Data Processing Agreement - United States

This Data Processing Agreement (United States) (“DPA”) is entered into as of the Effective Date, and is by and between Euna Solutions, Inc., a Delaware corporation (“Service Provider”), and the customer identified in the signature block (“Customer”) (each a “Party,” collectively the “Parties”). This DPA may be executed: (a) as an addendum, exhibit, or schedule to a master services agreement, subscription agreement, order form, or other agreement between the Parties governing Customer’s use of the Platform Services (the “Related Agreement”), in which case it supplements and forms part of the Related Agreement and prevails over it with respect to the subject matter hereof; or (b) as a standalone agreement, in which case it governs Service Provider’s Processing of Customer Personal Data and shall be read together with the applicable order form or statement of work identifying the Platform Services. In either case, references herein to the “Related Agreement” mean whichever instrument applies. NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

1. DEFINITIONS

As used in this DPA:

“Applicable US Privacy Law” means any U.S. federal or state privacy, data protection, or data security law or regulation applicable to Service Provider’s Processing of Customer Personal Data under this DPA, which may include, without limitation, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq., and the regulations promulgated thereunder, Cal. Code Regs. tit. 11, §§ 7000–7305; the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq.; and the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; in each case as enacted and effective from time to time.
“Business Purpose” means the specific operational purposes for which Customer engages Service Provider to Process Customer Personal Data, as further described in Schedule A.
“Customer Personal Data” means Personal Information that is submitted, uploaded, or otherwise made available to Service Provider by Customer or its End Users through the Platform Services, and that is in the possession or control of Service Provider or any Sub-processor under this DPA. Customer Personal Data does not include: (a) Personal Information that is or becomes publicly available within the meaning of Applicable US Privacy Law through no act or omission of Service Provider; (b) Personal Information that Service Provider independently collects or generates outside the Platform Services without reference to Customer Personal Data; (c) Personal Information that has been de-identified or that constitutes aggregate consumer information in accordance with the requirements of Applicable US Privacy Law; or (d) Personal Information that Service Provider is required to disclose by applicable law, regulation, or legal process.
“Data Breach” means a confirmed security incident in which unencrypted Customer Personal Data in the possession or control of Service Provider is accessed or acquired by an unauthorized person or in an unauthorized manner. A Data Breach does not include access to or acquisition of Customer Personal Data that is secured by encryption or other comparable technology, provided that the encryption key or comparable security mechanism was not also acquired in the same incident.
“End Users” means Customer’s employees and contractors authorized by Customer to access and use the Platform Services on Customer’s behalf.
“Personal Information” has the meaning given to it under Applicable US Privacy Law and, for purposes of this DPA, means any information that identifies, relates to, describes, or is reasonably capable of being linked or associated with, directly or indirectly, an identifiable individual. Personal Information does not include information that is anonymous, de-identified, or aggregated in accordance with the requirements of Applicable US Privacy Law such that it cannot reasonably be used to infer information about or be linked to a particular individual.
“Platform Services” means the software-as-a-service platform and related products and services provided by Service Provider to Customer pursuant to the Related Agreement.
“Processing” or “Process” means any operation performed on Customer Personal Data, including collection, storage, use, disclosure, transfer, deletion, or destruction.
“Sensitive Personal Information” means any category of Personal Information designated as “sensitive” under Applicable US Privacy Law, which may include, without limitation, Social Security numbers, financial account credentials, precise geolocation, health information, biometric data, and racial or ethnic origin. Service Provider does not collect Sensitive Personal Information except as may be inputted into Platform Services directly by Customer.
“Sub-processor” means any third party engaged by Service Provider to Process Customer Personal Data on Service Provider’s behalf in connection with the Platform Services.

