AI and the Law

A Problem-Based Approach

  • Becka Rich (Drexel University)

7 Choosing an AI Tool: Terms of Use, Privacy Policies, and Tool Evaluation 7 Choosing an AI Tool: Terms of Use, Privacy Policies, and Tool Evaluation

7.1 Terms of Use 7.1 Terms of Use

7.1.1 Learning to Read Terms of Use 7.1.1 Learning to Read Terms of Use

One of the most important steps that you need to take when evaluating whether to buy or use an AI product is to read the terms of use. Here we're going to go through a terms of use step-by-step to see which clauses you should watch out for the most. 

Here's what you are looking for:
1) What is the privacy policy of the GAI tool's owner/creator? Does that privacy policy protect your company's staff?
2) What is the policy concerning intellectual property? Does your company own work created collaboratively with the GAI tool or does the GAI tools company own it?
3) Does the GAI company have any language about your output being potentially the same as someone else's output? How might that affect your company?
4) How does the company use the data that you put in? Is it used to train the model? If it  is, can your  company opt out?
5) If the GAI company does something that breaches their contract with your company, what remedies do you have under the user agreement? 
6) What does the GAI company say that you can't do with their software? Do those prohibited uses affect your company?
7) Does the GAI tool do anything to prevent hallucinations? 
8) What does the GAI tool company do to make sure that they are complying with all applicable laws?
If needed, run the confusing parts through Microsoft CoPilot asking for a Plain English translation.
While you wouldn't exclusively rely on what AI says for this when you are a practicing compliance officer, it can be useful while you're learning how to read an agreement.

Open AI Terms of Use

(Original here)

Published: December 11, 2024

Effective: December 11, 2024 (previous version)

Thank you for using OpenAI!

These Terms of Use apply to your use of ChatGPT, DALL·E, and OpenAI’s other services for individuals, along with any associated software applications and websites (all together, “Services”). These Terms form an agreement between you and OpenAI, L.L.C., a Delaware company, and they include our Service Terms and important provisions for resolving disputes through arbitration. By using our Services, you agree to these Terms. 

If you reside in the European Economic Area, Switzerland, or the UK, your use of the Services is governed by these terms.

Our Business Terms govern use of ChatGPT Enterprise, our APIs, and our other services for businesses and developers. 

Our Privacy Policy explains how we collect and use personal information. Although it does not form part of these Terms, it is an important document that you should read.

Who we are

OpenAI is an AI research and deployment company. Our mission is to ensure that artificial general intelligence benefits all of humanity. For more information about OpenAI, please visit https://openai.com/about.

Registration and access

Minimum age. You must be at least 13 years old or the minimum age required in your country to consent to use the Services. If you are under 18 you must have your parent or legal guardian’s permission to use the Services. 

Registration. You must provide accurate and complete information to register for an account to use our Services. You may not share your account credentials or make your account available to anyone else and are responsible for all activities that occur under your account. If you create an account or use the Services on behalf of another person or entity, you must have the authority to accept these Terms on their behalf.

Using our Services

What you can do. Subject to your compliance with these Terms, you may access and use our Services. In using our Services, you must comply with all applicable laws as well as our Sharing & Publication PolicyUsage Policies, and any other documentation, guidelines, or policies we make available to you. 

What you cannot do. You may not use our Services for any illegal, harmful, or abusive activity. For example, you may not:

  • Use our Services in a way that infringes, misappropriates or violates anyone’s rights.

  • Modify, copy, lease, sell or distribute any of our Services.

  • Attempt to or assist anyone to reverse engineer, decompile or discover the source code or underlying components of our Services, including our models, algorithms, or systems (except to the extent this restriction is prohibited by applicable law).

  • Automatically or programmatically extract data or Output (defined below).

  • Represent that Output was human-generated when it was not.

  • Interfere with or disrupt our Services, including circumvent any rate limits or restrictions or bypass any protective measures or safety mitigations we put on our Services.

  • Use Output to develop models that compete with OpenAI.

Software. Our Services may allow you to download software, such as mobile applications, which may update automatically to ensure you’re using the latest version. Our software may include open source software that is governed by its own licenses that we’ve made available to you.

Corporate domains. If you create an account using an email address owned by an organization (for example, your employer), that account may be added to the organization's business account with us, in which case we will provide notice to you so that you can help facilitate the transfer of your account (unless your organization has already provided notice to you that it may monitor and control your account). Once your account is transferred, the organization’s administrator will be able to control your account, including being able to access Content (defined below) and restrict or remove your access to the account. 

Third party Services. Our services may include third party software, products, or services, (“Third Party Services”) and some parts of our Services, like our browse feature, may include output from those services (“Third Party Output”). Third Party Services and Third Party Output are subject to their own terms, and we are not responsible for them. 

Feedback. We appreciate your feedback, and you agree that we may use it without restriction or compensation to you.

Content

Your content. You may provide input to the Services (“Input”), and receive output from the Services based on the Input (“Output”). Input and Output are collectively “Content.” You are responsible for Content, including ensuring that it does not violate any applicable law or these Terms. You represent and warrant that you have all rights, licenses, and permissions needed to provide Input to our Services.

Ownership of content. As between you and OpenAI, and to the extent permitted by applicable law, you (a) retain your ownership rights in Input and (b) own the Output. We hereby assign to you all our right, title, and interest, if any, in and to Output. 

Similarity of content. Due to the nature of our Services and artificial intelligence generally, output may not be unique and other users may receive similar output from our Services. Our assignment above does not extend to other users’ output or any Third Party Output. 

Our use of content. We may use Content to provide, maintain, develop, and improve our Services, comply with applicable law, enforce our terms and policies, and keep our Services safe. If you're using ChatGPT through Apple's integrations, see this Help Center article(opens in a new window) for how we handle your Content.

Opt out. If you do not want us to use your Content to train our models, you can opt out by following the instructions in this Help Center article(opens in a new window). Please note that in some cases this may limit the ability of our Services to better address your specific use case.

Accuracy. Artificial intelligence and machine learning are rapidly evolving fields of study. We are constantly working to improve our Services to make them more accurate, reliable, safe, and beneficial. Given the probabilistic nature of machine learning, use of our Services may, in some situations, result in Output that does not accurately reflect real people, places, or facts. 

When you use our Services you understand and agree:

  • Output may not always be accurate. You should not rely on Output from our Services as a sole source of truth or factual information, or as a substitute for professional advice.

