PLEASE READ THE FOLLOWING TERMS AND CONDITIONS (THE “TERMS”), WHICH ALONG WITH ANY APPLICABLE ORDER REFERENCING THESE TERMS (AN “ORDER”) AND ALL SUPPLEMENTAL TERMS THAT MAY BE PRESENTED TO YOU FOR YOUR REVIEW AND ACCEPTANCE (COLLECTIVELY, THE “AGREEMENT”) CONSTITUTE THE AGREEMENT BETWEEN THE ENTITY ACCESSING OR USING THE SERVICE (“YOU” OR “CUSTOMER”), AND BASETEN LABS, INC. (“BASETEN”). THIS AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE SERVICE BETWEEN THE PARTIES AND IT SUPERSEDES ANY PRIOR PROPOSAL, REPRESENTATION, OR UNDERSTANDING BETWEEN THE PARTIES WITH RESPECT THERETO. BASETEN AND CUSTOMER ARE HEREINAFTER JOINTLY DEFINED AS THE “PARTIES” OR INDIVIDUALLY A “PARTY”.
BY EXECUTING AN ORDER THAT REFERENCES THESE TERMS, OR BY ACCESSING OR USING, OR SUBSCRIBING TO USE, THE SERVICE, YOU ARE ACCEPTING AND AGREEING TO BE BOUND BY AND TO COMPLY WITH ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT (PERSONALLY AND ON BEHALF OF ANY COMPANY OR OTHER LEGAL ENTITY THAT YOU REPRESENT WHEN USING THE SERVICE OR THAT YOU NAME AS THE USER WHEN YOU CREATE AN ACCOUNT), AND YOU REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, AUTHORITY, AND CAPACITY TO ENTER INTO THIS AGREEMENT AND TO BIND ANY SUCH COMPANY OR LEGAL ENTITY TO THIS AGREEMENT. EACH ORDER IS INCORPORATED HEREIN BY REFERENCE. IF YOU DO NOT AGREE WITH ALL OF THE PROVISIONS OF THIS AGREEMENT, YOU MAY NOT ACCESS OR USE THE SERVICE.
Baseten may change these Terms from time to time at its sole discretion, and if it makes any material changes, it will attempt to notify You by sending You an email to the last email address You provided to Baseten and/or posting a notice on Baseten’s website. Therefore, You agree to promptly notify Baseten of any changes in your email address. Any material changes to these Terms will be effective upon the earlier of (1) your acceptance of the new Terms if Baseten provides a mechanism for Your immediate acceptance in a specified manner (such as a click-through review and acceptance mechanism) or (2) next renewal date of the Agreement pursuant to the applicable Order.
1. Definitions
Capitalized terms will have the meanings set forth in this section, or in the section where they are first used.
1.1 “Access Protocols” means the passwords, access codes, technical specifications, connectivity standards or protocols, or other relevant procedures, as may be necessary to allow Customer or any Authorized Users to access the Baseten Products & Services.
1.2 “Authorized User” means each of Customer’s employees, agents, and independent contractors who are authorized to access the Baseten Products & Services pursuant to Customer’s rights under this Agreement.
1.3 “Baseten Products & Services” means Baseten’s platform for deploying machine learning models and building and operating applications for machine learning identified in any Order that allows Authorized Users to access certain features and functions through a web interface.
1.4 “Customer Content” means any content and information provided or submitted by, or on behalf of, Customer, its Authorized Users or End Users for use with the Services. For the avoidance of doubt, Customer Content includes, without limitation, all Customer Models, Customer Model Output, and any source code, files, software, processes, interfaces, data, text, media or other information provided by or on behalf of Customer or any End User to Baseten for storage, hosting or processing by the Services.
1.5 “Customer Model” means Customer’s machine learning model(s) that Customer will be deploying through the Baseten Products & Services.
1.6 “Customer Model Output” means the output of any query received by the Customer Model through the Baseten Products & Services.
1.7 “Documentation” means the technical materials provided by Baseten to Customer in hard copy or electronic form describing the use and operation of the Baseten Products & Services.
1.8 “DPA” means the Data Processing Addendum attached hereto at Annex II.
1.9 “Effective Date” means the date you accept this Agreement, as set forth in the second paragraph of these Terms.
1.10 “End User” means a third-party that accesses or uses the Customer Model deployed through the Baseten Products & Services.
1.11 “Error” means a reproducible failure of the Baseten Products & Services to substantially conform to the Documentation.
1.12 “Hosting Party” means, for a particular Baseten Product & Service, the party responsible for hosting such Baseten Product & Service.
1.13 “Intellectual Property Rights” means any and all now known or hereafter existing (a) rights associated with works of authorship, including copyrights, mask work rights, and moral rights; (b) trademark or service mark rights; (c) trade secret rights; (d) patents, patent rights, and industrial property rights; (e) layout design rights, design rights, and other proprietary rights of every kind and nature other than trademarks, service marks, trade dress, and similar rights; and (f) all registrations, applications, renewals, extensions, or reissues of the foregoing, in each case in any jurisdiction throughout the world.
1.14 “Order” has the meaning set forth in the first paragraph of these Terms. For the avoidance of doubt, an Order may consist of an online order page pursuant to which Customer orders Services from Baseten.
1.15 “Professional Services” means professional services provided by Baseten to Customer as described in any Order (as may be further elaborated in any statement of work).
1.16 “Services” means any services provided by Baseten to Customer under this Agreement as set forth in an Order, including, but not limited to, provision of the Baseten Products & Services and Professional Services.
1.17 “Supported Environment” means the minimum hardware, software, and connectivity configuration specified from time to time by Baseten as required for use of the Baseten Products & Services. The current requirements are described in the Documentation.