2. ROLES AND CUSTOMER REPRESENTATIONS

2.1 Roles. As between the Parties, Customer is the “business” or “controller” (as applicable under Applicable US Privacy Law) with respect to Customer Personal Data, and Service Provider is the “service provider” or “processor.” Service Provider Processes Customer Personal Data solely on behalf of and as directed by Customer, for the Business Purposes described in Schedule A, and for other purposes described in this DPA.
2.2 Customer Representations and Warranties. Customer represents, warrants, and covenants on a continuing basis that:
- Customer has the full legal right, power, and authority to submit Customer Personal Data to Service Provider for Processing under this DPA and for the Business Purposes described herein;
- Prior to submitting Customer Personal Data to Service Provider, Customer has provided all notices and obtained all consents, authorizations, opt-ins, and other approvals required under Applicable US Privacy Law and any other applicable law for Service Provider to Process Customer Personal Data as contemplated by this DPA;
- The submission, transfer, and other Processing of Customer Personal Data under this DPA does not and will not violate any applicable law, regulation, court order, or the privacy rights of any individual;
- Customer’s instructions to Service Provider comply, and will at all times comply, with Applicable US Privacy Law; and
- Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired it.

3. SERVICE PROVIDER PROCESSING OBLIGATIONS

3.1 Instructions. Service Provider will Process Customer Personal Data only: (a) as necessary to provide the Platform Services in accordance with the Related Agreement and this DPA; (b) as documented in written instructions from Customer; (c) as required by Applicable US Privacy Law; or (d) as reasonably necessary to detect, prevent, or address fraud, security incidents, technical issues, or illegal activity, or to enforce Service Provider’s rights or agreements with End Users or Customer.
3.2 Security. Service Provider will implement reasonable security measures designed to protect Customer Personal Data against unauthorized access or acquisition, and that are appropriate to the risk presented by the nature and sensitivity of the Customer Personal Data Processed. Customer had the opportunity to review Service Provider’s security measures and has determined they are adequate and appropriate for the risk to Customer Personal Data and the Platform Services.
3.3 Compliance with Law; Restrictions on Use and Disclosure. Service Provider will comply with the requirements applicable to service providers under Applicable US Privacy Law. Further, Service Provider will not: (a) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose specified in Schedule A or as otherwise permitted by this DPA; (b) “sell” or “share” (as those terms are defined under Applicable US Privacy Law) Customer Personal Data; or (c) combine Customer Personal Data received from Customer with Personal Information received from or collected from other sources, except as permitted under Applicable US Privacy Law or elsewhere in this DPA. In the event that any amendment to, or change in, Applicable US Privacy Law imposes obligations on Service Provider that are materially beyond those required as of the Effective Date of this DPA, or that would require Service Provider to incur material additional costs to comply, Service Provider shall have no obligation to comply with such additional obligations until the Parties have conferred in good faith regarding the impact of such change; and if the Parties are unable to agree on an allocation of such additional costs or obligations within thirty (30) days of Service Provider’s written notice to Customer of the change, Service Provider may, at its election: (a) pass through to Customer any reasonable additional costs required to achieve compliance, which Customer shall pay within thirty (30) days of invoice; or (b) terminate the affected portion of the Platform Services upon sixty (60) days’ written notice to Customer without liability to Customer for such termination.
3.4 De-identified Data. To the extent Service Provider creates de-identified information derived from Customer Personal Data, Service Provider will: (a) implement reasonable technical and organizational measures to prevent re-identification; (b) not attempt to re-identify such information; and (c) require any recipient to comply with the same restrictions.
3.5 Compliance Continuation. Service Provider will notify Customer in writing if it determines or reasonably suspects its inability to materially comply with its obligation set forth in this DPA.
3.6 Confidentiality. Service Provider will impose on its employees and contractors an obligation to maintain the confidentiality of Customer Personal Data.
3.7 Artificial Intelligence and Automated Processing. To the extent Customer’s subscription under the Related Agreement includes AI Features, as defined in Schedule C, the additional terms set forth in Schedule C shall apply and are incorporated into this DPA by reference. In the event of a conflict between Schedule C and the DPA body with respect to the Processing of Customer Personal Data through AI Features, Schedule C shall prevail.

