Master Services Agreement
For any customer who entered into an Order Form with Asymbl for products and/or services prior to April 29, 2026, the following Master Services Agreement was incorporated into your Order Form (unless you entered into a separate Master Services Agreement that would have been separately referenced and attached to your appliable Order Form with Asymbl.
THIS MASTER SERVICES AGREEMENT (THIS “AGREEMENT”) IS BY AND BETWEEN ASYMBL, INC., A DELAWARE CORPORATION (“ASYMBL”), TOGETHER WITH ITS AFFILIATES (AS THAT TERM IS DEFINED IN THIS AGREEMENT) (ASYMBL AND AFFILIATES, COLLECTIVELY AND INDIVIDUALLY, THE “PROVIDER”) AND THE CUSTOMER IDENTIFIED ON THE ORDER FORM AS THE LICENSEE OF THE PRODUCTS AND/OR RECIPIENT OF THE SERVICES.
AS USED IN THIS AGREEMENT, (I) THE TERM “AFFILIATES” MEANS ANY CORPORATION OR OTHER BUSINESS ENTITY THAT OWNS AND CONTROLS, OR IS OWNED AND CONTROLLED BY, OR IS UNDER COMMON OWNERSHIP AND CONTROL WITH PROVIDER, INCLUDING BUT NOT LIMITED TO BLUEPRINT ADVISORY SOFTWARE, LLC, A DELAWARE LIMITED LIABILITY COMPANY, (FOR THE PURPOSE OF THIS CLAUSE, OWNERSHIP AND CONTROL SIGNIFIES OWNERSHIP OF A MAJORITY OF THE VOTING RIGHTS IN A BUSINESS ENTITY), (II) THE TERM “CUSTOMER” MEANS IN THE CASE OF AN INDIVIDUAL ACCEPTING THIS AGREEMENT ON HIS OR HER OWN BEHALF, SUCH INDIVIDUAL, OR IN THE CASE OF AN INDIVIDUAL ACCEPTING THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, THE COMPANY OR OTHER LEGAL ENTITY ON BEHALF OF WHICH SUCH INDIVIDUAL IS ACCEPTING THIS AGREEMENT, AND (III) THE TERM “ORDER FORM” MEANS AN ORDER FORM SIGNED OR OTHERWISE SUBSCRIBED TO BY AN AUTHORIZED REPRESENTATIVE OF CUSTOMER THAT SPECIFIES THE PRODUCTS AND SERVICES TO BE PROVIDED HEREUNDER, THE FEES ASSOCIATED THEREWITH AND ANY OTHER APPLICABLE TERMS AND HAS BEEN ACCEPTED BY PROVIDER, AND SHALL INCLUDE ANY MODIFICATIONS, ADDENDA AND SUPPLEMENTS TO SUCH ORDER FORM. WHEN USED IN THIS AGREEMENT, CAPITALIZED TERMS THAT ARE DEFINED IN SECTION 23 BELOW SHALL HAVE THE RESPECTIVE MEANINGS ASCRIBED TO THOSE TERMS IN SECTION 23. ALL OTHER CAPITALIZED TERMS USED IN THIS AGREEMENT HAVE THE RESPECTIVE MEANINGS ASCRIBED TO THEM IN THIS AGREEMENT.
CUSTOMER MAY ACCEPT THIS AGREEMENT EITHER BY (1) CLICKING A BOX INDICATING ACCEPTANCE, OR (2) EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, WHICHEVER OCCURS FIRST. BY ACCEPTING THIS AGREEMENT, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY CONSISTENT WITH THE PREVIOUS PARAGRAPH. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THE TERMS AND CONDITIONS OF THIS AGREEMENT, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE PRODUCTS OR SERVICES.
THIS AGREEMENT IS EFFECTIVE BETWEEN CUSTOMER AND PROVIDER AS OF THE DATE OF CUSTOMER’S ACCEPTANCE OF THIS AGREEMENT (THE “EFFECTIVE DATE”).
- The Products and Services
- Provision of Work. This Agreement governs Customer’s (i) subscription to and use of one or more products, including any AI Products, that are ordered by Customer and made available by Provider to Customer (each a “Product” and collectively, the “Products”) and/or, (ii) the provision of professional services provided by Provider or an Affiliate or any Provider AI Solution to Customer (collectively, the “Services”), each as further described in one or more Order Form(s).
- The Products and Services. Unless otherwise specified in the applicable Order Form, each Product is purchased as a subscription for the term stated in the applicable Order Form. Customer agrees that Customer’s subscription to each Product is not contingent on the delivery of any future functionality or features, or dependent on any oral or written comments made by Provider regarding future functionality or features. Customer further agrees that Customer may purchase Services from Provider or an Affiliate which are related to the purchase of Products, or independent of and unrelated to any Product. All Services, including those related to installation, training, implementation and configuration of the Products, shall be provided under this Agreement and further specified in the appliable Order Form.
- Use of Provider AI Solutions & Deployment Tools. Customer acknowledges and agrees that Provider may use Provider AI Solutions in the delivery and deployment of Services to Customer, and that such Provider AI Solutions will have access to and use of Customer Data as necessary to deliver Services under applicable Order Forms. Customer authorizes such access and use of Customer Data by Provider AI Solutions to deliver the Services. Customer acknowledges that Provider’s pricing is dependent upon using Provider AI Solutions to deliver Services. Customer further agrees that Provider may use any Deployment Tools necessary to properly and efficiently deploy any Product with Customer.
- Beta Products. From time-to-time, Provider may make Beta Products available to Customer at no charge or minimal charge. Customer may choose to try such Beta Products or not at their sole discretion. Customer agrees that any such use of Beta Products by Customer will be provided “AS-IS” with no representations or warranties and that Provider will have no liability to Customer based on its usage of any such Beta Products and Customer hereby waives any and all potential claims against Provider in connection with its usage of any Beta Products. Provider may cease providing a Beta Product at any time.
- License Grant and Restrictions
- Subscription to the Products. Subject to the terms of this Agreement, Provider hereby grants to Customer a non-sublicensable, non-transferable, non-exclusive subscription license for Customer’s use of the Products by the quantity of subscription Users as specified in an associated Order Form or pursuant to such other subscription model as provided for in the Order Form (including consumption based subscriptions), each solely for Customer’s internal business purposes. For Products with User subscription licenses, such User subscription licenses are for designated Users and cannot be shared or used by more than one User but may be reassigned to new Users replacing former Users who no longer require ongoing use of the Product. Provider reserves all rights not expressly granted to Customer in this Agreement.
- Additional Users for User Based Products. If Customer wishes to add additional Users (“Additional Users”) for any Product, Customer must contact Provider and Provider shall make the Product available for the Additional Users on the terms and conditions set forth in this Agreement and the applicable Order Form. With respect to Additional Users: (i) the term access of any Additional Users to any Product will be coterminous with the preexisting Product subscription term (either the initial subscription term or any renewal subscription term) and all other terms of this Agreement and the applicable Order Form, and (ii) Customer will be responsible for any additional fees for any additional use exceeding the authorized number of Users.
- Salesforce.com. Provider makes no representations or warranties regarding third party service providers, including but not limited to, Customer’s access to Salesforce.com Services. Regardless of Customer’s access to or license to Salesforce.com Service or any other third party service, Customer is subject to the terms of this Agreement and Customer’s inability to fully access or utilize the Products due to access to Salesforce, Salesforce.com, or a third party service provider is not grounds to terminate this Agreement nor is it a reason for Customer to default on any or all provisions of this Agreement or the licensing fees.
- Customer Responsibilities
- Customer Restrictions. Customer shall not (i) license, sublicense, sell, or resell any Product or Service for a third party’s benefit unless expressly authorized in writing by Provider; (ii) transfer, assign, distribute or otherwise commercially exploit or use any Product, any Provider AI Solution, the Services, the Asymbl System or any Content except as authorized by Provider; (iii) modify or make derivative works based upon any of the Products, Provider A Solutions, the Services or the Content; (iv) create internet links to any of the Products or frame or mirror any Content on any other server or wireless or Internet-based device; (v) reverse engineer, decompile, disassemble, or otherwise create, attempt to create, or derive or permit a third party to create or derive, the source code, underlying technology or proprietary intellectual property underlying any of the Products, any Provider AI Solutions, the Services or the Asymbl System; (vi) interfere with or misuse any of the Products, Provider AI Solutions or the Services in any manner; (vii) upload Customer Data to any of the Products that contains any viruses or programming routines, macros, or other elements that may damage, surreptitiously intercept or expropriate any system, data or personal information; (viii) use the Products, Provider AI Solutions, Services or Services to transmit any infringing, libelous or otherwise unlawful content or data or to store, use or transmit any material in violation of any third party privacy rights; (Iv) access any of the Products for purposes of monitoring its availability, penetration or security testing, or for any benchmarking or competitive purposes or (x) otherwise use the Products, Provider AI Solutions, Services or Asymbl System outside the scope expressly permitted under this Agreement or applicable Order Form, including to develop a product or service competitive with Provider’s Products and Services.
- Customer shall: (i) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Products, Provider AI Solutions and Services, and notify Provider promptly of any unauthorized use of any password or account or any other known or suspected breach of security; (ii) report to Provider promptly and use reasonable efforts to stop immediately any unauthorized copying or distribution of Content that is known or suspected by Customer or Customer’s Users; and (iii) not impersonate another user of any Product or provide false identity information to gain access to or use any of the Products, Provider AI Solutions or Services; (iii) use the Products, Provider AI Solutions and Services in accordance with the terms of this Agreement and the Order Form, the and applicable laws and regulations; (iv) take all necessary actions to ensure compliance with applicable consumer protection laws associated with their usage of any Product (including obtaining necessary consents); and (v) be responsible for obtaining and maintaining any equipment, software and ancillary services needed to connect to, access or otherwise use the Products and Services. In addition, Customer will be responsible for ensuring that its systems (e.g., APIs) have sufficient bandwidth to use the Products and Services.
- Customer is responsible for the accuracy, quality and legality of the Customer Data it provides, its right to use any Customer Data or input, store or use such Customer Data within any Product, any Provider AI Solutions, the Asymbl System or in connection with any Services delivered hereunder, and the means by which it obtains or acquires such Customer Data.
