Last Updated: February 19, 2025
Scalafai, Inc. ("Scalafai," "we," "our," or "us") is committed to providing high-quality AI-powered work management solutions and professional services to our customers. These Terms and Conditions ("Terms") constitute a legally binding agreement between Scalafai and you, either an individual or entity ("Customer"), governing your access to and use of our software products, including Safia ("Products"), and our professional services ("Services").
By accessing or using our Products or Services, you acknowledge that you have read, understood, and agree to be bound by these Terms. If you are accepting these Terms on behalf of an organization, company, or other entity, you represent and warrant that you have the legal authority to bind that entity to these Terms.
These Terms apply to visitors to our websites, Users of our Products, and clients of our Services. Your use of our Products and Services is also subject to our Privacy Policy.
The following terms, when capitalized, have the meanings set forth below:
"Beta Services" means Products or features that are in pre-release, beta, or trial form, provided on a temporary basis and identified as such.
"Contributor" means individuals that may or may not have access to Safia through Customer accounts but whose data is processed by Safia's AI.
"Customer" means the entity or organization that has entered into an agreement with Scalafai for the provision of Products or Services.
"Customer Content" means all data, information, files, text, code, materials, and other content that is uploaded, submitted, stored, processed, generated, or displayed by or on behalf of Customer, Users, or Contributors via the Products or Services.
"Effective Date" means the earlier of the date that Customer electronically consents to a version of these Terms and the date that Customer first accesses the Products or Services.
"Owner" means an individual responsible for creating and administering content and permissions associated with Workspaces.
"Outputs" means the results, responses, suggestions, or other content generated by the Products in response to Prompts.
"Professional Services" means implementation, integration, training, consulting, development services, and any other professional services provided by Scalafai as described in an applicable Statement of Work.
"Prompts" means requests, questions, instructions, or other inputs submitted to the Products.
"Safia" means Scalafai's AI-powered work management platform and all related components, features, and functionality.
"Scalafai" means Scalafai, Inc., a Delaware corporation with its principal place of business at Austin, Texas.
"User" means individuals authorized by Customer to access and use the Products through Customer's account.
"Workspace" means a digital work environment with a combination of User, Contributor, and AI-generated data.
Subject to these Terms and payment of applicable fees, Scalafai grants Customer a limited, non-exclusive, non-transferable, non-sublicensable license to access and use the Products during the Term. Customer may permit authorized Users to access and use the Products in accordance with these Terms. Customer is responsible for all Users' compliance with these Terms and for all activities that occur under Customer's account.
Safia provides AI-powered work management features, including project tracking, team collaboration, task management, analytics, integrations with third-party applications, and other functionality as described in the applicable documentation. The Products may generate recommendations, insights, and other Outputs based on Customer Content and AI processing.
Customer acknowledges that:
Scalafai may provide Professional Services as described in a mutually executed Statement of Work ("SOW"). Each SOW will specify, at minimum:
Professional Services may include implementation support, integration development, training, consulting, and other services as agreed. Performance of Professional Services is contingent upon Customer's timely cooperation and provision of necessary resources, information, and approvals as specified in the applicable SOW.
Customer shall review and test deliverables in accordance with the acceptance criteria and procedures specified in the SOW. Unless otherwise specified in the SOW, deliverables shall be deemed accepted if Customer does not provide written notice of non-conformance within ten (10) business days after delivery.
Scalafai may offer Beta Services from time to time at its sole discretion. Beta Services are provided "as is" on a temporary basis and are not suitable for production use. Scalafai makes no warranties or guarantees regarding Beta Services and may modify, limit, or discontinue Beta Services at any time without notice.
Customer acknowledges and agrees that:
As between Customer and Scalafai, Customer owns all Customer Content, including Customer's Prompts. To the extent permitted by applicable law, Scalafai disclaims any rights it may receive to Customer Content under these Terms. Scalafai does not anticipate obtaining any rights in Customer Content under these Terms. Subject to Customer's compliance with these Terms, Scalafai hereby assigns to Customer its right, title, and interest (if any) in and to Prompts.
