global
Variables
Utilities
COMPONENTS
CUSTOM STYLES

Datagrid Master Service Agreement

Last updated:

March 4th, 2026

Datagrid Master Service Agreement

Effective Date: March 4, 2026

This Datagrid Master Service Agreement, including any Order Forms and SOWs, (“Agreement”) governs Customer’s use of Datagrid Service. This Agreement is between Datagrid and Customer, who may also be referred to herein individually as “Party” or together as the “Parties.” Capitalized terms used but not otherwise defined herein have the respective meanings designated in Section 12. The Parties hereby agree as follows:

1. PROVISION OF SERVICES

1.1.  Access to Subscription Services

Subject to Customer’s compliance with this Agreement, Datagrid shall make the Subscription Services available to Customer during the Subscription Term for Customer’s internal business use (including, for example, to coordinate vendors on Customer’s projects) in accordance with the applicable Order Form.

1.2.  Evolving Datagrid Technology

Subject to Section 8.2(b), Datagrid may issue Updates for the Services during the Subscription Term. Customer agrees, however, that its purchase and use of the Subscription Services are not contingent on any future functionality or features, or dependent on any oral or written statements made by Datagrid or any of its Affiliates regarding future functionality or features.

1.3.  Security and Data Privacy.

Datagrid shall maintain the administrative, technical, and physical safeguards set out in Appendix B of the Data Processing Addendum (“DPA”). Where Customer’s use of the Subscription Services includes the processing of Customer Personal Data, such use will be governed by the DPA. Customer shall only provide to Datagrid the minimum amount of personal data necessary to enable Customer to use the Datagrid Services in accordance with this Agreement.

1.4.  Beta Services

Customer may elect, at its option, to participate in any Beta Service. Customer’s use of any Beta Service is subject to additional restrictions Datagrid specifies. If Customer participates in a Beta Service, it agrees to test and provide ongoing feedback about the Beta Service. Beta Services are solely for Customer’s evaluation purposes and are subject to the use restrictions in Section 4.1. Unless otherwise stated, Customer’s use of any Beta Service will end on the earlier of the date of such Beta Service’s commercial release or the date Datagrid discontinues the Beta Service. Datagrid may change or discontinue Beta Services at any time without notice or liability. Datagrid may choose not to make Beta Services generally available. Beta Services are not “Services” and are provided “as is.” Any warranties or contractual commitments Datagrid makes for other Services do not apply to Beta Services. Datagrid and its Affiliates will have no liability or obligation for any damage or harm arising from or in connection with any Beta Service.

2. TERM; RENEWAL; TERMINATION

2.1 Term of Agreement

This Agreement is effective as of the Effective Date and will continue until the services described in the Order Form and any SOW(s) have been completed, expired, or terminated.

2.2 Term and Renewal of Order Forms

The Subscription Term described in each Order Form will commence on the Order Form’s effective date and continue for the “Initial Term” as specified therein. Upon expiration of the Initial Term, the Agreement will automatically renew for additional one (1) year periods (“Renewal Term”) unless either Party provides written notice of non-renewal at least ninety (90) days prior to the end of the Initial Term or any Renewal Term. Rates for Subscription Fees during Renewal Terms will not increase by more than the Consumer Price Index (All Urban Index, latest year available) plus five percent (5%), unless otherwise agreed in writing.

2.3 Termination

Either Party may terminate this Agreement or any Order Form or SOW upon notice if the other Party is in material breach of this Agreement, where such material breach is not cured (to the extent capable of being cured) within thirty (30) days after receiving notice of breach from the non-breaching Party, or with immediate effect where such material breach cannot be cured. For the avoidance of doubt and without limiting Datagrid’s rights, Customer’s noncompliance with Section 3.1, Section 3.2, or Section 4.1 will be deemed a material breach of this Agreement. Either Party may terminate this Agreement with immediate effect if the other Party becomes the subject of a petition in bankruptcy or other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors, and such petition or proceeding is not dismissed within forty-five (45) days.

2.4 Effect of Termination

Upon the termination of this Agreement for any reason (a) unless otherwise agreed by the Parties in writing, all outstanding Order Forms, SOWs, and access to the Subscription Services will automatically terminate; (b) Customer and its Authorized Users shall immediately cease access and use of the Subscription Services, and (c) all Customer’s outstanding payment obligations will become due and payable immediately. Following termination, Datagrid will have no obligation to maintain or provide any Customer Data, and thereafter may delete or destroy all copies of Customer Data. If Datagrid is required to retain a copy of Customer Data for legal purposes, such copy will remain subject to the confidentiality provisions of this Agreement.

2.5. Suspension

In the event of Customer’s or an Authorized User’s breach of this Agreement, including without limitation for Non-Payment Suspension or violation of the restrictions in Section 4.1, Datagrid may, in its reasonable discretion, suspend Customer’s or an Authorized User’s access to or use of the Subscription Services. Notwithstanding the foregoing, unless the circumstances dictate otherwise, Datagrid shall reasonably notify Customer and the Authorized User via email before taking the foregoing actions, and shall restore access once the breach has been remedied.

2.6 Surviving Provisions

The Sections titled “Term; Renewal; Termination” (Section 2), “Fees; Payment Terms” (Section 3), “Restrictions; Customer’s Responsibilities; Proprietary Rights; Affiliates” (Section 4), “Confidentiality” (Section 7), “Representations; Warranties; Exclusive Remedies; Disclaimers” (Section 8), “Limitation of Liability” (Section 9), “Indemnification” (Section 10), and “General Provisions” (Section 11) will survive any termination of this Agreement.

2.7 Plan Upgrade

Customer may request to upgrade its service plan during the term of this Agreement by providing written notice to Datagrid. If such a request is made, Customer shall pay the difference between the fees for the current service plan and those for the upgraded plan. Customer will be invoiced for the upgrade, with payment due in accordance with Section 3. Datagrid reserves the right to deny any upgrade request that does not align with the fee schedule attached to the Order Form. In the event of any dispute regarding upgrade fees, the Parties agree to attempt to resolve the matter amicably before resorting to formal dispute resolution. Upon mutual agreement, this Agreement will be deemed amended to reflect any approved upgrade.

3. FEES; PAYMENT TERMS

3.1 Payment

Customer shall pay for the Service at the Subscription Fees as set forth in the Order Form (“Fees”). Any discounts provided during the initial term do not carry over to renewal terms. All Fees are non-cancelable and non-refundable. Datagrid’s Fees are exclusive of all taxes, levies, or duties imposed by taxing authorities; Customer is responsible for all such taxes (excluding U.S. taxes based on Datagrid’s income). All charges will be paid in U.S. Dollars using the accepted methods of credit card or Automated Clearing House (ACH) transfer. Datagrid will invoice Customer at the time of the initial Order Form and, for annual subscriptions, approximately one month in advance of any renewal or subsequent billing period. All invoiced amounts are due and payable within thirty (30) days of the invoice date.

3.2 Overages

All overages will be due and payable within thirty (30) days following the end of the Subscription Term or as otherwise specifically agreed in the applicable Order Form.