2. Provision of Services
2.1 Access. Subject to Customer’s payment of the fees set forth in the Order (“Fees”), Baseten will provide Customer with access to the Baseten Products & Services. On or as soon as reasonably practicable after the Effective Date, Baseten will provide to Customer the necessary passwords, security protocols and policies and network links or connections and Access Protocols to allow Customer and its Authorized Users to access the Baseten Products & Services in accordance with the Access Protocols. Customer will use commercially reasonable efforts to prevent unauthorized access to, or use of, the Baseten Products & Services, and notify Baseten promptly of any such unauthorized access or use known to Customer.
2.2 Support Services. Subject to the terms and conditions of this Agreement, Baseten will exercise commercially reasonable efforts to (a) provide support for the use of the Baseten Products & Services to Customer, and (b) keep the Baseten Products & Services operational and available to Customer, in each case in accordance with its standard policies and procedures as set forth at https://www.baseten.co/service-level-agreement/ (as may be updated by Baseten from time to time) (the “SLA”). Customer’s sole remedy, and Baseten’s sole liability, in connection with any breach of the SLA shall be as set forth therein.
2.3 Hosting. The Hosting Party will, at its own expense, provide for the hosting of the applicable Baseten Products & Services, provided that nothing herein will be construed to require Baseten to provide, or bear any responsibility with respect to, any telecommunications or computer network hardware required by Customer or any Authorized User to access the Baseten Products & Services from the Internet.
2.4 Security Measures. Baseten will implement and maintain technical and organizational measures designed to protect Customer Content in the possession or under the control of Baseten against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access thereto as described in Annex I (the “Security Measures”). Baseten may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Customer Content in the possession or under the control of Baseten. With respect to any Baseten Products & Services for which the Customer is the Hosting Party, the Customer will be solely responsible for implementing and maintaining (i) technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the Baseten Products & Services hosted by Customer; and (ii) egress for the Baseten Products & Services hosted by Customer necessary for Baseten to provide the Services.
2.5 Personal Data. To the extent that Baseten “Processes” “Customer Personal Data” as part of the Services, the Parties shall comply with their respective obligations under the DPA (incorporated herein). The terms Processes and Customer Personal Data shall have the meanings set forth in the DPA.
3. Intellectual Property
3.1 Baseten License Grant. Subject to the terms and conditions of this Agreement, Baseten grants to Customer a non-exclusive, non-transferable (except as permitted under Section 12.5 (No Assignment)) license during the Term (as defined below) (a) to access and use the Baseten Products & Services solely for Customer’s internal business purposes and to make Customer’s Customer Models available to End Users in accordance with the Documentation and applicable limitations (if any) set forth in the Order; (b) to use and reproduce a reasonable number of copies of the Documentation solely to support Customer’s use of the Baseten Products & Services; and (c) if, and to the extent, Customer is the Hosting Party, to host the applicable Baseten Products & Services in Customer’s Supported Environment in accordance with the Documentation. Customer may permit any Authorized Users to access and use the features and functions of the Baseten Products & Services as contemplated by this Agreement.
3.2 Restrictions. Customer will not, and will not permit any Authorized User, End User or other party to: (a) allow any third party to access the Baseten Products & Services or Documentation, except as expressly allowed herein; (b) modify, adapt, alter or translate the Baseten Products & Services or Documentation; (c) sublicense, lease, sell, resell, rent, loan, distribute, transfer or otherwise allow the use of the Baseten Products & Services or Documentation for the benefit of any unauthorized third party; (d) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Baseten Products & Services, except as permitted by law; (e) interfere in any manner with the operation of the Baseten Products & Services or the hardware and network used to operate the Baseten Products & Services; (f) modify, copy or make derivative works based on any part of the Baseten Products & Services or Documentation; (g) access or use the Baseten Products & Services to build a similar or competitive product or service; (h) attempt to access the Baseten Products & Services through any unapproved interface; or (i) otherwise use the Baseten Products & Services or Documentation in any manner that exceeds the scope of use permitted under Section 3.1 (Baseten License Grant) or in a manner inconsistent with applicable law, the Documentation, or this Agreement. Customer acknowledges and agrees that the Baseten Products & Services will not be used, and is not licensed for use, in connection with any of Customer’s time-critical or mission-critical functions. Customer will not remove, alter, or obscure any proprietary notices (including copyright and trademark notices) of Baseten or its licensors on the Documentation or any copies thereof.
3.3 Ownership. The Baseten Products & Services and Documentation, and all worldwide Intellectual Property Rights in each of the foregoing, are the exclusive property of Baseten and its suppliers. All rights in and to the Baseten Products & Services and Documentation not expressly granted to Customer in this Agreement are reserved by Baseten and its suppliers. Except as expressly set forth herein, no express or implied license or right of any kind is granted to Customer regarding the Baseten Products & Services, Documentation, or any part thereof. Customer acknowledges and agrees that Baseten has the right to compile deidentified, anonymized and/or aggregated statistical information related to the usage and performance of the Services (e.g., latency metrics) derived from the Customer’s and Authorized Users’ and End Users’ use thereof (collectively, “Statistical Data”). Baseten owns all Statistical Data and may use Statistical Data for Baseten’s lawful business purposes, including to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and any other Baseten offerings.
3.4 Open Source Software. Certain items of software may be provided to Customer with the Baseten Products & Services and are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of Sections 3.1 (Baseten License Grant) or 10 (Indemnification). Instead, each item of Open Source Software is licensed under the terms of the end-user license that accompanies such Open Source Software. Nothing in this Agreement limits Customer’s rights under, or grants Customer rights that supersede, the terms and conditions of any applicable end user license for the Open Source Software. If required by any license for particular Open Source Software, Baseten makes such Open Source Software, and Baseten’s modifications to that Open Source Software, available by written request at the notice address specified below.
