with Third Party Sites will be governed by their respective privacy policies and terms of service, not by this Privacy Policy. Providing these links does not imply that we endorse or have reviewed these sites. For information on their privacy practices and policies, please contact the Third Party Sites directly.

  8. INTERNATIONAL USERS.

    1. Data Transfers: By using our Services governed by this Privacy Policy, you understand and consent to the transfer of your Personal Information from your location to our facilities and servers in the United States, and possibly to other countries where our service providers operate.

    2. Privacy frameworks: We implement appropriate safeguards for cross-border transfers of Personal Information, including compliance with specific privacy frameworks related to data transfers. For example, we adhere to the European Commission, UK, and Swiss adequacy decisions.

    3. Questions: If you have any questions about our privacy practices, please contact us at support@polyloop.ai. You may also refer your concerns to your local data protection authority, and we will work with them to resolve your issue.

  9. DATA PRIVACY FRAMEWORK.

    1. We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as established by the U.S. Department of Commerce. Polyloop AI has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) concerning the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. We have similarly certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) for processing personal data received from Switzerland in reliance on the Swiss-U.S. DPF. In case of any conflict between this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles will govern. To learn more about the Data Privacy Framework (DPF) Program and to view our certification, please visit here.

    2. Commitment to Cooperate: In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Polyloop AI commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding unresolved complaints concerning our handling of personal data received in reliance on these frameworks.

    3. Federal Trade Commission: The Federal Trade Commission has jurisdiction over Polyloop AI’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

    4. Right to Arbitrate: You may, under certain conditions, invoke binding arbitration for complaints regarding Data Privacy Framework compliance. More details can be found here.

    5. Accountability for Onward Transfers: We take responsibility for the processing of personal information we receive and subsequently transfer to a third party. In cases of onward transfer, Polyloop AI remains liable if the third party processes the personal information in a way that is inconsistent with the Data Privacy Framework Principles unless we can demonstrate that we were not responsible for the event that caused the damage.

  10. CHANGES TO OUR PRIVACY POLICY. We may periodically update this Privacy Policy. When we do, we will post the updated version on this page unless a different type of notice is required by law or contractual agreement. By continuing to use our services or by providing us with Personal Information after we have posted an updated Privacy Policy or notified you by other means, you consent to the revised Privacy Policy.

  11. HOW TO CONTACT US. If you have any questions about our Privacy Policy or privacy practices, please contact us at support@polyloop.ai.

Service Terms

These Service Terms form part of your agreement with Polyloop AI. Any capitalized terms used but not defined here will have the meaning assigned in the Terms. In the event of any conflict between these Service Terms and the Terms, these Service Terms will prevail for any features and services governed by them.

  1. PREVIEW FEATURES

    1. This section covers your use of services or features that Polyloop AI offers on a preview, beta, or early access basis (“Preview Features”). Any Feedback related to the Preview Feature may be used to enhance the Service.

    2. Preview Features are provided on an "as-is" and "as-available" basis. Your access to or use of Preview Features is at your own risk. To the extent permitted by law, Polyloop AI explicitly disclaims all warranties and conditions of any kind, whether express or implied, including, but not limited to, those related to merchantability, satisfactory quality, title, fitness for a particular purpose, and non-infringement.

    3. To the extent permitted by applicable law, Polyloop AI’s liability to you concerning Preview Features is limited to $50.00.

    4. Unless otherwise specified in these Service Terms, Preview Features will be measured and billed as part of normal usage of the Service.

    5. Polyloop AI reserves the right to make significant changes to Preview Features during the preview period and may choose to discontinue them.

  2. DATA STORAGE LOCATION

    1. By default, Customer Data is stored in the United States.

    2. Where supported by our underlying cloud service providers and in compliance with applicable laws and regulations, you may request to store your Customer Data outside the United States, and Polyloop AI will use commercially reasonable efforts to accommodate such requests.

    3. You acknowledge that storing Customer Data outside the United States may impact the performance and availability of the Services.

    4. You also acknowledge that processing of Customer Data will continue to take place within the United States.

  3. TARGETED SOURCE FEATURES

    1. Certain services and features require you to ingest documents into the Polyloop AI Platform or rely on the platform’s ability to target specific external data sources (such as publicly available web sources) (“Targeted Source Features”).

    2. Documents provided by an authorized user and ingested by the Service are specific to that user and remain accessible only during the user's session. All such ingested documents are classified as Customer Data.

    3. Content generated is unique to the user until shared with the other users in their organization and includes portions of data from customer and external data sources.


Acceptable Use Policy

This Acceptable Use Policy forms part of your agreement with Polyloop AI. Any capitalized terms used but not defined here will have the meaning assigned in the Terms.

You agree not to, and will not direct or allow third parties to use the Polyloop AI Platform:

  • to violate or encourage the violation of others' legal rights;

  • to engage in, promote, or encourage illegal activities;

  • for any unlawful, invasive, infringing, defamatory, or fraudulent purposes;

  • to falsely present or claim Output as solely human-generated;

  • to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other harmful or deceptive materials;

  • to interfere with anyone’s use of the Services or the equipment used to deliver the Services;

  • to disable, tamper with, or bypass any component of the Services;

  • to use the Services in breach of the Terms; and

  • to develop similar or competitive products or features based on the Polyloop AI Platform.


Security Addendum

  1. POLYLOOP AI AUDITS AND CERTIFICATIONS

    1. The information security management system supporting the Service will undergo independent third-party audits as outlined in the following certifications (“Third-Party Audits”) on at least an annual basis:

      1. SOC 2 Type II

      2. ISO 27001

    2. Third-Party Audit reports will be made available to You as specified in Section 10.1.

    3. If Polyloop AI discontinues any Third-Party Audit, it will adopt an equivalent, industry-recognized framework.

  2. HOSTING LOCATION OF CUSTOMER DATA

    1. Customer Data and Content will be stored and processed by Polyloop AI and its vendors in data centers located in the geographic region specified on Your current order form or as otherwise agreed in writing.

    2. You may request that Your Customer Data and Content be stored in a different geographic region. Polyloop AI will make commercially reasonable efforts to accommodate this request where supported by our cloud service providers and in compliance with applicable laws and regulations.

  3. ENCRYPTION

    1. Polyloop AI secures Customer Data and Content at-rest using AES 256-bit encryption (or better). For data in-transit over public or untrusted networks, Polyloop AI employs Transport Layer Security 1.2 (or better).

    2. Encryption keys are rotated at least annually and protected using hardware security modules. Polyloop AI logically separates encryption keys from Customer Data.

  4. SYSTEM AND NETWORK SECURITY

    1. Polyloop AI personnel access the Cloud Environment with unique user IDs, adhering to the principle of least privilege. Access requires a secure connection, multi-factor authentication, and passwords meeting or exceeding length and complexity requirements.

    2. Polyloop AI personnel will not access Customer Data except (i) to provide or support the Service, or (ii) to comply with the law or a binding government order.

    3. Polyloop AI personnel access the Cloud Environment using company-issued laptops that employ security controls including encryption and endpoint detection tools to monitor suspicious activities, malicious code, and vulnerabilities as described in Section 4.7.

    4. The Cloud Environment utilizes industry-standard threat detection tools with daily signature updates to monitor and alert for suspicious activities, malware, viruses, and other malicious code (collectively, “Malicious Code”). Polyloop AI has no obligation to monitor Customer Data or Input for Malicious Code.

    5. Polyloop AI conducts annual penetration tests of the Service by an independent third party. Summary results, including details such as the testing organization, date(s), scope, approach, and findings, will be made available upon request as outlined in Section 10.1.

    6. Automated tools scan publicly available vulnerability databases (e.g., National Vulnerability Database) for potential issues in the software used by Polyloop AI. Vulnerabilities are categorized and addressed based on an internal rating system, with “critical” vulnerabilities resolved within 7 days, “high” within 30 days, and “medium” within 90 days.

    7. Polyloop AI engages third parties to conduct annual web application security assessments, testing for vulnerabilities identified in the OWASP framework, such as cross-site request forgery, cross-site scripting (XSS), and SQL injection (SQLi).

  5. ADMINISTRATIVE CONTROLS

    1. Polyloop AI provides security awareness and training programs for its personnel at onboarding and annually. This includes information on individual security responsibilities, company IT security policies, and emerging cyber threats like phishing.