- Any use of the Products, Provider AI Solutions, Services or the Asymbl System by Customer (or its Users) in violation of the above terms that in Provider’s reasonable judgment (i) threatens the security, integrity or availability of the any of the Products or the Asymbl System or (ii) violates applicable laws or Customer’s obligations hereunder, may result in the immediate suspension of Customer’s usage of any Products, the Asymbl System and any relevant Services, however Asymbl will use commercially reasonable efforts under the circumstances to provide Customer prior notice and an opportunity to remedy such threat or violation prior to any such suspension, to the extent practicable.
- Customer Data Generally. Certain features of the Products, Provider AI Solutions and Services may permit Customer (and its Users) to submit, use, upload, or otherwise transmit Customer Data to the Product, a Provider AI Solution or Asymbl System. Customer retains any and all copyright and other proprietary rights that Customer may hold in the Customer Data that Customer introduces to the Product or any Provider AI Solution, subject to the licenses granted in this Agreement. By providing Customer Data to or via any Product, Provider AI Solution or Service, Customer authorizes Provider to use it to provide the relevant Products and Service (including any Provider AI Solutions) to Customer (and its End Users).
- Customer’s Rights to the Customer Data. Customer will not provide any Customer Data if Customer is not the owner of, or not fully authorized to grant rights in all of the elements of that Customer Data. Provider disclaims any and all liability in connection with Customer Data. By providing Customer Data via the relevant Products, Provider AI Solution, Services and/or Asymbl System, Customer represents that:
- The Customer is the creator and owner of the Customer Data, or has the necessary licenses, rights, consents, and permissions to authorize Provider to use and distribute Customer Data as necessary to exercise the licenses granted by Customer in this Section, in the manner contemplated by Provider and this Agreement to enable Provider to deliver the relevant Products and Services (including via Provider AI Solutions) to Customer;
- The Customer Data, and the use of Customer Data as contemplated by this Agreement, does not and will not: (A) infringe, violate, misappropriate, or otherwise breach any third-party right, including any copyright, trademark, patent, trade secret, moral right, privacy right, right of publicity, or any other intellectual property, contract, or proprietary right; (B) slander, defame, libel, or invade the right of privacy, publicity or other property rights of any other person; or (C) cause Provider to violate any law or regulation or require Provider to obtain any further licenses from or pay any royalties, fees, compensation or other amounts or provide any attribution to any third parties; and
- The Customer Data could not be deemed by a reasonable person to be objectionable, profane, indecent, pornographic, harassing, threatening, embarrassing, hateful, or otherwise inappropriate.
- The Customer is the creator and owner of the Customer Data, or has the necessary licenses, rights, consents, and permissions to authorize Provider to use and distribute Customer Data as necessary to exercise the licenses granted by Customer in this Section, in the manner contemplated by Provider and this Agreement to enable Provider to deliver the relevant Products and Services (including via Provider AI Solutions) to Customer;
- Customer Data Disclaimer. Provider has no obligation to edit or control Customer Data that Customer or Customer’s Users use with the Product or Provider AI Solutions and will not be in any way responsible or liable for Customer Data, except to the extent expressly provided for in the Data Processing Addendum set forth in Exhibit B hereof. Provider may, however, at any time and without prior notice, screen, remove, edit, or block any Customer Data that Provider determines in its sole judgment violates this Agreement, is alleged to violate the rights of third parties, or is otherwise objectionable. If notified by a third party or content owner that Customer Data allegedly does not conform to this Agreement, Provider may investigate the allegation and determine in Provider’s sole discretion whether to remove the Customer Data, which Provider reserves the right to do at any time and without notice.
- No Sensitive Personal Information. Customer specifically agrees not to use the Products, Provider AI Solutions, Services, or the Asymbl System to collect, store, process or transmit any Sensitive Personal Information. Customer shall be responsible for any Sensitive Personal Information it submits to any Product, the Asymbl System or in connection with any Services, and Customer acknowledges that Provider is not subject to any additional obligations that may apply to any Sensitive Personal Information submitted to the Services. “Sensitive Personal Information” means any of the following: (i) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (“PCI DSS"); (ii) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA") not authorized or covered by a duly executed Business Associate Agreement with Provider; (iii) social security numbers, passport, driver licenses, other forms of identification, or (iv) any other personal data of an EU citizen deemed to be in a “special category” (as identified in EU General Data Protection Regulation or any successor directive or regulation).
- Monitoring of Customer Data. Provider does not control and does not have any obligation to monitor: (a) Customer Data; (b) any content made available by third parties; or (c) the use of the Products, Provider AI Solutions, Services or Asymbl System by its Users. Customer acknowledges and agrees that Provider reserves the right to, and may from time to time, monitor any and all information transmitted or received through the Products, Provider AI Solutions, Services, or the Asymbl System. If at any time Provider chooses to monitor Customer Data, then Provider still assumes no responsibility or liability for Customer Data or any loss or damage incurred as a result of the use of Customer Data. During monitoring, information may be examined, recorded, copied, and used in accordance with Provider’s Privacy Policy. Provider may block or filter any Customer Data uploaded to or transmitted through the Products, Service, and the Asymbl System without any liability to the Customer (or any User who provided such Customer Data to the Product, Service or Asymbl System).
- Compliance with Laws
- Customer is responsible for all activity occurring under Customer’s User accounts and shall abide by all applicable local, state, national and foreign laws, treaties and regulations in connection with Customer’s use of the Products and Services, including those related to data privacy, voice recording laws, the Telephone Consumer Protection Act, the FCRA, 15 U.S.C. § 1681 et seq., international communications and the transmission of technical or personal data, each as applicable (“Related Law”). To the extent Customer is licensing the Asymbl Intelligence Product, Customer agrees to comply with the terms set forth in Exhibit A hereto.
- Provider shall abide by all applicable local, state, national and foreign laws, treaties, and regulations in connection with providing the Products and Services, including those related to data privacy, international communications, artificial intelligence, and the transmission of technical or personal data.
- Telephone Consumer Protection Act (TCPA).
- Customer acknowledges that certain features of the Products and Services may enable automated or AI-powered outreach via telephone calls, SMS/text messages, or similar communications. Customer is solely responsible for determining the applicability of the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227 et seq., to Customer’s use of such features. Provider makes no representation regarding whether Customer’s use constitutes use of an “automatic telephone dialing system” (ATDS) or otherwise triggers TCPA requirements.
- Customer shall be solely responsible for: (i) obtaining prior express written consent where required by the TCPA or Related Law; (ii) maintaining records of consents; (iii) complying with time-of-day restrictions; (iv) honoring all applicable Do-Not-Call registries and internal do-not-contact lists; (v) providing required caller identification and opt-out mechanisms; and (vi) otherwise ensuring compliance with the TCPA and all applicable telemarketing laws. Customer shall indemnify and hold Provider harmless from any claims, costs, damages, or liabilities arising from Customer’s failure to comply with the TCPA or applicable telemarketing or communication laws.
- Provider does not obtain TCPA consents on Customer's behalf and is not responsible for the validity, scope, or revocation of any consent obtained by Customer. Customer shall maintain all records of consent, opt-out requests, and do-not-call compliance, and shall make such records available to Provider upon reasonable request in connection with any third-party claim or regulatory inquiry.
- Provider's voice and SMS outreach features may utilize third-party communication platforms, and Provider does not warrant that such platforms include built-in TCPA compliance mechanisms. Customer is solely responsible for verifying that its configuration and use of any outreach features comply with all applicable requirements.
- Voice Recording.
- Customer acknowledges that certain features of the Products and Services may enable the recording, transcription, or other processing of telephone calls or voice communications. Customer is solely responsible for compliance with all applicable federal and state laws governing voice recording, including laws requiring all-party or two-party consent (such as those in California, Illinois, Florida, and other jurisdictions). Provider makes no representation regarding the applicability of such laws to Customer’s particular use case.
- Where Customer enables voice recording features, Customer shall be solely responsible for: (i) providing required notices and disclosures prior to recording (e.g., “this call may be recorded or monitored”); (ii) obtaining required consents; (iii) configuring Products or Services to disable recording where consent is not obtained; and (iv) maintaining records of consents and disclosures. Customer shall indemnify and hold Provider harmless from any claims, costs, damages, or liabilities arising from Customer’s failure to comply with applicable voice recording laws.
- Customer further acknowledges that certain features may process audio input from Customer’s Users (including voice-to-text transcription) separate from recording of calls with third parties. Customer is solely responsible for providing required notices and obtaining required consents from its Users with respect to such audio processing under applicable employer monitoring, wiretapping, or privacy laws.
- Support, Service Level and Security
- Provider will provide the support and service levels for the Products as set forth in Exhibit B, attached hereto, and incorporated by this reference (the “Service Level Agreement”).
- Provider has implemented and will maintain Appropriate Security Measures based upon industry best practices. Provider may update these security procedures from time to time but will not materially reduce their scope during the term of this Agreement.
- Customer acknowledges and agrees that Provider will use its commercially reasonable efforts to maintain Customer’s access to and use of the Products, but such access and use is dependent upon and subject to the availability of the Salesforce.com Service, to the extent such Products are native to the Saleforce.com environment.
- Intellectual Property Ownership
- Provider Intellectual Property. Provider owns all rights, title and interest, including all related Intellectual Property Rights, in and to the Asymbl System, the Products, the Provider AI Solutions, the Services, the Content, and all improvements, enhancements, modifications, and derivative works of or included in the foregoing, including any software, applications, inventions or other technology developed in connection with and all intellectual property and proprietary rights in or related to any of the foregoing, including without limitation, all artificial intelligence, algorithms, software code, software designs, proprietary data bases, artificial intelligence (AI) systems, machine learning models, AI agents, automation workflows, training datasets, prompts, system prompts, AI agent configurations, API integrations, any other AI-related intellectual property (“Provider IP”). To the extent Customer acquires any right, title, or interest in any of the Provider IP, Customer hereby assigns all of its right, title, and interest in such Provider IP to Provider.
- Customer Intellectual Property. All Intellectual Property Rights in and to the Deliverables, excluding any Provider IP, that are specifically prepared by or on behalf of Provider in the course of performing the Services, that are delivered to Customer and paid for by Customer pursuant to an Order Form shall be the exclusive property of Customer (the “Customer Intellectual Property”). Customer hereby grants Provider a non-exclusive, worldwide, sublicensable, perpetual, paid-up right and license to use the Customer Intellectual Property to provide, maintain, protect, and improve the Products and Services and to develop other products and services.