3.3 Non-Payment Suspension

Customer may dispute in good faith the amount on an invoice in writing before the due date of such invoice, and shall work diligently with Datagrid to promptly resolve the dispute. If Customer fails to pay any undisputed portion of a past due invoice within ten (10) calendar days after receiving notice that its account is overdue, Datagrid may, without limiting its other rights and remedies, suspend the Services until such amounts are paid in full (“Non-Payment Suspension”). Datagrid is not obligated to continue to provide Services without payment of applicable Fees.

3.4 Datagrid’s Discretion in Service Continuation

Datagrid may, at its sole discretion, continue to provide the Service during periods of non-payment without waiving its right to suspend or terminate access in the future. If the Service continues during non-payment, Customer remains liable for all outstanding and future Fees. If the Service is suspended and later restored upon payment, Customer is not entitled to any extension of the Subscription Term or compensation for the period of suspension. If the Agreement is terminated due to non-payment, Datagrid may delete Customer data after a thirty (30)      day grace period, unless otherwise required by law.

3.5 Purchases Through a Reseller

If Customer purchases Services through a Reseller, the pricing and payment terms for such Services are between Customer and Reseller (“Reseller Terms”). Customer acknowledges that (a) all payments for Services procured via a Reseller will be made directly to the Reseller and in accordance with the Reseller Terms; and (b) if a Reseller notifies Datagrid of its right to terminate or suspend any Services, Datagrid may terminate or suspend such Services. Datagrid will not be liable to Customer or any third party for any liabilities, claims, or expenses arising from or relating to any applicable Reseller Terms, or Customer’s relationship with any Reseller

4. RESTRICTIONS; CUSTOMER’S RESPONSIBILITIES; PROPRIETARY RIGHTS; AFFILIATES

4.1 Restrictions

Customer shall not and shall not permit others to (a) make any Services available to any third party other than Customer or Authorized Users; (b) sell, resell, license, sublicense, distribute, rent, or lease any Services, or include any Services in a service bureau or outsourcing offering; (c) use the Services to store or transmit infringing, tortious, libelous, or otherwise unlawful material that violates the rights of any third party, or Harmful Code; (d) use the Services in a way that seeks to interfere with or disrupt the integrity or performance of the Services or any third-party data contained therein; (e) use the Services to exploit any Datagrid Intellectual Property Rights except as otherwise expressly permitted under this Agreement, an Order Form, or the Documentation; (f) frame or mirror any part of the Services, except as permitted by and in accordance with the Documentation; (g) access the Services in order to develop a competitive product or service, to benchmark with a non-Datagrid product or service, or to otherwise exploit for competitive purposes; (h) reverse engineer, copy, or modify any software included as part of the Services; (i) use the Services to store or transmit harmful, abusive, threatening, obscene, defamatory, bigoted, or otherwise objectionable material; (j) use the Services to send unsolicited communications, promotions, or advertisements in violation of any applicable anti-spam or e-privacy law, rule, or regulation; or (k) use any automated device or process, such as a robot, spider, datamining, web-scraping, or other means to circumvent, access, use, or integrate with the Services or its contents, including but not limited to other user account information.

4.2 Customer’s Responsibilities

Only Authorized Users are permitted to access and use the Services. Customer shall be solely responsible for (a) Authorized Users’ compliance with this Agreement, any Order(s) issued hereunder, and any activities that occur as a result of Authorized Users’ access to the Services; (b) the accuracy and quality of Customer Data, the means by which Customer acquired Customer Data, and obtaining appropriate usage rights with respect to Customer Data; (c) maintaining the confidentiality of Customer usernames, passwords, and other account information or access credentials (as applicable); and (d) ensuring Authorized Users use the Services only in accordance with the Documentation. Customer shall follow all requirements under applicable law, which may include providing notice and disclosures to Authorized Users and/or Data Subjects that Customer Personal Data (as defined in the DPA) is subject to Customer’s own privacy policy and other terms regarding the use or handling of Customer Personal Data as required by applicable Data Protection Law. Customer acknowledges that Datagrid does not assess the type or substance of Customer Data to identify whether it is Customer Personal Data and/or subject to any specific legal requirements. Customer shall notify Datagrid promptly upon learning of any unauthorized use of or access to the Services. 

4.3 Proprietary Rights

(a) Customer Data. As between the Parties, Customer Data and Customer’s Confidential Information are and will remain owned exclusively by Customer. Customer hereby grants Datagrid, its Affiliates, and its subprocessors a worldwide right and license to process and use Customer Data for the purposes of: (i) providing, maintaining, securing, analyzing, and updating the Services; (ii) collecting and compiling data, insights, and information in an aggregated and/or de-identified manner that does not identify Customer, Customer Confidential Information, Authorized Users, or any individual (“Aggregated Data”); and (iii) complying with legal or regulatory obligations, enforcements, investigations, or similar proceedings. Customer acknowledges that Datagrid or its Affiliates may review Customer’s use of the Subscription Services for the purpose of providing Services and verifying Customer’s compliance with this Agreement. Datagrid’s use of Customer Data will comply with Section 1.3 (Security and Data Privacy) and Section 7.2 (Protection of Confidential Information).

(b) Ownership; Reservation of Rights. As between the Parties, all Intellectual Property Rights, including Intellectual Property Rights in the Services, Updates, Beta Services, Documentation, Aggregated Data, and Datagrid’s Confidential Information, are and will remain owned exclusively by Datagrid and its Affiliates, as applicable. Datagrid may freely use and incorporate into Datagrid’s products and services any suggestions, enhancement requests, recommendations, corrections, or other feedback provided by Customer or by any Authorized Users relating to Datagrid’s products or services. Feedback and any other suggestions are provided by Customer exclusively “as is,” in Customer’s sole discretion, and will not be used in Datagrid in any way that identifies Customer or Authorized Users. Unless otherwise specified in an applicable SOW, all deliverables (excluding any Customer Data contained within a given deliverable), provided in the performance of Professional Services are owned by Datagrid and will be made available as part of the Subscription Services provided under this Agreement. Nothing in this Agreement will preclude or limit Datagrid from using or exploiting any concepts, ideas, techniques, or know-how of or related to the Services. Other than as expressly set forth in this Agreement, no license or other rights in or to the Services or other Datagrid Intellectual Property Rights are granted to Customer, and all such rights are expressly reserved to Datagrid and its Affiliates.

4.4 Affiliates

Customer may designate its Affiliates as Authorized Users. Additionally, Customer’s Affiliates may purchase Services by entering into a separate Order Form with Datagrid or Datagrid’s applicable Affiliate, in which case “Customer” as is defined herein will mean that Affiliate. Each Affiliate’s Order Form(s) are separate and distinct from Customer’s and its other Affiliates’ respective Order Forms, unless otherwise set forth on an applicable Order Form.

5. DATAGRID CONSUMPTION UNITS

5.1 Purchase and Utilization

Customer may purchase DGUs in pre-defined bundles, with specific terms and pricing outlined in a separate Order Form executed by both Parties. DGUs may be redeemed for the services described in the Datagrid Consumption Unit Table available at https://www.datagrid.com/credit-usage (“Datagrid Consumption Unit Table”), which includes the specific DGU cost for each service provided that is subject to the Datagrid Consumption Unit Table.