4. SUB-PROCESSORS

4.1 General Authorization. Customer hereby provides written authorization for Service Provider to engage Sub-processors to assist in providing the Platform Services and Process Customer Personal Data, subject to the requirements of this Section 4. Service Provider’s current Sub-processors are listed in Schedule B.
4.2 Changes. Service Provider will provide Customer with reasonable prior written notice (which may be by email or by updating Schedule B on Service Provider’s website) before adding or replacing any Sub-processor that will Process Customer Personal Data. If Customer reasonably objects to a proposed Sub-processor on data protection grounds, Customer shall notify Service Provider in writing within ten (10) business days of receiving notice. The Parties shall work in good faith to resolve the objection. If unresolved within thirty (30) days, Customer’s sole and exclusive remedy is to terminate the affected portion of the Platform Services upon written notice.
4.3 Sub-processor Obligations. Service Provider will impose relevant data protection obligations on each Sub-processor that are materially consistent with those in this DPA with respect to Customer Personal Data. Service Provider remains responsible to Customer for its Sub-processors’ performance, subject to the liability limitations in Section 10 and the Related Agreement.

5. INDIVIDUAL RIGHTS REQUESTS

5.1 Customer Responsibility. Customer, as the business or controller, is solely responsible for receiving, validating, and responding to requests from individuals exercising their privacy rights under Applicable US Privacy Law (“Rights Requests”), including rights to know, delete, correct, opt out, and data portability.
5.2 Service Provider Assistance. Service Provider will provide reasonable technical assistance to Customer to fulfill Rights Requests, to the extent technically feasible given the nature of the Processing and the information available to Service Provider. Where Platform Services self-service tools are available, Customer shall use such tools in the first instance.
5.3 Direct Requests. If Service Provider receives a Rights Request directly from an individual relating to Customer Personal Data, Service Provider will notify Customer and will not respond to the individual directly, except to acknowledge receipt or as required by Applicable US Privacy Law.

6. DATA BREACH NOTIFICATION

6.1 Notification to Customer. Upon becoming aware of a Data Breach, Service Provider will notify Customer without undue delay. Such notification will be provided to the contact designated in Schedule A.
6.2 Content. Service Provider’s notification will include, to the extent then known: (a) the nature of the Data Breach and categories and approximate number of individuals and records affected; (b) measures taken or proposed to address the Data Breach; and (c) Service Provider’s designated privacy contact. Service Provider may provide information in phases.
6.3 Customer’s Notification Responsibility. Customer is solely responsible for all notifications to affected individuals, state attorneys general, regulatory authorities, and any other required third parties under Applicable US Privacy Law. Service Provider will have no obligation to notify any individual or authority directly. Service Provider will provide reasonable assistance to Customer in preparing required notifications upon Customer’s written request, at Customer’s expense.
6.4 No Admission. Service Provider’s notification of a Data Breach shall not be construed as an admission of fault, liability, or responsibility.

7. RETENTION AND DELETION

7.1 Retention. Service Provider will retain Customer Personal Data only for as long as necessary to provide the Platform Services, as required by Applicable US Privacy Law or the Related Agreement, or as otherwise necessary under this DPA.
7.2 Return or Deletion. Upon termination or expiration of the Related Agreement, or upon Customer’s written request, Service Provider will, at Customer’s election and expense: (a) return Customer Personal Data to Customer in a commonly used machine-readable format; or (b) securely delete or destroy Customer Personal Data; in each case within sixty (60) days of Service Provider’s receipt of Customer’s written request.
7.3 Backups and Archives. Notwithstanding the foregoing, Service Provider shall not be required to delete Customer Personal Data to the extent that retention is: (a) necessary to comply with applicable law, regulation, legal process, or governmental request, including applicable data retention mandates; (b) necessary to establish, exercise, or defend legal rights or claims arising out of or related to this DPA or the Related Agreement, including for purposes of litigation, dispute resolution, or regulatory investigation; (c) necessary to detect, prevent, or investigate fraud, security incidents, or other illegal or unauthorized activity involving the Platform Services; (d) necessary for audit, compliance, or financial record-keeping purposes in accordance with Service Provider’s reasonable internal policies and applicable law; (e) contained in backup, archival, or disaster recovery storage systems prior to the scheduled purge or rotation of such systems in the ordinary course of Service Provider’s data management practices, provided that Service Provider will not actively restore, access, or use such data for any purpose other than recovery operations; or (f) otherwise required or permitted by Applicable US Privacy Law. In each case, Customer Personal Data retained pursuant to this Section will remain subject to the confidentiality and security obligations of this DPA, except as the preceding exceptions require, and will be deleted as soon as all applicable exceptions no longer apply.