- Provider Marks. . The Asymbl name, Asymbl Recruiter Suite, Asymbl Intelligence, Asymbl Recruiter Agent, Asymbl Time, Workforce Orchestration Company, the Provider logo and robot images, and any other names and logos associated with the Products and/or Services offered by Provider are trademarks of Provider.
- Customer Data. Customer retains all right, title, and interest in and to Customer Data. Customer grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data in an aggregated and anonymized manner, including to compile statistical, usage and performance information related to the provision, operation, support, improvement, and development of the Products and Services. Provider will not use or access any Customer Data except as set forth in this Agreement. Customer Data will not be used by Provider to train any Provider artificial intelligence models.
- Feedback. If Customer or any User provides any feedback to Provider regarding the Provider IP or otherwise, suggesting or recommending any changes, including without limitation, new features, enhancements, or functionality relating thereto, or any comments, questions, suggestions, or other feedback (“Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer grants Provider a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into the Provider IP any Feedback provided on or behalf of Customer, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other Intellectual Property Rights contained in the Feedback, for any purpose whatsoever. Notwithstanding the above, Provider is not required to use any Feedback.
- No Other Rights. Except as expressly set forth herein, no rights or licenses are granted.
- Fees and Billing
- Fees. Customer will pay all fees (including any usage based fees) for the Products and Services (the “Fees”) as specified in the associated Order Form(s). Fees for renewal subscription terms for Products will be based on Provider’s then-current Fees, unless otherwise stated in an Order Form. The Fees are exclusive of all value added taxes (VAT), other sales tax, any country specific custom duty, licenses, permits, tariffs or import tax (which shall be paid by Customer in addition to the Fees), excluding only United States (federal or state) taxes based solely on Provider’s income.
- Talent Intelligence Product Pricing. The Talent Intelligence Product is delivered as a subscription-based service that provides continuous access to the platform and its full suite of capabilities throughout the term of the Order Form.
The subscription to the Talent Intelligence Product includes a defined level of usage capacity, established based on anticipated Customer needs and prior usage patterns as provided for in an applicable Order Form. This capacity is administered through a flexible credit framework designed to support a range of activities within the Talent Intelligence Product. Credits are intended to guide expected usage within the subscription of the Talent Intelligence Product and may be utilized dynamically over the subscription period. If usage requirements exceed the included capacity for the subscription to the Talent Intelligence Product as provided for in an applicable Order Form, Customers may expand their subscription through the purchase of additional capacity if credits or by upgrading to a higher subscription tier, ensuring uninterrupted access to the Talent Intelligence Product. - Billing and Payment. Provider issues invoices for each Product on or about the Product subscription start date for the initial subscription term and each renewal date for any renewal subscription term. Fees for Products shall be paid in advance for the period specified on the Order Form or for a period of one (1) year in the case of any renewal subscription term or as otherwise provided with respect to any usage based fees provided for in an Order Form. Fees for Services shall be paid in accordance with the terms of the applicable Order Form. Unless otherwise stated on an Order Form, Fees are due net thirty (30) days from the date of the invoice. For any payment that is past due, Provider may, in its discretion and in addition to any other rights and remedies, impose and require Customer to pay late payment charge(s), upon demand at the lesser of fifteen percent (15%) per month or the highest rate permitted by applicable law. Late charges are calculated from the payment due date until the account is paid and shall be added to the subsequent invoice. All Fees due and payable under an Order Form shall be made to Provider in the currency listed in the Order Form, and in accordance with the instructions on such invoices. Customer is responsible for providing complete and accurate billing and contact information and notifying Provider of any changes to such information. All payment obligations are non-cancelable, and all amounts paid are nonrefundable, except as expressly set forth in this Agreement. If Customer adds additional Users to any Product or allows use of any Product by more than the paid-for number of Users associated with Customer’s subscription, Provider will invoice Customer for the additional applicable fees at the same rate for the current term.
- Offset. Customer acknowledges that Provider may, in addition to its other rights and remedies, set off any amount owed to Provider or Provider’s Affiliates from Customer under this Agreement, any Order Form, or any other agreement with Provider or Provider’s Affiliates against amounts owed by Customer, to Provider or Provider’s Affiliates under this Agreement, an Order Form or any other agreement with Provider or Provider’s Affiliates. Any and all costs and expenses, and all credits, refunds, and obligations, due to Provider or Provider’s Affiliates under this Agreement or an Order Form shall be (i) paid by Customer to Provider; or (ii) offset by Provider or Provider’s Affiliates against any of Customer’s unpaid invoices, at Provider’s option. Payments suspended or offset in good faith by Provider will not be a basis for Customer suspending its own performance under this Agreement or declaring Provider in breach of this Agreement or an Order Form. Customer may not set off any amount due from Provider, whether under this Agreement, an Order Form or otherwise, against any amount due to Provider or due to Provider’s Affiliates hereunder without Provider’s prior written consent.
- Term
- Term of Agreement. The term of this Agreement commences on the Effective Date and continues until (i) the expiration or termination of all of Customer’s Order Forms, or (ii) if earlier, termination of this Agreement pursuant to Section 10(b) below.
- Term of Product Subscriptions. The term of each Product subscription shall be as specified in the applicable Order Form. Except as otherwise specified in an Order Form, Product subscriptions will automatically renew for additional one year terms, unless either party gives the other written notice of non-renewal at least thirty (30) days before the end of the relevant Product subscription term. Customer agrees that Provider is permitted to increase its Product Fees by up to 10% annually for Order Form auto-renewals on the same terms and conditions as the Order Form that is auto-renewing. In the case of Beta Products, notifications provided through the applicable Product indicating the remaining number of days in the free trial shall constitute notice of termination, or the number of days stated on a trial Order Form shall constitute notice of termination. Except as expressly provided in the applicable Order Form, renewal of promotional or one-time priced Product subscriptions will be at Provider’s applicable list price in effect at the time of the applicable renewal. All Product subscriptions shall terminate at the same time as any termination of this Agreement pursuant to Section 10(b) below.
- Third-Party Products
- Third Party Products and Terms & Partner Tools. In connection with Customer’s license and use of the Products, Customer may elect to purchase one or more Third Party Products. The Third Party Products are subject to their own terms and conditions of service and/or use, including, but not limited to, warranties (if any) and ownership of intellectual property (the “Third Party Terms”). Such Third Party Terms and the applicable flow-through provisions are an integral part of this Agreement and Customer’s breach of such Third Party Terms shall be deemed a breach of this Agreement. If Customer does not agree to abide by the applicable Third Party Terms, then Customer should not install or use such Third Party Products. To the extent that Customer uses any Partner Tools in connection with the delivery of any Services or Products under an Order Form, Customer agrees that it will comply with all applicable terms, which Provider will provide to Customer, as applicable. If Customer violates any such terms related to Partner Tools, Provider may remove access to any such Partner Tool and take any other actions as permitted hereunder.
- No Representations or Warranties. Customer acknowledges and agrees that the use of the Third Party Products is at Customer’s sole risk. THE THIRD PARTY PRODUCTS AND RELATED DOCUMENTATION ARE PROVIDED “AS IS” AND WITHOUT ANY WARRANTY OF ANY KIND AND PROVIDER EXPRESSLY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE OR USE, INCLUDING CUSTOMER’S PARTICULAR BUSINESS OR INTENDED USE, OR OF THE THIRD PARTY PRODUCT'S RELIABILITY, PERFORMANCE OR CONTINUED AVAILABILITY. PROVIDER HAS NO LABILITY FOR ANY THIRD PARTY PRODUCTS WHICH THE CUSTOMER CHOOSES TO USE, INCLUDING THE THIRD PARTY PRODUCTS INABILITY TO ACCESS CUSTOMER DATA FOR ANY REASON NOT DUE TO PROVIDER.
- Suspension and Termination
- Suspension. If Customer is in breach of this Agreement, an Order Form, or in breach of another agreement with an Provider Affiliate due to non-payment such that payment is due and owing for fifteen (15) calendar days past the due date, in addition to any other rights or remedies, Provider may suspend Customer’s and any and all of Customer’s User’s access to and use of the Products and Services until Customer has cured the breach.
- Termination. In addition to Provider’s suspension rights, Provider may terminate this Agreement and any Order Form, and all Product subscriptions thereunder, upon written notice to Customer if: (i) Customer breaches this Agreement or an Order Form and does not cure such breach within thirty (30) days after written notice of such breach; (ii) if Customer becomes insolvent, make an assignment for the benefit of creditors, commence any proceedings in bankruptcy or consent to any bankruptcy or similar proceedings; or (iii) Provider determines, in its sole discretion, that such termination is necessary to prevent the unauthorized disclosure of confidential or proprietary information. Upon the expiration or termination of this Agreement for any reason, any amounts which Customer owes to Provider under this Agreement or an Order Form for the period prior to such termination will become immediately due and payable, and Provider will terminate Customer’s access to and use of the Products and Services. Sections 3, 6, 7, 10-16 and 18-23 will survive the termination or expiration of this Agreement. In no event will termination relieve Customer of Customer’s obligation to pay any Fees payable to Provider for the period prior to the effective date of termination.
- Representations and Warranties
- Mutual Warranty. Each party represents and warrants that it has the legal power and authority to enter into this Agreement.
- Data Warranty. Customer represents and warrants that Customer owns or has obtained all rights, consents, permissions, or licenses necessary to allow the Products to access, possess, manipulate, process, or use Customer Data and User Details.
- Disclaimer of Warranties
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, PROVIDER MAKES NO WARRANTIES, REPRESENTATIONS OR GUARANTIES OF ANY KIND, AND ALL CONTENT IS PROVIDED TO CUSTOMER STRICTLY ON AN “AS-IS, AS-AVAILABLE” BASIS. PROVIDER DISCLAIMS, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALL IMPLIED OR STATUTORY WARRANTIES, INCLUDING WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THAT AI PRODUCTS AND PROVIDER AI SOLUTIONS ARE BASED ON ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING, ARE INTENDED TO AUGMENT (NOT REPLACE) CUSTOMER’S BUSINESS DECISIONS AND HUMAN JUDGMENT, AND MAY CONTAIN ERRORS OR BE UNAVAILABLE AT TIMES. NO ADVICE OR INFORMATION OBTAINED FROM THE PRODUCTS OR SERVICES WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT. CUSTOMER USES THE PRODUCTS AND SERVICES AT ITS OWN RISK AND SHOULD NOT RELY EXCLUSIVELY ON AI PRODUCTS OR PROVIDER AI SOLUTIONS FOR CRITICAL DECISIONS WITHOUT INDEPENDENT VERIFICATION.