Customer grants Scalafai a non-exclusive, worldwide, royalty-free license to use, reproduce, display, distribute, modify, and process Customer Content solely for the purposes of:
Customer represents and warrants that it has all necessary rights, licenses, and permissions to submit Customer Content to the Products and Services and to grant the licenses described in these Terms.
Except as expressly set forth in these Terms, Scalafai and its licensors exclusively own all right, title, and interest in and to the Products and Services, including all related intellectual property rights. No rights are granted to Customer other than as expressly set forth herein.
If Customer provides suggestions, ideas, enhancement requests, feedback, recommendations, or other information relating to the Products or Services ("Feedback"), Scalafai may use such Feedback without restriction or obligation to Customer. However, Scalafai will not identify Customer as the source of Feedback without Customer's prior written consent.
Scalafai may NOT train models on Customer Content from paid Products or Services without express written consent. For clarity, "training" refers to the process of using data to develop or improve AI models or algorithms. Scalafai may use Customer Content to:
Customer acknowledges that the Products utilize AI technology that processes and learns from interactions to deliver personalized experiences, without using Customer Content to train new models or for purposes beyond service provision.
Customer and its Users must comply with this Acceptable Use Policy ("AUP") when using the Products and Services. Customer must use reasonable efforts to ensure compliance by its Users and Contributors. Customer shall not, and shall ensure that Users and Contributors do not:
Scalafai reserves the right to investigate potential violations of this AUP and may take action it deems appropriate, including suspending or terminating access to the Products or Services.
Customer may not and must not attempt to:
Customer and its Users may only use the Products or Services in countries and regions Scalafai currently supports.
When using AI features of the Products, Customer and its Users shall:
Customer acknowledges that Outputs may contain content inconsistent with Scalafai's views and that the Products may include limitations designed to prevent misuse.
If Customer submits personal data or personally identifiable information (collectively, "PII") to the Products or Services, the Scalafai Data Processing Addendum ("DPA") in Exhibit A applies and is incorporated into these Terms by reference.
Customer acknowledges that the Products and Services are not designed, intended, or provided for the purpose of making predictions regarding any individual, determining creditworthiness, or any other manner of automated decision-making regarding individual(s) to which the PII relates.
Scalafai's processing of PII will comply with applicable data protection laws. Customer agrees that it has provided appropriate notice to and obtained appropriate consents from Users and Contributors regarding the collection, use, and processing of their PII through the Products and Services.
The parties acknowledge their respective roles:
Scalafai implements and maintains reasonable administrative, technical, and physical safeguards designed to protect Customer Content from unauthorized access, disclosure, use, alteration, or destruction. Scalafai's security measures include:
Customer is responsible for configuring appropriate security settings within the Products, maintaining the security of account credentials, and implementing appropriate security measures for its own systems and networks.
Scalafai will notify Customer without undue delay after becoming aware of any unauthorized access to, or disclosure of, Customer Content ("Security Incident"). Notification will include a description of the Security Incident, the measures taken to mitigate the impact, and recommendations for further steps. Scalafai's notification of, or response to, a Security Incident will not be construed as an acknowledgment of fault or liability.
Customer shall pay all fees specified in the applicable Order Form. Subscription fees and billing cycles will be specified on a separate Order Form document executed by both parties. Unless otherwise specified in the Order Form:
If Customer believes an invoice is incorrect, Customer must contact accounting@scalafai.com within thirty (30) days of the invoice date to be eligible for an adjustment or credit.
The fee structure, rate(s), and payment schedules for Professional Services will be specified on a separate Statement of Work document executed by both parties. Unless otherwise specified in the SOW:
Fees do not include any taxes, duties, or assessments that may be owed by Customer for use of the Products or Services ("Taxes"), unless otherwise specified in the applicable invoice. Customer is responsible for paying all Taxes associated with its purchases, excluding taxes based on Scalafai's net income.