3.5 Feedback. Customer hereby grants to Baseten a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Services any suggestions, enhancement requests, recommendations or other feedback provided by Customer, including Authorized Users, relating to the Services. Baseten will not identify Customer as the source of any such feedback.
4. Fees and Expenses; Payments
4.1 Fees. In consideration for the access rights granted to Customer and the Services performed by Baseten under this Agreement, Customer will pay to Baseten the Fees. Except as otherwise provided in the Order, all Fees are billed at the end of the month due and payable within thirty (30) days of the date of the invoice and all payments shall be made via ACH or wire transfer. In the event an Order provides for payment by credit card, all purchases over five thousand U.S. Dollars ($5,000) will be subject to credit card fees. Baseten will be reimbursed only for expenses that are expressly provided for in an Order or SOW (as defined below) or that have been approved in advance in writing by Customer, provided Baseten has furnished such documentation for authorized expenses as Customer may reasonably request. Baseten reserves the right (in addition to any other rights or remedies Baseten may have) to discontinue the Baseten Products & Services and suspend all Authorized Users’ and Customer’s access to the Services if any Fees are more than thirty (30) days overdue until such amounts are paid in full. Customer will maintain complete, accurate and up-to-date Customer billing and contact information at all times.
4.2 Taxes. The Fees are exclusive of all applicable sales, use, value-added and other taxes, and all applicable duties, tariffs, assessments, export and import fees, or other similar charges, and Customer will be responsible for payment of all such taxes (other than taxes based on Baseten’s income), fees, duties, and charges and any related penalties and interest, arising from the payment of the fees, the provision of the Services, or the license of the Baseten Products & Services to Customer. Customer will make all payments of Fees to Baseten free and clear of, and without reduction for, any withholding taxes; any such taxes imposed on payments of Fees to Baseten will be Customer’s sole responsibility, and Customer will provide Baseten with official receipts issued by the appropriate taxing authority, or such other evidence as Baseten may reasonably request, to establish that such taxes have been paid.
4.3 Interest. Any amounts not paid when due will bear interest at the rate of one and one half percent (1.5%) per month, or the maximum legal rate if less, from the due date until paid.
5. Customer Content and Responsibilities
5.1 License; Ownership. Customer is solely responsible for any and all obligations with respect to the accuracy, quality and legality of Customer Content. Customer will obtain all third party licenses, consents and permissions needed for Baseten to use the Customer Content to provide the Services. Without limiting the foregoing, Customer will be solely responsible for obtaining from third parties all necessary rights for Baseten to use the Customer Content submitted by or on behalf of Customer for the purposes set forth in this Agreement. Customer grants Baseten a non-exclusive, worldwide, royalty-free and fully paid license during the Term (a) to host, store, transfer, display, perform, reproduce, modify for the purpose of formatting for display, use and distribute the Customer Content as necessary for purposes of providing the Services and (b) to use the Customer trademarks, service marks, and logos as (collectively, the “Customer Marks”) required to provide the Services. As between the parties, Customer is the exclusive owner of the Customer Content and all worldwide Intellectual Property Rights therein. All rights in and to the Customer Content not expressly granted to Baseten in this Agreement are reserved by Customer.
5.2 Customer Warranty. Customer represents and warrants that any Customer Content will not (a) infringe any copyright, trademark, or patent; (b) misappropriate any trade secret; (c) be deceptive, defamatory, obscene, pornographic or unlawful; (d) contain any viruses, worms or other malicious computer programming codes intended to damage Baseten’s system or data; and (e) otherwise violate the rights of a third party. Baseten is not obligated to back up any Customer Content; the Customer is solely responsible for creating backup copies of any Customer Content at Customer’s sole cost and expense. If Customer processes the personal data of any third party in Customer’s use of the Services, Customer is responsible for providing legally adequate privacy notices and obtaining necessary consents for processing, storage, use and transfer of such data, and, without limitation to any other terms of this Agreement, Customer represents and warrants that Customer has provided all necessary privacy notices and obtained all necessary consents in connection with the foregoing. Customer agrees that any use of the Baseten Products & Services contrary to or in violation of the representations and warranties of Customer in this Section 5.2 (Customer Warranty) constitutes unauthorized and improper use of the Baseten Products & Services.
5.3 Customer Responsibility for Data and Security. Customer and its Authorized Users will have access to the Customer Content and will be responsible for all changes to and/or deletions of Customer Content and the security of all passwords and other Access Protocols required in order to access the Baseten Products & Services. Customer will have the ability to export Customer Content out of the Baseten Products & Services and is encouraged to make its own back-ups of the Customer Content. Customer has the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Content and for obtaining and maintaining the required Supported Environment.
6. Professional Services
Where the parties have agreed to Baseten’s provision of Professional Services, the details of such Professional Services will be set out in an Order or a mutually executed statement of work (“SOW”). The Order or SOW, as applicable, will include: (a) a description of the Professional Services; (b) the schedule for the performance of the Professional Services; and (c) the Fees applicable for the performance of the Professional Services. Each Order or SOW, as applicable, will incorporate the terms and conditions of this Agreement. To the extent that a conflict arises between the terms and conditions of an Order or SOW and the terms of this Agreement, the terms and conditions of this Agreement will govern, except to the extent that the Order or SOW, as applicable, expressly states that it supersedes specific language in the Agreement.