- Mutual Indemnification
- Customer’s Indemnity. Customer shall indemnify and hold Provider and its affiliates, officers, directors, employees, and agents harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys’ fees and costs) arising out of, or in connection with (i) a breach of this Agreement or an Order Form by Customer, Customer’s employees or agents, (ii) the negligent or unlawful use of the Products or Services or any aspect thereof by Customer, Customer’s employees or agents, (iii) a third party infringement or similar claim due to the Services, Asymbl System’s, Provider AI Solutions or any Products access to, possession of, manipulation of, processing of, or use of, the Customer Data or User Details as is necessary to provide the Products or Services or (iv) Customer's failure to comply with the TCPA, applicable voice recording laws, the FCRA, or any other Related Law in connection with Customer’s use of the Products or Services, or (v) any claim by a third party arising from Customer Data, including any Voice Data, submitted to or processed by the Products or Services.
- Provider’s Indemnity. If any action is instituted by an unaffiliated third party against Customer based upon a claim that the Products or Services, as provided to Customer, infringe a copyright, registered patent or trademark, then Provider shall indemnify, defend and hold Customer and Customer’s affiliates, officers, directors, employees, and agents harmless from and against the claims, costs, damages, and expenses (including reasonable attorneys’ fees and costs) arising out of, or in connection with such claim brought by an unaffiliated third party as are finally awarded against Customer or paid in settlement of such claim. Provider also may, at its option and expense: (i) procure for Customer the right to continue using the Products and Services, (ii) replace or modify the Products and Services so that it is no longer infringing but continues to provide comparable functionality, or (iii) terminate this Agreement and the applicable Order Form and Customer’s access to the Products and Services and refund any amounts previously paid for the Products and Services attributable to the remainder of the then-current subscription term(s). Provider will have no liability to Customer for any infringement action that arises out of a breach of the terms and conditions of this Agreement by Customer or of the use of the Products, Provider AI Solutions or Services (Y) after any Product or Service has been modified by Customer or a third party without Provider’s prior written consent, or (Z) in combination with any other service, equipment, software or process not provided by Provider where the combination is the basis for the infringing activity. THIS SECTION SETS FORTH THE ENTIRE OBLIGATION OF PROVIDER AND CUSTOMER’S EXCLUSIVE REMEDY AGAINST PROVIDER OR ANY OF ITS AFFILIATES OR SUPPLIERS FOR ANY INFRINGEMENT CLAIM.
- Procedure. A party seeking indemnification under this Section 13 will: (i) give written notice of the claim promptly to the other party, (ii) give the other party sole control of the defense and settlement of the claim, and (iii) provide to the other party all available information and assistance.
- Insurance; Limitations of Liability
- Insurance. During the term of this Agreement, Provider will, at its cost, maintain (i) workers’ compensation and technology errors and omissions insurance policies, and (ii) any other insurance required by law in any jurisdiction where Provider provides Services under this Agreement. During the term of this Agreement, Customer will, at Customer’s cost, maintain all insurance required by law in any jurisdiction where Customer operates Customer’s business and/or uses the Products or Services. All policies required under this Section will be written by reputable national insurance carriers.
- LIMITATION OF LIABILITY. PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL IN NO EVENT EXCEED THE AMOUNT PAID BY CUSTOMER HEREUNDER (EXCLUDING THE COST OF CREDITS OR TOKENS OR SIMILAR USAGE BASED FEE PROVIDED FOR UNDER ANY APPLICABLE ORDER FORM) IN THE TWELVE (12) MONTHS PRECEDING THE ACT, OMISSION, ERROR OR BREACH GIVING RISE TO SUCH LIABILITY. THE ABOVE LIMITATIONS WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY. HOWEVER, THE ABOVE LIMITATIONS WILL NOT LIMIT CUSTOMER’S PAYMENT OBLIGATIONS UNDER SECTION 7. IN NO EVENT MAY A CAUSE OF ACTION BE ASSERTED AGAINST PROVIDER UNDER THIS AGREEMENT WHICH ARISES OUT OF OR RELATES TO ANY EVENT OCCURRING MORE THAN ONE (1) YEAR PRIOR TO THE FILING OF SUCH CAUSE OF ACTION.
- NO SPECIAL DAMAGES. IN NO EVENT SHALL PROVIDER OR ANY PROVIDER AFFILIATE BE LIABLE TO ANYONE FOR ANY INDIRECT, PUNITIVE, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR OTHER SPECIAL DAMAGES OF ANY TYPE OR KIND (INCLUDING LOSS OF REVENUE, PROFITS, DATA, USE OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THE PRODUCTS, THE THIRD PARTY PRODUCTS, OR SERVICES, AN ORDER FORM OR THIS AGREEMENT, EVEN IF PROVIDER HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, TO THE MAXIMUM EXTENT ALLOWABLE BY APPLICABLE LAW.
- EXCEPTIONS TO LIMITATION OF LIABILITY. NOTWITHSTANDING THE FOREGOING, THE LIMITATIONS OF LIABILITY SET FORTH IN SECTIONS 14(b) AND 14(c) SHALL NOT APPLY TO: (I) CUSTOMER'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 13(a); (II) CUSTOMER'S PAYMENT OBLIGATIONS UNDER SECTION 7; (III) EITHER PARTY'S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER SECTION 15; OR (IV) EITHER PARTY'S WILLFUL MISCONDUCT OR FRAUD.
- Confidentiality.
- Confidential Information. Each party (the “Disclosing Party”) may from time to time disclose to the other party (the “Receiving Party”) certain information regarding the business, products, or services of the Disclosing Party and its suppliers, including technical, marketing, financial, employee, planning, Customer Data, User Details, and other confidential or proprietary information, including information that the Receiving Party knew or should have known, under the circumstances, was considered confidential or proprietary by the Disclosing Party (“Confidential Information”).
- Protection of Confidential Information. The Receiving Party will not use any Confidential Information of the Disclosing Party for any purpose other than exercising its rights or exercising its obligations and rights under this Agreement, and will disclose the Confidential Information of the Disclosing Party only to the employees or contractors of the Receiving Party who have a need to know such Confidential Information for purposes of this Agreement and who are under a duty of confidentiality no less restrictive than the Receiving Party’s duty under this Section 15(b). The Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner as the Receiving Party protects its own confidential or proprietary information of a similar nature and with no less than reasonable care.
- Exceptions. The Receiving Party’s obligations under Section 15(b) with respect to any Confidential Information of the Disclosing Party will not apply if such information: (i) was already known to the Receiving Party without restriction at the time of disclosure by the Disclosing Party; (ii) was disclosed to the Receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (iii) is, or through no fault of the Receiving Party has become, generally available to the public; or (iv) was independently developed by the Receiving Party without access to or use of the Disclosing Party’s Confidential Information. In addition, the Receiving Party will be allowed to disclose Confidential Information of the Disclosing Party to the extent that such disclosure is (x) approved in writing by the Disclosing Party; (y) necessary for the Receiving Party to enforce its rights under this Agreement in connection with a legal proceeding; or (z) required by law or by the order of a court of similar judicial or administrative body, provided that the Receiving Party notifies the Disclosing Party of such required disclosure promptly and in writing and cooperates with the Disclosing Party, at the Disclosing Party’s request and expense, in any lawful action to contest or limit the scope of such required disclosure. Disclosure pursuant to clause (z) of the preceding sentence shall not render Confidential Information as non-confidential or remove such Confidential Information from the obligations of the confidentiality obligations set forth in this Section 15.
- Return of Confidential Information. Upon the expiration or termination of this Agreement, and following a written request from the Disclosing Party, the Receiving Party will return to the Disclosing Party or use reasonable efforts to destroy all Confidential Information of the Disclosing Party in the Receiving Party’s possession or control. Upon request, the Receiving Party will certify in writing signed by an officer of the Receiving Party that it has fully complied with its obligations under this Section 15(d). Notwithstanding the foregoing, the Receiving Party may retain a limited number of electronic backup copies of Confidential Information as are automatically created and retained by the Receiving Party’s standard backup processes and systems. The Receiving Party shall comply with its nondisclosure obligations under this Agreement with regard to such copies and shall destroy them in accordance with Receiving Party’s normal destruction processes.
- Injunctive Relief. Each party acknowledges and agrees that, in the event of a breach or threatened breach of this Section 15, damages will not be an adequate remedy and accordingly, the Disclosing Party may be entitled to seek injunctive relief against such breach or threatened breach in addition to any other remedies available to such party.
- Compliance and Privacy
- Export and Anti-Corruption. The Products, Services, Provider AI Solutions, the Content, and other technology Provider makes available to Customer, and any derivatives thereof, may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied-party list. Customer shall not permit Users to access or use the Products, Services or Content in a U.S.-embargoed country or in violation of any U.S. export law or regulation. Customer has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Provider’s employees or agents in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use its best efforts to promptly notify Provider at [email protected].
- Data Security and Privacy. Because the provision of the Products and/or Provider AI Solutions and/or may require Provider to receive, store, transmit or manage Customer Data, Provider and Customer hereby agree to comply with the provisions of Exhibit C, attached hereto, and otherwise will ensure appropriate protection and handling of Customer Data.
- Assignment; Binding Effect
Neither this Agreement nor any rights or obligations hereunder may be assigned or transferred by Customer without the prior written consent of Provider. Any attempted assignment or transfer in violation of the foregoing will be void. This Agreement shall be binding on and inure to the benefit of the parties hereto and their respective heirs, representatives, successors and permitted assigns. Any purported assignment in violation of this Section shall be null and void and have no effect.