Customer is responsible for remitting any necessary withholding Taxes to the relevant authority on a timely basis and providing Scalafai with evidence of the same upon request. Where law provides for the reduction or elimination of withholding taxes, including via Tax treaty, the parties will collaborate in good faith to do so.
For clarity, Customer must pay Scalafai the amount ("Gross-up Payment") that will ensure that Scalafai receives the same total amount that it would have received if no such withholding or reduction by Customer had been required (taking into account any and all applicable Taxes, including any Taxes imposed on the Gross-up Payment).
These Terms start on the Effective Date and continue until terminated (the "Term"). The initial subscription term for Products is specified in the applicable Order Form and will automatically renew for additional periods equal to the expiring term or one year (whichever is shorter), unless either party gives the other notice of non-renewal at least thirty (30) days before the end of the relevant subscription term.
Each SOW for Professional Services will specify its own term, which may be different from the subscription term for Products.
Either party may terminate these Terms:
Scalafai may terminate these Terms immediately with notice if it reasonably believes or determines that its provision of the Products or Services to Customer is prohibited by applicable law.
Upon termination:
Unless otherwise specified in these Terms or required by law, Scalafai has no obligation to retain Customer Content after termination and may delete it after thirty (30) days following termination.
Scalafai may suspend Customer's access to any portion or all of the Products if:
Scalafai will use reasonable efforts to provide written notice of any suspension to Customer and will resume providing access to the Products as soon as reasonably possible after the event giving rise to the suspension is cured. Scalafai will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer may incur because of a suspension.
"Confidential Information" means information that is identified as confidential, proprietary, or similar, or that a party would reasonably understand to be confidential or proprietary, including non-public features, functionality, technology, business plans, marketing strategies, financial information, and customer lists. Customer Content is Customer's Confidential Information.
Confidential Information does not include information that:
Each party ("Recipient") agrees to:
Upon Discloser's request or upon termination of these Terms, Recipient will promptly return or destroy all copies of Discloser's Confidential Information, except as necessary to comply with legal obligations or to maintain a record for archival purposes. Recipient may retain Confidential Information in its automated backup systems, subject to continued confidentiality obligations, until deleted through normal retention cycles.
Each party represents and warrants that:
Scalafai warrants that:
EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS, THE PRODUCTS AND SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED UNDER LAW, SCALAFAI DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, OR USAGE OF TRADE.
SCALAFAI DOES NOT WARRANT THAT: (A) THE PRODUCTS OR SERVICES WILL BE ERROR-FREE OR UNINTERRUPTED; (B) THE PRODUCTS OR SERVICES WILL MEET CUSTOMER'S REQUIREMENTS; (C) THE OUTPUTS WILL BE ACCURATE, COMPLETE, OR ERROR-FREE; OR (D) DEFECTS WILL BE CORRECTED. CUSTOMER ACKNOWLEDGES THAT FACTUAL ASSERTIONS IN OUTPUTS SHOULD NOT BE RELIED UPON WITHOUT INDEPENDENTLY CHECKING THEIR ACCURACY, AS THEY MAY BE FALSE, INCOMPLETE, MISLEADING, OR NOT REFLECTIVE OF RECENT EVENTS OR INFORMATION.
REFERENCES TO THIRD PARTIES IN THE OUTPUTS MAY NOT MEAN THEY ENDORSE OR ARE OTHERWISE WORKING WITH SCALAFAI. CUSTOMER ACKNOWLEDGES THAT OUTPUTS MAY CONTAIN CONTENT INCONSISTENT WITH SCALAFAI'S VIEWS.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATED TO THESE TERMS, WHETHER BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
EXCEPT AS STATED IN SECTION 11.3, THE LIABILITY OF EACH PARTY, AND ITS AFFILIATES AND LICENSORS, FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THESE TERMS WILL BE LIMITED TO THE AMOUNT PAID BY CUSTOMER TO SCALAFAI FOR THE PRODUCTS AND SERVICES IN THE TWELVE (12) MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.