  • You must evaluate Output for accuracy and appropriateness for your use case, including using human review as appropriate, before using or sharing Output from the Services.

  • You must not use any Output relating to a person for any purpose that could have a legal or material impact on that person, such as making credit, educational, employment, housing, insurance, legal, medical, or other important decisions about them. 

  • Our Services may provide incomplete, incorrect, or offensive Output that does not represent OpenAI’s views. If Output references any third party products or services, it doesn’t mean the third party endorses or is affiliated with OpenAI.

Our IP rights

We and our affiliates own all rights, title, and interest in and to the Services. You may only use our name and logo in accordance with our Brand Guidelines.

Billing. If you purchase any Services, you will provide complete and accurate billing information, including a valid payment method. For paid subscriptions, we will automatically charge your payment method on each agreed-upon periodic renewal until you cancel. You’re responsible for all applicable taxes, and we’ll charge tax when required. If your payment cannot be completed, we may downgrade your account or suspend your access to our Services until payment is received. 

Service credits. You can pay for some Services in advance by purchasing service credits. All service credits are subject to our Service Credit Terms.

Cancellation. You can cancel(opens in a new window) your paid subscription at any time. Payments are non-refundable, except where required by law. These Terms do not override any mandatory local laws regarding your cancellation rights. 

Changes. We may change our prices from time to time. If we increase our subscription prices, we will give you at least 30 days’ notice and any price increase will take effect on your next renewal so that you can cancel if you do not agree to the price increase.

Termination and suspension

Termination. You are free to stop using our Services at any time. We reserve the right to suspend or terminate your access to our Services or delete your account if we determine:

  • You breached these Terms or our Usage Policies.

  • We must do so to comply with the law.

  • Your use of our Services could cause risk or harm to OpenAI, our users, or anyone else.

We also may terminate your account if it has been inactive for over a year and you do not have a paid account. If we do, we will provide you with advance notice.

Appeals. If you believe we have suspended or terminated your account in error, you can file an appeal with us by contacting our Support team(opens in a new window).

Discontinuation of Services

We may decide to discontinue our Services, but if we do, we will give you advance notice and a refund for any prepaid, unused Services.

Disclaimer of warranties

OUR SERVICES ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS MAKE NO WARRANTIES (EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) WITH RESPECT TO THE SERVICES, AND DISCLAIM ALL WARRANTIES INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, NON-INFRINGEMENT, AND QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR TRADE USAGE. WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ACCURATE OR ERROR FREE, OR THAT ANY CONTENT WILL BE SECURE OR NOT LOST OR ALTERED. 

YOU ACCEPT AND AGREE THAT ANY USE OF OUTPUTS FROM OUR SERVICE IS AT YOUR SOLE RISK AND YOU WILL NOT RELY ON OUTPUT AS A SOLE SOURCE OF TRUTH OR FACTUAL INFORMATION, OR AS A SUBSTITUTE FOR PROFESSIONAL ADVICE.

Limitation of liability

NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA OR OTHER LOSSES, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. OUR AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED ​​THE GREATER OF THE AMOUNT YOU PAID FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS BEFORE THE LIABILITY AROSE OR ONE HUNDRED DOLLARS ($100). THE LIMITATIONS IN THIS SECTION APPLY ONLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

Some countries and states do not allow the disclaimer of certain warranties or the limitation of certain damages, so some or all of the terms above may not apply to you, and you may have additional rights. In that case, these Terms only limit our responsibilities to the maximum extent permissible in your country of residence.

OPENAI’S AFFILIATES, SUPPLIERS, LICENSORS, AND DISTRIBUTORS ARE INTENDED THIRD PARTY BENEFICIARIES OF THIS SECTION.

Indemnity

If you are a business or organization, to the extent permitted by law, you will indemnify and hold harmless us, our affiliates, and our personnel, from and against any costs, losses, liabilities, and expenses (including attorneys’ fees) from third party claims arising out of or relating to your use of the Services and Content or any violation of these Terms.

Dispute resolution

YOU AND OPENAI AGREE TO THE FOLLOWING MANDATORY ARBITRATION AND CLASS ACTION WAIVER PROVISIONS:

MANDATORY ARBITRATION. You and OpenAI agree to resolve any claims arising out of or relating to these Terms or our Services, regardless of when the claim arose, even if it was before these Terms existed (a “Dispute”), through final and binding arbitration. You may opt out of arbitration within 30 days of account creation or of any updates to these arbitration terms within 30 days after the update has taken effect by filling out this form(opens in a new window). If you opt out of an update, the last set of agreed upon arbitration terms will apply. 

Informal dispute resolution. We would like to understand and try to address your concerns prior to formal legal action. Before either of us files a claim against the other, we both agree to try to resolve the Dispute informally. You agree to do so by sending us notice through this form(opens in a new window). We will do so by sending you notice to the email address associated with your account. If we are unable to resolve a Dispute within 60 days, either of us has the right to initiate arbitration. We also both agree to attend an individual settlement conference if either party requests one during this time. Any statute of limitations will be tolled during this informal resolution process.

Arbitration forum. If we are unable to resolve the Dispute, either of us may commence arbitration with National Arbitration and Mediation (“NAM”) under its Comprehensive Dispute Resolution Rules and Procedures and/or Supplemental Rules for Mass Arbitration Filings, as applicable (available here(opens in a new window)). OpenAI will not seek attorneys’ fees and costs in arbitration unless the arbitrator determines that your claim is frivolous. The activities described in these Terms involve interstate commerce and the Federal Arbitration Act will govern the interpretation and enforcement of these arbitration terms and any arbitration. 

Arbitration procedures. The arbitration will be conducted by videoconference if possible, but if the arbitrator determines a hearing should be conducted in person, the location will be mutually agreed upon, in the county where you reside, or as determined by the arbitrator, unless the batch arbitration process applies. The arbitration will be conducted by a sole arbitrator. The arbitrator will be either a retired judge or an attorney licensed to practice law in the state of California. The arbitrator will have exclusive authority to resolve any Dispute, except the state or federal courts of San Francisco, California have the authority to determine any Dispute about enforceability, validity of the class action waiver, or requests for public injunctive relief, as set out below. Any settlement offer amounts will not be disclosed to the arbitrator by either party until after the arbitrator determines the final award, if any. The arbitrator has the authority to grant motions dispositive of all or part of any Dispute. 