    2. Polyloop AI software developers receive annual training on secure development practices tailored to their roles. Training topics include secure design principles, threat modeling, and the prevention of vulnerabilities such as cross-site scripting and request forgery attacks.

    3. Personnel are required to sign confidentiality agreements and are responsible for reporting any security incidents involving Customer Data.

    4. Access to critical systems, including those containing Customer Data, is removed within 1 day of personnel separation and to all systems within 3 days. Quarterly reviews of personnel access privileges are conducted to ensure compliance with the least privilege principle.

    5. Polyloop AI regularly reviews external threat intelligence, prioritizing vulnerabilities rated as critical or high for remediation as per Section 4.6.

    6. Background checks are conducted for all personnel with access to Customer Data, including ID verification, right-to-work checks, and criminal history reviews, subject to applicable laws.

    7. Highly-privileged accounts (e.g., administrator or root accounts) in systems containing Customer Data are reviewed quarterly to reduce access as needed.

  6. VENDORS AND SUB-PROCESSORS

    1. Polyloop AI ensures that any vendors processing Input or Customer Data maintain security measures consistent with the obligations outlined in this Security Addendum.

  7. PHYSICAL DATA CENTER CONTROLS

    1. Our Cloud Environment is hosted by one or more cloud service providers. These providers maintain appropriate controls as validated through third-party audits and certifications, such as SOC 2 Type II and ISO 27001. Controls include:

      1. Physical access to facilities is restricted at building ingress points.

      2. Visitors must present ID and sign in.

      3. Access to servers is managed by access control devices.

      4. Physical access privileges are reviewed regularly.

      5. Facilities are equipped with monitoring and alarm systems.

      6. CCTV is employed in facilities.

      7. Fire detection and protection systems are in place.

      8. Backup and redundancy systems are in place.

      9. Climate control systems are utilized.

    2. Polyloop AI does not maintain physical offices except for limited corporate purposes, and Customer Data is never stored or hosted in these offices.

  8. INCIDENT DETECTION AND RESPONSE

    1. Polyloop AI will notify You within 48 hours of becoming aware of a security breach involving Customer Data (“Security Incident”). Notifications will be sent to the security notice email address on Your current order form or as determined by Polyloop AI.

    2. Polyloop AI will take reasonable steps to contain, investigate, and mitigate any Security Incident. Relevant logs will be preserved for at least one year.

    3. Polyloop AI will provide timely updates on the nature and consequences of the Security Incident, the investigation's progress, and mitigation measures. Due to limited visibility into Customer Data, detailed analysis of impacted Customer Data may not be possible. Communications regarding a Security Incident will not imply Polyloop AI’s fault or liability.

  9. AUDIT LOGGING

    9.1. Polyloop AI will maintain, protect, and retain system audit records to ensure integrity and allow monitoring, analysis, and investigation of inappropriate activity. All system user actions can be traced to specific users.

    9.2. Audit logs are retained for at least one year and may be kept for up to ten years, protected from tampering.

  10. CUSTOMER AUDIT RIGHTS

    10.1. Upon request, Polyloop AI will provide You or a qualified third party (the “Auditor”) with access to documentation that demonstrates compliance with this Security Addendum, including SOC 2 Type II reports, penetration test summaries, data flow diagrams, and ISO 27001 certifications. Third-party Auditors must sign a confidentiality agreement, and Polyloop AI reserves the right to reject Auditors who are deemed unqualified.

    10.2. You may submit annual security questionnaires (up to 100 questions) and requests for updated security documentation, which Polyloop AI will address in a timely manner at no additional cost.

    10.3. In the event of a Security Incident involving Customer Data, Polyloop AI will hire an independent forensic specialist to investigate at its own cost. Findings will be provided to You if Your Customer Data or Content is impacted.

  11. CUSTOMER RESPONSIBILITIES

    11.1. You are responsible for ensuring that the Input and Customer Data used with the Service comply with relevant laws and regulations.

    11.2. You must manage and secure access methods to the Service (e.g., passwords, SSO connections). Credentials must remain confidential and not be shared with unauthorized users. Promptly report suspicious account activity.

    11.3. You are responsible for keeping Your IT systems, including browsers, up-to-date and properly patched.

  12. BUSINESS CONTINUITY AND DISASTER RECOVERY

    12.1. Polyloop AI maintains business continuity plans to ensure continued operations during service disruptions. These plans cover business processes, assets, personnel, and partners and are reviewed and tested annually, with senior management approval.


Evaluation Terms of Service

  1. IMPORTANT TERMS.

    1. These evaluation terms of service are between Polyloop AI and You, and they govern Your use of the Basic Service. If You are using the Service on behalf of another entity (such as your employer), You must have the authority to accept these Terms on their behalf.

    2. By using the Service, both parties agree to this Agreement, our Acceptable Use Policy, our Service Terms, our Security Addendum, and any executed Data Processing Addendum (if applicable), collectively referred to as the “Terms” and enforceable like a written contract.

    3. Polyloop AI may update the Terms by posting revised Terms on our website, which become effective upon posting. Changes are not retroactive, but Your continued use of the Service after such updates signifies Your acceptance of them. However, Polyloop AI will not modify these Terms in a way that reduces its obligations concerning Confidential Information, Customer Data, or Customer Content, without Your express written authorization.

    4. The Service is a research tool, and its Output is not legal advice. The Output from the Service is AI-generated and may contain errors, misstatements, or be incomplete.

  2. DEFINITIONS. Definitions in Section 11 (Defined Terms) apply to these Terms. All terms in quotation marks within this Agreement are defined terms.

  3. USAGE.

    1. You may access and are granted a non-exclusive right to use the Basic Service. Access credentials are personal and may not be shared, even within Your organization. You must take reasonable steps to prevent unauthorized access to the Service.

    2. Your usage of the Service is governed by these Terms. You will interact with the Service by providing Input and receiving Output. Your use of the Service is strictly for Your business purposes.

    3. You may not (a) use the Service in a manner that infringes on any person’s rights; (b) access the Service from any Embargoed Countries; (c) attempt to reverse engineer or discover the source code of the Service or Polyloop AI’s subcontractors; or (d) use automated means to scrape content or Output from the Service.

    4. If You provide Feedback, Polyloop AI may freely use and incorporate it into their products and services. Polyloop AI will not use Feedback in a way that identifies Customer, its users, or its data.

    5. Any third-party software, services, or products used in connection with the Service (e.g., Your browser) are subject to their own terms, and Polyloop AI is not responsible for them.

  4. CONTENT.

    1. You provide Input and receive Output from the Service. You retain ownership of Your Content.

    2. Input and Output may be similar or identical to those provided by or received from other users. Queries and responses provided to others do not constitute Your Content.

  5. CUSTOMER DATA.

    1. Certain features may require You to upload documents (“Customer Data”) into the Service.

    2. You retain ownership of Your Customer Data, granting Polyloop AI and its Affiliates a non-exclusive, worldwide, royalty-free right to process this data as necessary for Service provision, troubleshooting, or legal compliance.

    3. Your use of the Service and all Customer Data must comply with applicable laws and regulations, including data localization or sovereignty laws. You are responsible for the accuracy, content, and legality of all Customer Data.

  6. FEES AND PAYMENTS. You are using the Service under an authorized free trial. If we determine that You are not using the trial in good faith, we may terminate Your access. We reserve the right to limit resources and features available to trial users.

  7. TERM AND TERMINATION.

    1. These Terms take effect upon Your initial use of the Service and remain in effect until terminated. You may terminate at any time by discontinuing use of the Service. We may also terminate with notice.

    2. Upon termination, You will cease using the Service and return or destroy any Confidential Information. Provisions regarding confidentiality, unpaid fees, and other typical post-termination obligations will survive.

  8. WARRANTY AND DISCLAIMER.

    1. You warrant that You have the necessary rights to Your Customer Data and Input for use with the Service and that Your use complies with all applicable laws.

    2. The Service is provided "as-is" and "as-available." Polyloop AI disclaims all warranties, whether express or implied, including merchantability, title, non-infringement, or fitness for a particular purpose. Polyloop AI does not warrant uninterrupted or error-free use of the Service.

  9. LIMITATIONS OF LIABILITY.

    1. Neither party will be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, including loss of income, data, profits, or business interruption, arising out of or related to these Terms.

    2. Except for claims of liability that cannot be limited (e.g., gross negligence or intentional misconduct), the total liability of either party to the other or any third party for all claims under these Terms is limited to $1,000 (the “Liability Cap”).