5.2 Reporting and Transparency

Datagrid will provide Customer with a consumption meter in the main dashboard of the Customer account, displaying overall DGU usage and a summary of services utilized. While the meter does not provide line-by-line transaction details, it offers sufficient granularity for Customer to understand its consumption.

5.3 Flexibility and Changes in DGU Pricing

Datagrid may update its Datagrid Consumption Unit Table periodically. Updates will be reflected on the Datagrid Consumption Unit Table’s “Effective Date,” and for material updates that increase the cost of items in the Datagrid Consumption Unit Tables by more than the Consumer Price Index plus 5% over a 12-month period, Datagrid will provide at least sixty (60) days’ written notice via email or through the Datagrid Service dashboard. Customers with an active subscription may purchase additional DGUs at the existing pricing in their Order Form until the end of their current Subscription Term. Upon renewal, updated pricing will apply. Any updates to pricing will take effect on Customer’s next billing cycle following the notice period, and Customer’s continued use of the Service constitutes acceptance of the new terms.

5.4 No Obligation for Line-by-Line Detailing

Datagrid is not obligated to provide line-by-line details of DGU consumption. The provided consumption meter balances transparency with administrative efficiency.

6. PUBLICITY

Customer agrees to participate in a press release following execution of this Agreement and upon successful implementation, naming Customer as a Datagrid customer. Customer further agrees to allow its name to be used in sales materials and user literature referencing Datagrid’s customers, and to permit the use of its name, without implying endorsement, in listings of Datagrid’s customers. Upon Datagrid’s reasonable request, Customer will make efforts to serve as a reference account and participate in case studies or other promotional activities.

7. CONFIDENTIALITY

7.1 Definition of Confidential Information

Confidential Information” means all information or data disclosed by a Party or any of its Affiliates (as applicable, the “Disclosing Party”) to the other Party or any of its Affiliates (as applicable, the “Receiving Party”) that is confidential, proprietary, or otherwise not publicly available, or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure, whether oral or in writing, and disclosed during the Term in connection with the Services. Confidential Information includes (a) with respect to Customer, Customer Data; (b) with respect to Datagrid, the Services, pricing, and the Beta Services, including any discussions or information related to Beta Services; and (c) with respect to a Party, any technical, financial, economic, marketing, strategic, business, product, design, or operational information of such Party, including the terms of this Agreement and all Order Forms and SOWs. Confidential Information does not include any information that the Receiving Party can demonstrate (i) is or becomes generally known to the public without breach of this Agreement or any other agreement by the Receiving Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (iii) is received from a third party without restriction on disclosure and without breach of any obligation owed to the Disclosing Party; or (iv) was independently developed by the Receiving Party without use of or reference to any Confidential Information, as demonstrated by contemporaneous written documentation.

7.2 Protection of Confidential Information

The Receiving Party shall (a) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care); (b) not use any Confidential Information for any purpose outside the scope of this Agreement; and (c) except as otherwise expressly consented to by an authorized representative of the Disclosing Party, limit access to Confidential Information to its legal counsel, accountants, and those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who are under obligations to maintain confidentiality no less restrictive than those herein (“Authorized Recipients”). Each Party shall remain responsible for such Authorized Recipients’ compliance with this “Confidentiality” Section. 

7.3 Compelled Disclosure

 To the extent compelled by law or legal process, the Receiving Party may disclose Confidential Information under the following conditions: (a) the Receiving Party shall give prior notice of the compelled disclosure to the Disclosing Party (to the extent legally permitted); (b) (i) if the Disclosing Party wishes to contest the compelled disclosure, the Receiving Party shall provide reasonable assistance to the Disclosing Party, at the Disclosing Party’s cost, or (ii) if the Disclosing Party does not contest the disclosure, or its attempts to contest the disclosure have failed, and the Receiving Party is compelled to disclose the Disclosing Party’s Confidential Information, then the Receiving Party shall disclose only the minimum information that is required to be disclosed; and (c) any Confidential Information so disclosed shall retain its confidentiality protections for all other purposes. Disclosing Party shall reimburse the Receiving Party for the reasonable costs and expenses related to the production of the Disclosing Party’s Confidential Information.

8. REPRESENTATIONS; WARRANTIES; EXCLUSIVE REMEDIES; DISCLAIMERS

8.1 General Warranty

Each Party represents and warrants that it has the necessary rights to enter into this Agreement and has the legal power to do so.

8.2 Datagrid Limited Warranties

Datagrid warrants that (a) the Subscription Services will perform materially in accordance with the applicable Documentation; (b) Datagrid will not materially reduce the core functionality of the Subscription Services during the current Subscription Term; and (c) Datagrid will perform the Professional Services in a diligent and professional manner. Customer’s exclusive remedy and Datagrid’s entire liability for a breach of the above warranties will be, at Datagrid’s option, (i) the correction of the deficient Service that caused the breach of warranty, or (ii) provision of comparable functionality. If Datagrid, as determined in its reasonable discretion, cannot accomplish (i) or (ii), then Datagrid shall terminate the deficient Service and refund to Customer any prepaid Fees for the terminated Service, prorated to cover the remaining portion of the Subscription Term following notice of the breach of warranty.

8.3 Disclaimers

Except as expressly provided herein, neither Party nor its licensors or subprocessors makes any warranty of any kind, whether express, implied, statutory, or otherwise, and each Party and its licensors and subprocessors specifically disclaim all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose, title, or non-infringement, to the maximum extent permitted by applicable law. Datagrid does not warrant that Services will be error-free or uninterrupted, or will meet Customer’s requirements or expectations.‍

9. LIMITATION OF LIABILITY

9.1 Exclusion of Damages

Except with regard to a Party’s indemnification obligations under Section 10 (“Indemnification”), neither Party nor its respective Affiliates will be liable for any loss of profits, revenues, goodwill, anticipated savings, or use, costs of substitute goods or services, business interruption, or work stoppage, or any indirect, special, incidental, exemplary, punitive, or consequential damages, however caused, and based on any theory of liability, arising out of or relating to this Agreement, whether for breach of contract, breach of warranty, tort (including negligence), product liability, or otherwise, even if such Party is advised of the possibility of such damages. The foregoing disclaimer will not apply to the extent prohibited by applicable law.

9.2 Limitation of Liability

A Party’s and its respective Affiliates’ aggregate cumulative liability for all damages arising out of or related to this Agreement will not exceed the applicable Fees paid or payable to Datagrid in an Order Form or SOW for the applicable Services and attributable to the twelve (12) month period immediately preceding the event giving rise to the liability. The existence of more than one claim will not expand this limit. The liability limitations under this Section 9.2 will not apply to (a) Customer’s obligations to pay Fees due under this Agreement; (b) either Party’s indemnity obligation amounts under Section 10; (c) either Party’s gross negligence, willful misconduct, or fraud; or (d) either Party’s negligence on-site during the performance of Professional Services that results in death or personal injury. Nothing in this Agreement excludes or limits any liability that cannot be excluded or limited under applicable law. 