Exceptions. This section does not require informal dispute resolution or arbitration of the following claims: (i) individual claims brought in small claims court; and (ii) injunctive or other equitable relief to stop unauthorized use or abuse of the Services or intellectual property infringement or misappropriation.

CLASS AND JURY TRIAL WAIVERS. You and OpenAI agree that Disputes must be brought on an individual basis only, and may not be brought as a plaintiff or class member in any purported class, consolidated, or representative proceeding. Class arbitrations, class actions, and representative actions are prohibited. Only individual relief is available. The parties agree to sever and litigate in court any request for public injunctive relief after completing arbitration for the underlying claim and all other claims. This does not prevent either party from participating in a class-wide settlement. You and OpenAI knowingly and irrevocably waive any right to trial by jury in any action, proceeding, or counterclaim. 

Batch arbitration. If 25 or more claimants represented by the same or similar counsel file demands for arbitration raising substantially similar Disputes within 90 days of each other, then you and OpenAI agree that NAM will administer them in batches of up to 50 claimants each (“Batch”), unless there are less than 50 claimants in total or after batching, which will comprise a single Batch. NAM will administer each Batch as a single consolidated arbitration with one arbitrator, one set of arbitration fees, and one hearing held by videoconference or in a location decided by the arbitrator for each Batch. If any part of this section is found to be invalid or unenforceable as to a particular claimant or Batch, it will be severed and arbitrated in individual proceedings.  

Severability. If any part of these arbitration terms is found to be illegal or unenforceable, the remainder will remain in effect, except that if a finding of partial illegality or unenforceability would allow class arbitration, class action, or representative action, this entire dispute resolution section will be unenforceable in its entirety.

Copyright complaints

If you believe that your intellectual property rights have been infringed, please send notice to the address below or fill out this form. We may delete or disable content that we believe violates these Terms or is alleged to be infringing and will terminate accounts of repeat infringers where appropriate.

OpenAI, L.L.C.
1455 3rd Street
San Francisco, CA 94158
Attn: General Counsel / Copyright Agent

Written claims concerning copyright infringement must include the following information:

  • A physical or electronic signature of the person authorized to act on behalf of the owner of the copyright interest

  • A description of the copyrighted work that you claim has been infringed upon

  • A description of where the allegedly infringing material is located on our site so we can find it

  • Your address, telephone number, and e-mail address

  • A statement by you that you have a good-faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law

  • A statement by you that the above information in your notice is accurate and, under penalty of perjury, that you are the copyright owner or authorized to act on the copyright owner’s behalf

General Terms

Assignment. You may not assign or transfer any rights or obligations under these Terms and any attempt to do so will be void. We may assign our rights or obligations under these Terms to any affiliate, subsidiary, or successor in interest of any business associated with our Services.

Changes to these Terms or our Services. We are continuously working to develop and improve our Services. We may update these Terms or our Services accordingly from time to time. For example, we may make changes to these Terms or the Services due to:

  • Changes to the law or regulatory requirements.

  • Security or safety reasons.

  • Circumstances beyond our reasonable control.

  • Changes we make in the usual course of developing our Services.

  • To adapt to new technologies.

We will give you at least 30 days advance notice of changes to these Terms that materially adversely impact you either via email or an in-product notification. All other changes will be effective as soon as we post them to our website. If you do not agree to the changes, you must stop using our Services.

Delay in enforcing these Terms. Our failure to enforce a provision is not a waiver of our right to do so later. Except as provided in the dispute resolution section above, if any portion of these Terms is determined to be invalid or unenforceable, that portion will be enforced to the maximum extent permissible and it will not affect the enforceability of any other terms.

Trade controls. You must comply with all applicable trade laws, including sanctions and export control laws. Our Services may not be used in or for the benefit of, or exported or re-exported to (a) any U.S. embargoed country or territory or (b) any individual or entity with whom dealings are prohibited or restricted under applicable trade laws. Our Services may not be used for any end use prohibited by applicable trade laws, and your Input may not include material or information that requires a government license for release or export. 

Entire agreement. These Terms contain the entire agreement between you and OpenAI regarding the Services and, other than any Service-specific terms, supersedes any prior or contemporaneous agreements between you and OpenAI. 

Governing law. California law will govern these Terms except for its conflicts of laws principles. Except as provided in the dispute resolution section above, all claims arising out of or relating to these Terms will be brought exclusively in the federal or state courts of San Francisco, California.

-------------------------------------------------------------------------------------------------------------------------------

Sample Commercial Terms of Service (Anthropic)

Commercial Terms of Service

Effective May 14, 2024
Previous Version

Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.

These Commercial Terms of Service (“Terms”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“Customer”). "Anthropic" means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“EEA”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of any Anthropic API key, the Anthropic Console, Team or enterprise tools, or any other Anthropic offerings that references these Terms (the “Services”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“Effective Date”). These Terms incorporate by reference our Service Specific Terms.

Please note: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our Consumer Terms of Service instead.

A. Services

  1. Overview. Subject to these Terms, Customer may use the Services, including to make submissions to the Services (“Prompts”) and generate responses to its Prompts (“Outputs” and, together with Prompts, “Customer Content”).
  2. Beta Services. Anthropic may offer Services that are in pre-release, beta, or trial form (“Beta Services”). This means that they are not suitable for production use and provided “as-is” on a temporary basis. Anthropic is not responsible for Customer’s use of or reliance on Beta Services.
  3. Feedback. If Customer decides, in its sole discretion, to provide Anthropic with feedback regarding the Services, Anthropic may use that feedback at its own risk and without obligation to Customer.
  4. Customer Content. As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer owns all Outputs, and disclaims any rights it receives to the Customer Content under these Terms. Anthropic does not anticipate obtaining any rights in Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Anthropic hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Anthropic may not train models on Customer Content from paid Services.
  5. Data Privacy. If Customer submits personal data or personally identifiable information (collectively, “PII”) to the Services, the Anthropic Data Processing Addendum in Exhibit A applies and is incorporated into these Terms by reference.