  10. GENERAL TERMS.

    1. Assignment. Neither party may assign these Terms without written consent, except Polyloop AI may assign to an Affiliate or in connection with a merger or asset sale.

    2. Subcontracting. Polyloop AI may use subcontractors, remaining responsible for their performance.

    3. Severability and Interpretation. If a provision is deemed unenforceable, it will be limited as necessary to preserve the remaining Terms.

    4. Open Source Software. Polyloop AI will not use any software that would impose open-source licensing obligations on Your software.

    5. Confidentiality. Both parties will protect Confidential Information and only use it as permitted. If legally required to disclose such information, advance notice will be provided.

    6. Usage Data. Polyloop AI may collect and use Usage Data to enhance the Service but will not share it unless anonymized or as required under confidentiality obligations.

    7. No Training. Polyloop AI and its Subprocessors will not use Your Content or Customer Data to train AI models or log for human review.

    8. Privacy Policy. Users are subject to our Privacy Policy unless it conflicts with these Terms.

    9. Governing Law. These Terms are governed by the laws of California and the U.S., excluding the United Nations Convention on the International Sale of Goods.

    10. Arbitration. Any disputes will be resolved by arbitration in San Francisco, with cases over $250,000 handled by three arbitrators. This does not preclude provisional remedies from a court.

    11. Data Processing Addendum. Polyloop AI will abide by any applicable Data Processing Addendum regarding Customer Data. In case of conflict, the Data Processing Addendum takes precedence.

    12. Notice. All notices must be in writing via email to the addresses on file. Notices are considered received upon delivery.

    13. No Waiver. Failure to enforce rights does not constitute a waiver unless documented in writing.

    14. Entire Agreement. These Terms represent the entire agreement regarding the Service, superseding any prior agreements or communications.

    15. Export Control. Both parties will comply with all relevant export and import laws. The Service cannot be used in or for the benefit of any U.S.-embargoed countries or restricted parties.

    16. Force Majeure. Neither party is liable for delays or failures caused by unforeseen events beyond their reasonable control.

  11. Definitions.

    1. “Acceptable Use Policy” means Polyloop AI’s policy governing the use of the Service.

    2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control,” for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests in the subject entity.

    3. “Agreement” has the meaning set forth on the cover page.

    4. “Basic Service” is the basic functionality of the Service made available to You under these Terms in which users provide Input and receive Output, and which does not include features such as Data Room/Vault, Customer-trained models, workflows, and certain research modules (such functionality is covered by an addendum that expressly references such functionality).

    5. “Confidential Information” means all information that is identified as confidential at the time of disclosure by the Disclosing Party or reasonably should be known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure. Content specific to You and Customer Data are Your Confidential Information.

    6. “Content” means Input and Output collectively.

    7. “Polyloop AI” means Polyloop AI Corporation, a Delaware corporation as well as all of its Affiliates.

    8. “Customer Data” has the meaning set forth in Section 5.1.

    9. “Data Processing Addendum” means any operative Data Processing Addendum fully executed by the parties governing Polyloop AI’s processing of Customer Data.

    10. “Disclosing Party” has the meaning set forth in Section 10.5.

    11. “Embargoed Countries” has the meaning set forth in Section 10.15.

    12. “Feedback” means any suggestions, enhancement requests, recommendations, corrections, or other feedback provided to Polyloop AI by You relating to our offerings.

    13. “Input” means the query provided by a user to the Service.

    14. “Liability Cap” has the meaning set forth in Section 9.2.

    15. “Output” means the output provided by the Service to a user in response to such user’s Input.

    16. “Privacy Policy” means Polyloop AI’s policy governing the privacy provisions related to the Service as located at http://polyloop.ai.

    17. “Receiving Party” has the meaning set forth in Section 10.5.

    18. “Security Addendum” means Polyloop AI’s addendum governing the security provisions located at http://polyloop.ai.

    19. “Service” means the software-as-a-service offering made available by Polyloop AI at https://polyloop.ai.

    20. “Service Terms” means the additional terms that govern the use of preview features as well as other optional offerings and features of the Service as located at http://polyloop.ai.

    21. “Subprocessor” means any subcontractor or vendor of Polyloop AI that has access to or otherwise processes Customer Data or Your Content. Subprocessor is inclusive of any Subprocessor identified in any operative Data Processing Addendum.

    22. “Terms” has the meaning set forth in Section 1.1.

    23. “Usage Data” means information reflecting the access, interaction, or use of the Service by or on behalf of Customer, including frequency, duration, volume, features, functions, visit, session, click-through or click-stream data, and statistical or other analysis, information, or data based on, or derivative works of, the foregoing. Other than as strictly required for billing purposes, Usage Data does not include Your Content, Customer Data, or Customer Confidential Information.

    24. “You” or “Your” means either (1) in the case of an individual, the person contracting for the use of the Service; or (2) in the case of a legal entity, the organization contracting for the use of the Service.

    25. “We” or “we” or “Our” or “our” means Polyloop AI.


Law Enforcement Requests

Polyloop AI may receive requests from law enforcement or other government agencies for certain information about our customers or data that our customers upload to our platform.

Should Polyloop AI ever receive a request for customer data from a U.S. or non-U.S. law enforcement or government agency, Polyloop AI will direct the requestor to contact the Polyloop AI customer directly to obtain the relevant data. If the requestor refuses to contact Polyloop AI’s customer directly for the data, Polyloop AI’s policy is to notify the customer of any such request unless Polyloop AI reasonably believes it is legally prohibited from doing so, in which case we will use best efforts to request a waiver of the prohibition and will document that request. Polyloop AI will notify the customer once the prohibition expires or has been lifted with the aim of providing as much relevant information as reasonably possible.

Polyloop AI will only disclose customer data or other customer information when required to do so in compliance with valid legal process. Polyloop AI’s lawyers will carefully review the legality of each such request and will challenge a request if we conclude there are reasonable grounds to consider it unlawful. If Polyloop AI receives such a request from a non-U.S. law enforcement or government agency, Polyloop AI will only respond to established legal mechanisms, such as a Mutual Legal Assistance Treaty request, letters rogatory, or a request by a qualifying foreign government as defined by the CLOUD Act, depending on the nature of the request.

When challenging a request, Polyloop AI will seek interim measures with a view to suspending the effects of the request until it has been decided on its merits. We will not disclose customer data or other information until required to do so under applicable law, in which case we will provide only the minimum amount of information based on our reasonable interpretation of the request.

Support and Service Level Terms

Support:

Support Channels: Customers (except evaluation users) can receive support via documentation and email (support@polyloop.ai), with inquiries being addressed within two US business days.

Improvements: Polyloop AI will notify users of any updates or enhancements to support resources.

Service Levels:

Availability Commitment: Polyloop AI aims for a 99.5% uptime each calendar month.

Downtime and Uptime Calculation: Downtime refers to periods where the platform is unavailable due to issues under Polyloop AI’s control. The Monthly Uptime Percentage is calculated based on total downtime.

Exclusions

Customer equipment failure, internet connectivity issues, misuse of the platform, force majeure events, beta features, and use during unpaid/evaluation periods.

Data Processing Addendum

1. IMPORTANT TERMS.

This Polyloop AI Data Processing Addendum (the “DPA”) governs Polyloop AI’s processing of DPA Data that is required to provide the Service under the Terms of Service or other agreement between You and Polyloop AI pertaining to the use of Polyloop AI’s software-as-a-service offering (the “Agreement”). This DPA is part of your Terms with Polyloop AI. In the event of any conflicting language between the Agreement, the other Terms, or any operative Order Form, the terms of this DPA control.

You and Polyloop AI each agree to comply with their respective obligations under Data Protection Law.

Data Processing Roles

As between You and Polyloop AI, You are the Data Controller, and Polyloop AI is the Data Processor, processing DPA Data on Your behalf.

Data Processing Purposes

Polyloop AI will process DPA Data as your Data Processor to: (i) provide or maintain the Service; and (ii) for the purposes set forth in this DPA and the Agreement. Polyloop AI acknowledges that you are disclosing DPA Data for these limited and specific purposes.