THE LIMITATIONS OF LIABILITY IN THIS SECTION 11 APPLY: (A) TO LIABILITY FOR NEGLIGENCE; (B) REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT PRODUCT LIABILITY, OR OTHERWISE; (C) EVEN IF THE BREACHING PARTY IS ADVISED IN ADVANCE OF THE POSSIBILITY OF THE DAMAGES IN QUESTION AND EVEN IF SUCH DAMAGES WERE FORESEEABLE; AND (D) EVEN IF THE INJURED PARTY'S REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.
The limitations in this Section 11 do not apply to:
The parties agree that they have entered into these Terms in reliance on the limitations of liability and exclusions of damages set forth in these Terms, which form an essential basis of the bargain between the parties.
Scalafai will defend Customer and its officers, directors, employees, and agents from and against any third-party claim, suit, or proceeding alleging that Customer's authorized use of the Products or Outputs generated through such authorized use violates third-party patent, trade secret, trademark, or copyright rights ("Customer Claim"). Scalafai will indemnify Customer for any damages, reasonable attorney's fees, and costs finally awarded against Customer in connection with a Customer Claim, or those costs and damages agreed to in a monetary settlement of such Customer Claim.
Scalafai's obligations under this section are conditioned upon:
If the Products become, or in Scalafai's opinion are likely to become, the subject of a claim of infringement, Scalafai may, at its option and expense:
Customer will defend Scalafai and its officers, directors, employees, and agents from and against any third-party claim, suit, or proceeding arising out of or related to:
Customer will indemnify Scalafai for any damages, reasonable attorney's fees, and costs finally awarded against Scalafai in connection with such claims, or those costs and damages agreed to in a monetary settlement of such claims.
Neither party's defense or indemnification obligations will apply to the extent the underlying allegation arises from:
This Section 12 states the indemnifying party's sole liability, and the indemnified party's exclusive remedy, for any third-party claims covered by this Section 12.
In the event of a dispute, claim, or controversy relating to these Terms ("Dispute"), the parties will first attempt to resolve the matter informally. The party raising the Dispute must notify the other party in writing ("Dispute Notice"), and within fifteen (15) days of receipt of the Dispute Notice, the parties shall meet with appropriately leveled executives to attempt to resolve the Dispute.
If the parties have not resolved the Dispute within forty-five (45) days of delivery of the Dispute Notice, either party may proceed with the formal dispute resolution process described in Section 13.2.
Any Dispute not resolved through informal resolution will be determined by final, binding arbitration in Austin, Texas, administered by JAMS under its Comprehensive Arbitration Rules and Procedures by a single arbitrator. The proceedings will be conducted in English. Each party will bear its own costs, but the parties will equally share the fees and expenses of the arbitrator and the arbitration proceedings.
Judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. The arbitrator shall have the authority to grant any equitable and legal remedies that would be available in any judicial proceeding instituted to resolve the Dispute.
EACH PARTY ACKNOWLEDGES AND AGREES THAT, BY ENTERING INTO THESE TERMS, EACH PARTY IS WAIVING THE RIGHT TO A TRIAL BY JURY AND THE RIGHT TO PARTICIPATE IN A CLASS ACTION OR SIMILAR PROCEEDING TO THE FULLEST EXTENT PERMITTED UNDER THE LAW IN CONNECTION WITH ANY DISPUTE.
Nothing in this Section 13 will preclude either party from seeking injunctive relief or other equitable remedies in a court of competent jurisdiction. Notwithstanding the foregoing, either party may bring an individual action in small claims court.
All notices, demands, and other communications under these Terms ("Notices") must be in writing. Notices to Customer will be sent to the address specified in the Order Form or SOW by nationally recognized overnight delivery service or electronic mail. Notices to Scalafai must be sent to:
Scalafai, Inc.
Attn: Legal Department
1606 Headway Cir
Suite 9601
Austin, TX 78754
Notices will be deemed effective upon: (a) actual delivery to the receiving party, or (b) if sent by email, one business day after transmission provided no delivery failure notification is received.