B. Trust and Safety; Restrictions

  1. Compliance. Each party will comply with all laws applicable to the provision (for Anthropic) and use (for Customer) of the Services, including any applicable data privacy laws.
  2. Acceptable Use Policy. Customer may only use the Services in compliance with these Terms, including the Acceptable Use Policy (“AUP”), which is incorporated by reference into these Terms, and which may be updated by Anthropic. Customer must use reasonable efforts to ensure the same of its customers or other end users (“Users”). Customer must cooperate with reasonable requests for information from Anthropic to support compliance with its AUP, including to verify Customer’s identity and use of the Services.
  3. Limitations of Outputs; Notice to Users. It is Customer’s responsibility to evaluate whether Outputs are appropriate for Customer’s use case, including where human review is appropriate, before using or sharing Outputs. Customer acknowledges, and must notify its Users, that factual assertions in Outputs should not be relied upon without independently checking their accuracy, as they may be false, incomplete, misleading or not reflective of recent events or information. Customer further acknowledges that Outputs may contain content inconsistent with Anthropic’s views.
  4. Use Restrictions. Customer may not and must not attempt to (a) access the Services to build a competing product or service, including to train competing AI models except as expressly approved by Anthropic; (b) reverse engineer or duplicate the Services; or (c) support any third party’s attempt at any of the conduct restricted in this sentence. Customer and its Users may only use the Services in the countries and regions Anthropic currently supports.
  5. Security. Customer will promptly notify Anthropic if Customer believes or knows that (a) the account it uses to access the Services has been compromised, or (b) Customer is subject to a denial of service or similar malicious attack that may negatively impact the Services.

C. Confidentiality

  1. Confidential Information. The parties may share information that is identified as confidential, proprietary, or similar, or that a party would reasonably understand to be confidential or proprietary ("Confidential Information"). Customer Content is Customer’s Confidential Information.
  2. Obligations of Parties. The receiving party ("Recipient") may only use the Confidential Information of the disclosing party ("Discloser") to exercise its rights and perform its obligations under these Terms. Recipient may only share Discloser’s Confidential Information to Recipient’s employees, agents, and advisors that have a need to know such Confidential Information and who are bound to obligations of confidentiality at least as protective as those provided in these Terms ("Representatives"). Recipient will protect Discloser’s Confidential Information from unauthorized use, access, or disclosure in the same manner as Recipient protects its own Confidential Information, and with no less than reasonable care. Recipient is responsible for all acts and omissions of its Representatives. Recipient will promptly notify Discloser if it suspects or knows that Discloser’s Confidential Information was breached, and agrees to cooperate to mitigate further risks of loss or misuse.
  3. Exclusions. Recipient’s obligations with respect to Confidential Information do not apply if Recipient demonstrates that Discloser’s Confidential Information was (a) already known to Recipient at the time of disclosure by Discloser, (b) disclosed to Recipient by a third party without a duty of confidentiality, (c) publicly available through no fault of Recipient, or (d) independently developed by Recipient without use of or access to Discloser’s Confidential Information. Recipient may disclose Discloser’s Confidential Information to the extent it is required by law, or court or administrative order, but will, except where expressly prohibited, notify Discloser of the required disclosure promptly and fully cooperate with Discloser.
  4. Destruction Request. Recipient will destroy Discloser’s Confidential Information promptly upon request, except copies in Recipient’s automated back-up systems, which will remain subject to these obligations of confidentiality while maintained.

D. Intellectual Property

Except as expressly stated in these Terms, these Terms do not grant either party any rights to the other’s content or intellectual property, by implication or otherwise.

E. Publicity

Anthropic may use Customer's name and logo to publicly identify Customer as a customer of the Services. Customer will consider in good faith any request by Anthropic to (1) provide a quote from a Customer executive regarding Customer’s motivation for using the Services that Anthropic may use publicly and (2) participate in a public co-marketing activity.

F. Fees

  1. Payment of Fees. Customer is responsible for fees incurred by its account, at the rates specified on the Model Pricing Page, unless otherwise agreed by the parties. Anthropic may require prepayment for the Services in the form of credits or offer other types of credits, all of which are subject to Anthropic’s Supplemental Credits Terms. Anthropic may update the published rates, to be effective the earlier of 30 days after the updates are posted by Anthropic or Customer otherwise receives Notice.
  2. Taxes. Fees do not include any taxes, duties, or assessments that may be owed by Customer for use of the Services ("Taxes"), unless otherwise specified in the applicable invoice. Customer is responsible for remitting any necessary withholding Taxes to the relevant authority on a timely basis and providing Anthropic with evidence of the same upon request. Where law provides for the reduction or elimination of withholding taxes, including via Tax treaty, the parties will collaborate in good faith to do so. For clarity, Customer must pay Anthropic the amount ("Gross-up Payment") that will ensure that Anthropic receives the same total amount that it would have received if no such withholding or reduction by Customer had been required (taking into account any and all applicable Taxes (including any Taxes imposed on the Gross-up Payment)).
  3. Billing. Failure to pay Anthropic all amounts owed when due may result in suspension or termination of Customer’s access to the Services. Anthropic reserves any other rights of collection it may have.

G. Termination and Suspension

  1. Term. These Terms start on the Effective Date and continue until terminated (the “Term”).
  2. Termination.
    1. Each party may terminate these Terms at any time for convenience with Notice, except Anthropic must provide 30 days prior Notice.
    2. Either party may terminate these Terms for the other party’s material breach by providing 30 days prior Notice detailing the nature of the breach unless cured within that time.
    3. Anthropic may terminate these Terms immediately with Notice if Anthropic reasonably believes or determines that Anthropic’s provision of the Services to Customer is prohibited by applicable law.
  3. Suspension.
    1. Anthropic may suspend Customer’s access to any portion or all of the Services if: (a) Anthropic reasonably believes or determines that (i) there is a risk to or attack on any of the Services; (ii) Customer or any User is using the Services in violation of Sections B.1 (Compliance), B.2 (Acceptable Use Policy) or B.4 (Use Restrictions); or (iii) Anthropic’s provision of the Services to Customer is prohibited by applicable law or would result in a material increase in the cost of providing the Services; or (b) any vendor of Anthropic has suspended or terminated Anthropic’s use of any third-party services or products required to enable Customer to access the Services (each, a “Service Suspension”).
    2. Anthropic will use reasonable efforts to provide written notice of any Service Suspension to Customer, and resume providing access to the Services, as soon as reasonably possible after the event giving rise to the Service Suspension is cured, where curable. Anthropic will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer may incur because of a Service Suspension.
  4. Effect of Termination. Upon termination, Customer may no longer access the Services. The following provisions will survive termination or expiration of these Terms: (a) Sections C (Confidentiality), E (Publicity), F (Fees), G.4 (Effect of Termination), H (Disputes), I (Indemnification), J.2 (Disclaimer of Warranties), J.3 (Limits on Liability), and K (Miscellaneous); (b) any provision or condition that must survive to fulfil its essential purpose.