2. DEFINITIONS. The definitions in Section 15 (Defined Terms) apply to this DPA. All terms in quotation marks in the body of this DPA are also defined terms. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

3. PROCESSING REQUIREMENTS. As a Data Processor, Polyloop AI will:

3.1 process DPA Data on Your behalf, according to Your instructions, and only in a manner that is necessary for the performance of the Service. Specifically, Polyloop AI agrees to process DPA Data: (i) for the purpose of providing, providing access to, servicing, and supporting Your use of the Service; and (ii) in compliance with the instructions received from You;

3.2 promptly notify You in writing if it cannot comply with the requirements of this DPA;

3.3 promptly inform You if, in Polyloop AI’s opinion, an instruction from You infringes applicable Data Protection Law; and

3.4 ensure that all persons authorized by Polyloop AI to process DPA Data are subject to a duty of confidentiality.

4. SUBPROCESSORS. Polyloop AI will:

4.1 engage the organizations or persons listed on the “Subprocessor List” as necessary to perform the Service. You consent to Polyloop AI’s use of its existing Subprocessors and You grant Polyloop AI a general written authorization to engage Subprocessors to perform all or part of the processing activities required to provide the Service. If You subscribe to receive email notifications at the Subprocessor List, then Polyloop AI will notify You if Polyloop AI intends to add one or more Subprocessors to the Subprocessor List at least 30 days before the change takes effect. You may, within fifteen (15) days of receiving the notice of the change, reasonably object to Polyloop AI’s use of a Subprocessor on reasonable grounds relating to the protection of DPA Data (the “Objection”) by following the instructions set forth in the Subprocessor List or by contacting support@Polyloop.ai (the “Objection Notice”). In such case, Polyloop AI shall have the right to cure the Objection through one of the following options: (i) Polyloop AI will offer an alternative to provide its Service without such Subprocessor; (ii) Polyloop AI will take the corrective steps requested by You in the Objection Notice and proceed to use the Subprocessor; (iii) Polyloop AI may cease to provide, or You may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Service that would involve the use of such Subprocessor; or (iv) You may cease providing DPA Data to Polyloop AI for processing.
If none of the above options are commercially feasible, in Polyloop AI’s reasonable judgment, and the Objection has not been resolved to the satisfaction of the parties within thirty (30) days of Polyloop AI’s receipt of the Objection, then either party may terminate any subscriptions, order forms or usage regarding the Service for cause, and in such case You will be refunded any prepaid but unused fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is Your sole and exclusive remedy if You object to any new Subprocessor;

4.2 enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security to that provided for in this DPA. Polyloop AI will remain fully liable to You for the performance of each Subprocessor to the extent the Subprocessor fails to fulfill its data protection obligations under the applicable data processing agreement with Polyloop AI.

5. NOTICE TO CUSTOMER. Polyloop AI will inform You, to the extent legally permitted, if Polyloop AI receives:

5.1 any legally binding request for disclosure of DPA Data by a law enforcement authority. If Polyloop AI is legally prohibited from notifying You, Polyloop AI will use its best efforts to request a waiver of the prohibition and will document that request. Polyloop AI will notify You once the prohibition expires or has been lifted with the aim of providing as much relevant information to You as reasonably possible;

5.2 any notice, inquiry, or investigation by a Supervisory Authority with respect to DPA Data; or

5.3 any complaint or request from a Data Subject (including “verifiable consumer requests” as defined by CCPA) exercising their right under Data Protection Law to (i) access their DPA Data; (ii) have their DPA Data corrected or erased; (iii) restrict or object to the Processing of their DPA Data; or (iv) data portability (collectively, a “Data Subject Request”). Other than to request further information or identify the Data Subject, Polyloop AI will not respond to any Data Subject Request without prior written authorization from You.

6. PERSONAL DATA BREACH. If Polyloop AI experiences any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data (“Personal Data Breach”), Polyloop AI will notify you in accordance with the timeframe set out under the heading “Incident Detection and Response” in the Security Addendum, which is incorporated into this DPA. Polyloop AI will provide you with all information about the Personal Data Breach as required by Data Protection Law, including the information outlined under the heading “Incident Detection and Response” in the Security Addendum.

7. ASSISTANCE TO CUSTOMER AND AUDITS. Upon Your written request, Polyloop AI will provide reasonable assistance to You regarding:

7.1 Your obligations to respond to Data Subject Requests relating to Polyloop AI’s Processing of DPA Data;

7.2 Your preparation of data protection impact assessments with respect to the processing of DPA Data by Polyloop AI and, where necessary, carrying out consultations with any Supervisory Authority with jurisdiction over the Processing; and

7.3 information, assessments or audits, to the extent required by Data Protection Law, and as necessary to confirm that Polyloop AI is processing Personal Data in a manner consistent with this DPA. All audits and assessments will be performed in the manner set out under the heading “Customer Audit Rights” in the Security Addendum. All reports and documentation provided to You are Polyloop AI’s Confidential Information.

8. REQUIRED PROCESSING. If Polyloop AI is required by Data Protection Law to Process DPA Data outside of Your instructions, Polyloop AI will inform you of this requirement in advance of any processing, unless Polyloop AI reasonably believes it is legally prohibited from informing you of such processing.

9. SECURITY. Polyloop AI will:

9.1 implement and maintain a written information security program with the data security measures set out in the Security Addendum to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of DPA Data and to protect the rights of the Data Subject; and

9.2 take appropriate steps to confirm that all Polyloop AI personnel and persons or entities authorized to Process DPA Data are protecting the security, privacy and confidentiality of DPA Data consistent with the requirements of this DPA.

10. US SPECIFIC DATA PROTECTION OBLIGATIONS. To the extent applicable under US State Privacy Law, Polyloop AI certifies that it understands and will comply with its obligations under US State Privacy Law to:

10.1 only process DPA Data for the purposes set out in this DPA and the Agreement, unless otherwise permitted by law;

10.2 not “sell” or “share” (as defined by CCPA) DPA Data;

10.3 not retain, use or disclose DPA Data outside of the direct business relationship between Polyloop AI and Customer unless otherwise required or permitted by law;

10.4 Process DPA Data in a manner that provides no less than the level of privacy protection required by US State Privacy Law;

10.5 not combine any personal data with DPA Data that Polyloop AI receives from or on behalf of any other third party or collects from Polyloop AI’s own interactions with individuals, provided that Polyloop AI may so combine personal data as permitted under US State Privacy Laws, or if directed to do so by Customer;

10.6 not attempt to reidentify any deidentified data You provide to Polyloop AI, except for the sole purpose of determining whether the deidentification processes are compliant with applicable Data Protection Law; and

10.7 grant You the right to (i) take reasonable and appropriate steps to ensure that Polyloop AI uses DPA Data in a manner consistent with Data Protection Law; and (ii) stop and remediate unauthorized use of DPA Data.

11. OBLIGATIONS OF CUSTOMER.

11.1 You represent, warrant and covenant that You have and shall maintain throughout the term all necessary rights, consents and authorizations to provide the DPA Data to Polyloop AI and to authorize Polyloop AI to Process DPA Data as contemplated by this DPA, the Agreement, the Terms and/or other instructions provided to Polyloop AI.

11.2 You shall reasonably cooperate with Polyloop AI to assist Polyloop AI in performing any of its obligations with regard to any requests from Customer’s data subjects.

11.3 You acknowledge and agree that You, rather than Polyloop AI, are responsible for certain configurations and design decisions for the services and that You are responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Law. Without limitation to the above, You represent, warrant and covenant that You shall only transfer DPA Data to Polyloop AI using secure, reasonable and appropriate mechanisms.

11.4 You shall not provide DPA Data to Polyloop AI except through agreed mechanisms. For example, You shall not include DPA Data other than technical contact information, in technical support tickets or transmit DPA Data to Polyloop AI by email.

11.5 You shall not provide to Polyloop AI any personally identifiable genetic, biometric or health data; or payment card industry data (such as credit card numbers).

12. CROSS-BORDER DATA TRANSFERS.

12.1 You acknowledge that You may transfer Personal Data to Polyloop AI in the United States, in order for Polyloop AI to provide the Service. If the transfer comprises DPA Data that requires a Data Transfer Mechanism, the Data Transfers Addendum which is incorporated into this DPA, will apply.

13. FUTURE REGULATIONS ON ARTIFICIAL INTELLIGENCE.

13.1 In the event that new legislation and regulations are implemented that specifically govern the use of artificial intelligence solutions, both parties agree to review this DPA to ensure compliance with such legislation and regulations.

13.2 If the implementation of the new regulations requires substantial modifications to the terms and conditions of this DPA, both parties shall negotiate in good faith to make necessary amendments.