7. Warranties and Disclaimers
7.1 Limited Warranty. Baseten represents and warrants that it will provide the Services and perform its other obligations under this Agreement in a professional and workmanlike manner substantially consistent with general industry standards. Provided that Customer notifies Baseten in writing of the breach within thirty (30) days following performance of the defective Services, specifying the breach in reasonable detail, Baseten will, as Customer’s sole and exclusive remedy, for any breach of the foregoing, re-perform the Services which gave rise to the breach or, at Baseten’s option, refund the fees pre-paid by Customer for the impacted Services not yet received. Baseten further warrants to Customer that the Baseten Products & Services will operate free from Errors during the Term, provided that such warranty will not apply to failures to conform to the Documentation to the extent such failures arise, in whole or in part, from (a) any use of the Baseten Products & Services not in accordance with this Agreement or as specified in the Documentation; (b) any use of the Baseten Products & Services in combination with other products, equipment, software or data not supplied by Baseten; (c) any modification of the Baseten Products & Services by any person other than Baseten or its authorized agents; or (d) any Customer Content. Provided that Customer notifies Baseten in writing of any breach of the foregoing warranty during the Term, Baseten will, as Customer’s sole and exclusive remedy, provide the support described in Section 2.2 (Support Services).
7.2 Disclaimer. THE LIMITED WARRANTY SET FORTH IN SECTION 7.1 (LIMITED WARRANTY) IS MADE FOR THE BENEFIT OF CUSTOMER ONLY. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 7 (WARRANTIES AND DISCLAIMERS), AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES AND DOCUMENTATION ARE PROVIDED “AS IS,” AND BASETEN MAKES NO (AND HEREBY DISCLAIMS ALL) OTHER WARRANTIES, REPRESENTATIONS, OR CONDITIONS, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, COURSE OF DEALING, TRADE USAGE OR PRACTICE, SYSTEM INTEGRATION, DATA ACCURACY, MERCHANTABILITY, TITLE, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE. BASETEN DOES NOT WARRANT THAT ALL ERRORS CAN BE CORRECTED, OR THAT OPERATION OF THE BASETEN PRODUCTS & SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.
8. Limitations of Liability
8.1 Types of Damages. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL BASETEN BE LIABLE TO CUSTOMER FOR ANY INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, COSTS OF DELAY, ANY FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR DOCUMENTATION, OR LIABILITIES TO THIRD PARTIES ARISING FROM ANY SOURCE, EVEN BASETEN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION UPON DAMAGES AND CLAIMS IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE.
8.2 Amount of Damages. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE MAXIMUM LIABILITY OF BASETEN ARISING OUT OF OR IN ANY WAY CONNECTED TO THIS AGREEMENT WILL NOT EXCEED THE FEES PAID BY CUSTOMER TO BASETEN DURING THE TWELVE (12) MONTHS PRECEDING THE ACT, OMISSION OR OCCURRENCE GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL BASETEN’S SUPPLIERS HAVE ANY LIABILITY ARISING OUT OF OR IN ANY WAY CONNECTED TO THIS AGREEMENT.
8.3 Basis of the Bargain. The parties agree that the limitations of liability set forth in this Section 8 (Limitation of Liability) will survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the prices have been set and the Agreement entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.
9. Confidentiality
9.1 Confidential Information. “Confidential Information” means any nonpublic information of a party (the “Disclosing Party”), whether disclosed orally or in written or digital media, that is identified as “confidential” or with a similar legend at the time of such disclosure or that the receiving party (the “Receiving Party”) knows or should have known is the confidential or proprietary information of the Disclosing Party. The Services, Documentation, and all enhancements and improvements thereto will be considered Confidential Information of Baseten.
9.2 Protection of Confidential Information. The Receiving Party agrees that it will not use or disclose to any third party any Confidential Information of the Disclosing Party, except as expressly permitted under this Agreement. The Receiving Party will limit access to the Confidential Information to Authorized Users (with respect to Customer) or to those employees who have a need to know, who have confidentiality obligations no less restrictive than those set forth herein, and who have been informed of the confidential nature of such information (with respect to Baseten). In addition, the Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner that it protects its own proprietary information of a similar nature, but in no event with less than reasonable care. At the Disclosing Party’s request or upon termination or expiration of this Agreement, the Receiving Party will return to the Disclosing Party or destroy (or permanently erase in the case of electronic files) all copies of the Confidential Information that the Receiving Party does not have a continuing right to use under this Agreement, and the Receiving Party will, upon request, certify to the Disclosing Party its compliance with this sentence.
9.3 Exceptions. The confidentiality obligations set forth in Section 9.2 (Protection of Confidential Information) will not apply to any information that (a) is at the time of disclosure or becomes generally available to the public through no fault of the Receiving Party; (b) is lawfully provided to the Receiving Party by a third party free of any confidentiality duties or obligations; (c) was already known to the Receiving Party at the time of disclosure free of any confidentiality duties or obligations; or (d) the Receiving Party can demonstrate, by clear and convincing evidence, was independently developed by employees and contractors of the Receiving Party who had no access to the Confidential Information. In addition, the Receiving Party may disclose Confidential Information to the extent that such disclosure is necessary for the Receiving Party to enforce its rights under this Agreement or is required by law or by the order of a court or similar judicial or administrative body, provided that (to the extent legally permissible) the Receiving Party promptly notifies the Disclosing Party in writing of such required disclosure and cooperates with the Disclosing Party if the Disclosing Party seeks an appropriate protective order.