- Notices
All notices required or permitted under this Agreement must be delivered in writing by courier, email or by certified or registered mail (postage prepaid and return receipt requested) to the other party. Notices hereunder will be effective (a) upon receipt or 3 days after being deposited in the U.S. Mail as required above, whichever occurs sooner, or (b) if delivered by email, upon confirmation by the receiving party of receipt of the particular email. Any notice to Provider must be delivered to Asymbl, Inc., 3005 S. Lamar Blvd, Ste D109 #369, Austin, Texas 78704 or to [email protected].
- Governing Law; Venue
This Agreement, and its negotiation, execution, delivery, performance and enforcement, shall be governed by and construed in accordance with the substantive and procedural laws of the State of Texas, without giving effect to any conflicts of laws principles that require the application of the law of a different jurisdiction. Any disputes, actions, claims or causes of action arising out of or in connection with this Agreement, the Products, or the Services shall be subject to the exclusive jurisdiction of the state and federal courts located in Austin, Texas.
- Marketing. Customer agrees to participate in reasonable marketing/customer stories activities to highlight its customer experience with Provider, as outlined below.
- Upon Signature. Upon execution of this Agreement: (i) Customer grants Provider the right to display Customer’s name and logo on Provider’s website and in general marketing materials as a customer of Provider and (I) Customer agrees to collaborate with Provider to develop a 1–2 paragraph written “win story” summarizing (i) Customer’s core challenge and (ii) the reasons Customer selected Provider. This content may be used for external sharing on Provider’s website, social media channels, and in customer-facing presentations.
- Upon Go-Live. Following successful implementation and phased go-live of any of the Customer’s Products/Services as provided for in the applicable Order Form, Customer agrees to collaborate with Provider to develop a 1–2 paragraph written “launch story” summarizing (i) Customer’s core challenge, (ii) Customer’s experience during the implementation/build phase, and (iii) how Provider’s Products and Services were implemented to address the challenge. This content may be used for external sharing on Provider’s website, social media channels, and in customer-facing presentations.
- Post-Live ROI Story (Within 90 Days of Product/Services Go-Live). Within approximately ninety (90) days following any of the Product/Services phased go-live, Customer agrees to collaborate with Provider to develop a longer-form written customer story to be published on Provider’s website and incorporated into customer-facing presentations. This story will include: (i) A description of Customer’s core challenge, (ii) The reasons Customer selected Provider, (iii) Customer’s experience during implementation, and (iv) At least one measurable outcome or ROI statistic demonstrating the impact of the partnership.
- Exclusions. The marketing support outlined earlier excludes executive quotes, employee headshots, video interviews, or involvement in webinars unless Customer specifically consents. Additionally, Customer is not required to provide these elements. All marketing materials referencing Customer contemplated herein will be subject to Customer’s prior written approval, not to be unreasonably withheld or delayed.
- Non-Solicitation. During the Term of this Agreement and for a period of twelve (12) months following its expiration or earlier termination (the "Restricted Period"), Customer shall not, and shall cause its affiliates, subsidiaries, and any person or entity acting on Customer's behalf not to, directly or indirectly: (a) solicit, recruit, induce, or attempt to solicit, recruit, or induce any Covered Person to terminate or reduce their engagement with Provider, whether as an employee, independent contractor, or consultant; (b) hire, engage, or retain any Covered Person as an employee, independent contractor, consultant, advisor, or in any other capacity, whether directly or through an intermediary (including a staffing agency or professional employer organization); or (c) encourage, facilitate, or assist any third party in taking any action described in clauses (a) or (b) above. "Covered Person" means any individual who is, or was at any point during the twelve (12) months preceding the date of the solicitation or hire, employed by or engaged with Provider as an employee, contractor, consultant, or in any similar capacity, and whom Customer first became aware of, or had contact with, in connection with the performance of this Agreement. The foregoing shall not prohibit Customer from making general solicitations not specifically targeted at Covered Persons (including broad-based job postings or advertising campaigns), provided Customer agrees it shall not hire or engage any Covered Person who may respond to such posting or campaign in accordance with this provision. Customer acknowledges that any breach of this Section 21 would cause Provider irreparable harm for which monetary damages would be an inadequate remedy, and that Provider shall be entitled to seek equitable relief, including injunction and specific performance, without the requirement to post bond or prove actual damages, in addition to all other remedies available at law or in equity. If any court of competent jurisdiction determines that any restriction set forth in this Section 21 is unenforceable or invalid by reason of its duration, geographic scope, scope of covered persons, or any other basis, the parties expressly authorize and request that such court modify and enforce the restriction to the maximum extent permitted by applicable law rather than void or strike it in its entirety. The parties acknowledge that the restrictions in this Section 21 are severable, and that the unenforceability of any individual restriction shall not affect the validity or enforceability of any remaining restriction. Without limiting the foregoing, if any provision of this Section 21 is held unenforceable in a particular jurisdiction, such holding shall apply only in that jurisdiction and shall not affect the enforceability of such provision in any other jurisdiction in which it would otherwise be valid. Provider and Customer further agree that, to the extent any provision of this Section 21 is deemed unenforceable solely because it applies to a category of persons broader than permitted by applicable law, it shall be enforced as applied to the narrower category of persons for which enforcement is permissible.
- General. If any legal action or other proceeding is brought in connection with this Agreement, the prevailing party shall be entitled to recover reasonable attorneys’ fees and costs, in addition to any other relief to which such party may be entitled. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision, with all other provisions remaining in full force and effect. The parties are independent contractors and this Agreement does not create any joint venture, partnership, employment, or agency relationship between them. The failure of either party to enforce any right or provision in this Agreement shall not constitute a waiver of that or any future right or provision. The descriptive headings of the sections, and subsections of this Agreement are for convenience of reference only. They do not constitute a part of this Agreement and do not affect this Agreement’s construction or interpretation. This Agreement, together with any associated Order Form, comprises the entire agreement between Customer and Provider and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the parties regarding the subject matter contained herein, including any previously executed electronic version of a Provider subscription or service agreement, commonly known as a clickthrough or end user license agreement. In the event of a conflict between the terms in this Agreement and the terms in any Order Form, the Order Form will control. Any delay in or failure of performance by either party under this Agreement will not be considered a breach of this Agreement to the extent caused by any Force Majeure Event.
- Definitions
As used in this Agreement the following terms have these meanings:
- “AI Product” means a software product (including any cloud-based SaaS product), any Digital Worker or other software solution or platform that is built upon artificial intelligence, agentic AI technology, machine learning, and other relevant technology.
- “Appropriate Security Measures” means commercially reasonable technical, physical, and procedural controls to (i) protect Customer Data and User Details against destruction, loss, alteration, unauthorized disclosure to third parties, and unauthorized access by employees or contractors employed by Provider, and (ii) prevent the introduction of any malicious code, files, scripts, agents or programs intended to do harm, including without limitation, viruses, worms, time bombs and Trojan horses, into the Products and the Content.
- “Asymbl Intelligence Product” means is the intelligence layer of the Asymbl platform using artificial intelligence, that captures context, pattern recognition and wisdom that accumulates across every workflow, decision, and outcome, and makes these signals available to every Digital Worker and every human teammate operating on the platform.
- “Asymbl System” means the hardware, software, platform, network equipment, and other technology used by Provider to deliver the Products, and any other of Provider’s proprietary technology (including software, hardware, products, processes, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information) made available to Customer by Provider in providing the Products.
- “Beta Products” means a service, functionality, feature, and/or product that may be made available to Customer to try at its option at no additional (or minimal) charge which is clearly designated as beta, pilot, limited release, limited availability, non-production, evaluation or by a similar description.
- “Content” means the visual information, documents, software, products, and services contained or made available to Customer in the course of using the Products and Services, other than the Products and Services themselves, Customer Data and User Details.
- “Customer Data” means any information (including without limitation personally identifiable information) provided, made available, or submitted by Customer to any of the Products or retrieved by any of the Products from another source as directed by Customer other than User Details.
- "Deliverables” means the output provided as part of the Services or as otherwise described in an Order Form, which could include any output via any Provide AI Solutions use to provide any part of the Services provided for under any applicable Order Form.
- “Deployment Tool” means any tool or solution that facilitate the deployment of any Product in Customer’s environment or any third party environment, including Salesforce, which includes access to all relevant Customer Data to enable such deployment of the relevant Product.
- “Digital Worker” means Provider’s product line of intelligent digital teammates built to perform defined roles within a hybrid workforce, which are offered as (i) product workers pre-built to operate within Provider applications, (ii) service delivery workers who operate as part of Provider's team on customer engagements for Service engagements for Customers, and (iii) custom digital workers built to spec for a Customer's specific business needs.
- “Force Majeure Event” means events or circumstances beyond a party’s reasonable control, including without limitation, acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, pandemics, epidemics, strikes or other labor problems, LLM provider, telecommunications or network failures or delays, service or computer failures involving services, hardware, or software not within Provider’s possession or reasonable control, and acts of vandalism, including network intrusions and denial of service attacks. For the avoidance of doubt, Customer acknowledges that Customer’s inability to pay the Fees or to access the Salesforce Service is not a Force Majeure Event and Customer expressly assumes such risk that its ability to utilize the Products can be impaired by its inability to use or access Salesforce.com Services. Customer’s payment obligations under this Agreement shall remain in effect regardless of any Force Majeure Event.
- "GDPR” means the General Data Protection Regulation of the European Union.
- “Intellectual Property Rights” means unpatented inventions, patent applications, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, know-how and other trade secret rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world.
- “Partner Tools” means any third party tools that Provider licenses from a third party provider and provides to Customer for usage in connection with delivery and/or usage of any Services or Products provided for in an applicable Order Form.
- “Provider AI Solutions” means all artificial intelligence solutions and technology, including agentic AI solutions and products and any Digital Workers that Provider may use to deliver, implement, or deploy any of the Services under this Agreement and relevant Order Forms.
- “Salesforce.com Service” means the service provided by salesforce.com to which Customer must be a subscriber in order to obtain the Products.
- “Third Party Products” means application software products provided by third party vendors, including operating system and application software with which any Product may interface.
- “Third Party Vendors” means the manufacturers, authors, developers, vendors, and/or service providers of the Third Party Products.
- “User(s)” means Customer’s named employees, representatives, consultants, contractors, partners, or agents who are authorized to use the Products by Customer through the Salesforce LMA (License Management Application) or the user management facility of the Products or otherwise.