13.3 Should the new regulations render the continued provision of services under this contract infeasible or unlawful, either party may initiate termination by providing written notice to the other party. Termination shall be effective after a reasonable notice period, as agreed upon by both parties.

13.4 The termination of this DPA due to the aforementioned regulations shall not relieve either party from any outstanding obligations or liabilities incurred prior to the termination.

13.5 If any provision of this DPA is found to be inconsistent with future regulations governing artificial intelligence, such provision shall be interpreted in a manner consistent with the applicable laws, or if necessary, deemed null and void without affecting the validity of the remaining provisions.

14. RETENTION PERIOD. This DPA shall remain in effect as long as Polyloop AI Processes DPA Data on your behalf or until the termination of the Agreement (and all DPA Data has been returned or deleted in accordance with the Agreement). On the termination of the Services or upon your reasonable request, Polyloop AI shall, and shall direct each Subprocessor to, return to you or delete the DPA Data, unless Polyloop AI is required by law to retain DPA Data.

15. DEFINED TERMS

15.1 “Data Controller” means the person or entity that determines the purposes and means of Processing DPA Data, which may include, as applicable, equivalent concepts under Data Protection Law (for example, “Business” as defined by CCPA).

15.2 “Data Processor” means the person or entity that Processes DPA Data on behalf of the Data Controller, which may include, as applicable, equivalent concepts under Data Protection Law (for example, “Service Provider” as defined by CCPA).

15.3 “Data Protection Law” means applicable privacy and data protection law in connection with your use of the Service. Data Protection Law may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended, and its implementing regulations (“CCPA”) and the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

15.4 “Data Subject” means an identified or identifiable natural person to which DPA Data relates, and only to the extent their Personal Data is protected by Data Protection Law.

15.5 “Data Transfer Addendum” means the data transfer addendum located on this page.

15.6 “Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of DPA Data under Data Protection Law. This includes transfer mechanisms that are required under Data Protection Law in the EEA, UK, and Switzerland such as the Data Privacy Framework, the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under Data Protection Law that is incorporated into this DPA.

15.7 “DPA Data” means Customer Data or Your Content that is Personal Data.

15.8 “EEA” means the European Economic Area.

15.9 “EEA SCCs” means Module 2 (Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.

15.10 “Personal Data” means any information relating to an identifiable natural person which is protected under Data Protection Law and Processed in connection with Your use of the Service. This includes equivalent concepts as defined by Data Protection Law (for example, “personal information” as defined under the CCPA).

15.11 “Processing” means any operation or set of operations which is performed on Your behalf on DPA Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination. “Process”, “Processes” and “Processed” will be interpreted accordingly.

15.12 “Security Addendum” means the Security Addendum located on this page.

15.13 “Subprocessor” means an entity Polyloop AI engages to Process DPA Data on Polyloop AI’s behalf, to carry out specific processing activities on Your behalf.

15.14 “Supervisory Authority” means an independent public authority which is (i) established by a member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection that has supervisory jurisdiction over You.

15.15 “Terms of Service” means the Terms of Service located on this page.

15.16 “UK International Data Transfer Addendum” means the international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office which came into force in accordance with s119A of the UK Data Protection Act on 21 March 2022.

15.17 “You” means the organization contracting for the use of the Service.

15.18 “US State Privacy Law” means all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

1. Introduction

This Data Transfers Addendum is incorporated by reference into the Data Processing Addendum between you and Polyloop AI, which governs Polyloop AI’s and its Affiliates’ Processing of Personal Data (“DPA”). You may be referred to as “You” or “Customer” in your Polyloop AI Platform Agreement, or any other agreement signed by you and Polyloop AI pertaining to your use of Polyloop AI’s software-as-a-service offering (“Agreement”) and the DPA. Any capitalized terms not defined in this Data Transfers Addendum have the meanings given to them in your DPA or Agreement.

2. Order of Precedence

If, in connection with Polyloop AI providing the Services to you, more than one of the following Data Transfer Mechanisms could apply to a transfer of DPA Data, you and Polyloop AI agree that the transfer will be subject to one Data Transfer Mechanism only, according to the following order of precedence:

(a) the Data Privacy Framework;

(b) the EU SCCs;

(c) the UK International Data Transfer Addendum; and

(d) any other data transfer mechanism available under DP Law that is incorporated into your DPA.

3. Data Privacy Framework

Polyloop AI is self-certified under the Data Privacy Framework.

When you transfer DPA Data originating from the EEA, the UK or Switzerland to Polyloop AI, Polyloop AI will receive the DPA Data under the Data Privacy Framework and, when processing that DPA Data, will comply with the data privacy principles and relevant supplemental principles set out in the Data Privacy Framework.

Polyloop AI will notify you without undue delay if its self-certification under the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, an alternative Data Transfer Mechanism will apply according to this Data Transfers Addendum).

4. The EU Standard Contract Clauses

Module 2 (Controller to Processor) of the EEA SCCs, as completed in this Data Transfers Addendum, applies to a transfer by you to Polyloop AI of DPA Data that is subject to DP Law in the EEA and Processed under your DPA.

a. Module 2 (Controller to Processor)

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 – Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9 – Clause 9(a), (c), (d) and (e);

(iv) Clause 12 – Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 – Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay, and in no event more than 72 hours, after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1   Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of legality and data minimization

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity.

The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third party beneficiary rights.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of the EU Member State in which the data exporter is established.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

Appendix to Module 2 (Controller to Processor)

A. LIST OF PARTIES

Data exporter:

Name: The party to the Agreement with Polyloop AI.

Address: The data exporter’s address.

Contact Person’s name, position and contact details: The name, position and contact details provided by the data exporter.

Activities relevant to the data transferred under these Clauses: Processing Personal Data as described in the DPA.

Signature and date: By using the Services to transfer Personal Data to the data importer, the data exporter will be deemed to have signed this Annex I.

Role (controller/processor): Controller

Data importer:

Name: Polyloop Corporation

Address: 185 Wythe Ave f2, Brooklyn, NY 11249

Contact Person’s name, position and contact details:

Ralf Alwani

support@polyloop.ai

Activities relevant to the data transferred under these Clauses: The performance of the services described in the Agreement.

Signature and date: The data importer will be deemed to have signed this Annex I on the transfer of Personal Data by the data exporter in connection with the Services.

Role (controller/processor): Processor

B.   DESCRIPTION OF TRANSFER

  • Categories of data subjects whose personal data is transferred

Users of the data exporter’s applications.

  • Categories of personal data transferred

Name, contact information, demographic information, or other user-generated, text-based information provided by the user in an unstructured data-format.

  • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Any sensitive personal data which may be included in a query input into the Polyloop platform or contained in an output generated by the Polyloop platform.

  • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

  • Nature of the processing

The performance of the services described in the Agreement.

  • Purpose(s) of the data transfer and further processing

The performance of the services described in the Agreement.

  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The term of the Agreement, and any such additional period stated in the Agreement.

  • For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

The performance of the services described in the Agreement.

C.  COMPETENT SUPERVISORY AUTHORITY

  • Identify the competent supervisory authority/ies in accordance with Clause 13

The data protection authority of the EU Member State in which the exporter is established.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer will maintain and implement the technical and organizational measures set out in the Data Security Exhibition of the Agreement.

https://www.polyloop.ai/legal/terms-of-service

Terms of Service

1 IMPORTANT TERMS.

1.1 These Terms of Service (the “Agreement”) are between Polyloop AI and You and govern Your use of the Service.  If You are using the Service on behalf of another entity (such as your employer), You must have the authority to accept these Terms on their behalf.

1.2 By using the Service, the parties are agreeing to this Agreement, our Acceptable Use Policy, our Support and Service Level Terms, our Service Terms, our Security Addendum, and our Data Processing Addendum which are collectively referred to as our “Terms” and which are enforceable like any written contract.  In the event of any conflict between this Agreement and the remainder of the Terms, this Agreement controls except regarding the DPA which will govern with respect to its subject matter.

1.3 Polyloop AI may update the Terms by posting updated Terms on our website.  All updates become effective when posted.

1.3.1 Other than for updates that, at Polyloop AI’s discretion, are deemed non-material, updates made relating to new functionality and Preview Features,  or updates to the  extent required by applicable law, Polyloop AI will provide notice of any update at least 15 days in advance of the update being posted.  Such updates are not retroactive, but Your continued use of the Service after any such updates means You agree to such updates.

