Software as a Service Agreement
Effective May 2026.
This Software as a Service Agreement (the "Agreement") is between the entity named below ("Customer") and Modal Labs, Inc., a Delaware corporation ("Modal"). This Agreement consists of these terms, each order form for Services that has been executed by Modal and Customer (each an "Service Order") and all exhibits and amendment of any of the foregoing. Customer consents to this Agreement by executing a Service Order or creating an account on the Service.
SCOPE OF SERVICE AND RESTRICTIONS
Access and Scope of Service. Subject to receipt of the applicable Fees with respect to the service specified in the corresponding Service Order (the "Service(s)"), Modal will make the Service available to Customer as set forth in this Agreement and the Service Order. Subject to Customer's compliance with the terms and conditions of the Agreement and the Service Order, Customer may access and use the Service during the period specified in the Service Order. Any such use of the Service by Customer is solely for Customer's internal business.
No-Fee Use.If Customer is accessing or making use of the Service on a trial or no-fee basis (the "No-Fee Use"), Customer may use the Service consistent with applicable use limitations in the corresponding Service Order or otherwise provided to Customer. Customer acknowledges and agrees that the No-Fee Use is provided on an "as-is" basis and the No-Fee Use is provided without any indemnification, support, warranties or representation of any kind. Further, No-Fee Use may be subject to certain additional restrictions, limitations and differing terms all as specified in the corresponding No-Fee Use Limitations.
Restrictions. Customer will use the Service only in accordance with all applicable laws, including, but not limited to, laws related to data (whether applicable within the United States, the European Union, or otherwise). Customer agrees not to (and will not allow any third party to): (a) remove or otherwise alter any proprietary notices or labels from the Service or any portion thereof; (b) reverse engineer, decompile, disassemble, or otherwise attempt to discover the underlying structure, ideas, or algorithms of the Service or any software used to provide or make the Service available; (c) rent, resell or otherwise allow any third party direct access to or use of the Service; or (d) or use the Service for any Prohibited Purpose or to process Prohibited Content.
"Prohibited Content" means content that: (a) is illegal under applicable law, (b) violates any third party's intellectual property rights, including, without limitation, copyrights, trademarks, patents, and trade secrets, (c) contains indecent or obscene material; (d) contains libelous, slanderous, or defamatory material, or material constituting an invasion of privacy or misappropriation of publicity rights; (e) contains false, misleading, or deceptive statements; or (f) contains any harmful, malicious, or hidden code, programs, procedures, routines, or mechanisms that would: (i) cause the Service to cease functioning; (ii) in any way damage or corrupt data, storage media, programs, equipment, or communications; or (iii) otherwise interfere with the operations of the Service, including, without limitation, trojan horses, viruses, worms, time bombs, time locks, devices, traps, access codes, or drop dead or trap door devices.
"Prohibited Purpose" means use of the Service to: (a) promote unlawful or illegal goods, services, or activities; or (b); conduct cryptocurrency mining or related blockchain related activities, denial of service attacks, peer-to-peer file sharing, or general file-hosting or media-serving platform services.
Service Suspension. Modal may suspend Customer's access to or use of the Service if Modal determines such action is reasonably necessary to enforce its rights and Customer's obligations herein. Modal will notify Customer before suspending access to the Service and give Customer an opportunity to remediate any deficiencies, unless emergency suspension is required.
Ownership of the Service. Modal retains all right, title, and interest in and to the Service, and any software, products, works or other intellectual property created, used, provided or made available by Modal under or in connection with the Service. Customer may from time to time provide suggestions, comments or other feedback to Modal with respect to the Service ("Feedback"). Customer hereby grants to Modal a nonexclusive, worldwide, perpetual, irrevocable, transferable, sublicensable, royalty-free, fully paid up license to use and exploit any Feedback for any purpose, excluding any Customer Data and other Customer Confidential information contained therein. Nothing in this Agreement will impair Modal's right to develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions as, or otherwise compete with any products, software or technologies that Customer may develop, produce, market, or distribute.
Customer Data. Customer shall retain all right, title and interest in and to the Customer Data, including all intellectual property rights therein. Customer hereby grants to Modal a limited license to use Customer Data as necessary to provide the Service to Customer. For purposes of this Agreement, "Customer Data" shall mean any data, information or other material provided, uploaded, or submitted by Customer to the Service in the course of using the Service. As between Modal and Customer, Customer owns all Customer Data. Customer is solely responsible for Customer Data including, but not limited to: (a) compliance with all applicable laws and regulations; and (b) any claims that Customer Data infringes, misappropriates, or otherwise violates the rights of any third party.