Neither party may assign its rights or delegate its obligations under these Terms without the other party's prior written consent, except that Scalafai may assign these Terms without Customer's consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Any attempt to assign or transfer these Terms in violation of this section will be null and void.
Subject to the foregoing, these Terms will bind and inure to the benefit of the parties, their respective successors, and permitted assigns.
Neither party will be liable for any failure or delay in performance under these Terms (except for payment obligations) due to causes beyond that party's reasonable control, including acts of God, natural disasters, terrorism, riots, war, actions or decrees of governmental bodies, internet service provider failures or delays, or denial of service attacks ("Force Majeure Event").
The affected party will give the other party prompt written notice of a Force Majeure Event and use commercially reasonable efforts to minimize the impact of such event.
Scalafai may use Customer's name and logo to publicly identify Customer as a customer of the Products or Services on Scalafai's website and in marketing materials. Customer will consider in good faith any request by Scalafai to:
Any use of Customer's name, logo, or quotes beyond the foregoing will require Customer's prior written approval.
These Terms and any dispute or claim arising out of or in connection with them will be governed by and construed in accordance with the laws of the State of Texas, without giving effect to any choice of law principles that would require the application of the laws of a different jurisdiction, including Delaware corporate law. The exclusive venue for any legal action related to these Terms shall be the state or federal courts located in Travis County, Texas, and the parties hereby irrevocably consent to the personal jurisdiction of such courts.
The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Terms.
Scalafai may update these Terms at any time, to be effective thirty (30) days after the updates are posted by Scalafai or Customer otherwise receives Notice, except that updates made in response to changes to law or regulation take effect immediately upon posting or Notice. Changes will not apply retroactively.
No other amendment to or modification of these Terms is effective unless it is in writing and signed by both parties. Failure to exercise or delay in exercising any rights or remedies arising from these Terms does not and will not be construed as a waiver; and no single or partial exercise of any right or remedy will preclude future exercise of such right or remedy.
Customer may not export or provide access to the Products or Services to persons or entities or into countries or for uses where it is prohibited under U.S. or other applicable international law. Without limiting the foregoing sentence, this restriction applies to:
Customer represents and warrants that it is not subject to sanctions or export restrictions and will comply with all applicable export control.
If you have any questions about these Terms and Conditions, please contact us at help@scalafai.com.
This Data Processing Addendum ("DPA") is incorporated into and forms an integral part of the Terms and Conditions ("Terms") between Scalafai, Inc. ("Scalafai", "Processor", or "we") and the Customer ("Customer", "Controller", or "you"). This DPA applies to Scalafai's processing of Personal Data in relation to the provision of Scalafai's Products and Services to the Customer. Unless otherwise expressly stated in the Terms, this DPA shall be effective for the full term of the Terms.
"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, including but not limited to the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act 2018, and other similar laws as they may be amended or otherwise updated from time to time.
"Controller" means: (a) the entity which determines the purposes and means of the Processing of Personal Data, as defined under Applicable Data Protection Laws; or (b) the "business" as defined under Applicable Data Protection Laws.
"Covered Data" means Personal Data shared by Customer or a Customer Affiliate in relation to the provision of the Products or Services.
"Data Subject" means a natural person whose Personal Data is part of the Covered Data.
"Data Subject Request" means a request from a Data Subject to exercise their rights under Applicable Data Protection Laws.
"Personal Data" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Applicable Data Protection Laws.
"Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. "Process", "Processes" and "Processed" will be interpreted accordingly.
"Processor" means: (a) the entity which Processes Personal Data on behalf of the Controller, as defined under Applicable Data Protection Laws; or (b) the "service provider" as defined under Applicable Data Protection Laws.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Covered Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, specifically Module Two (controller to processor) and/or Module Three (processor to processor) as applicable.
"Sub-processor" means any entity appointed by Scalafai, as a Processor, to Process Covered Data on its behalf.
2.1 For the purposes of this DPA: a) Customer is the Controller of Covered Data; b) Scalafai is the Processor of Covered Data; c) Each party will comply with the obligations applicable to its role under Applicable Data Protection Laws.