1.3.2 Notwithstanding Sections 1.2 and 1.3.1 above, in no event may Polyloop AI alter the Terms in a way that detracts from its obligations with respect to Confidential Information, Customer Data, or Customer Content as agreed to in this Agreement without express written authorization from You.

1.3.3 If Polyloop AI updates the Terms pursuant to this Section 1.3 in a manner that You reasonably consider negatively impacts You, You have 15 days after notification or posting of such update to bring such matter to our attention.  If we are unable to resolve Your issue (including by reverting You to our prior language for the balance of Your operative order form) within 15 days of You bringing such issue to our attention, You may terminate this Agreement and any operative Order Form upon 3 business days’ notice (and Polyloop AI will refund to You any prepaid unused Fees for the applicable Service).

1.4 The Service is a research tool.  The Output of Polyloop is AI-generated, and it may contain errors and misstatements or may be incomplete.

2 DEFINITIONS.  The definitions in Section 12 (Defined Terms) apply to these Terms. All terms in quotation marks in the body of this Agreement are also defined terms.

3 USAGE.

3.1 You may access, and we grant You the non-exclusive right to use, the Service.  Access credentials are specific to the user to whom they are issued and may not be shared, including within the same organization.  You will take reasonable steps to prevent unauthorized use of the Service.

3.2 You may not (i) use the Service in a way that infringes, misappropriates, or violates any person’s rights; (ii) access or use the Service from any Embargoed Countries; (iii) attempt to reverse engineer or attempt to discover the source code or engineering of the underlying model and systems of the Service or Polyloop AI’s subcontractors; (iv) attempt automated means to scrape content or Output from the Service.

3.3 To the extent that You provide us with any Feedback, we may freely use and incorporate any Feedback into our products and services.  Polyloop AI may not utilize Feedback in a way that identifies, or could be used to identify, Customer, its users, Customer Data, Content, or Customer's Confidential Information.

3.4 Any third party software, services, or other products You use in connection with the Service (for example, Your internet browser) are subject to their own terms, and we are not responsible for such third party products.

4 CONTENT.

4.1 You may provide Input to the Service and receive Output from the Service.  As between the parties, You own Your Content.

4.2 You may provide Input that is similar or identical to a third party’s user’s Input or may receive Output that is similar or identical to Output provided to other third party users.  Queries that are requested by other third party users and responses provided to other third party users are not Your Content.

5 CUSTOMER DATA.

5.1 To utilize certain features, You may be required to upload documents (“Customer Data”) into the Service for the purpose of enabling certain features.

5.2 As between the parties, You retain all right, title and interest (including any and all intellectual property rights) in and to the Customer Data. You grant to Polyloop AI and its Affiliates a non-exclusive, worldwide, royalty-free right to process the Customer Data and Your Input to the extent necessary to provide the Service to You, to prevent or address service or technical problems with the Service, or as may be required by law.

6 FEES AND PAYMENTS.

6.1 Payment terms and fees payable by You (“Fees”) are as set forth in Your order form(s).  We have the right to correct invoicing errors or mistakes within 45 days of the relevant invoice being received by You.

6.2 Unless otherwise stated, Fees do not include federal, state, local, and foreign taxes, duties, and other similar assessments (“Taxes”).  You are responsible for all Taxes associated with Your purchase and we may invoice You for such Taxes. You agree to timely pay such Taxes and provide us with documentation showing the payment, or additional evidence that we may reasonably require. If Polyloop AI has the legal obligation to pay or collect Taxes for which You are responsible, we will invoice You and You will pay that amount unless You provide us with a valid tax exemption certificate authorized by the appropriate taxing authority. Taxes will not be deducted from payments to Polyloop AI, except as required by applicable law, in which case You will increase the amount payable as necessary so that, after making all required deductions and withholdings, Polyloop AI receives and retains (free from any liability for Taxes) an amount equal to the amount it would have received had no such deductions or withholdings been made. Where applicable, You will provide Your VAT/GST Registration Number(s) or similar.  We use the name and address in Your account registration as the place of supply for tax purposes, so You must keep this information accurate and up-to-date.

6.3 If You want to dispute any Fees or Taxes, please contact support@polyloop.ai within thirty (30) days of the date of the disputed invoice. Undisputed amounts past due may be subject to a finance charge of the unpaid balance per month, accruing daily and compounding monthly at the rate of the prevailing Federal Funds Rate (subject to a minimum of zero) plus 1.5% per annum. If any undisputed amount of Your Fees are past due, we may suspend Your access to the Services after we provide You written notice of late payment.  In the event of a billing dispute, any undisputed amounts must be paid in full.

7 TERM AND TERMINATION.

7.1 These Terms take effect as of the Effective Date and remain in effect until terminated.  Either party may terminate these Terms by providing notice to the other party. Notwithstanding the above, termination (either by Polyloop AI or You) does not become effective until the expiration or termination of all operative order forms or as otherwise indicated in your order form or this Agreement.  In the case of termination, You remain obligated to pay for any used but unpaid Fees charged to Your account.

7.2 Within 30 days of termination, Polyloop AI will securely delete any remaining Customer Data or Content unless otherwise instructed by You.

7.3 The sections of these terms that customarily would survive such an agreement will survive (for example, provisions around confidentiality, obligation to pay unpaid fees, etc.).

8 INDEMNIFICATION.

8.1 Polyloop AI will defend You against any claim by a third party alleging that the Service, when used in accordance with these Terms and the documentation, infringes any intellectual property right of such third party and will indemnify You for any damages, costs, and, if applicable, attorneys’ fees finally awarded against You or agreed in settlement by us resulting from such claim. If Your use of the Service results (or in Polyloop AI’s opinion is likely to result) in an infringement claim, Polyloop AI may either: (a) substitute functionally similar products or services; (b) procure for You the right to continue using the Service; or if (a) and (b) are not commercially reasonable, (c) terminate this Agreement, or the applicable order form, and refund to You any prepaid unused Fees for the applicable Service.  Polyloop AI will not have an obligation to indemnify and defend to the extent the applicable claim is attributable to any materials not provided by Polyloop AI either alone or in combination with the Service.  Notwithstanding the above, Polyloop AI does not have any obligation to defend or indemnify with respect to Output that results from Input or Customer Data that is in violation of our Terms or results from Input or Customer Data that You knew or reasonably should have known was likely to lead to infringing Output.

8.2 Indemnification by You. You will defend Polyloop AI against any claim by a third party arising from or relating to: (i) Your Input and (ii) Your Customer Data.  You will indemnify Polyloop AI for any damages, costs, and, if applicable, attorneys’ fees finally awarded against Polyloop AI or agreed in settlement by You resulting from such claim.

8.3 Indemnification Procedures. In the event of a potential indemnity obligation under this section, each party (the “Indemnified Party”) will: (i) promptly notify the other party (the “Indemnifying Party”) in writing of the claim; (ii) allow the Indemnifying Party the right to control the investigation, defense and settlement (if applicable) of such claim at the Indemnifying Party’s cost and expense; and (iii) upon request of the Indemnifying Party, provide all necessary cooperation at the Indemnifying Party’s expense. Failure by the Indemnified Party to notify the Indemnifying Party of a claim under this section will not relieve the Indemnifying Party of its obligations under this section. However, the Indemnifying Party will not be liable for any litigation expenses that the Indemnified Party incurred prior to the time when notice is given or for any damages and/or costs resulting from any material prejudice caused by the delay or failure to provide notice to the Indemnifying Party. The Indemnifying Party may not settle any claim that would bind the Indemnified Party to any obligation (other than payment covered by the Indemnifying Party or ceasing to use infringing materials) or require any admission of fault by the Indemnified Party, without the Indemnified Party’s prior written consent, such consent not to be unreasonably withheld, conditioned, or delayed. Any indemnification obligation under this Section 8 will not apply if the Indemnified Party settles or makes any admission with respect to a claim without the Indemnifying Party’s prior written consent.

9 WARRANTY AND DISCLAIMER

9.1 You warrant that You have the necessary rights in Your Customer Data and Input to use it with the Service and that Your use of the Service will comply with all applicable laws and regulations.

9.2 Polyloop AI warrants that (i) the Services will conform in all material respects with the specifications provided by Polyloop AI, including in our documentation, (ii) it will perform the Services in a professional and workmanlike manner with employees having a level of skill commensurate with the requirements of this Agreement, and (iii) the Services do not to our knowledge infringe any third party intellectual property right.