Processing Locations. Customer may configure the Service to process Customer Data only on servers in the geographic regions Customer specifies, as described at https://modal.com/docs/guide/region-selection. Modal will not process Customer Data on servers in other regions, except with Customer's prior written consent.
Modal Client. In their discretion, Customers may access and use SDKs, software libraries and other tools available at the following URL: https://github.com/modal-labs/modal-client (the "Modal Tools") to configure their Services deployments. Modal Tools are community-developed and made available under open source licensing terms, Customer agrees that it is responsible for obtaining, installing and maintaining the Modal Tools, that the Modal Tools are not part of the Service, are not subject to this Agreement, and that Modal disclaims all representations, warranties and other obligations under this Agreement as to the Modal Tools.
Service Metrics. Notwithstanding anything to the contrary, Customer acknowledges and agrees that Modal may collect and use Service Metrics for its own business purposes during the term of this Agreement and thereafter. "Service Metrics" means data and information related to Customer's or its Users' use of the Services that is used by Modal in an aggregate and/or permanently anonymized manner such that it does not identify an individual or Customer, and for which Modal has implemented technical safeguards and business processes to prohibit reidentification of such data..
FEES AND TAXES
Fees. Customer shall pay to Modal the fees as set forth in each applicable Service Order(s) (collectively, the "Fees") and will provide accurate and updated billing contact information. Minimum commitments as set forth in Service Orders are: (a) based on the Service purchased and not actual usage; (b) non-cancelable except as described in section 3.2 below; and (c) cannot be decreased during the specified term set forth in such Service Order. Fees are not refundable, except as described in section 3.2 below.
Invoicing Terms.Modal will invoice Customer either monthly or according to the billing frequency stated in the Service Order. Invoices are due pursuant to the corresponding Service Order. If any invoiced amount is not received by Modal by the due date, then without limiting Modal's rights or remedies: (a) those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and (b) Modal may condition future renewals and Service Orders on shorter payment terms. If Modal is required to initiate legal action due to nonpayment of fees, Customer shall bear all costs resulting from the collection of such fees.
Taxes. Any and all payments made by Modal in accordance with this Agreement are exclusive of any taxes that might be assessed against Customer by any jurisdiction. Customer shall pay or reimburse Modal for all value-added, sales, use, property and similar taxes; all customs duties, import fees, stamp duties, license fees and similar charges; and all other mandatory payments to government agencies of whatever kind, except taxes imposed on the net or gross income of Modal. All amounts payable to Modal under this Agreement shall be without set-off and without deduction of any taxes, levies, imposts, charges, withholdings and/or duties of any nature which may be levied or imposed, including without limitation, value added tax, customs duty and withholding tax.
TERM AND TERMINATION
Term. The term of this Agreement shall commence on the Effective Date identified in the Service Order and unless terminated earlier according to this Section 3, will end on the last day of the term specified in the last Service Order (the "Term"). Each Service Order will renew automatically at the end of the applicable term unless either party provides to the other advance written notice with respect to non-renewal at least 30 days prior to the end of the then current term.
Termination. This Agreement and the Service Orders hereunder may be terminated: (a) by either party if the other has materially breached this Agreement, within thirty (30) calendar days after written notice of such breach to the other party if the breach is remediable or immediately upon notice if the breach is not remediable; or (b) either party upon written notice to the other if such other party (w) has made or attempted to make any assignment for the benefit of its creditors or any compositions with creditors, (x) has any action or proceedings under any bankruptcy or insolvency laws taken by or against it which have not been dismissed within 60 days, (y) has effected a compulsory or voluntary liquidation or dissolution, or (z) has undergone the occurrence of any event analogous to any of the foregoing under the law of any jurisdiction.
Effect of Termination. Upon any expiration or termination of this Agreement, (a) Customer shall immediately cease use of the Service, and (b) each party shall return or destroy all Confidential Information and other materials and information provided by the other party. Any termination or expiration shall not relieve Customer of its obligation to pay all Fees accruing prior to termination. On termination of this Agreement, Customer shall pay to Modal all Fees set forth in the corresponding Service Order(s). Customer's Service account will be deleted within 60 days following the termination date.