8. AUDIT AND COMPLIANCE

8.1 Compliance Documentation. No more than once per calendar year, unless required by Applicable US Privacy Law, Service Provider will make available to Customer, upon written request, information reasonably necessary to demonstrate compliance with this DPA.
8.2 Third-Party Certifications. Service Provider may satisfy its obligations under Section 8.1 by providing a current third-party audit report or certification (such as SOC 2 Type II) covering the Platform Services. Customer shall treat such reports as Service Provider’s Confidential Information.

9. GOVERNMENTAL CUSTOMER PROVISIONS

9.1 Applicability. This Section 9 applies where Customer is a U.S. federal, state, or local government agency, instrumentality, or public entity (“Governmental Entity”).
9.2 Sovereign Immunity. Nothing in this DPA constitutes a waiver of any governmental immunity, sovereign immunity, or similar immunity to which Customer may be entitled under applicable law. Service Provider acknowledges that certain remedies that might otherwise be available under this DPA, including injunctive relief, specific performance, punitive damages, or consequential damages, may be limited or entirely unavailable against a Governmental Entity under applicable law. Any such limitations shall not affect the validity or enforceability of the remaining provisions of this DPA.
9.3 Appropriations. To the extent Customer is a Governmental Entity, Customer’s obligations under this DPA are subject to the availability of lawfully appropriated funds. Service Provider shall not be entitled to any remedy against Customer for failure to perform obligations arising solely from a lack of appropriated funds, provided that Customer promptly notifies Service Provider of such circumstance.
9.4 Open Records and Public Records Laws. Customer acknowledges that Customer Personal Data submitted to the Platform Services may be subject to applicable open records, public records, freedom of information, or government records laws (“Records Laws”). Customer is solely responsible for determining whether and how Records Laws apply to Customer Personal Data, for responding to any records request, and for any resulting disclosure. Service Provider shall, upon written request, provide reasonable assistance in identifying Customer Personal Data relevant to a records request. Service Provider’s compliance with a records disclosure directed by Customer shall not constitute a breach of this DPA.
9.5 Government Contracting Requirements. Customer shall notify Service Provider in writing of any government contracting requirements that impose specific data protection obligations on Service Provider prior to execution of this DPA. Service Provider will use commercially reasonable efforts to accommodate such requirements, provided that Service Provider shall not be required to accept obligations that materially expand its liability or obligations beyond those in this DPA.
9.6 No Third-Party Beneficiaries. This DPA is for the sole benefit of the Parties and their permitted successors and assigns. No government agency, constituent, end user, or other third party is a third-party beneficiary of this DPA or has any right to enforce its terms.