- “User Details” means basic information collected by Provider about Customer’s Users authorized by Customer to use the Products which is used for subscription management, activity logging, communications to Users by Provider, and technical support purposes.
Exhibit A
FCRA Requirements
Customer agrees to comply with the following terms in connection with their use of the Asymbl Intelligence Product:
- Permissible Purpose. Customer hereby agrees, represents, and warrants that the Asymbl Intelligence Product may create consumer reports as that term is defined in the Fair Credit Reporting Act (“FCRA”) at 15 U.S.C. § 1681a(d) (“consumer reports”), and therefore Customer will request the Asymbl Intelligence Product only for Customer’s permissible use. Customer certifies that it has a permissible purpose to request consumer reports in accordance with section 1681b of the FCRA. Customer further certifies that it will request consumer reports pursuant to procedures prescribed by Provider from time to time and will use the consumer reports for no other purpose than as contemplated pursuant to the Asymbl Intelligence Product.
- No Reselling. Consumer reports will be held in strict confidence and not disclosed to third parties except in compliance with the FCRA; provided, however, that Customer shall disclose the consumer report to the subject of the report in connection with an adverse action based on the report. Customer agrees that Provider may verify, through audit or otherwise, that Customer is in fact the end user of the consumer reports with no intention to resell the consumer reports in whole or in part to any other person or entity, except as approved in writing by Provider. Provider may use a third-party vendor to perform an on-site inspection of Customer’s business at Customer’s expense.
- Consumer Notices. Customer shall be responsible for its obligations under the FCRA to provide pre-adverse and adverse action notices to consumers, as applicable. Customer represents and warrants that it will provide the following statement to all applicants: “We use Asymbl’s AI software tool to determine the strength of employment applications and select them according to interviewing priority. Information gathered by Asymbl may be used to select your application for an interview.”
- Federal Disclosures. Customer acknowledges it has obtained a copy of the following appendices from www.consumerfinance.gov, and Customer agrees to comply with the disclosure requirements set forth in such appendices, as the same may be revised from time to time: (i) Summary of Consumer Rights (Appendix K to Part 1022 of Title 12 Code of Federal Regulations), https://www.consumerfinance.gov/rules-policy/regulations/1022/k/#ImageK2; (ii) Notice of User Responsibility (Appendix N to Part 1022 of Title 12 Code of Federal Regulations), https://www.consumerfinance.gov/rules-policy/regulations/1022/n/#e0ea2c2802cbf4d123ff5ff99e8f10aac40183aa00b5a7f3727b45e4; and (iii) Summary of Identity Theft Rights (Appendix I to Part 1022 of Title 12 Code of Federal Regulations), https://www.consumerfinance.gov/rules-policy/regulations/1022/i/. Customer may also obtain the full text of above-described Appendices to the FCRA from the FTC Website at www.ftc.gov.
- Vermont Regulations. Customer certifies that it will order Reports relating to Vermont residents that are consumer reports as defined by the Vermont Fair Credit Reporting Act (“VFCRA”), only after Customer has received prior consumer consent in accordance with VFCRA Section 2480e and applicable Vermont Rules. Customer further certifies that it has obtained and reviewed Section 2480e of the Vermont Fair Credit Reporting Statute from the following address: https://legislature.vermont.gov/statutes/section/09/063/02480e.
- California Regulations. Customer certifies that it will complete and provide to each California resident about whom Customer orders a consumer report from Provider a notice substantially similar in the form of that is set forth at https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1786.16 no later than three (3) calendar days after the date on which Customer ordered the applicable consumer report and, if such consumer indicates thereon that such consumer wishes to receive a copy of the consumer report relating to such consumer, to provide such copy to such consumer no later than three (3) business days from the date Customer received the consumer report from Provider. Customer agrees that it shall be responsible for compliance with California’s Investigative Consumer Reporting Agencies Act (“ICRAA”) in all respects, including, but not limited to, making determinations as to when the ICRAA is applicable to requests or orders of Services by Customer under this Agreement.
- Customer Disputes. Customer shall refer all consumers who have questions or disputes or seek disclosure of information in a consumer report to Provider’s mailing address. In no event will Customer attempt to or hold itself out to the consumer or the public as being able to handle disputes on behalf of Provider, or to reinvestigate information in a consumer report.
Exhibit B
Service Level Agreement
Provider will address Service Level Incidents in accordance with the terms below
Problem Response and Resolution
Customer acknowledges that the Products are dependent on Customer’s implementation and configuration of the Products and the availability and performance of technology from third-party software and hardware vendors including but not limited to salesforce.com, Salesforce AppExchange products and custom applications, Microsoft, Google, large language model (LLM) providers, and the providers of Internet browsers. Provider has no control over, and is not liable for, performance issues or downtime of the Products to the extent caused by such factors.
Encryption gateways and associated third party technology that require any re-direction of Asymbl-to-Salesforce connections are not eligible for Support Services. Customer may utilize such encryption solutions solely at Customer’s own risk.
Exhibit C
DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA” or “Addendum”) is incorporated into and forms part of the Master Services Agreement between Customer and Provider to which this DPA is attached (the “Agreement”). In the event of a conflict between the DPA and Agreement, the terms, and conditions of this DPA will prevail.
- Definitions
Terms defined in the Agreement will, unless otherwise defined in this DPA, have the same meanings when used in this DPA. Further, the following capitalized terms used in this DPA will be defined as follows:
- “Controller” means the Customer when, alone, or jointly with others, it determines the purpose and means of processing Personal Data.
- “Customer Account Data” means Personal Data that relates to Customer’s relationship with Provider, including the names and contact information of the individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its Account. Customer Account Data also includes any data Provider may need to collect for the purpose of identity verification (e.g., providing multi-factor authentication services) or as part of its legal obligations to maintain records.
- “Customer Data” means any Customer-provided, non-public, or proprietary information exchanged as a result of using the Service form, including Customer Personal Data.
- "Customer Personal Data” means any Personal Data processed by Provider on behalf of Customer in connection with the Services, as furthered described in Schedule 1. Customer Personal Data includes the Personal Data of Customer’s third parties for whom Customer acts as a processor.
- “Data Protection Law” refers to all laws and regulations applicable to Provider’s processing of Personal Data under the Agreement.
- “Data Subject” means a natural person who can be identified, directly or indirectly.
- "Personal Data” means any information relating to a natural person who can be identified, directly or indirectly.
- “process” or “processing” means any operation or set of operations which is performed upon Customer Data whether or not by automated means.
- “Processor” means Provider when Provider processes Personal Data on behalf of Customer.
- “Security Breach” means a breach of Provider’s security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- “Services” has the same meaning as defined in the Agreement, or if not defined in the Agreement, the processing of Customer Data by Provider on behalf of the Customer described in the Agreement.
- "Subprocessor" means a processor appointed by Provider to process Customer Personal Data.
- Instructions for Data Processing
- Generally. The Agreement and this DPA will be the Customer's instructions to Provider for the processing of Customer Data. Provider will process Customer Data solely for the purpose of providing the Services and will ensure that all individuals with access to Customer Data have a duty of confidentiality with respect to that Customer Data. Provider will not sell, share, disclose, retain, or otherwise use Customer Data for any other purpose unless specifically instructed by Customer in writing or as required by law.
- Regulatory and Legal Compliance. Provider will process Customer Data in compliance with Data Protection Law. Provider will provide reasonable assistance to Customer in complying with its obligations under Data Protection Law. Unless prohibited by law, Provider will notify Customer promptly of any inquiries or complaints received about the processing of Customer Personal Data from regulators or law enforcement authorities. Provider will not respond to any such inquiries or complaints except on the documented instructions of Customer or as required by law. If disclosure of Customer Data is required by applicable law or a compulsory legal process, Provider will, unless prohibited by applicable law: (i) notify Customer promptly in writing before complying with any such disclosure request and provide Customer an opportunity to intervene, if appropriate; and (ii) disclose only the minimum amount of Customer Data necessary to comply with applicable law or a compulsory legal process.
- Data Subject Rights. Unless prohibited by law, Provider will promptly notify Customer of any request from a data subject with respect to Customer Personal Data. Provider will not respond to any data subject request without Customer’s prior written consent, except to confirm that the request relates to Customer. Provider will provide reasonable and timely assistance to Customer in complying with its data protection obligations with respect to data subject rights under Data Protection Law.
- Additional Costs. If any of the Customer's instructions require processing Customer Data in a manner that falls outside the scope of the Services, Provider may either (a) make the performance of any such instructions subject to the payment by Customer of any costs and expenses incurred by Provider or such additional charges as Provider may reasonably determine; or (b) terminate the Agreement and the Services.
- California Consumer Privacy Act. To the extent that Customer Data comprises Personal Data (pursuant to the California Consumer Privacy Act “CCPA”)), it is hereby acknowledged that Provider is acting as a “Service Provider” (pursuant to CCPA) on behalf of Customer. Provider shall: (i) process the Customer Data that is Personal Data only on Customer’s instructions (including in accordance with the Agreement and this DPA), (ii) take appropriate technical, organizational and security measures against unauthorized access to or unauthorized alteration, disclosure, destruction or loss of such Personal Data, (iii) take reasonable steps to ensure that employees and/or subprocessors used by Provider to provide the Services are aware of and are suitably instructed in such technical, organizational and security measures, (iv) unless prevented by Data Protection Law, promptly refer to Customer any requests, notices or other communication from Data Subjects or a regulator (such as a data protection authority), and (v) not “sell” any Personal Data, as that term, and its cognates, are defined under the CCPA. To the extent any Customer Data constitutes 'sensitive personal information' as defined under the CPRA (Cal. Civ. Code § 1798.140(ae)), Provider shall process such sensitive personal information solely for the purposes set forth in this DPA and the Agreement, and shall not use such sensitive personal information for any purpose other than performing the Services.
- Customer Warranties and Undertakings
Customer warrants that it (a) has provided all applicable notices and obtained all required consents required for the lawful processing of Customer Data; and (b) has reviewed the security measures set out in Schedule 3 and agrees that the security measures are appropriate based on the nature and sensitivity of the Customer Data.