2.2 If Customer acts as a Processor on behalf of a third-party Controller, Customer warrants that: a) Its instructions to Scalafai reflect the instructions of the third-party Controller; b) It has informed the third-party Controller of the terms of this DPA; c) It has obtained all necessary authorizations from the third-party Controller for Scalafai to Process the Covered Data.
3.1 Subject Matter and Duration a) The subject matter of the Processing is the provision of the Products and Services under the Terms. b) The duration of the Processing will be for the term of the Terms, unless otherwise agreed in writing.
3.2 Nature and Purpose of Processing a) The nature of Processing includes collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, and destruction of Covered Data. b) The purpose of Processing is to provide the Products and Services to Customer as described in the Terms, including: i) Providing the AI-powered work management platform (Safia); ii) Facilitating collaboration and communication between Users and Contributors; iii) Generating insights, analytics, and recommendations; iv) Providing Professional Services as specified in applicable SOWs; v) Maintaining and improving the Products and Services; vi) Providing customer support and resolving technical issues; vii) Ensuring security and preventing fraud; viii) Complying with legal obligations.
3.3 Categories of Data Subjects a) The categories of Data Subjects may include: i) Customer's employees, contractors, and agents (Users); ii) Customer's clients, customers, and business partners; iii) Contributors whose data is processed by Safia's AI; iv) Other individuals whose Personal Data is contained in Customer Content.
3.4 Categories of Personal Data a) The categories of Personal Data may include: i) Contact information (name, email address, phone number, etc.); ii) Professional information (job title, department, etc.); iii) User account and authentication data; iv) Usage data and interaction metrics; v) Content and communications data; vi) Any other Personal Data contained in Customer Content.
3.5 Special Categories of Personal Data a) Unless specifically authorized in writing by Customer, Scalafai will not knowingly collect or process special categories of Personal Data (as defined in Article 9 of the GDPR) or sensitive personal information (as defined in Applicable Data Protection Laws). b) If Customer instructs Scalafai to process special categories of Personal Data, Customer will ensure it has a lawful basis for such Processing.
4.1 Instructions a) Scalafai will only Process Covered Data in accordance with: i) The Terms and this DPA; ii) Customer's documented instructions; and iii) Applicable Data Protection Laws. b) If Scalafai is required by law to Process Covered Data other than as instructed by Customer, Scalafai will, unless prohibited by law, inform Customer of that legal requirement before Processing. c) If Scalafai believes that any instruction from Customer violates Applicable Data Protection Laws, Scalafai will promptly inform Customer.
4.2 Confidentiality a) Scalafai will ensure that all personnel authorized to Process Covered Data: i) Are subject to appropriate confidentiality obligations; ii) Have received appropriate training on protecting Personal Data; and iii) Process Covered Data only as needed to perform their assigned duties.
4.3 Prohibited Activities a) Unless expressly permitted by Applicable Data Protection Laws or the Terms, Scalafai is prohibited from: i) Selling Covered Data or making Covered Data available to any third party for monetary or other valuable consideration; ii) Retaining, using, or disclosing Covered Data for any purpose other than providing the Products and Services; iii) Retaining, using, or disclosing Covered Data outside of the direct business relationship between Scalafai and Customer; iv) Combining Covered Data with Personal Data that Scalafai receives from other sources unless specifically permitted by Applicable Data Protection Laws.
4.4 Data Subject Requests a) Scalafai will promptly notify Customer if it receives a Data Subject Request relating to Covered Data. b) Scalafai will provide Customer with reasonable assistance to help Customer respond to Data Subject Requests, taking into account the nature of the Processing and the information available to Scalafai. c) If a Data Subject Request is made directly to Scalafai, Scalafai will not respond to such request without Customer's prior authorization, unless legally required to do so.