Survival.The following provisions will survive termination of this Agreement: Sections 1.7 (Ownership), 3.3 (Effect of Termination), Section 3.4 (Survival), Section 4 (Confidentiality), Section 6 (Limitation of Liability), and Section 8 (Miscellaneous).
CONFIDENTIALITY
During the term of this Agreement, either party may provide the other party with confidential and/or proprietary materials and information ("Confidential Information"). All materials and information provided by the disclosing party and identified at the time of disclosure as "Confidential" or bearing a similar legend, and all other information that the receiving party reasonably should have known was the Confidential Information of the disclosing party, shall be considered Confidential Information. This Agreement is Confidential Information, and all pricing terms are Modal Confidential Information. The receiving party shall maintain the confidentiality of the Confidential Information and will not disclose such information to any third party without the prior written consent of the disclosing party. The receiving party will only use the disclosing party's Confidential Information internally for the purposes contemplated hereunder. The obligations in this Section shall not apply to any information that: (a) is made generally available to the public without breach of this Agreement, (b) is developed by the receiving party independently from and without reference to the Confidential Information, (c) is disclosed to the receiving party by a third party without restriction, or (d) was in the receiving party's lawful possession prior to the disclosure and was not obtained by the receiving party either directly or indirectly from the disclosing party. The receiving party may disclose Confidential Information as required by law or court order; provided that, the receiving party provides the disclosing with prompt written notice thereof and uses the receiving party's best efforts to limit disclosure. At any time, upon the disclosing party's written request, the receiving party shall return to the disclosing party all disclosing party's Confidential Information in its possession, including, without limitation, all copies and extracts thereof.
WARRANTIES
Authority. Each of Modal and Customer represents and warrants that: (a) it has the full right, power and authority to enter into and fully perform this Agreement; (b) the person signing this Agreement on its behalf is a duly authorized representative of such party who has in fact been authorized to execute this Agreement; (c) its entry herein does not violate any other agreement by which it is bound; and (d) it is a legal entity in good standing in the jurisdiction of its formation.
Services Operation.The Service, when used by Customer in accordance with the provisions of this Agreement and in compliance with the applicable documentation, will perform, in all material respects, the functions described in the documentation during the Term. If Customer has purchased a subscription plan that includes Modal's uptime and support SLAs, Modal's Service Level Agreement will be attached to the Service Order.
Protection of Customer Data.Modal will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data in accordance with its security documentation, which will be made available to Customer on request, and Modal's Data Processing Addendum attached as Exhibit A, which is incorporated herein by reference. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Customer Data by Modal personnel except: (a) to provide the Service and to prevent or address service or technical problems, or (b) as Customer expressly permits in writing.
Deletion of Customer Data.Customer Data processed by the Service is expunged promptly following completion of processing, as described at https://modal.com/docs/guide/security#data-privacy.
Use of Artificial Intelligence.
As used herein "AI Tools" means Modal products or features that implement or utilize large language models or other artificial intelligence to generate Output based upon Customer's Input; "Input" means any instructions, text, data, content, or materials that Customer enters into or otherwise submit to the AI Tools for the purpose of generating Output; and "Output" means the resulting output, including any information, data, conclusions, insights, summaries, correlations, images, text, text effects, vector graphic files, audio files, video files, or any other content, which is created and provided to Customer by the AI Tools. Input and Output shall be considered Customer Data.
Customer is solely responsible for any and all Input it and its Users submit to the Services, including obtaining any and all necessary rights to provide or use such Input.
Subcontractors that process Customer Data to provide AI Tools are identified on Modal's Subprocessor list, as further described in the Data Processing Addendum.
Modal will not, except with Customer's prior written consent: (i) train any AI model using Customer Data, or (ii) export Customer Data into, or cause Customer Data to be ingested by, large language models.
Customer acknowledges and agrees that the use of AI has known and unknown risks and limitations and the AI Tools may provide Output that is inaccurate, offensive, biased, poses a threat to public safety, or does not meet Customer's specific needs, particular purpose, expectations, or legal, regulatory, or compliance obligations. Additionally, Output may not be unique, and similar or identical Output may be generated by other users of the AI Tools. The parties agree that Customer is solely responsible for reviewing, validating, editing, and amending any Output before any publication, use, disclosure, or reliance on such Output.