- Subprocessors
- Conditional Authorization. Customer provides a general authorization for Provider to engage downstream Subprocessors that is conditioned on the following requirements:
- Provider will impose contractual data protection obligations on any Subprocessor it appoints to process Customer Data to meet the standards required by Data Protection Law and this DPA; and
- Provider will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its Subprocessors.
- Current Subprocessors and Notification of Changes. Customer authorizes Provider to engage the Subprocessors listed in Schedule 2 to process Customer Data. Provider may update Schedule 2 by posting a new version of the Subprocessor list at the Asymbl Support Portal or providing Customer 14 days’ prior written notice of such change. Customer may object to Provider's appointment or replacement of a Subprocessor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If it can be reasonably demonstrated to Provider that the new Subprocessor is unable to process Customer Personal Data in compliance with the terms of this DPA and Provider cannot provide an alternative Subprocessor, or the parties cannot reach a resolution within 90 days from the date of Provider’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services with respect only to those aspects of such Services which cannot be provided by Provider without the use of the new Subprocessor by providing written notice to Provider. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to Provider replacing or appointing a new Subprocessor, Customer will be deemed to have authorized the new Sub-processor. Provider may replace a Subprocessor at any time if the need for replacement is urgent and required for reasons beyond Provider’s reasonable control, and Provider will notify Customer of the replacement Subprocessor as soon as reasonably practicable, and Customer shall have the right to object to the replacement Subprocessor pursuant to this Section 4.b.
- Conditional Authorization. Customer provides a general authorization for Provider to engage downstream Subprocessors that is conditioned on the following requirements:
- International Provisions
- Cross Border Data Transfer Mechanisms for Data Transfers. To the extent Customer’s use of the Services requires the transfer of Personal Data from a jurisdiction identified in Schedule 4 to a location outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 4 (Cross Border Transfer Mechanisms) of this Addendum will apply.
- Security Measures and Audits
- Security Measures. Provider will implement reasonable physical, organizational, and technical measures to protect against any unauthorized or unlawful access, processing, loss, destruction, theft, damage, use or disclosure of Customer Data or systems (collectively, “Appropriate Safeguards”), including, at a minimum, the security measures set forth as Schedule 3. These Appropriate Safeguards will be appropriate to the harm that might result from any risks to Customer Data or systems and having regard to the nature of the Customer Data or system which is to be protected and will take into consideration the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing and the risks to the rights and freedoms of the Personal Data subjects.
- Variation of Measures. Provider may review and update Schedule 3 from time to time, provided that any such updates shall not materially diminish the overall security of the Service or Customer Personal Data.
- Compliance Review. Provider will cooperate with reasonable assessments by Customer as to its compliance with this DPA and Data Protection Law. Customer may provide a written request Provider to assess Provider’s compliance with the Agreement. Following receipt by Provider of such request, Provider and Customer shall mutually agree in advance of the details of such assessment, including the reasonable start date, scope, and duration of, and security and confidentiality controls applicable to, any such assessment. Any such assessment assessments must be conducted (a) on reasonable written notice to Provider; (b) only during Provider's normal business hours; (c) in a manner that does not disrupt Provider's business; (d) subject to a confidentiality agreement in a form such as Provider may reasonably request; (e) in compliance with relevant policies for individuals visiting Provider’s or sub-vendors premises; and (f) at Customer’s expense. Provider may charge a fee for any such assessment, provided such rates shall be reasonable, accounting for the resources expended by Provider. Notwithstanding anything to the contrary, the assessment right provided in this Section 6.c may be satisfied by the provision of a successful assessment result performed by an experienced, qualified independent auditor within the last 24 months. Any assessment, assessment result, and any information arising therefrom shall be considered Provider’s confidential information and may only be shared with a third party (including a third party controller) with Provider’s prior written agreement.
- Security Breach and Response
- Breach Notification. Provider will promptly notify Customer without undue delay and no later than 72 hours upon Provider becoming aware of a Security Breach. Provider should notify Customer by telephone to Provider’s primary business contact and via email to the Customer Data Privacy Contact identified in the Customer profile if it has knowledge that there is an actual or potential Security Breach. To the extent known, notice will include the following: (a) the nature of the Security Breach, (b) the categories and numbers of data subjects concerned, and the categories and numbers of records concerned; (c) the name and contact details from whom more information may be obtained; (d) the likely consequences of the Security Breach; and (e) the measures taken or proposed to be taken to address the Security Breach. The parties acknowledge and agree that Provider is subject to common, unsuccessful attempts to access its systems that do not result in any unauthorized access, use, disclosure, modification, data destruction, or interference with systems operations (“Unsuccessful Security Incidents”). Provider hereby notifies Customer of Unsuccessful Security Incidents, including without limitation ping sweeps or other common network reconnaissance techniques, attempts to log onto a system with an invalid password or username, and denial of service attacks that do not result in a server being taken offline, which may occur from time to time, and this sentence shall be deemed to meet the requirements for reporting such Unsuccessful Security Incidents under this Addendum.
- Cooperation and Remediation. Provider will (i) cooperate with Customer in the manner reasonably requested by Customer and in accordance with law to investigate and resolve the Security Breach and to mitigate any harmful effects of the Security Breach; (ii) promptly implement any necessary remedial measures to ensure the protection of Customer Data; and (iii) document responsive actions taken related to any Security Breach.
- Information to Third Parties. Except as required by applicable law or regulation, Provider will not inform any third party of any Security Breach without first obtaining Customer’s prior written consent, other than to inform a complainant that Customer will be informed of the Security Breach, and Customer will have the sole right to determine whether notice of the Security Breach is to be provided to any individuals, Supervisory Authorities, regulators, law enforcement agencies, consumer reporting agencies, or others and the contents of any such notice.
- Liability
Any exclusions or limitations of liability set out in the Agreement will apply to any losses suffered by either party (whether in contract, tort (including negligence) or for restitution, or for breach of statutory duty or misrepresentation or otherwise) under this DPA.
- Duration and Termination
- Return/Deletion of Customer Data. Provider will, within 30 days of the date of termination or expiry of the Agreement: (a) if requested by Customer within that period, return a complete copy of Customer Data by secure file transfer in such format reasonably agreed to by Provider and Customer; and (b) other than any Customer Data retained by Provider after termination of the Agreement in accordance with the Agreement as expressly permitted by this DPA or as required by the EU Standard Contractual Clauses, delete, and use all reasonable efforts to procure the deletion of all other copies of Customer Data processed by Provider or any sub-processors.
- Certification. Upon Customer’s request, Provider will promptly confirm to Customer that it has destroyed or returned all Customer Data. If Provider is unable to return or destroy all Customer Data, Provider will retain Customer Data only to the extent and for such period as required by applicable laws, maintain the security and confidentiality of all such retained Customer Data in accordance with the protections of this DPA, and ensure that such Customer Data is only processed as necessary for the purposes specified in the applicable laws preventing its deletion and for no other purposes.
- Compliance with this DPA. If Provider determines that it can no longer meet its obligations under this DPA or Data Protection Law, Provider will notify Customer of that determination within 5 business days and work with Customer to take reasonable and appropriate steps to stop and remediate the unauthorized use of Customer Data.
- Law and Jurisdiction
Except to the extent expressly overridden by Schedule 3, the parties agree that the laws, jurisdictions, and venues set forth in the Agreement will also govern this DPA.
- General
- Third Party Rights. A person who is not a party to this DPA may not enforce any of its terms, except to the extent required by applicable law.
- Rights and remedies. Except as expressly provided in the Agreement, the rights and remedies provided in this DPA are in addition to, and not exclusive of, any rights or remedies provided by law.
- No partnership or agency. Nothing in the DPA is intended to, or will be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorize any party to make or enter into any commitments for or on behalf of any other party.
- Waiver. No delay or forbearance by either party in enforcing its rights will prejudice or restrict the rights of that party, and no waiver of any such rights or any breach of any contractual terms will be deemed to be a waiver of any other right or of any later breach.
- Severability. If any provision of the DPA is judged to be illegal or unenforceable, the continuation in full force and effect of the remainder of the provisions of the DPA will not be prejudiced.
SCHEDULE 1 TO DPA
DETAILS OF PROCESSING
- Categories of data subjects
The categories of data subjects whose Personal Data are transferred: (a) employees of Customers who are natural persons, (b) customers or vendors of Customer who are natural persons, (c) employees or contact persons of Customer’s third parties and vendors for whom Customer acts as a processor.
- Categories of Personal Data
The transferred categories of Personal Data are: identification and contact information (e.g., name, address, title, and contact details), IT information (e.g. IP addresses) employment and professional information (e.g., resume data, employment history, professional qualifications), voice and audio data (e.g., voice recordings, and call transcripts, where applicable), to the extent processed in connection with voice recording or other applicable features.
- Special categories of Personal Data (if applicable)
The transferred Personal Data may include the following special categories of data: None. Customer is solely responsible for determining the applicability of special category data requirements and obtaining any required consents for any special category data it introduces to the Products or Services.
- Frequency of the transfer
The frequency of the transfer is: continuous during the term of the Agreement.
- Subject matter / Purpose of the processing
The subject matter of the processing is: providing Customer with Products and Services as described in the Agreement, including candidate data management, AI-powered candidate analysis and scoring, automated and AI-assisted outreach (including voice and SMS communications), voice-to-text transcription, and related recruiting and talent intelligence services.
- Nature of the processing
The nature of the processing is: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, transmit or otherwise making available, alignment or combination, restriction, erasure, or destruction, in accordance with the Agreement.
- Purpose(s) of the data transfer and further processing
The purpose/s of the data transfer and further processing is/are: to provide and support Customer’s use of Provider technology solutions provided under the Agreement.
- Duration
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: as set out in Section 9 of the DPA.
- Sub-processor (if applicable)
See Schedule 2.
SCHEDULE 2 TO DPA
SUBPROCESSORS
Provider (including its affiliates and subsidiaries) may engage and use certain Subprocessors to provide services to its Customers. These Subprocessors may have access to personally identifiable information within the Customer Data provided directly to Provider or the applicable Subprocessor from Customers and their Users or to which Provider may have access to provide the Products and Services or to enable requested features related thereto.
The below table provides information about the identity, and role of each Subprocessor who may have access to or process personally identifiable information from or on behalf of Provider.