10. Indemnification
10.1 By Baseten. Baseten will defend at its expense any suit brought against Customer, and will pay any settlement Baseten makes or approves, or any damages finally awarded in such suit, insofar as such suit is based on a claim by any third party alleging that the Baseten Products & Services infringes such third party’s patents, copyrights or trade secret rights under applicable laws of any jurisdiction within the United States of America. If any portion of the Baseten Products & Services becomes, or in Baseten’s opinion is likely to become, the subject of a claim of infringement, Baseten may, at Baseten’s option: (a) procure for Customer the right to continue using the Baseten Products & Services; (b) replace the Baseten Products & Services with non-infringing software or services which do not materially impair the functionality of the Baseten Products & Services; (c) modify the Baseten Products & Services so that it becomes non-infringing; or (d) terminate this Agreement and refund any unused prepaid Fees for the remainder of the term then in effect, and upon such termination, Customer will immediately cease all use of the Baseten Products & Services and Documentation. Notwithstanding the foregoing, Baseten will have no obligation under this section or otherwise with respect to any infringement claim based upon (i) any use of the Baseten Products & Services not in accordance with this Agreement or as specified in the Documentation; (ii) any use of the Baseten Products & Services in combination with other products, equipment, software or data not supplied by Baseten; (iii) any modification of the Baseten Products & Services by any person other than Baseten or its authorized agents; or (iv) any Customer Content (collectively, the “Exclusions” and each, an “Exclusion”). This section states the sole and exclusive remedy of Customer and the entire liability of Baseten, or any of the officers, directors, employees, shareholders, contractors or representatives of the foregoing, for infringement claims and actions.
10.2 By Customer. Customer will defend at its expense any suit brought against Baseten, and will pay any settlement Customer makes or approves, or any damages finally awarded in such suit, insofar as such suit is based on a claim arising out of or relating to (a) an Exclusion, (b) the Customer Marks, or (c) Customer’s breach or alleged breach of Sections 5.2 (Customer Warranty).
10.3 Procedure. The indemnifying party’s obligations as set forth above are expressly conditioned upon each of the foregoing: (a) the indemnified party will promptly notify the indemnifying party in writing of any threatened or actual claim or suit; (b) the indemnifying party will have sole control of the defense or settlement of any claim or suit; and (c) the indemnified party will cooperate with the indemnifying party to facilitate the settlement or defense of any claim or suit.
11. Term and Termination
11.1 Term. This Agreement will begin on the Effective Date and continue in full force and effect as long as any Order remains in effect, unless earlier terminated in accordance with the Agreement (the “Term”). Unless otherwise stated in the applicable Order, (a) the term of an Order will begin on the Effective Date and continue in full force and effect for one (1) year, unless earlier terminated in accordance with the Agreement; and (b) the Order will automatically renew for additional terms of one (1) year unless either party gives written notice of non-renewal to the other party at least sixty (60) days prior to the expiration of the then-current term.
11.2 Termination for Breach. Either party may terminate this Agreement immediately upon notice to the other party if the other party materially breaches this Agreement, and such breach remains uncured more than thirty (30) days after receipt of written notice of such breach.
11.3 Effect of Termination. Upon termination or expiration of this Agreement for any reason: (a) all licenses granted hereunder will immediately terminate and, to the extent Customer is the Hosting Party, for the avoidance of doubt Customer shall cease hosting such Baseten Products & Services under this Agreement; (b) promptly after the effective date of termination or expiration, each party will comply with the obligations to return all Confidential Information of the other party, as set forth in Section 9 (Confidentiality); and (c) any amounts owed to Baseten under this Agreement will become immediately due and payable. Sections 1 (Definitions), 3.2 (Restrictions), 3.3 (Ownership), 3.4 (Open Source Software), 3.5 (Feedback), 4 (Fees and Expenses; Payments), 5.2 (Customer Warranty), 7.2 (Disclaimer), 8 (Limitation of Liability), 9 (Confidentiality), 10 (Indemnification), 11.3 (Effect of Termination), and 12 (Miscellaneous) will survive expiration or termination of this Agreement for any reason.
11.4 Data Extraction. For twenty (20) days after the end of the Term, as applicable, Baseten will make Customer Content available to Customer through the Baseten Products & Services on a limited basis solely for purposes of Customer retrieving Customer Content, unless Baseten is instructed by Customer to delete such data before that period expires. After such period, Baseten will discontinue all use of Customer Content and destroy all copies of Customer Content in its possession.
12. Miscellaneous
12.1 Governing Law and Venue. This Agreement and any action related thereto will be governed and interpreted by and under the laws of the State of Delaware, without giving effect to any conflicts of laws principles that require the application of the law of a different jurisdiction. Customer hereby expressly consents to the personal jurisdiction and venue in the state and federal courts for New Castle County, Delaware for any lawsuit filed there against Customer by Baseten arising from or related to this Agreement. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.
12.2 Export. Customer agrees not to export, reexport, or transfer, directly or indirectly, any U.S. technical data acquired from Baseten, or any products utilizing such data, in violation of the United States export laws or regulations.
12.3 Severability. If any provision of this Agreement is, for any reason, held to be invalid or unenforceable, the other provisions of this Agreement will remain enforceable and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.
12.4 Waiver. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
12.5 No Assignment. Neither party will assign, subcontract, delegate, or otherwise transfer this Agreement, or its rights and obligations herein, without obtaining the prior written consent of the other party, and any attempted assignment, subcontract, delegation, or transfer in violation of the foregoing will be null and void; provided, however, that either party may assign this Agreement in connection with a merger, acquisition, reorganization or sale of all or substantially all of its assets, or other operation of law, without any consent of the other party. The terms of this Agreement will be binding upon the parties and their respective successors and permitted assigns.
12.6 Compliance with Law. Customer will always comply with all international and domestic laws, ordinances, regulations, and statutes that are applicable to its license and use of the Services and Documentation.