Exclusive Remedies.Customer shall report to Modal, pursuant to the notice provision of this Agreement, any breach of the warranties set forth in this Section 5. In the event of a breach of warranty by Modal under this Agreement, Customer's sole and exclusive remedy, and Modal's entire liability, shall be prompt correction of any material non-conformance in order to minimize any material adverse effect on Customer's business.
Disclaimer of Warranty. Modal does not represent or warrant that the operation of the Service (or any portion thereof) will be uninterrupted or error free, or that the Service (or any portion thereof) will operate in combination with other hardware, software, systems or data not provided by Modal, except as expressly specified in the applicable documentation. CUSTOMER ACKNOWLEDGES THAT, EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, MODAL MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE SERVICE OR SERVICES, OR THEIR CONDITION. MODAL IS FURNISHING THE WARRANTIES HEREIN IN LIEU OF, AND MODAL HEREBY EXPRESSLY EXCLUDES, ANY AND ALL OTHER EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES, WHETHER UNDER COMMON LAW, STATUTE OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY AND ALL WARRANTIES AS TO MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY OR NON-INFRINGEMENT OF THIRD-PARTY RIGHTS.
INDEMNIFICATION
Indemnification by Customer. Customer will defend, indemnify, and hold Modal, its affiliates, suppliers and licensors harmless and each of their respective officers, directors, employees and representatives from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to any third party claim with respect to alleged infringement or misappropriation of third-party's intellectual property rights or violation of applicable law related to Customer Data.
Indemnification by Modal. Modal will defend, indemnify, and hold Customer harmless from and against any third party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from claims by a third party that Customer's use of the Service directly infringes or misappropriates a third party's intellectual property rights (an "Infringement Claim"). Notwithstanding any other provision in this Agreement, Modal shall have no obligation to indemnify or reimburse Customer with respect to any Infringement Claim to the extent arising from: (a) the combination of any Customer Data with the Service; (b) the combination of any products or services, other than those provided by Modal to Customer under this Agreement, with the Service; or (c) non-discretionary designs or specifications provided to Modal by Customer that caused such Infringement Claim.
Notice of Claim and Indemnity Procedure. In the event of a claim for which a party seeks indemnity or reimbursement under this Section 6 (each an "Indemnified Party") and as conditions of the indemnity, the Indemnified Party shall: (a) notify the indemnifying party in writing as soon as practicable, but in no event later than thirty (30) days after receipt of such claim, together with such further information as is necessary for the indemnifying party to evaluate such claim; and (b) the Indemnified Party allows the indemnifying party to assume full control of the defense of the claim, including retaining counsel of its own choosing. Upon the assumption by the indemnifying party of the defense of a claim with counsel of its choosing, the indemnifying party will not be liable for the fees and expenses of additional counsel retained by any Indemnified Party. The Indemnified Party shall cooperate with the indemnifying party in the defense of any such claim. Notwithstanding the foregoing provisions, the indemnifying party shall have no obligation to indemnify or reimburse for any losses, damages, costs, disbursements, expenses, settlement liability of a claim or other sums paid by any Indemnified Party voluntarily, and without the indemnifying party's prior written consent, to settle a claim. Subject to the maximum liability set forth in Section 7, the provisions of this Section 6 constitute the entire understanding of the parties regarding each party's respective liability under this Section 6, including but not limited to Infringement Claims (including related claims for breach of warranty) and each party's sole obligation to indemnify and reimburse any Indemnified Party.
LIMITATIONS OF LIABILITY
IN NO EVENT SHALL EITHER PARTY BE LIABLE UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY, LOST PROFITS, BUSINESS INTERRUPTION, REPLACEMENT SERVICE OR OTHER SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR INDIRECT DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THEORY OF LIABILITY.
EACH PARTY'S LIABILITY FOR ALL CLAIMS ARISING UNDER THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER UNDER THE APPLICABLE SERVICE ORDER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENTS GIVING RISE TO THE CLAIM.
MISCELLANEOUS
Amendment; Waiver. No modification of or amendment to this Agreement, nor any waiver of any rights under this Agreement, shall be effective unless in writing signed by the parties hereto. The failure by either party to enforce any rights under this Agreement shall not be construed as a waiver of any rights of such party.
Compliance with Laws.Customer shall comply with all applicable laws and regulations in its use of any Service, including without limitation export control laws, privacy laws and laws regarding the unlawful gathering or collecting, or assisting in the gathering or collecting of information.