10. INDEMNIFICATION

10.1 Indemnification by Datagrid

(a) Datagrid shall defend any claim brought against Customer by a third party to the extent such claim alleges that Customer’s use of the Subscription Services (as authorized in this Agreement, and as provided by Datagrid to Customer) (1) infringes any valid and enforceable third-party patent, copyright, or trademark, or (2) misappropriates a third-party trade secret (a “Claim”). If a third party makes a Claim against Customer, Datagrid shall pay all damages (including reasonable attorneys’ fees) finally awarded against Customer by a court of competent jurisdiction, or the settlement agreed to by Datagrid with respect to such Claim. 

(b) If any Claim is brought or threatened, or if Datagrid reasonably believes that the Subscription Services may become the subject of a Claim, Datagrid may, at its sole option and expense (1) procure for Customer the right to continue to use the applicable Subscription Service; (2) modify the Subscription Service to make it non-infringing; (3) replace the affected aspect of the Subscription Service with non-infringing technology having substantially similar capabilities; or (4) if Datagrid determines none of the foregoing is commercially practicable, terminate the affected Subscription Service and refund Customer any prepaid Fees related to the applicable Subscription Services prorated for the remainder of the Subscription Term. 

(c) Datagrid’s defense and indemnity obligations do not apply to, and Datagrid will have no liability with respect to, any Claim arising in whole or part due to (1) any modification of the Subscription Services made by anyone other than Datagrid; (2) any use of the Subscription Services in combination with software, products, or services not provided by Datagrid; (3) Beta Services or Services under an Order Form for which there is no charge (other than discounted Services); (4) Customer’s use of the Subscription Services not in compliance with this Agreement; or (5) Customer’s failure to use any Update provided by Datagrid, to the extent such Update would make the Services non-infringing.

This indemnity states Datagrid’s entire liability, and Customer’s exclusive remedy, for any Claims as described in Section 10.1.

10.2 Indemnification by Customer

Customer shall defend any claim or regulatory action brought against Datagrid by a third party to the extent such claim relates to the Customer Data (if used by Datagrid in accordance with this Agreement) or use of the Services under this Agreement. If a third party makes such a claim against Datagrid, Customer shall pay all damages (including reasonable attorneys’ fees) finally awarded against Datagrid by a court of competent jurisdiction or the settlement agreed to by Customer with respect to such claim. This indemnity states Customer’s entire liability, and Datagrid’s exclusive remedy, for any third-party claims as described in this Section 10.2.

10.3 Procedure

The defense and indemnity obligations above are conditioned upon the indemnified Party providing the indemnifying Party with (a) prompt notice; (b) sole control over the defense and any settlement negotiations; and (c) all information and assistance reasonably requested by the indemnifying Party in connection with the defense or settlement of the indemnifiable claim. The indemnifying Party shall not agree to a settlement that imposes any obligation or liability on the indemnified Party without the indemnified Party’s prior written consent, which will not be unreasonably withheld, conditioned, or delayed. The indemnified Party may appear in connection with such claims, at its own expense, through counsel reasonably acceptable to the indemnifying Party.

11. GENERAL PROVISIONS

11.1 Independent Contractor

The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.

11.2 Notices

Notices to Customer will be delivered via email or overnight delivery at the address associated with the Order Form. Notices to Datagrid will be delivered via email to legalnotice@procore.com or by overnight delivery to Datagrid AI, Inc. (a subsidiary of Procore Technologies, Inc.), Attention Chief Legal Officer, 6309 Carpinteria Ave., Carpinteria, CA 93013 USA. All notices must be in writing and will be effective when received.

11.3 Assignment

Each Party shall not assign this Agreement, in whole or part, or any right or interest herein, without the other Party’s prior written consent, not to be unreasonably withheld, and any purported assignment without such consent will be void. However, either Party may assign this Agreement without consent to an Affiliate, or in connection with a merger, consolidation, corporate reorganization, sale of all or substantially all of its assets or business, or other change-of-control transaction. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns. Assignment will not relieve Customer of its obligation to pay Fees incurred before the assignment.

11.4 Applicable Law and Anti-Corruption

Each Party shall comply with applicable laws in performance of this Agreement. Neither Party has promised, made, or received any bribe, kickback, or other similar payment or transfer of value from or to any director, officer, employee, agent, or other representative of the other Party in connection with this Agreement. Reasonable and lawful gifts, entertainment, sponsorships, and donations do not violate the above restriction.

11.5 Export Control and Sanctions

Each Party shall comply with all applicable Export Control and Sanctions Laws and Regulations in connection with providing and using the Services. Without limiting the foregoing, (a) each Party represents that it is not listed on any list of entities or individuals who are restricted from receiving U.S. services or items subject to jurisdiction of U.S. Export Controls or U.S. persons transacting with it (including but not limited to the Specially Designated Nationals and Blocked Persons List and the Entity List) nor is it owned or controlled by any such listed entity or individual; (b) Customer shall not, and shall ensure that Authorized Users do not, violate any Export Control and Sanctions Laws and Regulations, or cause any such violation to occur; and (c) Customer shall not use or cause any person to use the Services to store, retrieve, or transmit technical data controlled under the U.S. International Traffic in Arms Regulations.

11.6 U.S. Government Rights

If Customer, or any Authorized User, is a branch, agency, or instrumentality of the United States Government, the following provision applies: The Services and Documentation comprise “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 and are provided to the Government (a) for acquisition by or on behalf of civilian agencies, consistent with the policy in 48 C.F.R. 12.212; or (b) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies in 48 C.F.R. 227.7202-1 and 22.7202-3. The rights of the U.S. Government to use, commercial computer software, commercial computer software documentation, and technical data furnished in connection with this Agreement are solely as provided in this Agreement. No additional rights are provided to the Government unless set forth in a separate written addendum.

11.7 Force Majeure

Neither Party will be liable for any failure or delay in its performance under this Agreement to the extent due to any cause beyond its reasonable control (a “Force Majeure Event”). The Party suffering a Force Majeure Event shall use reasonable efforts to mitigate against the effects of such Force Majeure Event and shall resume performance as soon as practicable following the Force Majeure Event. 

11.8 Governing Law, Venue, and Dispute Resolution

This Agreement is governed by and construed in accordance with the laws of the State of California, without reference to conflict of law rules of any jurisdiction. Any disputes will subject to the exclusive jurisdiction of the federal and state courts located in Los Angeles County, California, and the Parties consent to such jurisdiction. The provisions of the United Nations Convention of Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Acts will not apply to this Agreement in any manner whatsoever.