12.7 Force Majeure. Any delay in the performance of any duties or obligations of either party (except the payment of Fees owed) will not be considered a breach of this Agreement if such delay is caused by a labor dispute, shortage of materials, fire, earthquake, flood, or any other event beyond the control of such party, provided that such party uses reasonable efforts, under the circumstances, to notify the other party of the cause of such delay and to resume performance as soon as possible.
12.8 Independent Contractors. Customer’s relationship to Baseten is that of an independent contractor, and neither party is an agent or partner of the other. Customer will not have, and will not represent to any third party that it has, any authority to act on behalf of Baseten.
12.9 Notices. All notices required or permitted under this agreement must be delivered in writing, if to Baseten, by emailing vendors@baseten.co or mailing notice to 201 Spear Street Suite 1600 San Francisco, CA 94105 and if to Customer by emailing the Customer at the email address then-associated with the Customer’s account. Each party may change its email address and/or address for receipt of notice by giving notice of such change to the other party.
12.10 Counterparts. This Agreement may be executed in one or more counterparts, each of which will be deemed an original and all of which will be taken together and deemed to be one instrument.
12.11 Entire Agreement. This Agreement is the final, complete and exclusive agreement of the parties with respect to the subject matters hereof and supersedes and merges all prior discussions between the parties with respect to such subject matters. No modification of or amendment to this Agreement, or any waiver of any rights under this Agreement, will be effective unless in writing and signed by an authorized signatory of Customer and Baseten.
Annex I - Security Measures
Organizational management and staff responsible for the development, implementation and maintenance of Baseten’s information security program.
Audit and risk assessment procedures designed for the purposes of periodic review and assessment of risks to Baseten.
Data security controls which may include, as appropriate to the relevant data, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for personal data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.
System audit or event logging and related monitoring procedures designed to proactively record user access and system activity.
Operational procedures and controls designed to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Baseten’s possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor material changes to Baseten’s technology and information assets.
Incident management procedures designed to allow Baseten to investigate, respond to, mitigate and notify of events related to the Baseten’s technology and information assets.
Network security controls that designed to provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Annex II - Baseten Labs Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) Baseten Labs, Inc., a U.S. corporation with its principal business address at 201 Spear Street, Suite 1600, San Francisco, CA 94105 (“Baseten”); and (2) the entity or other person (“Customer”) who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part, together the “Parties” and each a “Party”.
INTERPRETATION
In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
“Addendum Effective Date” means the effective date of the Agreement.
“Agreement” means the Customer Agreement under which Baseten has agreed to provide services to Customer entered into by and between the Parties.
“Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of the relevant Customer Personal Data under the Agreement, including, without limitation, GDPR and the CCPA (as and where applicable).
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any binding regulations promulgated thereunder.
“Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the CCPA.
“Customer Personal Data” means any Personal Data comprised within Customer Content and Processed by Baseten or its Sub- Processors on behalf of Customer to perform the Services under the Agreement.
“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
“Personal Data Breach” means a breach of Baseten’s security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Baseten’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
“Personnel” means a person’s employees, agents, consultants or contractors.
“Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity that Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.
“Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
“Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by Baseten from and/or about users of the Services and/or Customer’s use of the Service for use for its own purposes (certain of which may constitute Personal Data).
“Services” means those services and activities to be supplied to or carried out by or on behalf of Baseten for Customer pursuant to the Agreement.
“Sub-Processor” means any third party appointed by or on behalf of Baseten to Process Customer Personal Data.
“Supervisory Authority” means any entity with the authority to enforce Applicable Data Protection Laws, including, (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
SCOPE OF THIS DATA PROCESSING ADDENDUM
The DPA applies only applies to Baseten’s Processing of Customer Personal Data under the Agreement to the extent such Customer Personal Data is subject to Applicable Data Protection Laws.
Annex 2 (European Annex) to this DPA applies only if and to the extent Baseten’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
Annex 3 (California Annex) to this DPA applies only if and to the extent Baseten’s Processing of Customer Personal Data under the Agreement is subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA).
PROCESSING OF CUSTOMER PERSONAL DATA
Baseten shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws.
Customer instructs Baseten to Process Customer Personal Data as necessary to provide the Services to Customer under and in accordance with the Agreement.
The Parties acknowledge and agree that the details of Baseten’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
BASETEN PERSONNEL
Baseten shall take commercially reasonable steps to ascertain the reliability of any Baseten Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Baseten Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
SECURITY
Baseten shall implement and maintain technical and organizational measures in relation to Customer Personal Data described in Annex 4 (Security Measures) (the “Security Measures”), which are designed to protect Customer Personal Data against a Personal Data Breach.
Baseten may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
SUB-PROCESSING
Customer generally authorizes Baseten to appoint Sub-Processors in accordance with this Section 6.
Baseten may continue to use those Sub-Processors already engaged by Baseten as at the date of this DPA (as those Sub-Processors are shown, together with their respective functions and locations, in the SubProcessor list shown in Annex 5 (the “Sub-Processor List”).
Baseten shall give Customer prior notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by updating the effective date of the Sub-Processor List. If, within ten (10) days of the date of update, Customer notifies Baseten in writing of any objections (on reasonable grounds) to the proposed appointment:
Baseten shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and
where: (i) such a change cannot be made within thirty (30) days from Baseten’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the Services which require the use of the proposed Sub-Processor, as its sole and exclusive remedy.
If Customer does not object to Baseten’s appointment of a Sub-Processor during the objection period referred to in Section 6.3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
With respect to each Sub-Processor, Baseten shall maintain a written contract between Baseten and the Sub-Processor that includes terms which offer at least a level of protection for Customer Personal Data substantially similar to those set out in this DPA (including the Security Measures). Baseten shall remain liable for any breach of this DPA caused by a Sub-Processor to the same extent as Baseten would have been had it performed the Processing itself.