Assignment. Neither party may transfer or assign this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, either party may assign this Agreement without consent from the other party in connection with a change in control, acquisition or sale of all or substantially all of its assets.
Notice. All notices between the parties shall be in writing and shall be deemed to have been given if personally delivered or sent by registered or certified mail (return receipt), by recognized courier service, or electronic mail with no notice of delivery failure.
No Agency. Both parties agree that no agency, partnership, joint venture, or employment is created as a result of this Agreement. Neither party has any authority of any kind to bind the other.
Governing Law. This Agreement shall be governed exclusively by, and construed exclusively in accordance with, the laws of the United States and the State of California, without regard to its conflict of laws provisions. The federal courts of the United States in the Northern District of California and the state courts of the State of California shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement. Each party hereby consents to the jurisdiction of such courts and waives any right it may otherwise have to challenge the appropriateness of such forums, whether on the basis of the doctrine of forum non conveniens or otherwise. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement or any Service Order issued under this Agreement.
Publicity. With Customer's prior written consent, Modal may identify Customer as a Modal customer, and use Customer's name, mark and/or logo on Modal's website and/or in Modal's marketing materials with respect to the same.
Entire Agreement. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications, and other understandings relating to the subject matter of this Agreement, and all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. Any term or provision of this Agreement held to be illegal or unenforceable shall be, to the fullest extent possible, interpreted so as to be construed as valid, but in any event the validity or enforceability of the remainder hereof shall not be affected. In the event of a conflict between this Agreement and the Service Order document, the terms of this Agreement shall control. This Agreement may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
Exhibit A: Data Processing Addendum
This Data Processing Addendum (the "DPA") is incorporated by reference into the agreement between Modal Labs, Inc. ("Modal") and Customer (the "Agreement") regarding the Services described in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Modal under the Agreement. Capitalized terms have the meanings provided in the Agreement except as provided here.
IT IS AGREED AS FOLLOWS:
Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
"Applicable Privacy Law(s)" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable:
"EU Data Protection Law": Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC), each as implemented and transposed into local law by any EU member states.
"Swiss DPA": the Swiss Federal Act on Data Protection 1992 (including as amended or superseded).
"UK Data Protection Law": the UK Data Protection Act and GDPR as incorporated into UK law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
"US Data Protection Law": all applicable comprehensive state Applicable Privacy Laws and regulations in each case as may be amended or superseded from time to time, including the California Privacy Rights Act ("CPRA"); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Delaware Personal Data Privacy Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Montana Consumer Data Privacy Act; Oregon Consumer Privacy Act; Tennessee Information Protection Act; Texas Data Privacy and Security Act; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act.
"Customer Personal Data" means any Personal Data Processed by a Subprocessor on behalf of Customer pursuant to or in connection with the Agreement;
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
"Controller", "Data Subject", "Process", (whether or not capitalized) "Processor", and "Subprocessor" have the meanings ascribed to them by GDPR and include equivalent terms in California Data Protection Law, in each case as applicable to the Services.
"EEA" means the European Economic Area;
"Standard Contractual Clauses" or "SCCs" means: (a) where EU Data Protection Law or the Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (b) where UK Data Protection Law applies, standard data protection clauses adopted pursuant to or permitted under UK Data Protection Law ("UK SCCs").
Processing of Customer Personal Data
Purpose Limitation. Modal will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in this DPA, unless obligated to do otherwise by Applicable Privacy Law. In such case, Modal will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Modal shall only Process Customer Personal Data for the following purposes: (a) Processing as reasonably required to provide the Service and perform Modal's obligations under the Agreement and this DPA, and as otherwise agreed by the Parties; (b) Processing initiated by Customer and its users in their use of the Service; (c) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement and Applicable Privacy Laws; and (d) as otherwise required by Applicable Privacy Laws. Further details regarding Modal's Processing operations are set forth in Schedule 1.
Lawful Instructions. Customer shall, in its use of the Service, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will not instruct Modal to Process Personal Data in violation of Applicable Privacy Law. Modal has no obligation to monitor the compliance of Customer's use of the Service with Applicable Privacy Law, though Modal will immediately inform Customer if, in Modal's opinion, an instruction from Customer infringes Applicable Privacy Law.