Provider currently uses the below list of Subprocessors to provide its Products and Services. Not all Subprocessors are used in the provision of all Products and Services provided. Not all Subprocessors are involved in all Products and Services.
SCHEDULE 3 TO DPA
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational security measures implemented by the data importer / Provider to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
- Pseudonymisation and Encryption (Art. 32, para 1, point a GDPR)
- Encryption. Provider encrypts Customer Data at rest using AES 256-bit (or better) encryption. Provider uses encrypted network connections or protocols (e.g., TLS 1.2, HTTPS, VPN) for Customer Data in transit over untrusted networks.
- Key Management. Provider logically separates encryption keys from Customer Data and encryption keys are regularly rotated.
- Confidentiality (Art 32, para 1, point b GDPR)
- Confidentiality Generally. Provider uses measures designed to (a) prevent unauthorized persons from gaining access to Provider systems with which Customer Data are stored, processed, or used; (b) prevent systems processing Customer Data from being used without authorization, (c) ensure that persons entitled to use a system that processes Customer Data only have access to the data which they have a right of access, (d) prevent unauthorized reading, copying, modification, or removal of Personal Data in the course of processing or use and after storage, and (e) ensure data collected for different purposes can be processed (stored, amended, deleted, transmitted) separately.
- Physical Access Controls. Provider uses physical access control systems, such as proximity badges, at its offices. Provider requires its Cloud Service Providers meet industry-standard physical security controls, and Provider regularly reviews the appropriateness of such physical controls as audited under the Cloud Service Provider’s third-party audits and certifications.
- System/Electronic Access Controls. Provider personnel access Provider systems hosting Customer Data using unique user IDs, multifactor authentication, and passwords in accordance with industry standards. Access to Customer Data is restricted to Provider personnel with a need to access such Customer Data in connection with the Services or as required by law. Provider uses an industry standard security information and event management system. Infrastructure management and configuration management tools are used for security hardening and monitoring baseline configuration standards for Provider systems that process Customer Data.
- Isolation/Separation Controls. Provider allocates permissions and privileges on a least privilege principle and assigns network and data access rights based on user group and job function. Provider regularly reviews Provider personnel’s access privileges to Provider systems and removes access on a timely basis for all separated personnel. Provider logically separates Customer Data from its other customers data and logically separates production environments from development environments.
- Integrity (Art 32, para 1, point b GDPR)
- Encryption. Provider uses secure transmission between Customer and server and to external systems via industry-standard encryption as set forth in Section 1 of this Schedule.
- Firewalls. Provider maintains firewalls and other measures to appropriately limit access to and from Provider systems. Provider uses industry-standard firewall or security group technologies with deny-all default policies to prevent in-bound and out-bound network protocols to Provider systems other than those that are reasonably required to perform Services in accordance with the Agreement.
- Data Input Control. Provider uses monitoring tools to log certain activities and changes within Provider systems. Provider monitors these logs for abnormalities and securely stores such logs for at least one year.
- Anti-Malware. Provider maintains anti-malware controls to protect against malicious software causing accidental or unauthorized destruction, loss, alteration, disclosure, or access to Customer Data.
- Availability and Resilience (Art 32 para 1 point c GDPR)
- Backups. Provider maintains backups of Customer Data stored in the primary Provider system and maintains backups of Customer Data to a secondary system on at least a daily basis.
- System Monitoring. Provider monitors Provider systems using defined processes for security alerting, escalation, and remediation consistent with the applicable Service. Provider uses an issue tracking system to maintain, manage, and track changes to Provider systems. Enterprise monitoring applications are configured to monitor in-scope systems and alert operation personnel when predefined thresholds are met, and Provider uses tools to monitor security events, latency, and network performance.
- Disaster Recovery and Business Continuity Plan. Provider maintains disaster recovery and business continuity plans designed to minimize interruption of Services. Such plan includes disaster recover incident management, procedures for recovering access to Customer Data, and periodic testing of the disaster recovery plan. Production data centers are designed to mitigate the risk of single points of failure and support service continuity and performance. Incident response procedures that outline security event response are used, and Provider and reviews lessons learned to evaluate effectiveness of the procedures.
- Vulnerability Management.
- Vulnerability Detection. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on the potential impact to Services. Provider maintains standard patch management processes for Provider systems to protect against security vulnerabilities.
- Risk Assessments. Provider performs an annual security operational risk assessment of Provider systems processing Customer Data. Results from risk assessment activities are documented in a risk register and prioritized for treatment by risk level. Provider performs risk-based control monitoring throughout the year by performing control testing using a formal methodology. The testing results are documented and reviewed by management, including remediation plans for identified observations.
- Data Governance and Management.
- Information Security Plan. Provider maintains a comprehensive, documented information security program designed to protect Customer Data against unauthorized or accidental destruction, loss, alteration, disclosure, or access. Provider maintains commercially reasonable controls for information governance and data management.
- Security Officer. Provider has appointed one or more security officers to coordinate information security and monitor information security rules and procedures.
- Personnel.
- Roles and Responsibilities. Provider maintains written policies defining the roles and responsibilities of Provider personnel with access to Customer Data.
- Policies. Provider requires criminal background screening of Provider employees as part of its hiring process, to the extent permitted by law.
- Confidentiality. Provider ensures that Provider personnel authorized to access Customer Data are bound to confidentiality obligations or under appropriate statutory obligations of confidentiality.
- Training. Provider maintains an information security training and awareness program for Provider personnel and requires Provider personnel to complete such training annually.
- Data Minimization, Quality, and Portability.
- Data Minimization, Quality, and Portability. Provider will use reasonable efforts to use only the minimum necessary Personal Data in the performance of Services. As part of SaaS Services, Customer may access, amend, delete, and extract Customer Data within the applicable SaaS Services to assist Customer with its data quality, minimization, and portability efforts,
- Data Destruction. Provider ensures that residual magnetic, optical, physical, or electrical representations of Personal Data that have been deleted may not be retrieved or reconstructed when storage media is transferred, becomes obsolete, or is no longer usable or required by Provider. Personal Data stored on Provider media (e.g., hard drive, digital media, tapes) must be rendered unreadable using the NIST Guidelines for Media Sanitization prior to the media being disposed of or moved off site.
- Testing, Assessing, and Evaluating the Technical and Organization Measures (Art. 32 para 1 point D GDPR). Provider follows measures to regularly review and assess its technical and organizational measures.
- Internal Assessments. Provider internal resources review Provider’s information security practices on an annual basis.
- Vulnerability Testing. Provider conducts vulnerability testing on Provider systems in accordance with Section 5 of this Schedule.
- Penetration Testing. Provider engages an independent third-party organization to perform penetration testing of Provider systems annually.
- Business Continuity. Provider tests its business continuity and disaster response plan annually.
- Data Subject Requests (Clause 10(b) SCC). During the applicable term of the Agreement, Customer may access, extract, and delete Customer Data from the SaaS Services in accordance with the Documentation to respond to data subjects’ requests to exercise one or more of their rights available under Data Protection Laws.
- AI-Specific Security Controls
- Provider maintains measures designed to protect against prompt injection, adversarial inputs, and other AI-specific attack vectors applicable to the Products and Provider AI Solutions.
- Provider implements monitoring and logging of AI model inputs and outputs to support auditability of AI-driven decisions.
- Provider uses commercially reasonable measures to validate AI model outputs for accuracy and to mitigate the risk of erroneous, biased, or hallucinated outputs.
SCHEDULE 4 TO DPA
CROSS BORDER TRANSFER MECHANISM
- Definitions. “EEA” means the European Economic Area. “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914. “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
- Applicability. This Schedule will apply when Customer’s use of the Services requires the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to another jurisdiction.
- Cross Border Data Transfer Mechanisms.
- Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the EU Standard Contractual Clauses as set forth in Section 3.2 (EU Standard Contractual Clauses) of this Schedule; (b) the UK International Data Transfer Agreement as set forth in Section 3.3 (UK International Data Transfer Agreement) of this Schedule; and, if neither (a) nor (b) is applicable, then (c) other applicable data Transfer Mechanisms permitted under Data Protection Law.
- EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where Provider is processing Customer Account Data;
- Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Controller of Customer Data and Provider is processing Customer Data;
- Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Data and Provider is processing Customer Data on behalf of Customer;
- Module Four (Processor to Controller) of the EU Standard Contractual Clauses will apply where Customer is a Processor of Customer Data and Provider processes Customer Account Data; and
- For each Module, where applicable:
- in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;
- in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 4.b (Current Subprocessors and Notification of Subprocessor Changes) of this Addendum;
- in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
- in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
- in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
- in Annex I, Part A of the EU Standard Contractual Clauses:
- Data Exporter: Customer
- Data Exporter Contact details: Set forth in the Order Form
- Data Exporter Role: Controller
- Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
- Data Importer: Provider, as defined in the preamble to the Agreement.
- Data Importer Contact details: Set forth at the top of the Order Form.
- Data Importer Role: Processor
- Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
- in Annex I, Part B of the EU Standard Contractual Clauses:
- The categories of data subjects are located in Section 1 of Schedule 1;
- The Special Categories of Personal Data transferred are located in Section 3 of Schedule 1;
- The frequency of the transfer is a continuous basis for the duration of the Agreement;
- The nature of the processing is located in Section 6 of Schedule 1;
- The purpose of the processing is located in Section 7 of Schedule 1;
- The period for which the Personal Data will be retained is located in Section 8 of Schedule 1;
- For transfers to sub-processors, the subject matter, nature, and duration of the processing are located in Schedule 2; and
- in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
- Schedule 3 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.
- Notwithstanding anything to the contrary, in the event of a conflict between Clause 12 of the EU Standard Contractual Clauses and Section 8 of the DPA, Clause 12 will prevail.
- UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- In Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information is located in Section 3.3 (e)(vi) of this Schedule 4.
- In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 3.2 (EU Standard Contractual Clauses) of this Schedule 4.
- In Table 3 of the UK International Data Transfer Agreement:
- The list of parties is located in Section 3.2(e)(vi) of this Schedule 4;
- The description of the transfer is located in Sections 6 and 7 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing);
- Annex II is located in Section 9 of Schedule 3 (Technical and Organizational Security Measures); and
- The list of sub-processors is located in Schedule 2 of this Addendum.
- In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
- Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, the Agreement, or the Asymbl Privacy Notice, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.