Notwithstanding the foregoing, the Parties shall attempt in good faith to promptly resolve any disputes arising out of or relating to this Agreement by negotiation between representatives of each Party with the authority to resolve such dispute. If the Parties are unsuccessful in reaching resolution after a reasonable time, such dispute will be submitted to final and binding arbitration. Notwithstanding the foregoing, neither Party is required to arbitrate claims (a) where all named parties seek monetary relief which, in the aggregate, qualifies as a claim that meets the requirements of an applicable small claims court; or (b) seeking injunctive relief. However, if a small claim is transferred, removed, or appealed to a different court, either Party may require that the claim be submitted to final binding arbitration. Any arbitration will take place on an individual basis. If the Parties participate in arbitration, the Parties waive the right to participate in a class, consolidated, or representative action or arbitration, and the right to a trial by jury. If this class action waiver is deemed unenforceable, the class claim will be brought in a court of competent jurisdiction. Arbitration will be conducted in English and administered in accordance with the International Arbitration Rules of the International Centre for Dispute Resolution in Los Angeles County, California. Except as required by law, each Party, and its representatives, shall not disclose the existence, content, or results of any arbitration without the other Party’s prior written consent. The arbitrator is not empowered to award damages in excess of compensatory damages and each Party hereby irrevocably waives any right to recover such damages with respect to any dispute resolved by arbitration. The decision of the arbitrator will be in accordance with this Agreement and will be binding upon the Parties. Each Party hereby waives any right it may otherwise have under the laws of any jurisdiction to any form of appeal. Judgment upon the award rendered may be entered in and enforced by any court of competent jurisdiction having jurisdiction over both Parties. This Agreement governs if there is a conflict with the International Arbitration Rules of the International Centre for Dispute Resolution.

11.9 Entire Agreement; Order of Precedence

This Agreement (together with any Order Forms, SOWs, and linked terms) contains the entire understanding and agreement of the Parties concerning the subject matter hereof and supersedes all prior or contemporaneous communications, representations, agreements, and understandings, either oral or written, between the Parties with respect to its subject matter. This Agreement will only be amended or waived by a writing signed by both Parties; however, the Parties may update and modify this Agreement upon renewal of the Subscription Term. In the event of any conflict or inconsistency between or among the following documents, the order of precedence will be: (1) the DPA, (2) the Order Form, (3) SOW, (4) this Agreement, and (5) any links provided herein. Any amendment will take precedence over the document it amends.

11.10 Miscellaneous

If a provision of this Agreement is unenforceable or invalid, the provision will be revised so as to best accomplish the objectives of the Parties as evidenced by this Agreement, and the remainder of this Agreement will continue in full force. The English language version of this Agreement will be the version used when interpreting or construing this Agreement. Any notices in connection with this Agreement must be provided in English. Either Party’s failure to enforce any right under this Agreement will not waive that right. There are no third-party beneficiaries to this Agreement, and Customer acknowledges that Datagrid will have no obligations or liability whatsoever to any third parties with which Customer does business.

12. DEFINITIONS

“Affiliate” means an entity that controls, is controlled by, or is under common control of a Party, where “control” means ownership or control, directly or indirectly, of more than fifty percent (50%) of the voting interest of such entity or party (but only for so long as such control exists) or the right to otherwise control the decision making of the subject entity. 

“Authorized User” means any individual or agent authorized by Customer to access or use the Services.

“Beta Services” means Datagrid services, features, or functionality that Datagrid may make available to Customer that have not been made generally available to customers and have been designated as beta, pilot, limited release, preview, non-production, pre-release, or a similar designation. 

“Customer” means the legal entity that has entered into this Agreement with Datagrid.

Customer Data means any content, data, information, Personal Data, and other materials submitted by Customer or an Authorized User to the Services. Customer Data excludes Aggregated Data, any content from publicly available sources, and any suggestion, enhancement request, recommendation, correction, or other feedback relating to the Services.

“Datagrid” means Datagrid AI, Inc. and its affiliated entities.

“DGU(s)” or “Datagrid Consumption Unit(s)” means the units purchased by Customer that may be consumed during the Subscription Term for applicable Subscription Services described in the Datagrid Consumption Unit Table or as otherwise agreed to between the Parties, including AI agent interactions, data import and learning, searches, and automations.

“Documentation” means all the official Datagrid-provided user guides applicable to the Services, whether in electronic, paper, or equivalent form, as updated from time to time, accessible at https://docs.datagrid.com/ or other websites designated by Datagrid.

Export Control and Sanctions Laws and Regulations” means all applicable laws and regulations controlling or regulating the export, re-export, or in-country transfer of goods, technology, software, or services, or those that impose other trade or financial sanctions against targeted countries, territories, individuals, or entities, collectively including, but not limited to, all laws administered by the U.S. Department of State and its Directorate of Defense Trade Controls, the Office of Foreign Assets Control of the U.S. Department of the Treasury, and the U.S. Department of Commerce and its Bureau of Industry and Security.

Intellectual Property Rights” means all rights, title, and interest in all intellectual property, including patents, copyrights, trade secrets, mask works, trademarks, and other intellectual property rights of any sort throughout the world.

“Order Form” or “Order” means the proposal, quote, or order document specifying the services and fees for which Customer is subscribing.

Professional Services means the implementation, technical, consulting, training, and similar services provided by or through Datagrid or its Affiliates, as described in the relevant Order Form or SOW.

Reseller” means a third party authorized by Datagrid or its Affiliates to promote, distribute, and/or resell the Services.

“Service(s)” means collectively, as applicable, the Subscription Services, Support Services, and Professional Services Customer has ordered, and Datagrid has agreed to provide, as indicated on the applicable Order Form or SOW.

“SOW” means a statement of work executed by the Parties describing Professional Services purchased by Customer pursuant to an Order Form, herein incorporated by reference.

Subscription Fees” means the amount listed in an Order Form for the Subscription Services.

Subscription Services means the Datagrid software-as-a-service, and all associated Updates, offered on a subscription basis by Datagrid via an Order Form that provides the functionality described in the Documentation.

Subscription Term” means the entire period during which Customer is entitled to use the Subscription Services, including the Initial Term and any applicable Renewal Terms.

Support Services” means Datagrid’s customer support for the Subscription Services described in Exhibit A, and as may be specified or purchased within an Order Form.

Updates” means all updates, enhancements, and other modifications that Datagrid makes generally available, at no additional charge, to its customers of the Subscription Services identified in an Order Form.

 

 

 

 

Exhibit A – Subscription Support and Service Level Policy

SUPPORT

Datagrid support consists of Preventive Support and Error Correction during normal business hours.

Preventive Support.

Datagrid will use reasonable efforts to prevent Service failures by (i) advising Customer of relevant issues affecting other users; (ii) performing necessary remedial work; (iii) proactively remedying security vulnerabilities; and (iv) reviewing Service data to preempt potential problems.

Error Correction.
Customer may report defects via email at support@datagrid.com. Defects are classified as follows:

Severity Level

1 - Critical

Defect causing the Service to be unusable.

Initial response within 4 hours; immediate management escalation; status update if unresolved within 4 hours.

2 - Significant

Defect materially impacting Service use.

Initial response within 8 hours; management escalation within 16 hours; status update within 24 hours.

3 - Other

Non-critical, non-significant issues.

Initial response within 48 hours; management escalation within 5 business days; status update within 72 hours.

 

 

Exhibit B - Datagrid Data Processing Addendum

This Data Processing Addendum (this “DPA”) supplements and forms part of the services agreement between Customer and Datagrid AI, Inc. about the provision of Services by Datagrid to Customer (“Agreement”) when Data Protection Law applies to Customer’s access and use of the Services to Process Customer Personal Data (defined below).

Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) (“Customer”).  For the purposes of this DPA only, and except as otherwise indicated, the term “Customer” shall include Customer and Data Controller Affiliates.