H. Disputes

  1. Disputes. In the event of a dispute, claim or controversy relating to these Terms (“Dispute”), the parties will first attempt in good faith to informally resolve the matter. The party raising the Dispute must notify the other party (“Dispute Notice”), who will have 15 days from the date of delivery of the Dispute Notice to propose a time for the parties to meet with appropriately leveled executives to attempt to resolve the Dispute. If the parties have not resolved the dispute within 45 days of delivery of the Dispute Notice, either party may seek to resolve the dispute through arbitration as stated in Section H.2 (Arbitration).
  2. Arbitration. Any Dispute will be determined in English by final, binding arbitration according to the region-specific processes below. Judgment on any award issued through the applicable arbitration process in this Section H.2 (Arbitration) may be entered in any court having jurisdiction. EACH PARTY AGREES THEY ARE WAIVING THE RIGHT TO A TRIAL BY JURY, AND THE RIGHT TO JOIN AND PARTICIPATE IN A CLASS ACTION, TO THE FULLEST EXTENT PERMITTED UNDER THE LAW IN CONNECTION WITH THESE TERMS.
    1. For Customers residing in the EEA, Switzerland, or UK, Disputes will be determined by a sole arbitrator in Dublin, Ireland pursuant the UNCITRAL Arbitration Rules as at present in force. The appointing authority shall be the President for the time being of the Law Society
      of Ireland.
    2. For Customers residing anywhere else, Disputes will be determined by a sole arbitrator in San Francisco, CA pursuant to the Comprehensive Arbitration Rules and Procedures of Judicial Arbitration and Mediation Services, Inc.
  3. Equitable Relief. This Section H (Disputes) does not limit either party from seeking equitable relief.

I. Indemnification

  1. Claims Against Customer. Anthropic will defend Customer and its personnel, successors, and assigns from and against any Customer Claim (as defined below) and indemnify them for any judgment that a court of competent jurisdiction grants a third party on such Customer Claim or that an arbitrator awards a third party under any Anthropic-approved settlement of such Customer Claim. "Customer Claim" means a third-party claim, suit, or proceeding alleging that Customer’s paid use of the Services (which includes data Anthropic has used to train a model that is part of the Services) in accordance with these Terms or Outputs generated through such authorized use violates third-party patent, trade secret, trademark, or copyright rights.
  2. Claims Against Anthropic. Customer will defend Anthropic and its personnel, successors, and assigns from and against any Anthropic Claim (as defined below) and indemnify them for any judgment that a court of competent jurisdiction grants a third party on such Anthropic Claim or that an arbitrator awards a third party under any Customer-approved settlement of such Anthropic Claim. “Anthropic Claim” means any third-party claim, suit, or proceeding related to Customer’s or its Users’ (a) Prompts or (b) use of the Services in violation of the AUP, the Service Specific Terms, or Section B.4 (Use Restrictions). Anthropic Claims and Customer Claims are each a “Claim”, as applicable.
  3. Exclusions. Neither party’s defense or indemnification obligations will apply to the extent the underlying allegation arises from the indemnified party’s fraud, willful misconduct, violations of law, or breach of the Agreement. Additionally, Anthropic’s defense and indemnification obligations will not apply to the extent the Customer Claim arises from: (a) modifications made by Customer to the Services or Outputs; (b) the combination of the Services or Outputs with technology or content not provided by Anthropic; (c) Prompts or other data provided by Customer; (d) use of the Services or Outputs in a manner that Customer knows or reasonably should know violates or infringes the rights of others; (e) the practice of a patented invention contained in an Output; or (f) an alleged violation of trademark based on use of an Output in trade or commerce.
  4. Process. The indemnified party must promptly notify the indemnifying party of the relevant Claim, and will reasonably cooperate in the defense. The indemnifying party will retain the right to control the defense of any such Claim, including the selection of counsel, the strategy and course of any litigation or appeals, and any negotiations or settlement or compromise, except that the indemnified party will have the right, not to be exercised unreasonably, to reject any settlement or compromise that requires that it admit wrongdoing or liability or subjects it to an ongoing affirmative obligation. The indemnifying party’s obligations will be excused if either of the following materially prejudices the defense: (a) failure of the indemnified party to provide prompt notice of the Claim; or (b) failure to reasonably cooperate in the defense.
  5. Sole Remedy. To the extent covered under this Section I (Indemnification), indemnification is each party’s sole and exclusive remedy under these Terms for any third-party claims.

J. Warranties and Limits on Liability

  1. Warranties. Each party represents and warrants that (a) it is authorized to enter into these Terms; and (b) entering into and performing these Terms will not violate any of its corporate rules, if applicable. Customer further represents and warrants that it has all rights and permissions required to submit Prompts to the Services.
  2. Disclaimer of Warranties. EXCEPT TO THE EXTENT EXPRESSLY PROVIDED FOR IN THESE TERMS, TO THE MAXIMUM EXTENT PERMITTED UNDER LAW (A) THE SERVICES AND OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND; AND (B) ANTHROPIC MAKES NO WARRANTIES, EXPRESS OR IMPLIED, RELATING TO THIRD-PARTY PRODUCTS OR SERVICES, INCLUDING THIRD-PARTY INTERFACES. ANTHROPIC EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING OR PERFORMANCE, OR TRADE USE. ANTHROPIC DOES NOT WARRANT, AND DISCLAIMS THAT, THE SERVICES OR OUTPUTS ARE ACCURATE, COMPLETE OR ERROR-FREE OR THAT THEIR USE WILL BE UNINTERRUPTED. REFERENCES TO A THIRD PARTY IN THE OUTPUTS MAY NOT MEAN THEY ENDORSE OR ARE OTHERWISE WORKING WITH ANTHROPIC.
  3. Limits on Liability.
    1. Except as stated in Section J.3.b, the liability of each party, and its affiliates and licensors, for any damages arising out of or related to these Terms (i) excludes damages that are consequential, incidental, special, indirect, or exemplary damages, including lost profits, business, contracts, revenue, goodwill, production, anticipated savings, or data, and costs of procurement of substitute goods or services and (ii) is limited to Fees actually paid by Customer for the Services in the previous 12 months.
    2. The limitations of liability in this Section J.3 (Limits on Liability) do not apply to either party’s obligations under Section I (Indemnification).
    3. THE LIMITATIONS OF LIABILITY IN THIS SECTION J.3 (LIMITS ON LIABILITY) APPLY: (A) TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW; (B) TO LIABILITY IN TORT, INCLUDING FOR NEGLIGENCE; (C) REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT PRODUCT LIABILITY, OR OTHERWISE; (D) EVEN IF THE BREACHING PARTY IS ADVISED IN ADVANCE OF THE POSSIBILITY OF THE DAMAGES IN QUESTION AND EVEN IF SUCH DAMAGES WERE FORESEEABLE; AND (E) EVEN IF THE INJURED PARTY'S REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.
    4. The parties agree that they have entered into these Terms in reliance on the terms of this Section J.3 (Limits on Liability) and those terms form an essential basis of the bargain between the parties.