10. LIMITATION OF LIABILITY AND DISCLAIMERS

10.1 Incorporation of Related Agreement Limitations. The limitations on Service Provider’s liability set forth in the Related Agreement, including any aggregate caps and exclusions of consequential, indirect, incidental, special, or punitive damages, apply in full to all claims arising under or related to this DPA. Nothing in this DPA expands Service Provider’s liability beyond the limits in the Related Agreement.
10.2 Aggregate Liability Cap. Notwithstanding any other provision of this DPA or the Related Agreement, Service Provider’s total aggregate liability to Customer for all claims arising under or related to this DPA, whether in contract, tort, statute, or otherwise, shall not exceed the total fees actually paid by Customer to Service Provider under the Related Agreement in the twelve (12) months immediately preceding the event giving rise to the claim.
10.3 Exclusion of Consequential Damages. IN NO EVENT SHALL SERVICE PROVIDER BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR THE COST OF SUBSTITUTE SERVICES, ARISING OUT OF OR RELATED TO THIS DPA OR THE PROCESSING OF CUSTOMER PERSONAL DATA, EVEN IF SERVICE PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
10.4 Disclaimer of Warranties. SERVICE PROVIDER MAKES NO WARRANTY, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, WITH RESPECT TO THE SECURITY OR PRIVACY OF CUSTOMER PERSONAL DATA BEYOND THE OBLIGATIONS EXPRESSLY SET FORTH IN THIS DPA. SERVICE PROVIDER DOES NOT WARRANT THAT ITS SECURITY MEASURES WILL PREVENT ALL DATA BREACHES OR UNAUTHORIZED ACCESS.
10.5 Customer’s Sole Responsibility for Compliance. Service Provider’s performance of its obligations under this DPA does not constitute legal advice and does not guarantee Customer’s compliance with Applicable US Privacy Law or any other law. Customer is solely responsible for its own legal compliance, including obtaining all required consents, providing all required notices, and responding to all individual rights requests. Service Provider shall have no liability for Customer’s failure to comply with Applicable US Privacy Law.

11. TERM AND TERMINATION

11.1 Term. This DPA is effective as of the Effective Date and remains in force for the duration of the Related Agreement.
11.2 Termination. This DPA terminates automatically upon the earlier of the termination or expiration of the Related Agreement and may not be terminated independently.
11.3 Survival. Sections 2.2 (Customer Representations), 7 (Retention and Deletion), 9 (Governmental Customer Provisions) where applicable, 10 (Limitation of Liability and Disclaimers), and any other provisions that by their nature should survive, shall survive termination or expiration of this DPA.

12. GENERAL PROVISIONS

12.1 Order of Precedence. In the event of a conflict between this DPA and the Related Agreement with respect to the Processing of Customer Personal Data, this DPA shall prevail.
12.2 Governing Law. This DPA shall be governed by and construed in accordance with the governing law provision of the Related Agreement. To the extent Applicable US Privacy Law mandates specific terms or dispute resolution procedures, those shall apply as required by law.
12.3 Updates. Service Provider may update this DPA from time to time to reflect changes in Applicable US Privacy Law or Service Provider’s practices. Service Provider will provide Customer with reasonable prior notice of material changes. Customer’s continued use of the Platform Services after the effective date of any update constitutes acceptance.
12.4 Entire Agreement. This DPA, together with the Related Agreement and its schedules and exhibits, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior understandings relating thereto.
12.5 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force.
12.6 No Waiver. No failure to exercise, and no delay in exercising, any right or remedy under this DPA constitutes a waiver of that right or remedy.
12.7 Counterparts; Electronic Signatures. This DPA may be executed in counterparts, each of which is an original. Electronic signatures are valid and binding.
12.8 No Third-Party Beneficiaries. This DPA is for the sole benefit of the Parties. No third party, including any End User, individual, or government body, has any right to enforce this DPA.

SCHEDULE A — DETAILS OF PROCESSING

This Schedule A forms part of the DPA and describes the processing activities to be performed by Service Provider.

Subject matter of Processing:	Provision of the Platform Services as described in the Related Agreement
Duration of Processing:	For the term of the Related Agreement and as specified in Section 7
Nature and purpose of Processing (Business Purpose):	Processing necessary to deliver, maintain, support, secure, and operate the Platform Services, including account management, transaction processing, technical support, security monitoring, and as otherwise directed by Customer in writing or described in the DPA
Processing Instructions:	In addition to other instructions, purposes and requirements of the DPA, Service Provider will Process Customer Personal Data in accordance with the following instructions, which Customer may supplement or modify in writing from time to time: (a) Customer’s configuration of the Platform Services, including user permissions, access controls, workflow settings, data fields, and reporting parameters, constitutes Customer’s instructions to Service Provider regarding the manner in which Customer Personal Data is organized, accessed, and used within the Platform Services; (b) Customer’s submission of data through the Platform Services constitutes Customer’s instruction to Process that data in connection with the specific Platform Services module or function to which it is submitted; and (c) Customer’s written requests submitted through Service Provider’s support channels, account management processes, or other designated means constitute ad hoc instructions for Processing activities outside the scope of Customer’s standard configuration. Service Provider has no obligation to evaluate whether Customer’s instructions are appropriate for Customer’s business purposes or compliant with applicable law, and Customer is solely responsible for the instructions it provides.
Categories and Type of Customer Personal Data:	[To be completed — e.g., employee names and contact information, constituent data, financial transaction data, procurement data, budget and compensation data as applicable to subscribed Platform Services]
Type of Sensitive Personal Information (if any):	[Identify if applicable — e.g., financial account credentials, Social Security numbers]
Categories of individuals:	Customer’s employees, End Users, and other individuals whose Personal Information Customer submits to the Platform Services
Customer contact for Data Breach notification:	[To be completed]