  1. Data Processing
    1. Scope and Roles. This DPA applies when Customer Personal Data is processed by Datagrid under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Customer is the Controller of the Customer Personal Data covered by this DPA, and Datagrid shall be a Processor Processing Customer Personal Data on behalf of Customer and this DPA shall apply accordingly.  
    2. Details of Data Processing.  
      1. Subject matter. The subject matter of the data Processing under this DPA is Customer Personal Data.
      2. Duration. The duration of the Processing under this DPA is determined by the Agreement.  Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Datagrid deletes or anonymizes all Customer Personal Data as described in the Agreement.
      3. Purpose. The purpose of the processing under the DPA is the provision of the Services by Datagrid to Customer as specified in the Agreement.
      4. Nature of the Processing. Customer Personal data is processed by Datagrid in connection with the Services under the Agreement and/or any applicable Order. 
      5. Categories of Data Subjects. The Data Subjects of Customer which may include Customers’ Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.  
      6. Categories of data. Identifiers (contact detail including name, email, phone number  and addresses); Employment Data (professional data, contact details, hours worked, site access); Internet and Network Activity Data (such as IP addresses, log files, and login information); Geolocation Data (such as region, country, state, postal code, or location information derived from IP addresses or GPS); and other Personal Data that Customer or its Authorized Users elect to submit to the Services.
      7. Special categories of data (if appropriate). Datagrid and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements.
    3. Compliance with the laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
  2. Documented Instructions.
    1. Customer Instructions. Customer shall, in its use of the Services, at all times provide documented instructions to Datagrid for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Datagrid’s Processing of Customer Personal Data (“Documented Instructions”).  Datagrid will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Datagrid and Customer, including agreement on any additional fees payable by Customer to Datagrid for carrying out such instructions. 
    2. Obligations. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Datagrid by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to Datagrid regarding the Processing of such Personal Data. Customer shall not provide or make available to Datagrid any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services. 
  3. Confidentiality of Customer Personal Data. Datagrid will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Datagrid a demand for Customer Personal Data, Datagrid will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Datagrid may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Datagrid will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Datagrid is legally prohibited from doing so. 
  4. Authorized persons. Datagrid shall ensure that all persons authorized to Process Customer Personal Data on behalf of Datagrid are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g. by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
  5. Authorized Subprocessors. Customer hereby generally authorizes Datagrid to engage Subprocessors in accordance with this Section 5.  Customer approves the Subprocessors currently disclosed in  Appendix A. Datagrid may remove, replace, or appoint suitable and reliable Subprocessors, provided that Datagrid shall notify Customer of any updates to its Subprocessors. Datagrid will provide Customer with an opportunity to object to any change in its Subprocessors where required under applicable Data Protection Law.
    1. Objections. If the Customer reasonably objects to the engagement of a new Subprocessor, Datagrid shall have the right to cure the objection through one of the following options (to be selected at Datagrid’s sole discretion): (a) Datagrid cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) Datagrid will take the corrective steps requested by Customer in its objection  (which removes  Customer's objection) and proceed to use the Subprocessor with regard to Customer Personal Data; (c) Datagrid may cease to provide or Customer may agree not to use (temporarily or  permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) Datagrid provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Datagrid, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Datagrid and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to Datagrid for Services provided up to the effective date of the termination under the Agreement. In the event that Datagrid elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to Datagrid for such Services after the effective date of the suspension.  If Customer does not object to a new Subprocessor's engagement within ten (10) days of notice by Datagrid, that new Subprocessor shall be deemed accepted. 
    2. Subprocessor Obligations.  Where Datagrid authorizes a Subprocessor as described in Section 5.1:

  1. Datagrid will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Datagrid will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
  2. Datagrid will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Datagrid under this DPA, Datagrid will impose on the Subprocessor the same contractual obligations that Datagrid has under this DPA; and 
  3. Datagrid will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Datagrid to breach any of Datagrid obligations under this DPA.
  1. Security; Audits; Personal Data Breach.
    1. Security. Datagrid’s provision of the Services will be consistent with the Security Measures and Controls described in Appendix B and any security measures described in the Agreement..   
      1. Updates to Security Measures and Controls. Customer is responsible for reviewing the information made available by Datagrid relating to data security and making an independent determination as to whether the Security Measures and Controls set forth in Section 6.1, above, meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Measures and Controls are subject to technical progress and development and that Datagrid may update or modify the Security Measures and Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.
    2. Confidential Security Reports and Audits.  For the duration of its processing of Customer Personal Data, Datagrid will maintain compliance with appropriate security standards for its industry.  Upon request, Datagrid shall, no more than once per calendar year make available for Customer’s review, a summary copy of an audit report(s) ("Report") that reflects such compliance, a request may be made by emailing Datagrid.  Customer acknowledges and agrees that such Reports are Datagrid’s Confidential Information. Datagrid shall also provide a requesting Customer with a Report and/or confirmation of Datagrid's own audits and/or a report of third party auditors' audits of its Subprocessors that have been provided by those Subprocessors to Datagrid, to the extent such reports or evidence may be shared with Customer (“Third-party Subprocessor Audit Reports”). Customer acknowledges that (a) Reports and Third-party Subprocessor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Subprocessor and (b) certain third-party Subprocessors to Datagrid may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report.
    3. Personal Data Breach. In the event of a Personal Data Breach, except where prohibited by law, Datagrid shall notify Customer without undue delay and otherwise respond as described in 6.3.1 below.  In addition, Datagrid shall, taking into account the nature of the Processing and the information available to Datagrid assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.
      1. Practices.  Datagrid does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Datagrid becomes aware, and, within the scope of the Services, and take such steps as Datagrid in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Datagrid to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. Datagrid’s obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by Datagrid of any fault or liability of Datagrid with respect to the Personal Data Breach. 
  2. Datagrid Assistance with Data Subject Requests. Datagrid will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Datagrid regarding Customer Personal Data. Datagrid shall not respond to such Data Subject requests itself, except that Customer authorizes Datagrid to redirect such requests to Customer to allow Customer to respond directly. Upon a written request for assistance by Customer, Datagrid will reasonably assist Customer with handling such Data Subject requests.
  3. International Transfers of Personal Data
    1. U.S. Based Processing; Notification of Changes.  Customer acknowledges and agrees that Datagrid may transfer and process Customer Personal Data to and in the United States and where Datagrid, its Affiliates, or its Subprocessors maintain global data processing operations. Datagrid shall ensure that such  transfers are made in compliance with applicable Data Protection Law and this DPA.
    2. Application of SCCs. The applicable SCC Controller-to-Processor Clauses,  will apply to Customer Personal Data that is transferred via the Services from Europe (defined below) and/or the United Kingdom, either directly or via onward transfer, to any country not recognized by the European Commission, the Swiss Federal Data Protection and Information Commissioner and/or a competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Personal Data. 
      1. For purposes of this DPA, if the SCCs apply,  this DPA fully incorporates the SCCs. If Customer submits Customer Personal Data to the Services for Processing by Datagrid, Customer and Datagrid will be deemed to have entered into the SCCs, where applicable, and the submission of such Customer Personal Data to the Services will constitute Customer’s prior written consent to the transfer and Processing by Datagrid if such consent is required under the SCCs.  The SCCs, will not apply where the Customer Personal Data is transferred in accordance with an Alternative Transfer Mechanism (defined below), such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions.
    3. Alternative Transfer Mechanisms.  If necessary, Datagrid may designate a valid  Alternative Transfer Mechanism to any mechanism designated in this DPA.
    4. Explicit Consent and Notice.  Where required, Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Datagrid in a manner consistent with the applicable Data Protection Law.
  4. Effect of Termination. Upon termination or expiration of the Agreement, Datagrid shall (at Customer's written request) anonymize or delete all Customer Personal Data in its possession or control. This requirement shall not apply to the extent Datagrid is required by applicable law to retain some or all of the Customer Personal Data. Customer acknowledges that Datagrid may be required to be retain Customer Personal under applicable laws for the establishment, exercise or defense of legal claims. 
  5. Indemnification by Customer.  To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend and indemnify Datagrid, its Affiliates and Datagrid’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a “Datagrid Indemnitee”) from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorized Users or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.
  6. Limitation of Liability
    1. Exclusion of Damages.  UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION SHALL THE DATAGRID INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CUSTOMER OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CUSTOMER PERSONAL DATA ARISING FROM OR RELATING TO CUSTOMER’S BREACH OF ITS OBLIGATIONS IN THIS DPA. 
    2. Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and Datagrid, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.  For the avoidance of doubt, the Datagrid Indemnitees’ total liability for all Actions by Customer and all of Customers Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA.  To the extent required by applicable law, (a) this section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.
  7. Survival of the DPA.      This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA shall continue to apply for so long as Datagrid processes Customer Personal Data. 
  8. Severance.  Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  9. Jurisdiction Specific Terms.  Certain global jurisdictions require other specific terms.  Where required, Customer and Datagrid agree to amend this DPA to incorporate such specific terms as may be required under applicable Data Protection Law. This DPA fully incorporates the specific terms below: 
    1. United States: The definition of “Data Protection Law” includes (without limitation) any federal or state data protection laws in effect and applicable to Datagrid’s Processing of Customer Personal Data in the United States (including The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act).Datagrid’s obligations to Customer under the DPA are only those express obligations imposed by applicable Data Protection Law that require that a “Business” and a “Service Provider” to have in place.  Each party is responsible for fulfilling its respective obligations set out in applicable Data Protection Law. 