4.5 Assistance to Customer a) Scalafai will provide reasonable assistance to Customer with: i) Customer's compliance with its obligations under Articles 32 to 36 of the GDPR (or similar provisions in other Applicable Data Protection Laws); ii) Responding to requests from supervisory authorities; iii) Conducting data protection impact assessments; iv) Implementing appropriate technical and organizational measures. b) Scalafai may charge a reasonable fee for assistance provided under this section, except where such assistance is required due to Scalafai's non-compliance with this DPA.
5.1 Implementation of Security Measures a) Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Scalafai will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. b) These measures will include, as appropriate: i) The pseudonymization and encryption of Covered Data; ii) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; iii) The ability to restore the availability and access to Covered Data in a timely manner in the event of a physical or technical incident; iv) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2 Specific Security Measures a) Scalafai will maintain the following specific security measures: i) Access Control: Role-based access controls, multi-factor authentication, and principle of least privilege; ii) Encryption: Encryption of data in transit using TLS 1.2+ and encryption of sensitive data at rest using industry-standard algorithms; iii) Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning; iv) Monitoring: Logging and monitoring of system activities and security events; v) Incident Response: Documented procedures for detecting, investigating, and responding to security incidents; vi) Business Continuity: Regular backups and disaster recovery procedures; vii) Personnel: Background checks, security training, and confidentiality agreements for employees; viii) Physical Security: Physical access controls to data centers and offices; ix) Development Security: Secure coding practices, code reviews, and security testing; x) Third-Party Assessment: Regular security assessments of Sub-processors.
5.3 Updates to Security Measures a) Scalafai may update or modify the security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Products and Services. b) Upon request, Scalafai will provide Customer with information about the security measures in place.
6.1 Notification a) Scalafai will notify Customer without undue delay after becoming aware of a Security Incident affecting Covered Data. b) The notification will, to the extent possible: i) Describe the nature of the Security Incident; ii) Describe the likely consequences of the Security Incident; iii) Describe the measures taken or proposed to address the Security Incident; iv) Provide a point of contact for further information.
6.2 Cooperation a) Scalafai will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident. b) Scalafai will provide timely information and updates as new details about the Security Incident become available.
6.3 Documentation a) Scalafai will maintain documentation of all Security Incidents, including: i) The facts relating to the Security Incident; ii) Its effects; and iii) The remedial action taken. b) Such documentation will be made available to Customer upon reasonable request.
7.1 General Authorization a) Customer provides Scalafai with general authorization to engage Sub-processors to Process Covered Data, provided that Scalafai: i) Maintains an up-to-date list of its Sub-processors on its website or through other means made available to Customer; ii) Imposes data protection terms on Sub-processors that are no less protective than those in this DPA; iii) Remains fully liable for the acts and omissions of its Sub-processors.
7.2 New Sub-processors a) When Scalafai engages a new Sub-processor: i) Scalafai will notify Customer at least seven (7) days before authorizing the new Sub-processor to Process Covered Data; ii) Customer may object to the addition of a new Sub-processor within seven (7) days of receiving notification, stating reasonable data protection concerns; iii) If Customer objects, Scalafai and Customer will work together in good faith to find a mutually acceptable resolution; iv) If no resolution can be reached within thirty (30) days of Customer's objection, Customer may terminate the affected portion of the Products or Services.
7.3 Emergency Replacement a) In case of an emergency replacement of a Sub-processor, Scalafai will notify Customer as soon as possible and provide Customer with the right to object as set out in Section 7.2.
7.4 Current Sub-processors a) Scalafai's current list of Sub-processors is available at [URL] or upon request to [email address]. b) By entering into this DPA, Customer accepts the Sub-processors listed at the time of execution.
8.1 Transfer Mechanisms a) Scalafai may transfer and Process Covered Data anywhere Scalafai or its Sub-processors maintain facilities, provided that such transfers comply with Applicable Data Protection Laws. b) For transfers of Covered Data from the European Economic Area, Switzerland, or the United Kingdom to countries that do not ensure an adequate level of protection (as determined by the relevant authority), Scalafai will implement appropriate safeguards, which may include: i) Standard Contractual Clauses; ii) Binding Corporate Rules; iii) Approved certification mechanisms; or iv) Other valid transfer mechanisms.