K. Miscellaneous

  1. Notices. All notices, demands, waivers, and other communications under these Terms (each, a "Notice") must be in writing. Except for notices related to demands to arbitrate or where equitable relief is sought, any Notices provided under these Terms may be delivered electronically to the Customer’s address or other authorized addresses provided to Anthropic; and to notices@anthropic.com if to Anthropic. Notice is effective only: (i) upon receipt by the receiving party, and (ii) if the party giving the Notice has complied with all requirements of this Section K.1 (Notices).
  2. Electronic Communications. Customer agrees to receive electronic communications from Anthropic based on Customer’s use of the Services and related to these Terms. Except where prohibited by applicable law, electronic communications may include email, through the Services or Customer’s management dashboard, or on Anthropic’s website. Anthropic may also provide electronic communications via text or SMS about Customer’s use of the Services or as Customer otherwise requests from Anthropic. If Customer wishes to stop receiving such messages, Customer may request it from Anthropic or respond to any such texts with “STOP.”
  3. Amendment and Modification. Anthropic may update these Terms at any time, to be effective 30 days after the updates are posted by Anthropic or Customer otherwise receives Notice, except that updates made in response to changes to law or regulation take effect immediately upon posting or Notice. Changes will not apply retroactively. No other amendment to or modification of these Terms is effective unless it is in writing and signed by both parties. Failure to exercise or delay in exercising any rights or remedies arising from these Terms does not and will not be construed as a waiver; and no single or partial exercise of any right or remedy will preclude future exercise of such right or remedy.
  4. Assignment and Delegation. Neither party may assign its rights or delegate its obligations under these Terms without the other party’s prior written consent, except that Anthropic may assign its rights and delegate its obligations as part of a sale of all or substantially all its business. Any purported assignment or delegation is null and void except as permitted above. No permitted assignment or delegation will relieve the contracting party or assignees of their obligations under these Terms. These Terms will bind and inure to the benefit of the parties and their respective permitted successors and assigns.
  5. Severability. If a provision of these Terms is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will neither affect any other term or provision of these Terms nor invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the parties will negotiate in good faith to modify these Terms to reflect the parties’ original intent as closely as possible.
  6. Interpretation. These Terms will be construed mutually, with neither party considered the drafter. Document and section titles are provided for convenience and will not be interpreted. The phrases “for example” or “including” or “or” are not limiting.
  7. Governing Law; Venue.
    1. These Terms are governed by and construed in accordance with the Governing Laws, without giving effect to any choice of law provision. "Governing Laws" means (i) for Customers in the EEA, Switzerland or UK, the Laws of Ireland; and (ii) for all other Customers, the laws of the State of California.
    2. Any suits, actions, or proceedings related to these Terms that are not required to be resolved via arbitration pursuant to Section H (Disputes) will be instituted exclusively in the Venue, and each party irrevocably submits to their exclusive jurisdiction. "Venue" means (i) for Customers in the EEA, Switzerland or UK, the courts of Ireland; and (ii) for all other Customers, federal or state courts located in California.
  8. Export and Sanctions. Customer may not export or provide access to the Services to persons or entities or into countries or for uses where it is prohibited under U.S. or other applicable international law. Without limiting the foregoing sentence, this restriction applies (a) to countries where export from the US or into such country would be prohibited or illegal without first obtaining the appropriate license, and (b) to persons, entities, or countries covered by U.S. sanctions.
  9. Integration. These Terms (including the AUP, DPA, Model Pricing Page and other documents or terms that are incorporated by reference by these Terms) constitute the parties’ entire understanding as to the Services’ provision and use. These Terms supersede all other understandings or agreements between the parties regarding the Services. If Customer has also agreed to our Consumer Terms of Service, these Terms control.
  10. Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

 

 

Exhibit A: Anthropic Data Processing Addendum

This Data Processing Addendum (“DPA”) applies to Anthropic and its processing of Personal Data in relation to the provision of Anthropic’s Services to the Customer (as defined in the Agreement). Unless otherwise expressly stated in the Agreement, this DPA shall be effective and remain in force for the full term of the Agreement. Anthropic and the Customer each may be referred to herein as a “Party” or collectively as the “Parties.”

1. DEFINITIONS

  • "Agreement" means the contract referencing this DPA under which Anthropic has agreed to provide Services.
  • "Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.
  • "Controller" will have the following meaning (as applicable): (a) the meaning given to “controller” under Applicable Data Protection Laws; or (b) the meaning given to “business” under Applicable Data Protection Laws.
  • "Covered Data" means Personal Data shared by Customer or a Customer Affiliate in relation to the provision of the Services. “Data Subject” means a natural person whose Personal Data is part of the Covered Data.
  • "Customer Affiliate" means an affiliate of Customer who is a beneficiary to the Agreement.
  • Data Subject Requests” means a request from a Data Subject to exercise their rights under Applicable Data Protection Laws. "GDPR" means Regulation (EU) 2016/679.
  • Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
  • "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and“Processed” will be interpreted accordingly.
  • Processor” will have the following meaning (as applicable): (a) the meaning given to“processor” under Applicable Data Protection Laws; or (b) the meaning given to “service provider” under Applicable Data Protection Laws.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to(including unauthorized internal access to), Covered Data.
  • "Services" means the services to be provided by Anthropic pursuant to the Agreement.
  • "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor)and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
  • "Sub-processor" means an entity appointed by Anthropic, as a Processor, to Process Covered Data on its behalf.
  • UK GDPR” has the meaning given under the Data Protection Act 2018 (UK).

2. GENERAL

  1. This DPA is incorporated into and forms an integral part of the Agreement. If there is any conflict between this DPA and the Agreement relating to the Processing of Covered Data, this DPA shall govern. Customer acknowledges and agrees that Anthropic may amend this DPA from time to time on reasonable notice to Customer where such changes are required because of changes in Applicable Data Protection Laws.
  2. Clauses 3 to 9 of this DPA apply to the extent Anthropic acts as a Processor on behalf of Customer with respect to the Covered Data.