Datagrid will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, including to provide services to a different customer; (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Datagrid and Customer; or (d) combine Customer Personal Data with other Personal Data that Datagrid receives from another entity or collects from individuals, except as permitted by applicable law or as authorized by Customer.

The terms used in the applicable provisions of the DPA shall be replaced as follows: “Personal Data” shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer" (collectively, the “replaced terms”).  Further, the replaced terms shall have the definitions ascribed to in the applicable Data Protection Law.

  1. Entire Agreement; Order of Precedence.  Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data are resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.
  2. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
    1. Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
    2. Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
    3. Affiliates”, “Customer Data”, “Datagrid”, and “Services” shall each have the meaning ascribed to it in the Agreement.
    4. Alternative Transfer Mechanism” means an alternative Personal Data export solution that has been approved pursuant to applicable Data Protection Law. This can include Binding Corporate Rules, any new version of or successor to the SCCs, or an existing certification mechanism adopted pursuant to applicable Data Protection Law for the international transfer of Personal Data.
    5. Competent Supervisory Authority'' means (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
    6. Controller" means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Customer. 
    7. Customer”, as used on this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.
    8. Customer Personal Data” means Personal Data within Customer Data submitted to Datagrid for Processing in connection with the Services pursuant to the Agreement.
    9. Data Controller Affiliates” means any of Customer's Affiliates that have not signed or otherwise accepted their own Order with Datagrid and therefore would not be a "customer" as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Datagrid Services pursuant to the Agreement between Customer and Datagrid.  For the avoidance of doubt, no third-party beneficiaries are intended.
    10. Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Datagrid, including, where applicable, the laws listed in Datagrid’s Jurisdiction Specific Terms, as may be amended, superseded or replaced from time to time. Data Protection Law includes (without limitation) i) any federal or state data protection laws in effect and applicable to Datagrid’s Processing of Customer Personal Data in the United States (including The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act), ii) the GDPR, and ii) the UK GDPR.
    11. Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.
    12. Documented Instructions” has the meaning ascribed in Subsection 2.1 of this DPA.
    13. GDPR " means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).
    14. including” and its derivatives mean “including but not limited to.”
    15. Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
    16. “Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
    17. Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Datagrid or Datagrid’s Subprocessors.
    18. Datagrid Indemnitee” shall have the meaning ascribed to it in Section 10, above.
    19. “Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. 
    20. “Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to Datagrid.
    21. Public Authority Request” means a government agency or law enforcement authority, including a judicial authority request for information. 
    22. Services” means Datagrid’s services as set forth in the Agreement.
    23. "Standard Contractual Clauses" or “SCCs” means : (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant  to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC")(the "Swiss SCCs"). 
    24. "Subprocessor" means any Processor engaged by Datagrid to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA.  Subprocessors may include Datagrid’s Affiliates, but shall exclude Datagrid employees, contractors, and consultants.  
    25. "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.

Appendix A – List of Datagrid Subprocessors

%%TABLE_1%%

*Country of processing is the United States unless Datagrid’s services are accessed from outside of the applicable region in which case Customer traffic is processed globally at the data center applicable to the end user.

Appendix B – Security Measures and Controls

Datagrid will implement and maintain technical and organizational measures designed to secure Customer Data (including Customer Personal Data). Datagrid will maintain and follow a written information security program (including the adoption and enforcement of internal policies and procedures) designed to (i) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (ii) identify reasonably foreseeable risks to Customer Data and unauthorized access to the Services,  (iii) minimize Customer Data risks, including through risk assessment and regular testing and iv) monitor, detect, and mitigate attacks or intrusions into Customer Data. Datagrid will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following Security Measures (as updated from time to time):