DATA SUBJECT RIGHTS
Baseten, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests, to the extent required by Applicable Data Protection Laws. If Baseten receives a Data Subject Request, Customer will be responsible for responding to any such request.
If required by Applicable Data Protection Laws, Baseten shall:
promptly notify Customer if it receives a Data Subject Request; and
not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.
Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Baseten (at Baseten’s then-current professional services rates) for Baseten’s cooperation and assistance provided to Customer under this Section 7, and shall on demand reimburse Baseten any such costs incurred.
PERSONAL DATA BREACH
Baseten shall notify Customer without undue delay upon Baseten’s discovering a Personal Data Breach affecting Customer Personal Data. Baseten shall provide Customer with information (insofar as such information is within Baseten’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Baseten) to assist Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Baseten’s notification of or response to a Personal Data Breach shall not be construed as Baseten’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
Baseten shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.
Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Baseten, where permitted by applicable laws, Customer agrees to:
notify Baseten in advance; and
in good faith, consult with Baseten and consider any clarifications or corrections Baseten may reasonably recommend or request to any such notification, which: (i) relate to Baseten’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
RETURN AND DELETION
Subject to Sections 9.2 and 9.3, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Baseten shall promptly cease all Processing of Customer Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.
Subject to Section 9.4, to the extent technically possible in the circumstances (as determined in Baseten’s sole discretion), on written request to Baseten (to be made no later than fourteen (14) days after the Cessation Date (“Post-cessation Storage Period”)), Baseten shall within thirty (30) days of such request:
return a complete copy of all Customer Personal Data within Baseten’s possession to Customer by secure file transfer, promptly following which Baseten shall delete or anonymize all other copies of such Customer Personal Data; or
either (at its option) delete or anonymize all Customer Personal Data within Baseten’s possession.
In the event that during the Post-cessation Storage Period, Customer does not instruct Baseten in writing to either delete or return Customer Personal Data pursuant to Section 9.2, Baseten shall promptly after the expiry of the Post-cessation Storage Period either (at its option) delete; or render anonymous, all Customer Personal Data then within Baseten’s possession to the fullest extent technically possible in the circumstances.
Baseten may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that Baseten shall:
maintain the confidentiality of all such Customer Personal Data; and
Process the Customer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
AUDIT RIGHTS
Baseten shall make available to Customer on request, such information as Baseten (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with Applicable Data Protection Laws.
Subject to Sections 10.3 to 10.8, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Baseten pursuant to Section 10.1 is not sufficient in the circumstances to demonstrate Baseten’s compliance with this DPA, Baseten shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Baseten.
Customer shall give Baseten reasonable notice of any audit or inspection to be conducted under Section 10.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Baseten’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Baseten’s other customers or the availability of Baseten’s services to such other customers).
Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Baseten will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Baseten’s security, privacy, employment or other relevant policies). Baseten will work cooperatively with Customer to agree on a final audit plan.
If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Baseten has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.
Baseten need not give access to its premises for the purposes of such an audit or inspection:
where an Audit Report is accepted in lieu of such controls or measures in accordance with Section 10.6;
to any individual unless they produce reasonable evidence of their identity;
to any auditor whom Baseten has not approved in advance (acting reasonably);
to any individual who has not entered into a non-disclosure agreement with Baseten on terms acceptable to Baseten;
outside normal business hours at those premises; or
on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer is required to carry out under Applicable Data Protection Laws or by a Supervisory Authority.
Nothing in this DPA shall require Baseten to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers.
Nothing in this Section 10 shall be construed to obligate Baseten to breach any duty of confidentiality.
Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Baseten (at Baseten’s then-current professional services rates) in Baseten’s provision of any cooperation and assistance provided to Customer under this Section 10 (excluding any costs incurred in the procurement, preparation or delivery of Audit Reports to Customer), and shall on demand reimburse Baseten any such costs incurred.
CUSTOMER’S RESPONSIBILITIES
Customer agrees that, without limiting Baseten’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Baseten uses to provide the Services; and (d) backing up Customer Personal Data.
Customer shall ensure:
that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Baseten of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Baseten of Customer Personal Data.
Customer agrees that the Service, the Security Measures, and Baseten’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
Unless otherwise agreed upon with Baseten in writing, Customer shall not provide or otherwise make available to Baseten any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of personal data (as defined in GDPR) and/or data relating to criminal convictions and offenses or related security measures (together, “Restricted Data”).
LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
SERVICE DATA
Customer acknowledges that Baseten may collect, use and disclose Service Data for its own business purposes, such as:
for accounting, tax, billing, audit, and compliance purposes;
to provide, improve, develop, optimize and maintain the Services;
to investigate fraud, spam, wrongful or unlawful use of the Services; and/or
as otherwise permitted or required by applicable law.
In respect of any such Processing described in Section 13.1, Baseten:
independently determines the purposes and means of such Processing;
shall comply with Applicable Data Protection Laws (if and as applicable in the context);
shall Process such Service Data as described in Baseten’s relevant privacy notices/policies, as updated from time to time; and
where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
For the avoidance of doubt, this DPA shall not apply to Baseten’s collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.
CHANGE IN LAWS
Baseten may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraph 3.3 of Annex 2 (European Annex).
INCORPORATION AND PRECEDENCE
This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.
In the event of any conflict or inconsistency between:
this DPA and the Agreement, this DPA shall prevail; or
any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1 - Data Processing Details
BASETEN / ‘DATA IMPORTER’ DETAILS
Name:
Baseten Labs, Inc., a U.S. corporation
Address:
As set out in the pre-amble to the DPA
Contact Details for Data Protection:
Role: Amir Haghighat, CTO
Email: data-protection@baseten.co
Baseten Activities:
Baseten builds products for engineering and machine learning teams to easily deploy and scale machine learning models in production.