US State Law Requirements. With respect to Customer Personal Data to which US Data Protection Law applies (capitalized terms used in this section having the meanings provided in US Data Protection Law):
Modal shall act as a Service Provider to Customer and shall collect, access, maintain, use, process, and transfer Customer Personal Data solely for the purpose of performing Modal's obligations under this Agreement for or on behalf of Customer and for no commercial purpose other than the performance of such obligations.
Modal shall not Sell or Share, disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another business or third party without Customer's prior written consent unless and to the extent that such disclosure is made to a Subcontractor for a business purpose, subject to Section 5.1(a) below. Notwithstanding the foregoing, nothing in this DPA shall restrict Modal's ability to disclose Customer Personal Data to comply with applicable laws; provided that if such disclosure is required, Modal will promptly notify Customer of the request for disclosure unless such notification is prohibited by applicable law or a legally binding order.
Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures, described on Schedule 2, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, Processor shall take account, in particular, the risks that are presented by Processing from a Personal Data Breach perspective.
Subprocessing
Customer hereby consents to Modal's appointment of Subprocessors of Personal Data under this Agreement. Modal's current Subprocessors are listed on Schedule 3 hereto. Modal confirms that it:
has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are at least as protective of Personal Data provided by Customer as those set out in this DPA; and
At least 30 days prior to the addition or replacement of any subcontractor Modal will: (i) update its Subprocessor website at https://trust.modal.com/subprocessors, and (ii) if Customer has self-enrolled to receive email updates, notify Customer of any such intended changes, thereby giving Customer the opportunity to object. Customer's sole recourse if it objects to a Subprocessor will be to terminate its subscription to the Service.
Emergency Replacement. Modal may replace a Subprocessor if the need for the change is urgent and necessary to provide the Service. In such instance, Modal shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor as described above.
Data Subject Rights
Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Applicable Privacy Laws.
Processor shall:
promptly notify Customer if it receives a request from a Data Subject under any Applicable Privacy Laws in respect of Customer Personal Data; and
ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Privacy Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Privacy Laws inform Customer of that legal requirement before the Processor responds to the request.
Personal Data Breach
Processor shall notify Customer without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Privacy Laws.
Processor shall co-operate with the Customer and take commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.
Deletion or return of Customer Personal Data
Customer Data processed by the Service is expunged promptly following completion of processing, as described at https://modal.com/docs/guide/security#data-privacy. On termination of the Agreement, Modal will delete and procure the deletion of all copies of any other Customer Personal Data as described in the MSA.
Audit rights
Customer may request an on-site audit of Processor's applicable controls related to the processing activities under this DPA when: (a) the information provided under the information provided by Processor is not sufficient to demonstrate compliance with the obligations set out in this DPA or (b) required by Applicable Privacy Laws or Customer's competent supervisory authority. Upon Customer's written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Processor shall make available to Customer information regarding Processor's compliance with the obligations set forth in this DPA in the form of a copy of Processor's then most recent third-party audits or certifications, if any.
Cross Border Transfers
Consent. Modal may not transfer Personal Data to, or process such data in, a location outside of the European Economic Area or the UK without Customer's prior written consent, except in compliance with Section 10.2 below (in each case a "Transfer").
Compliant Transfer Mechanisms. Without prejudice to the foregoing, Customer consents to Transfers where Modal has implemented a Transfer solution compliant with GDPR and UK GDPR, which for example may include: (a) an adequacy decision by applicable authorities; (b) the Standard Contractual Clauses as incorporated herein pursuant to Appendix 1; (c) another appropriate safeguard pursuant to Article 46 of GDPR or UK GDPR equivalent; or (d) a derogation pursuant to Article 49 of GDPR or UK GDPR equivalent.
General Terms
This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.
This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless required otherwise by GDPR, in which case this DPA will be governed by the laws of Sweden.
In the event of inconsistencies between this DPA and the SCCs, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for data subjects. Otherwise the SCCs shall apply.
Appendix 1: Applicable Standard Contractual Clauses and Supplemental Terms
Incorporation of Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Modal Processes Personal Data as a Controller, Modal and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Modal Processes Personal Data as a Processor, Modal and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Modal Processes Personal Data as a Processor, Modal and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
Standard Contractual Clause Optional Provisions
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
Clause 7 (Docking Clause) is omitted;
In Clause 9(a) (Use of sub-processors) - Option 2 shall apply and the parties shall follow the process and timing agreed in the DPA to appoint sub-processors;
In Clause 11(a) (Redress) - the Optional provision shall NOT apply;
In Clause 16(b) (Suspension of transfers) if Modal is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
In Clause 17 (Governing Law) - the laws of Sweden shall govern; and
In Clause 18 (Choice of forum and jurisdiction) - the courts of Sweden shall have jurisdiction.