3. DETAILS OF DATA PROCESSING

  1. The details of the Processing of Covered Data (such as subject matter, duration, nature, and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Part B of Schedule 1 to this DPA.
  2. Anthropic will only Process Covered Data in accordance with Applicable Data Protection Laws and on the documented instructions of Customer (including as set out in the Agreement and this DPA), unless required to do otherwise by applicable law to which Anthropic is subject, in which case Anthropic will, unless prohibited by applicable law, inform Customer of such legal requirement before Processing. Without limiting the foregoing, Anthropic is prohibited from:
    1. selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
    2. sharing Covered Data with any third party for cross-context behavioural advertising;
    3. retaining, using, or disclosing Covered Data outside of the direct business relationship and for any purpose other than for the business purposes specified in Part B of Schedule 1 or as otherwise permitted by Applicable Data Protection Laws; and
    4. except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Anthropic receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
  3. To the extent that any of the instructions provided by Customer to Anthropic in accordance with clause 3.b require Processing of Covered Data in a manner that falls outside the scope of the Services, Anthropic may:
    1. notify Customer that such instructions fall outside the scope of Services under the Agreement and not carry out such instructions, or at Anthropic’s election, make the performance of any such instructions subject to the payment by Customer of any costs and expenses incurred by Customer or such additional charges as Customer may reasonably determine; or
    2. immediately terminate the Agreement and the Services.
  4. Anthropic will promptly inform Customer if, in its opinion, an instruction from Customer relating to the Processing of Covered Data infringes Applicable Data Protection Law.
  5. Customer hereby authorises and instructs Anthropic to Process Covered Data anywhere that Anthropic or its Sub-processors maintain facilities.
  6. Anthropic will, at the request of Customer, provide assistance that is reasonable necessary for Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws.
  7. Customer will have the right to take reasonable and appropriate steps to ensure that Anthropic uses Covered Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws.
  8. Anthropic will ensure that each person authorised to process Covered Data is subject to a duty of confidentiality.
  9. Customer acknowledges that Anthropic’s Services are not designed, intended, or provided for the purpose of making predictions regarding any Data Subject, determining creditworthiness, or any other manner of automated decision-making regarding Data Subject(s) to which the Covered Data relates.
  10. Anthropic may charge Customer, and Customer will reimburse Anthropic, for any assistance provided by Anthropic to Customer in relation to this DPA, including with respect to any TIAs or consultation with any supervisory authority of Customer.

4. SUB-PROCESSORS

  1. Customer grants Anthropic the general authorisation to engage the Sub-processors listed in Schedule 5, and any additional Sub-processors in accordance with clause 4.c.
  2. Anthropic will: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are substantively no less protective of Covered Data than Anthropic’s obligations under this DPA; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
  3. In the event that Anthropic wishes to appoint an additional Sub-processor: (a) Anthropic will provide Customer reasonable notice; and (b) Customer may, on the basis of reasonable data privacy and data security concerns, object to Anthropic’s use of such Sub-processor by providing Anthropic with written notice of the objection within ten (10) days of the date of such notice, otherwise the additional Sub-processor shall be deemed approved. In the event Customer objects to Anthropic’s use of a new Sub-processor, Customer and Anthropic will work together in good faith to find a mutually acceptable resolution to address any objections raised by Customer.

5. DATA SUBJECT RIGHTS REQUESTS

  1. Anthropic will forward to Customer promptly any Data Subject Request received by Anthropic relating to the Covered Data and may advise the Data Subject to submit their request directly to Customer.
  2. Anthropic will, taking into account the nature of the Processing of Covered Data, provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

6. SECURITY

  1. Accounting for the state of the art, costs of implementation and the nature, scope and context and purposes of the relevant Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Anthropic will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for the Covered Data appropriate to the risk of the relevant Processing.
  2. The Parties agree that the measures set out in Schedule 2 provide an appropriate level of security for the Covered Data, accounting for the risks presented by the Processing outlined in the Agreement and this DPA.

7. AUDITS AND RECORDS

  1. Upon request, Anthropic will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
  2. To the extent required by Applicable Data Protection Legislation, Anthropic will permit Customer (or a suitably qualified, independent third-party auditor which is not a competitor of Anthropic) to audit Anthropic’s compliance with this DPA no more than once per calendar year on at least thirty (30) days’ written notice to Anthropic (an “Audit”), provided that Customer (or Customer’s third-party auditor, as applicable):
    1. may only conduct an Audit during Anthropic’s normal business hours;
    2. will conduct the Audit in a manner that does not disrupt Anthropic’s business;
    3. enters into a confidentiality agreement reasonably acceptable to Anthropic prior to conducting the Audit;
    4. pays any reasonably incurred costs and expenses incurred by Anthropic in the event of an Audit;
    5. ensures that its personnel comply with any policies and procedures notified by Anthropic to Customer when attending Anthropic’s premises;
    6. submits, as part of the written notice provided by Customer to Anthropic, a detailed proposed audit plan which is agreed by Anthropic (an “Audit Plan”); and
    7. conducts the Audit in compliance with the final agreed Audit Plan.
  3. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of the DPA. Nothing in this clause 7 will require Anthropic to breach any duties of confidentiality it owes to third parties.

8. SECURITY INCIDENTS

  1. Anthropic will notify Customer in writing without undue delay after becoming aware of any Security Incident. Anthropic will, to the extent reasonably necessary, cooperate with Customer’s investigation of the Security Incident. Anthropic’s notification of, or response to, a Security Incident will not be construed as an acknowledgement by Anthropic of any fault or liability with respect to the Security Incident.

9. DELETION AND RETURN

  1. Anthropic will, in any event, within thirty (30) days of the date of termination or expiry of the Agreement (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Anthropic or any Sub-processors.

10. STANDARD CONTRACTUAL CLAUSES

The Parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the Standard Contractual Clauses Module 1 (Controller to Controller),Module Two (Controller to Processor) and/or Module Three (Processor to Processor),each as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the Parties.

  1. To the extent required by Applicable Data Protection Laws, the jurisdiction-specific addenda to the Standard Contractual Clauses set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the Parties.
  2. To the extent that there is any conflict between the terms of this DPA and the terms of the Standard Contractual Clauses, the Standard Contractual Clauses shall govern.
  3. Anthropic will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Covered Data. Anthropic will, upon Customer’s request and at Customer’s cost, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment ("TIA") to the extent required under Applicable Data Protection Laws.