SCHEDULE B — APPROVED SUB-PROCESSORS

The following Sub-processors are approved as of the Effective Date. Changes will be notified in accordance with Section 4.2.

Sub-processor	Location	Processing Purpose
Sub-processors	Please refer to the full listing on our website at https://eunasolutions.com/privacy-policy/

Additionally, current Sub-processor list available upon request from [email protected].

SCHEDULE C — ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING

This Schedule C forms part of the DPA and applies only where Customer’s subscription under the Related Agreement includes AI Features as defined herein. Where Schedule C does not apply, the terms of this Schedule C create no obligations for either Party. In the event of a conflict between this Schedule C and the DPA body with respect to the Processing of Customer Personal Data through AI Features, this Schedule C shall prevail. C.1 Definitions. As used in this Schedule C:

(a) “AI Features” means any artificial intelligence, machine learning, generative AI, automated decision-making, or similar algorithmic processing capabilities made available by Service Provider as part of the Platform Services, as identified in the applicable order form, statement of work, or product documentation.
(b) “AI Output” means any content, recommendation, prediction, decision, score, summary, or other result generated by AI Features in connection with the Processing of Customer Personal Data.
(c) “Third-Party AI Provider” means any third-party provider of AI infrastructure, foundation models, or machine learning services engaged by Service Provider in connection with the delivery of AI Features, as listed in Schedule B.