8.2 Standard Contractual Clauses a) If Standard Contractual Clauses are used as the transfer mechanism: i) They are incorporated by reference into this DPA; ii) Annex I to the SCCs shall be deemed completed with the information set out in this DPA; iii) Annex II to the SCCs shall be deemed completed with the security measures described in Section 5.
8.3 Transfer Impact Assessments a) Upon Customer's request, Scalafai will cooperate with Customer to conduct and document a transfer impact assessment for transfers based on the SCCs. b) Scalafai will provide Customer with information reasonably necessary to conduct such assessments.
9.1 Audit Reports a) Upon request, Scalafai will provide Customer with information necessary to demonstrate compliance with this DPA, which may include third-party audit reports, certifications, or other documentation.
9.2 Customer Audits a) No more than once per year, Customer (or a qualified independent auditor approved by Scalafai) may audit Scalafai's compliance with this DPA by: i) Submitting a detailed audit plan at least thirty (30) days in advance; ii) Conducting the audit during regular business hours; iii) Causing minimal disruption to Scalafai's business operations; iv) Complying with Scalafai's security policies and confidentiality obligations. b) Customer will bear the costs of any audit unless the audit reveals material non-compliance with this DPA, in which case Scalafai will bear reasonable audit costs.
9.3 Regulatory Audits a) If a data protection authority requires an audit of the Processing of Covered Data, Scalafai will cooperate with such audit and provide Customer with the results of the audit to the extent permitted by law.
10.1 Upon Termination a) Upon termination or expiration of the Terms, Scalafai will, at Customer's choice: i) Return all Covered Data to Customer in a standard, machine-readable format; and/or ii) Delete all Covered Data from Scalafai's systems. b) This obligation applies to copies of Covered Data held by Scalafai and its Sub-processors.
10.2 Retention Period a) Scalafai may retain Covered Data after termination: i) For up to thirty (30) days to allow Customer to extract the data; ii) As required by applicable law, in which case Scalafai will continue to protect the data in accordance with this DPA; iii) In anonymized or aggregated form from which individuals cannot be identified.
10.3 Certification a) Upon Customer's request, Scalafai will provide written certification that it has fully complied with this Section 10.
11.1 Order of Precedence a) In case of conflict between the Terms and this DPA, this DPA will prevail with respect to the Processing of Covered Data. b) In case of conflict between this DPA and the SCCs, the SCCs will prevail.
11.2 Changes in Law a) If changes in Applicable Data Protection Laws require modifications to this DPA, the parties will negotiate in good faith to amend this DPA accordingly.
11.3 Severability a) If any provision of this DPA is invalid or unenforceable, the remaining provisions will remain in effect. b) The parties will replace any invalid or unenforceable provision with a valid and enforceable provision that achieves the same intent.
12.1 Liability Allocation a) Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions set out in the Terms. b) Each party is liable to the other for damages caused by its breach of this DPA.
12.2 Indemnification a) Customer will indemnify Scalafai against claims from third parties (including Data Subjects) arising from Processing Covered Data in accordance with Customer's instructions when such Processing violates Applicable Data Protection Laws. b) Scalafai will indemnify Customer against claims from third parties (including Data Subjects) arising from Scalafai's breach of this DPA.
13.1 Notices a) All notices under this DPA will be in writing and delivered in accordance with the notice provisions in the Terms.
13.2 No Third-Party Beneficiaries a) This DPA does not confer any benefits on any third party unless it expressly states that it does.
13.3 Counterparts a) This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
14.1 European Union a) For Customers subject to the GDPR, the additional terms in Appendix 1 (EU-Specific Terms) apply.
14.2 California a) For Customers subject to the CCPA/CPRA, the additional terms in Appendix 2 (California-Specific Terms) apply.
14.3 Other Jurisdictions a) Additional jurisdiction-specific terms may be added to this DPA as needed to comply with Applicable Data Protection Laws.