SCHEDULE 1 - DETAILS OF PROCESSING AND TRANSFERS

PART A – List of Parties

The Parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of Applicable Data Protection Laws, additional information regarding the data exporter and data importer is set out below.

  1. Data Exporter
    The data exporter is: Customer and/or Customer Affiliates exporting Covered Data to which the GDPR applies. The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Anthropic upon request.
  2. Data Importer
    The data importer is: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, United States. The data importer’s contact person and contact details are included in the Agreement or will be disclosed to Customer upon request.

PART B – Description of Processing

  1. Categories of Data Subjects - Determined by Customer (in accordance with the Agreement).
  2. Categories of Personal Data - Determined by the Customer (in accordance with the Agreement).
  3. Special categories of Personal Data (if applicable) - None.
  4. Duration and Frequency of the Processing - The Processing is performed on a continuous basis for the duration of the Agreement and is determined by Customer’s configuration of the Services.
  5. Subject matter and nature of the Processing - Performing the Services on behalf of Customer which involves Processing (including collection, storage, organisation and structuring) of Personal Data as part of a natural language-based, machine-learning tool, as further described in the Agreement; undertaking activities to verify or maintain the quality of the Services; debugging to identify and repair errors that impair existing intended functionality; helping to ensure security and integrity of the Services.
  6. Purpose(s) of the data transfer and further Processing - To provide the Services to Customer pursuant to the Agreement and as may be further agreed upon by Customer and Anthropic.
  7. Storage Limitation - The duration is the term of the Agreement.
  8. Sub-processor (if applicable) - To provide Processing system capability to Customer (as described in Schedule 4) to provide the Services described in the Agreement.

PART C – Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

Anthropic has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, accounting for the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Anthropic’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Anthropic’s organization, monitoring and maintaining compliance with Anthropic’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
    1. being transmitted by Anthropic over public networks (i.e., the Internet) or when transmitted wirelessly; or
    2. at rest or stored on portable or removable media (i.e., laptop computers,CD/DVD, USB drives, back-up tapes).
  4. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Anthropic’s passwords that are assigned to its employees; controls include appropriate password security requirements, and specific time and use limitations for passwords.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
  7. Physical and environmental security of data center, server room facilities and other areas containing Covered Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of
    Anthropic facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Anthropic’s possession.
  9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Anthropic’s technology and information assets.
  10. Incident / problem management procedures designed to allow Anthropic to investigate, respond to, mitigate, and notify of events related to Anthropic’s technology and information assets.
  11. Network security controls that provide for the use of firewall systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  12. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  13. Business resiliency/continuity plan and procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

SCHEDULE 3 - INTERNATIONAL TRANSFERS

EU SCCS

Elections for the purposes of Module 1, Module Two and Module Three of the Standard Contractual Clauses:

  1. Clause 7 (Docking clause) – does not apply.
  2. Clause 11 (Redress) – optional wording does not apply.
  3. Clause 17 (Governing Law) – Option 1 will apply and the governing law will be the law of the Republic of Ireland.
  4. Clause 18 (Choice of forum and jurisdiction) – the applicable choice of forum and jurisdiction will be the Republic of Ireland.
  5. For the purpose of Annex I of the Standard Contractual Clauses, Part A of Schedule 1 contains the specifications regarding the parties, Part B of Schedule 1 contains the description of transfer for Module Two and Module Three, and Part B of Schedule 1 contains the description of transfer for Module 1 except that the purpose, nature and subject matter of the processing shall be as set out in clause 2.3, and Part C of Schedule 1 contains the competent supervisory authority.
  6. For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.

Additional elections for the purposes of Module Two and Module Three of the Standard Contractual Clauses:

  1. Clause 9 (Use of sub-processors) – Option 2 (General written authorization) will apply, and the time period is as specified in clause 4.c of the DPA.
  2. For the purpose of Annex III of the Standard Contractual Clauses, the list of Sub-processors are set out in Schedule 4 or as otherwise determined by clause 4.c of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Anthropic upon request.

UK ADDENDUM

This UK Addendum will apply to any Processing of Covered Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.

  1. With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Customer (as data exporter) to Anthropic (as data importer):
    1. to the extent necessary under Applicable Data Protection Law, the Approved Addendum as further specified in this UK Addendum of this Schedule 3 will be incorporated into and form part of this DPA;
    2. for the purposes of Table 1 of Part 1 of the Approved Addendum, the parties’ details are as set out in Part A of Schedule 1;
    3. for the purposes of Table 2 of Part 1 of the Approved Addendum, the version of the Approved EU SCCs as set out in the EU SCCs of this Schedule 3 including the Appendix Information are the selected SCCs; and
    4. for the purposes of Table 4 of Part 1 of the Approved Addendum, Anthropic (as data importer) may end the Approved Addendum.

SWISS ADDENDUM

This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

  1. Interpretation of this Addendum
    1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
      1. This Addendum: This Addendum to the Clauses
      2. Clauses: The Standard Contractual Clauses as further specified in this Schedule
      3. Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
    2. This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
    3. This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
    4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
  2. Hierarchy
    In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
  3. Incorporation of the Clauses
    1. In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:
      1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that transfer; and
      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
    2. To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by clause 3.1 of this Swiss Addendum, include (without limitation):
      1. References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
      2. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."
      3. References to "Regulation (EU) 2016/679" or "that Regulation" or “GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s)
        of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
      4. References to Regulation (EU) 2018/1725 are removed.
      5. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
      6. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws;
      7. Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".
      8. Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.

  1. To the extent that any Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in this Schedule will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 3.1 and 3.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under clause 3.3(b)(g) of this Swiss Addendum.
  2. Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.

SCHEDULE 4 - SUB-PROCESSORS

Anthropic’s list of sub-processors is available at https://www.anthropic.com/subprocessors.

7.2. Ethan Mollick, One Useful Thing, Which AI to Use Now: An Updated Opinionated Guide (Updated Again 2/15)

Ethan Mollick, One Useful Thing, Which AI to Use Now: An Updated Opinionated Guide (Updated Again 2/15)

7.3. Second Chair, Practical Considerations When Evaluating AI Tools for Law Firms

Second Chair, Practical Considerations When Evaluating AI Tools for Law Firms

7.4. Opinion | We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. - The New York Times

Opinion | We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. - The New York Times