  1. Physical Access Controls:  Datagrid takes measures, such as security personnel and secured buildings, designed to (i) prevent unauthorized persons from gaining access to Customer Data, (ii) manage, monitor and log movement of persons into and out of Datagrid facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage. 
  2. System Access Controls:  Datagrid takes measures designed to prevent unauthorized use of Customer Data. These controls may vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and two-factor authentication, documented authorization processes, documented change management processes, logging of access on several levels, system audit or event logging, and related monitoring procedures to proactively record user access and system activity for routine review.
  3. Data Access Controls:  Datagrid takes measures designed to ensure that Customer Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Data to which they have privilege of access, and that Customer Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
  4. Access Policy: In addition to the access control rules set forth in Subsections 1-3 above, Datagrid implements an access policy under which access to its system environment, to Personal Data, and to other Customer Data is restricted to authorized personnel only.
  5. Input Controls: Datagrid takes measures to ensure that: (i) the Customer Data source is under the control of Customer; and (ii) Customer Data integrated into Datagrid’s systems is managed by secured file transfer from Customer and the Authorized User subject.
  6. Data Backup:  Datagrid ensures that backups are made on a regular basis, are secured, and are encrypted when storing data to protect against accidental destruction or loss when hosted by Datagrid. 
  7. Organizational Management: Datagrid maintains a dedicated staff responsible for the development, implementation, and maintenance of Datagrid’s data privacy and information security programs.
  8. Audit: Datagrid maintains audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance, and reporting the condition of its information security and compliance to senior internal management.
  9. Policies: Datagrid maintains data protection and information security policies and makes sure that policies and measures are regularly reviewed and where necessary, improve them.
  10. Integration: Datagrid communicates with Customer applications utilizing cryptographic protocols such as TLS 1.2 or above to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
  11. Operations: Datagrid maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal. or release from Controller possession.
  12. Incident Response: Datagrid maintains incident procedures designed to investigate, respond to, mitigate and notify of events related to Customer’s data. or information assets. A dedicated network operations and security operations staff performs rapid monitoring and response capabilities to address alerts. 
  13. Network Security: Datagrid engages in network security controls such as providing for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  14. Risk Management: Datagrid utilizes vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  15. Business Continuity: Datagrid maintains business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters. Testing is performed to evaluate the plans and recovery capabilities.

Additional information: For additional information on Datagrid’s security measures and compliance please refer to the information made available and updated periodically at the following link: https://www.datagrid.com/data-security-standards.

Appendix C – Annexes to the Standard Contractual Clauses

ANNEX I 

A. List of Parties

Data exporter(s): 

Name: The entity identified as “Customer” in the Agreement. 

Address: The address for Customer specified in the Agreement. 

Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement. 

Activities relevant to the data transferred under these Clauses: The activities specified in Section 1.2 of the DPA. 

Role (controller / processor): Controller 

Data importer(s): 

Name: Datagrid AI, Inc.

Address: 6309 Carpinteria Ave., Carpinteria, CA 93013, United States

Contact person’s name, position and contact details: Chief Legal Officer, legalnotice@procore.com      

Activities relevant to the data transferred under these Clauses: The Services as described in the Agreement.          

Role (controller / processor): Processor

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer Controller to Processor

Categories of Data Subjects whose Personal Data is transferred/Processed

The Personal Data transferred/Processed concern the following categories of Data Subjects:

  • Authorized Users as defined in the Subscription Services Agreement.
  • Customers’ employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by the data importer for use in connection with the Services.  

Categories of personal data transferred/Processed

The Personal Data transferred/Processed concern the following categories of data:

Customer Personal Data as defined in the DPA.  It includes: 

  • Identifiers (contact detail including name, email, phone number  and addresses); 
  • Employment Data (professional data, contact details, hours worked, site access);
  • IT Data (IP addresses, browser type, language preferences, cookies data);
  • Geolocation Data (such as region, country, state, postal code, or location information derived from IP addresses or GPS);
  • Other data Controller elects to upload to Processor’s system.

Datagrid does not knowingly process Sensitive Data, as defined by applicable law, on behalf of the Controller.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuous basis as needed for performance of Services and throughout the Subscription Term until the DPA’s Termination Date, provided that the data protection obligations of the DPA and the SCCs shall continue to apply for so long as the data importer processes Customer Personal Data.

Nature of the processing

  • Personal data is processed by Datagrid in connection with the Services under the Agreement and/or any applicable Order. 

Purpose(s) of the data transfer and further Processing

  • Datagrid will Process Personal Data as necessary to perform Services pursuant to the Agreement and/or any applicable Order and/or as further specified by Controller’s lawful Documented Instructions.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period.

  • For the duration of the Subscription Term as defined in the Agreement, pursuant to the terms stated in the DPA, unless otherwise required by applicable law. 

For transfers to Subprocessors, also specify subject matter, nature, and duration of the Processing.

  • Datagrid uses its Affiliates and a range of third party Subprocessors to assist in providing the Services.  These Subprocessors provide cloud hosting and storage services; content delivery and analytic services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services. The Processing activity will take place during the Subscription Term, unless otherwise required in accordance with the DPA and/or applicable laws or regulations.
  • Personal Data transfers to Subprocessors are based upon Standard Contractual Clauses unless an Alternative Transfer Mechanism is in place.

Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Module 2 SCC:

  •  Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. 
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority. 
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Irish Data Protection Commission - 21 FITZWILLIAM SQUARE SOUTH, DUBLIN 2, D02 RD28, IRELAND
  •  shall act as the competent supervisory authority. 
  • Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority. 
  • Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations. 

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES

Description of the technical and organizational measures implemented by Datagrid (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. 

  • Please see Appendix B to the DPA. 

Transfers to Subprocessors: For transfers to subprocessors, also describe the specific technical and organisational measures to be taken by the subprocessor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter.

  • Please see Appendix B to the DPA.
  • For additional information on assistance with rights to the Controller and with transfer measures, please see Annex III - Subprocessors.

ANNEX III - SUBPROCESSORS

This Annex III to the Standard Contractual Clauses sets out the Subprocessors’ Processing of Personal Data under the Agreement.

  • Please see Appendix A in DPA.
[ { "id": "TABLE_1", "html": "<table> <thead> <tr> <th>Name</th> <th>Nature/Description of Processing</th> <th>Subject of Processing/Customer Personal Data</th> <th>Country of Processing</th> </tr> </thead> <tbody> <tr> <td>Amazon Web Services</td> <td>Cloud infrastructure, RDS Instances (user/customer data), GuardDuty (vulnerability monitoring), Secrets Manager (credentials), CloudWatch (log data, monitoring), S3 (data persistence, backups), Analytics (customer activity assessment)</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services</td> <td>United States</td> </tr> <tr> <td>Google, LLC</td> <td>Large Language Model and AI services, Google Cloud Storage (blobs, files), Kubernetes (monitoring services), Big Query (datasets), Vertex AI (AI platform monitoring)</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services</td> <td>United States*</td> </tr> <tr> <td>Anthropic</td> <td>Large Language Model and AI services</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services</td> <td>United States</td> </tr> <tr> <td>OpenAI</td> <td>Large Language Model and AI services</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services</td> <td>United States</td> </tr> <tr> <td>Stripe</td> <td>Billing subscription information, customer subscription and credit card payments</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data, Credit Card Processing Data as processed by Stripe</td> <td>United States*</td> </tr> <tr> <td>Sentry</td> <td>Application Performance and error monitoring</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data and Identifiers based on error</td> <td>United States</td> </tr> <tr> <td>Github</td> <td>Codebase &amp; CICD/Pipeline, Dependabot (supply chain vulnerability scanning)</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data</td> <td>United States*</td> </tr> <tr> <td>LaunchDarkly</td> <td>Feature flags</td> <td>i.e.: Authorized User Identifiers, Employment Data, Internet and Network Activity Data</td> <td>United States</td> </tr> <tr> <td>Mixpanel</td> <td>Customer activity assessment in a product</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data</td> <td>United States</td> </tr> <tr> <td>Zilliz</td> <td>Milvus (Vector store database)</td> <td>i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services</td> <td>United States</td> </tr> </tbody> </table>" } ]