9.3 Except for the warranties in this section, the parties disclaim all warranties, express or implied, including all implied warranties of merchantability, fitness for a particular purpose and title.  Polyloop AI does not represent or warrant that the use of the Service will be uninterrupted or error-free.

10 LIMITATIONS ON LIABILITY

10.1 In no event will either party be liable to the other party or any third party for any indirect, incidental, special, exemplary, punitive, or consequential damages, including loss of income, profits, revenue, or business interruption, or the cost of substitute services or other economic loss, arising out of or in connection with these Terms, whether such liability arises from any claim based on contract, warranty, tort (including negligence), strict liability or otherwise, and whether or not such party has been advised of the possibility of such loss or damage.

10.2 Other than with respect to (i) either party’s payment obligations under these Terms, (ii) the parties’ obligations under Section 8 (Indemnification), (iii) the claims indicated in Section 10.3 below, and (iv) claims based on liability which, by law, cannot be limited (for example, tort claims for gross negligence and intentional misconduct), in no event will either party’s total liability to the other party or any third party for all claims in the aggregate (for damages or liability of any type) in connection with these Terms exceed the amount actually paid or payable to Polyloop AI by You in the prior 12 months relating to Your use of the Service (the “Liability Cap”).

10.3 For claims relating to data breaches of Your Customer Data caused by Polyloop AI’s breach of its obligations under our Security Addendum or the DPA, as well as either party’s breach of its obligations relating to confidentiality, total liability to the other party or any third party for all claims in the aggregate (for damages or liability of any type) in connection with these Terms will not exceed two times the amount actually paid or payable to Polyloop AI by You in the prior 12 months relating to Your use of the Service (the “Data Breach Cap”).

11 GENERAL TERMS.

11.1 Assignment. Neither party may assign these Terms without the advance written consent of the other party, except that Polyloop AI may (i) assign these Terms in their entirety to any Affiliate and (ii) assign these Terms in connection with a consolidation, merger or sale of all or substantially all of our assets.

11.2 Subcontracting. Polyloop AI may use subcontractors and other third-party providers in connection with the performance of its activities under these Terms as it deems appropriate, provided that it remains responsible for the performance of any such subcontractors or third-party providers.

11.3 Severability and Interpretation. If a court of competent jurisdiction holds any provision of these Terms to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that these Terms will otherwise remain in effect.

11.4 Open Source Software.  We warrant that we will not use any software in the Service that would cause Your software to become subject to an open source license that would require, as a condition of use, Your software to be disclosed or distributed in source code form or would give others the right to modify Your software.

11.5 Confidentiality.  Each party (as the “Receiving Party”) will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to: (i) not use any Confidential Information of the other party (the “Disclosing Party”) for any purpose outside the scope of these Terms; and (ii) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with these Terms and who are bound by confidentiality obligations to the Receiving Party containing protections not materially less protective than this section. If the Receiving Party is required by law or court order to disclose Confidential Information, then the Receiving Party will, to the extent legally permitted, provide the Disclosing Party with advance written notification and cooperate in any effort to obtain confidential treatment of the Confidential Information. The Receiving Party acknowledges that disclosure of Confidential Information would cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such disclosure by the Receiving Party, the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law.

11.6 Usage Data.  Polyloop AI may collect and use Usage Data to develop, improve, support, and operate its Service.  Polyloop AI may not share Usage Data that includes Your Confidential Information with a third party (for example, auditors) except (a) in accordance with Section 11.5 (Confidentiality) of this Agreement, or (b) to the extent the Usage Data is aggregated and anonymized such that You cannot be identified.

11.7 No Training.  Polyloop AI will not train any AI models using Your Content or Customer Data.  Subprocessors will not train any AI models using Your Content or Customer Data.  Subprocessors will not retain or log for human review Your Content or Customer Data.

11.8 Privacy Policy.  Your users will be subject to our Privacy Policy to the extent not in conflict with the Terms in using the Service.

11.9 Data Processing Addendum.  Polyloop AI will at all times abide by the Terms as well as the Data Processing Addendum with respect to the handling and processing of Customer Data and Content.  To the extent of any conflict between the Terms and the Data Processing Addendum, as to the subject matter covered by the Data Processing Addendum, the Data Processing Addendum controls.

11.10 Insurance.  Polyloop AI will maintain insurance provided by companies with a minimum A.M. Best rating of A-, VI or better.  Polyloop AI agrees to maintain at least the following insurance policies and minimums:

General Aggregate: $4,000,000

Products/Completed Operations: $4,000,000

Workers Compensation: Statutory Limits

Employers Liability: $1,000,000

Umbrella Liability: $6,000,000

Professional Liability: $2,000,000

Cyber Liability: $5,000,000

11.11 Use of Name.  You grant us the right to reference You as a customer of the Service and to use Your logo for that purpose.  You may terminate such right at any time by providing us with notice.

11.12 Governing Law. These Terms will be governed by the laws of the State of California and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods.

11.13 Arbitration.  Any dispute, claim or controversy arising out of or relating to this Agreement or its breach, including the determination of the scope or applicability of this agreement to arbitrate, will be determined by arbitration in San Francisco.  For matters with a disputed amount in controversy of more than $250,000, the matter will be heard before a panel of three arbitrators subject to JAMS’ Comprehensive Arbitration Rules and Procedures, and for other matters before a single arbitrator subject to JAMS’ Streamlined Arbitration Rules and Procedures. Judgment on the Award may be entered in any court having jurisdiction. This clause will not preclude parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction.

11.14 Notice. All notices must be in writing (in English) and at the email addresses set forth on this Agreement’s cover page. Either party may update its email address for notices under these Terms by providing the other party notice in accordance with this section.

11.15 No Waiver. No waiver will be implied from conduct or failure to enforce or exercise rights under these Terms, nor will any waiver be effective unless in a writing signed by the waiving party.

11.16 Entire Agreement. These Terms are the complete and exclusive statement of the mutual understanding of the parties in connection with Your use of the Service and supersede and cancel all previous written and oral agreements, understandings, and communications relating to the subject matter in these Terms. Each party represents that, in connection with the Service, it has not relied on any term or representation not contained in these Terms.

11.17 Export Control. The parties agree to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. The Services may not be used in or for the benefit of, exported, or re-exported (a) into any U.S. embargoed countries or that has been designated by the U.S. government as a “terrorist supporting” country (collectively, the “Embargoed Countries”) or (b) to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals, any other restricted party lists (existing now or in the future) identified by the Office of Foreign Asset Control, or the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party lists. You represent and warrant that You are not located in any Embargoed Countries and not on any such restricted party lists.

11.18 Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under these Terms (except for failure to pay applicable Fees and expenses) if the delay or failure results from any cause beyond such party’s reasonable control that could not have been prevented through the use of commercially reasonable safeguards, including acts of God, labor disputes, or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war.

12 DEFINED TERMS.

12.1 “Acceptable Use Policy” means Polyloop AI’s policy governing the use of its Service.

12.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity where “control,” for the purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests in the subject entity.

12.3 “Agreement” has the meaning set forth on the cover page.

12.4 “Basic Service” is the basic functionality of the Service used for general legal research purposes in which users provide Input and receive Output, and which does not include features such as Data Room/Vault, Customer-trained models, workflows, and certain research modules (such functionality is covered by an order form that expressly reference such functionality).

12.5 “Confidential Information” means all information that is identified as confidential at the time of disclosure by the Disclosing Party or reasonably should be known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure.  Content specific to You and Customer Data are Confidential Information.

12.6 “Content” means Input and Output collectively.

12.7 “Polyloop AI” means Polyloop AI Corporation, a Delaware corporation as well as all of its Affiliates.

12.8 “Customer Data” has the meaning set forth in Section 5.1.

12.9 “Data Breach Cap” has the meaning set forth in Section 10.3.

12.10 “Data Processing Addendum” or “DPA” means the Data Processing Addendum governing Polyloop AI’s processing of Customer Data as located at http://polyloop.ai/legal.

12.11 “Disclosing Party” has the meaning set forth in Section 11.5.

12.12 “Effective Date” means the date which is the earlier of (1) when You first use the Service or (2) the effective date of the first Order Form referencing this Agreement.

12.13 “Embargoed Countries” has the meaning set forth in Section 11.16.

12.14 “Feedback” means any suggestions, enhancement requests, recommendations, corrections, or other feedback provided to Polyloop AI by You relating to our offerings.  Feedback excludes Customer Data and Content.