C.2 Scope of Processing Through AI Features. Service Provider will Process Customer Personal Data through AI Features only: (a) as directed by Customer through Customer’s configuration and use of the Platform Services; (b) for the Business Purpose; and (c) subject to the restrictions on use and disclosure set forth in the DPA. This Schedule C supplements but does not replace the processing obligations in the DPA body, which continue to apply to all Processing of Customer Personal Data including Processing through AI Features. C.3 Prohibition on Training. Service Provider will not use Customer Personal Data to train, develop, fine-tune, or otherwise improve any AI or machine learning model, whether operated by Service Provider or a Third-Party AI Provider, for use beyond the specific instance of the Platform Services provided to Customer under the Related Agreement, without Customer’s prior written consent. Service Provider will impose equivalent restrictions on any Third-Party AI Provider with access to Customer Personal Data in connection with the AI Features. C.4 Third-Party AI Providers. Customer acknowledges that certain AI Features may be powered by Third-Party AI Providers. Service Provider will: (a) identify any Third-Party AI Providers with access to Customer Personal Data in Schedule B; (b) impose data protection obligations on such providers that are materially consistent with those in this DPA with respect to Customer Personal Data; and (c) require that such providers do not use Customer Personal Data to train their own models or for any purpose other than delivering the AI Features to Service Provider on Customer’s behalf. C.5 Automated Decision-Making — Customer’s Responsibility. To the extent AI Features generate AI Outputs that Customer uses to inform or make decisions about individuals, Customer acknowledges and agrees that: (a) Customer is solely responsible for evaluating the appropriateness, accuracy, and fitness of AI Outputs before applying them to any decision affecting individuals; (b) Service Provider does not represent or warrant the accuracy, completeness, reliability, or fitness for any particular purpose of AI Outputs, and AI Outputs may contain errors, omissions, or inaccuracies inherent in AI and machine learning systems; (c) Customer shall maintain appropriate human oversight of any decisions that produce legal or similarly significant effects concerning individuals, to the extent required by Applicable US Privacy Law or any applicable AI-specific law or regulation; and (d) Customer shall not rely solely on AI Outputs as the basis for decisions that produce legal or similarly significant effects concerning individuals without human review. C.6 Individual Rights Regarding Automated Processing. To the extent Applicable US Privacy Law grants individuals rights with respect to automated decision-making, profiling, or AI-generated outputs, Customer is solely responsible for receiving, evaluating, and responding to such rights requests with respect to Customer’s deployment and use of AI Features. Service Provider will provide reasonable technical assistance to Customer in fulfilling such obligations upon Customer’s written request, to the extent technically feasible given the nature of the AI Features and the information available to Service Provider. C.7 AI-Specific Regulatory Compliance. Customer is solely responsible for determining whether its deployment and use of AI Features constitutes a “high-risk artificial intelligence system,” “automated decision system,” or similar regulated category under any applicable AI-specific law or regulation, including without limitation the Colorado Artificial Intelligence Act, Colo. Rev. Stat. § 6-1-1701 et seq., or any other applicable state, federal, or local AI law or regulation enacted and effective from time to time, and for fulfilling any resulting compliance obligations, including algorithmic impact assessments, disclosures to affected individuals, and any required regulatory filings or registrations. Service Provider will provide reasonable cooperation to Customer in connection with such obligations upon Customer’s written request, at Customer’s expense. C.8 Changes in AI-Specific Law. In the event that any amendment to, or change in, any applicable AI-specific law or regulation imposes obligations on Service Provider with respect to AI Features that are materially beyond those required as of the Effective Date of this DPA, or that would require Service Provider to incur material additional costs to comply, the provisions of Section 3.3 of the DPA governing changes in law shall apply with equal force to such AI-specific legal changes. C.9 Disclaimer Regarding AI Outputs. CUSTOMER ACKNOWLEDGES THAT AI FEATURES INVOLVE INHERENT LIMITATIONS AND RISKS, INCLUDING THE POTENTIAL FOR INACCURATE, INCOMPLETE, BIASED, OR OTHERWISE ERRONEOUS OUTPUTS. SERVICE PROVIDER MAKES NO WARRANTY, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, RELIABILITY, COMPLETENESS, OR FITNESS FOR ANY PARTICULAR PURPOSE OF ANY AI OUTPUT. CUSTOMER ASSUMES ALL RISK ARISING FROM ITS RELIANCE ON OR USE OF AI OUTPUTS, AND SERVICE PROVIDER SHALL HAVE NO LIABILITY FOR ANY HARM, LOSS, OR DAMAGE ARISING FROM CUSTOMER’S USE OF, RELIANCE ON, OR DECISIONS MADE IN CONNECTION WITH AI OUTPUTS, INCLUDING WHERE SUCH HARM RESULTS FROM ERRORS, HALLUCINATIONS, BIASES, OR OTHER LIMITATIONS INHERENT IN AI SYSTEMS. C.10 Schedule A and Schedule B. Where AI Features are included in Customer’s subscription: (a) Customer shall identify in Schedule A any categories of Customer Personal Data that will be submitted to or Processed by AI Features, and the specific Business Purpose for such Processing; and (b) Service Provider shall identify in Schedule B any Third-Party AI Providers with access to Customer Personal Data, which Customer hereby authorizes subject to the requirements of Section C.4 and Section 4 of the DPA.

QUICK LINKS

Euna Financial Suite

Euna Budget

Euna Grants

Euna Payments

Euna Procurement

Euna Supplier Network

Resources

Community & events

INDUStry reports

Real Customer Results

Modernizing Public Procurement: A Candid Conversation with the City of Mississauga

Euna Solutions Launches Solicitation Advisor, an Industry-First AI Tool That Helps Public Sector Agencies Strengthen Solicitations Before Publication