Role:
Processor
CUSTOMER / ‘DATA EXPORTER’ DETAILS
Name:
The entity or other person who is a counterparty to the Agreement
Address:
Customer’s address is the address shown in the Agreement entered into by and between the Customer and Baseten; or if the Agreement does not include the address, the Customer’s principal business trading address unless otherwise notified to data-protection@baseten.co.
Contact Details for Data Protection:
Customer’s contact details are:
the contact details shown in the Agreement; or
Customer’s contact details shown in the Agreement entered into by and between the Customer and Baseten; or if the Agreement does not include the contact details, the Customer’s general business contact details unless otherwise notified to data-protection@baseten.co.
Customer Activities:
Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role:
Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and
Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates if and where applicable).
Categories of Data Subjects:
Relevant Data Subjects include any Data Subjects Customer causes Baseten to process as part of the provisions of the Service, including:
End-users and other users of Customer’s products and services, including employees or contractors of Customer.
Where any of the above is a business or organization, it includes their staff, namely, employees and non-employee workers; students, interns, apprentices and volunteers; directors and officers; advisers, consultants, independent contractors, agents and autonomous, temporary or casual workers, together with applicants and candidates for any one or more of the foregoing roles or positions (collectively, “Staff”).
Each category includes current, past and prospective Data Subjects.
Categories of Personal Data:
Relevant Personal Data includes any Categories of Customer Personal Data Customer causes Baseten to process as part of the provisions of the Service, including:
Personal details – for example any information that identifies the Data Subject, including name, and contact information.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data:
None – as noted in Section 11.4 of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services.
Additional safeguards for sensitive data:
N/A
Frequency of transfer:
Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing:
Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing:
Customer Personal Data will be processed:
(i) as necessary to provide the Services as initiated by Customer in its use thereof, and
(ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period:
For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
Transfers to (sub)processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.
Annex 2 - European Annex
1. PROCESSING OF CUSTOMER PERSONAL DATA
Where Baseten receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Baseten shall inform Customer.
Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Baseten pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Baseten, taking into account the nature of the Processing and the information available to Baseten, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Baseten.
Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Baseten (at Baseten’s then-current professional services rates) in Baseten’s provision of any cooperation and assistance provided to Customer under Paragraph 2.1, and shall on demand reimburse Baseten any such costs incurred by Baseten.
RESTRICTED TRANSFERS
EU Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves an EU Restricted Transfer from Customer to Baseten, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Baseten, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
Baseten may on notice vary this DPA and replace the relevant SCCs with:
any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
another transfer mechanism, other than the SCCs, that enables the lawful transfer of Customer Personal Data to Baseten under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Baseten shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
Operational clarifications
When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Baseten’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Baseten to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/ or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
The terms and conditions of Section 6 of the DPA apply in relation to Baseten’s appointment and use of Sub-Processors under the SCCs. Any approval by Customer of Baseten’s appointment of a Sub- Processor that is given expressly or deemed given pursuant to that Section 6 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs.
The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 10 of the DPA.
Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer’s written request.
Attachment 1
To Annex 2 (European Annex)
POPULATION OF SCCs
Note
In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA).
In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA).
PART 1: POPULATION OF THE SCCs
1. SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):
Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
POPULATION OF THE BODY OF THE SCCs
For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
In Clause 9:
OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 6.3 of the DPA; and
OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
In Clause 11, the optional language is not used and is deleted.
In Clause 13, all square brackets are removed and all text therein is retained.
In Clause 17:
OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and
OPTION 2 is not used and that optional language is deleted.
For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.
POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:
Customer being ‘data exporter’; and
Baseten being ‘data importer’.
Part C of Annex I to the Appendix to the SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Baseten’s contact point for data protection identified in Attachment 1 to Annex 2 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
Annex II to the Appendix to the SCCs is populated as below:
General:
Please refer to Section 5 of the DPA and Annex 4 (Security Measures) to the DPA.
In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Baseten, Customer should email Baseten’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
Sub-Processors: When Baseten engages a Sub-Processor under these Clauses, Baseten shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
applicable information security measures;
notification of Personal Data Breaches to Baseten;
return or deletion of Customer Personal Data as and where required; and engagement of further Sub-Processors.
PART 2: UK RESTRICTED TRANSFERS
1. UK TRANSFER ADDENDUM
Where relevant in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
Annex 3 - California Annex
1. Definitions. In this Annex, the terms “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” shall have the respective meanings given thereto in the CCPA. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.
Baseten’s Obligations.
The business purposes and services for which Baseten is Processing personal information are for Baseten to provide the services to and on behalf of Customer as set forth in the Agreement.
It is the Parties’ intent that with respect to any personal information, Baseten is a service provider. Baseten (a) acknowledges that personal information is disclosed by Customer only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 10 (Audit Rights) of this DPA to help ensure that Baseten’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Baseten that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
Baseten shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Baseten and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Baseten’s own interaction with any consumer to whom such personal information pertains.
Annex 4 - Security Measures
As from the Addendum Effective Date, Baseten will implement and maintain the Security Measures as set out in this Annex 4.
Data security controls which may include segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available encryption for Customer Personal Data.
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Password controls.
System audit or event logging.
Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems, including secure disposal of systems and media designed to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Baseten’s possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Baseten’s technology and information assets.
Incident management procedures designed to allow Baseten to investigate, respond to, mitigate, and notify of events related to Baseten’s technology and information assets.
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Baseten may update or modify these Security Measures from time to time provided that such updates and modifications do not decrease the overall security of Customer Personal Data.