12.15 “Fees” has the meaning set forth in Section 6.1.

12.16 “Indemnified Party” has the meaning set forth in Section 8.3.

12.17 “Indemnifying Party” has the meaning set forth in Section 8.3.

12.18 “Input” means the query provided by a user to the Service.

12.19 “Liability Cap” has the meaning set forth in Section 10.2.

12.20 “Output” means the output provided by the Service to a user in response to such user’s Input.

12.21 “Privacy Policy” means Polyloop AI’s policy governing the privacy provisions related to its Service as located at http://polyloop.ai.

12.22 “Receiving Party” has the meaning set forth in Section 11.5.

12.23 “Security Addendum” means Polyloop AI’s addendum governing the security provisions related to its Service.

12.24 “Service” means the software-as-a-service offering made available by Polyloop AI at https://app.polyloop.ai.

12.25 “Service Terms” means the additional terms that govern the use of Preview Features as well as other optional offerings and features of the Service.

12.26 “Subprocessor” means any subcontractor or vendor of Polyloop AI that has access to or otherwise processes Customer Data or Content.  Subprocessor is inclusive of any Subprocessor identified in the Data Processing Addendum.

12.27 “Support and Service Level Terms” means Polyloop AI’s terms governing support and Service Level arrangements.

12.28 “Taxes” has the meaning set forth in Section 6.2.

12.29 “Terms” has the meaning set forth in Section 1.1.

12.30 “Usage Data” means information reflecting the access, interaction, or use of the Service by or on behalf of Customer including frequency, duration, volume, features, functions, visit, session, click through or click stream data, and statistical or other analysis, information, or data based on, or derivative works of, the foregoing.  Usage Data does not include any Customer Data or Content.

12.31 “You” or “Your” means (1) the organization contracting for the use of the Service and (2) the respective authorized users from Your organization as appropriate.

Infrastructure Security

Control | Description | Polyloop status
Unique production database authentication enforced | Authentication to production datastores is required via authorized secure mechanisms like unique Secure Shell (SSH) keys. | YES
Encryption key access restricted | Access to encryption keys is limited to authorized personnel with a justified business need. | YES
Unique account authentication enforced | Authentication to systems and applications requires unique usernames and passwords or authorized SSH keys. | YES
Production application access restricted | Access to production applications is limited to authorized personnel only. | YES
Production database access restricted | Access to production databases is restricted to authorized users with a business need. | YES
Firewall access restricted | Firewall access is limited to authorized personnel with a business justification. | YES
Production OS access restricted | Privileged access to the operating system is restricted to authorized personnel with a business need. | YES
Production network access restricted | Access to the production network is restricted to authorized personnel. | YES
Unique network system authentication enforced | Authentication to the production network requires unique usernames and passwords or authorized SSH keys. | YES
Remote access MFA enforced | Remote access to production systems is only granted to authorized employees using multi-factor authentication (MFA). | YES
Intrusion detection system utilized | An intrusion detection system is in place to continuously monitor the network and detect potential security breaches. | YES
Log management utilized | A log management tool is utilized to monitor and identify events that could impact the company’s security objectives. | YES

Organizational Security

Control | Description | Status
Production inventory maintained | The company maintains a formal inventory of production system assets. | YES
Portable media encrypted | Portable and removable media devices are encrypted when used. | YES
Anti-malware technology utilized | The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. | YES
Confidentiality agreement acknowledged by contractors | Contractors are required to sign a confidentiality agreement upon engagement. | YES
Confidentiality agreement acknowledged by employees | The company requires employees to sign a confidentiality agreement during onboarding. | YES
Performance evaluations conducted | The company managers are required to complete performance evaluations for direct reports at least annually. | YES
Password policy enforced | The company requires passwords for in-scope system components to be configured according to the company's policy. | YES

Product Security

Control | Description | Status
Data encryption utilized | Datastores containing sensitive customer data are encrypted at rest. | YES
Control self-assessments conducted | Control self-assessments are performed annually to ensure controls are in place and effective, with corrective actions taken within SLAs. | YES
Penetration testing performed | Penetration tests are conducted annually, and remediation plans are developed and implemented as per SLAs. | YES
Data transmission encrypted | Sensitive data transmitted over public networks is encrypted using secure protocols. | YES
Vulnerability and system monitoring procedures established | Formal policies govern vulnerability management and system monitoring within IT/Engineering. | YES

Internal Security Procedures

Control | Description | Status
Cybersecurity insurance maintained | Cybersecurity insurance is being maintained to mitigate the financial impact of business disruptions. | YES
Configuration management system established | A configuration management system is in place to ensure consistent deployment of system configurations. | YES
Change management procedures enforced | The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment. | YES
Production deployment access restricted | The company restricts access to migrate changes to production to authorized personnel. | YES
SOC 2 - System Description | Complete a description of your system for Section III of the audit report | YES
Whistleblower policy established | The company has established a formalized whistleblower policy, with an anonymous channel for reporting potential issues or fraud. | YES
Board oversight briefings conducted | Senior management briefs the board or a relevant subcommittee annually on cybersecurity and privacy risks. The board provides feedback and direction to management as needed. | YES
Board charter documented | The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control. | YES
Board expertise developed | Board members have sufficient expertise to oversee the design and operation of information security controls, engaging third-party experts as needed. | YES
Board meetings conducted | The board meets at least annually, maintaining formal minutes and includes independent directors/advisors. | YES
System changes externally communicated | Customers are notified of critical system changes that may affect their processing. | YES
Organizational structure documented | An organizational chart outlining structure and reporting lines is maintained. | YES
Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | YES
Support system available | The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. | YES
System changes communicated | System changes are communicated to authorized internal users. | YES
Access requests required | The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned. | YES
Incident response plan tested | The company tests their incident response plan at least annually. | YES
Incident response policies established | Security and privacy incident response policies and procedures exist and are documented and communicated to authorized users. | YES
Company commitments externally communicated | Security commitments are communicated to customers in the company’s Terms of Service (TOS). | YES
External support resources available | Guidelines and technical support resources are provided to customers for system operations. | YES
Service description communicated | A description of the company’s products and services is provided to both internal and external users. | YES
Risk assessment objectives specified | Risk assessment objectives are specified to identify and assess risks related to service commitments. | YES
Risk assessments performed | Risk assessments are performed annually, considering environmental, regulatory, and technological changes, including fraud risks. | YES
Third-party agreements established | Written agreements with vendors and third parties include confidentiality and privacy commitments. | YES

Data and Privacy

CONTROL | STATUS
Customer data deleted upon leaving: The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service. | YES

How does Polyloop approach security?
Polyloop's approach to security is multi-faceted, emphasizing both preventive measures and rapid response capabilities. This includes strong internal authentication and access control, with unique user identifiers and hardware-backed FIDO2 multi-factor authentication for all personnel. Employee devices are centrally managed to enforce security policies, and data backups are stored redundantly across multiple data centers in the United States, unless elected otherwise. Polyloop's secure development lifecycle incorporates best practices in coding, code reviews, and both static and dynamic application security testing. Network segmentation, firewalls, and Web Application Firewalls (WAFs) protect against unauthorized access, while security monitoring and intrusion detection systems guard against potential threats. In the event of a security incident, Polyloop has established incident response policies and playbooks that are tested annually. We also conduct regular offensive security assessments through third parties to evaluate our security posture end-to-end.

FAQ Page

Which information does Polyloop have available to accelerate the IT Security/Risk Review process?

Under NDA, we can provide you with our “Security Welcome Packet”, which contains more detailed information on our security program.

How do you authenticate customers?

We leverage Single Sign-On (SSO) through Microsoft with SAML to authenticate customers. This way, our administrators can centrally control who gets access to Polyloop and enforce security policies. Users can use their organization's credentials and do not need to remember an additional password.

Where are your servers located?

We utilize Amazon Web Services, with all data processing and storage occurring in the United States. We also support data storage in other countries upon request.

Do you conduct pen tests?

Yes, we conduct penetration tests with reputable security firms at least annually. Summaries can be shared under NDA.

How do you handle data Polyloop collects?

We encrypt all customer data at rest and in transit. We also support encryption with customer-managed keys (BYOK), store and process all data within the United States by default, and have the capacity to store data in other countries. You can learn more about our privacy and security practices in our Privacy Policy and Security Addendum.

© Policy Platforms Ltd