Supplementary Terms to Standard Contractual Clauses
Documentation and compliance. For the purposes of Clauses 8.9(b) and 8.9(e) the review and audit provisions in the Agreement and DPA shall apply.
Notification and Transparency.
The Parties acknowledge and agree that Modal, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly.
For purposes of Clause 8.2 - Module 1, Clause 8.3 - Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Modal to make the appropriate communications to data subjects and accordingly, Customer shall (following notification from Modal) have the option to be the party who communicates with the data subject, and Modal shall provide the level of assistance set out in the DPA.
Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Modal and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
Swiss Law Provisions
Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
United Kingdom Law Provisions
Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the "IDTA") issued by the UK Information Commissioner's Office (the "ICO") and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
In Part 1 of the IDTA, the information required by Tables 1 - 3 is provided in the Agreement, the DPA and these SCCs.
The IDTA's Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.
References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom and UK GDPR.
In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.
Schedule 1: Description of Data Processing
The data processing activities carried out by Modal under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
Data subjects are: (a) Customer's personnel who use the Service by or at the direction of Customer, and (b) users of Customer's product or service, if Customer imports their Personal Data into the Service.
Categories of personal data transferred
The categories of Personal Data are: (a) the name, email and telephone contact information for Customer personnel who use the Service, and (b) Personal Data contained in queries and other unstructured data.
Sensitive data transferred(if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None required to provide the Services. If submitted via queries, sensitive or special categories of Personal Data will be processed
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
Modal will process Personal Data to provide the Service identified in the Agreement.
Purpose(s) of the data transfer and further processing
Modal will transfer Personal Data to provide the Service identified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As described in the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subprocessors referenced in the DPA provide portions of the platform used by Modal to provide the Service
Schedule 2: Technical and Organizational Measures (TOMs)
The technical and organizational measures (TOMs) provided below apply to Services provided by Modal Labs, Inc. except where Customer is responsible for its own TOMs in its use of the Services. Evidence of the implementations of these TOMs may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon written request from Customer.
| Technical and Organizational Security Measure | Details |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Customer data is stored in a multi-tenant application with logical separation between Customer instances. Sensitive authentication information is encrypted, and the database is encrypted at rest. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Modal has policies and procedures in place to ensure confidentiality, integrity and resilience of processing systems and services. These include an Access Control Policy, Business Continuity and Disaster Recovery Policy, Data Classification Policy and a Secure Development Policy. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Customer data is backed up at least at a daily cadence. Restoration tests are performed annually. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Modal monitors and tests controls to ensure they are operating as intended and updated as needed. Modal uses Vanta Inc. to automate several of these controls, including employee activity and adherence to Modal policies and procedures, infrastructure monitoring, and development procedures. Outside of this, Modal has completed its SOC2 Type II certification and maintains an active security program. |
| Measures for user identification and authorization | Modal maintains an Access Control Policy. Measures for access control and authorization include formally documented roles and permissions, encrypted connection to production systems and networks, and single-sign on or 2FA where available. Access reviews are performed on a regular basis. |
| Measures for the protection of data during transmission | All data transfer outside Modal's private network is encrypted with HTTPS/SSL. |
| Measures for the protection of data during storage | Modal's database and file stores are encrypted at rest. |
| Measures for ensuring physical security of locations at which personal data are processed | Modal does not operate physical servers or other infrastructure. For employer-provided computers: All Modal employees are required to complete physical security training, and all employees and contractors are required to enable a screen lock when the work computer is left unattended. |
| Measures for ensuring events logging | Modal has detailed event and data access logging, with automated alerts for anomalies or missing data. |
| Measures for ensuring system configuration, including default configuration | Modal maintains guidelines for configuring and hardening instances, images and containers before they can be used in production. |
| Measures for certification/assurance of processes and products | Modal has completed its SOC2 Type II certification, and engages a third-party to perform penetration tests on a regular basis. |
| Measures for ensuring data minimisation | Modal collects data in connection with Customer's use of the Service, but only in aggregate, de-identified form which is not linked specifically to Customer or any individual, excluding Customer Data uploaded or submitted by Customer. |
| Measures for ensuring data quality | Changes to Modal data collection are reviewed, tested and monitored after deployment. |
| Measures for ensuring limited data retention | Modal retains data as long as the Modal has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived. |
| Measures for ensuring accountability | Modal employees are required to review and acknowledge Modal security practices and policies, complete security training, and go through a security walkthrough with a senior member of the engineering organization. Modal conducts background checks on all new employees and requires all employees to sign a non-disclosure agreement before gaining access to systems. |
| Measures for allowing data portability and ensuring erasure | Customer may exercise portability or erasure rights upon request to Modal. |
| Technical and organizational measures of sub-processors | Modal collects and reviews the most security assessments from sub-processors on an annual basis. |
Schedule 3: Subprocessor List
Identified at https://trust.modal.com/subprocessors
'/%3e%3cpath%20d='M109.623%2064L73.2925%201.07001C72.0925%201.76001%2071.0825%202.76%2070.3625%204L1.0725%20124C-0.3575%20126.48%20-0.3575%20129.52%201.0725%20132L33.4026%20188C34.1126%20189.24%2035.1325%20190.24%2036.3325%20190.93L109.613%2064H109.623Z'%20fill='url(%23paint1_linear_342_139)'/%3e%3cpath%20d='M183.513%2064H109.613L36.3325%20190.93C37.5325%20191.62%2038.9025%20192%2040.3325%20192H104.993C107.853%20192%20110.492%20190.47%20111.922%20188L183.513%2064Z'%20fill='%2309AF58'/%3e%3cpath%20d='M365.963%20132C366.673%20130.76%20367.033%20129.38%20367.033%20128H294.372L258.042%20190.93C259.242%20191.62%20260.612%20192%20262.042%20192H326.703C329.563%20192%20332.202%20190.47%20333.632%20188L365.963%20132Z'%20fill='%2309AF58'/%3e%3cpath%20d='M225.083%200C223.653%200%20222.283%200.380007%20221.083%201.07001L294.362%20128H367.023C367.023%20126.62%20366.663%20125.24%20365.953%20124L296.672%204C295.242%201.53%20292.603%200%20289.743%200H225.073H225.083Z'%20fill='url(%23paint2_linear_342_139)'/%3e%3cpath%20d='M258.033%20190.93L294.362%20128L221.083%201.07001C219.883%201.76001%20218.873%202.76%20218.153%204L183.513%2064L255.103%20188C255.813%20189.24%20256.833%20190.24%20258.033%20190.93Z'%20fill='url(%23paint3_linear_342_139)'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_342_139'%20x1='155.803'%20y1='80'%20x2='101.003'%20y2='-14.93'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%23BFF9B4'/%3e%3cstop%20offset='1'%20stop-color='%2380EE64'/%3e%3c/linearGradient%3e%3clinearGradient%20id='paint1_linear_342_139'%20x1='8.62251'%20y1='174.93'%20x2='100.072'%20y2='16.54'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%2380EE64'/%3e%3cstop%20offset='0.18'%20stop-color='%237BEB63'/%3e%3cstop%20offset='0.36'%20stop-color='%236FE562'/%3e%3cstop%20offset='0.55'%20stop-color='%235ADA60'/%3e%3cstop%20offset='0.74'%20stop-color='%233DCA5D'/%3e%3cstop%20offset='0.93'%20stop-color='%2318B759'/%3e%3cstop%20offset='1'%20stop-color='%2309AF58'/%3e%3c/linearGradient%3e%3clinearGradient%20id='paint2_linear_342_139'%20x1='340.243'%20y1='143.46'%20x2='248.793'%20y2='-14.93'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%23BFF9B4'/%3e%3cstop%20offset='1'%20stop-color='%2380EE64'/%3e%3c/linearGradient%3e%3clinearGradient%20id='paint3_linear_342_139'%20x1='284.822'%20y1='175.47'%20x2='193.372'%20y2='17.0701'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%2380EE64'/%3e%3cstop%20offset='0.18'%20stop-color='%237BEB63'/%3e%3cstop%20offset='0.36'%20stop-color='%236FE562'/%3e%3cstop%20offset='0.55'%20stop-color='%235ADA60'/%3e%3cstop%20offset='0.74'%20stop-color='%233DCA5D'/%3e%3cstop%20offset='0.93'%20stop-color='%2318B759'/%3e%3cstop%20offset='1'%20stop-color='%2309AF58'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)