top of page

TERMS OF SERVICE (PILOT)


This Terms of Service (Pilot) (the “Agreement”) is entered into as of the Effective Date stated in the standalone Order Form (the “Order Form”) by and between the provider identified in the Order Form (“Provider”) and the customer identified in the Order Form (“Customer”). Each a “Party”, collectively the “Parties.” The Order Form is incorporated by reference and controls commercial terms (pricing, quantities, usage limits, dates, support tier).


1. Scope; Access to the Service


1.1 Service. Provider will make a pre‑release beta version of its hosted software‑as‑a‑service platform identified in the Order Form (the “Service”) available to Customer for a limited pilot (the “Pilot”), subject to this Agreement and any usage limitations in the Order Form.
1.2 Documentation & AUP. Customer’s use is subject to Provider’s then‑current documentation and acceptable use requirements (Exhibit C).
1.3 Beta Software. The Parties acknowledge the Service is beta, pre‑release software. (a) Features are experimental and may change or be removed; (b) the Service may contain defects and is provided without service level credits; (c) the Service may be suspended or discontinued; (d) processing sensitive/regulated data is discouraged unless expressly permitted in the Order Form and supported by appropriate safeguards (e.g., DPA, regional hosting); (e) Customer will promptly report issues and provide feedback; (f) feedback is licensed per §4.4.

 

2. Pilot Term; Renewal; Conversion

 

2.1 Pilot Term. The Pilot begins on the Pilot Start Date and continues for the Pilot Term specified in the Order Form, unless terminated earlier in accordance with this Agreement.
2.2 Conversion. The Pilot may convert to a paid annual subscription upon mutual execution of Provider’s then‑current subscription agreement and order form. The Pilot Fee will be credited toward the first year’s Annual Subscription Fee if the Parties enter into an annual subscription for the Service.

 

3. Fees; Payment

 

3.1 Pilot Fee. The fee for the Pilot is thirty‑five percent (35%) of the Service’s then‑current Annual Subscription Fee for the configuration stated in the Order Form (the “Pilot Fee”).
3.2 Non‑Refundable; Net 7. The Pilot Fee is due within seven (7) days of invoice and is non‑refundable, including in the event of early termination, except as required by applicable law or expressly stated otherwise herein.
3.3 Taxes. Fees are exclusive of taxes. Customer is responsible for all applicable taxes, duties, and similar charges (excluding taxes based on Provider’s net income).

 

4. Co‑Development; Feature Requests

 

4.1 Collaboration. During the Pilot, the Parties may collaborate on configuration, integrations, and limited enhancements related to the Service (“Co‑Development”). Details, milestones, and Customer responsibilities may be described in a Statement of Work or written supplement, if applicable.
4.2 No Guarantee Outside Scope. Provider will use commercially reasonable efforts to consider Customer’s feature requests. Requested features are not guaranteed if they are outside the scope of the Service’s platform roadmap, architecture, or security model. Provider retains discretion over prioritization, design, and release decisions.
4.3 Deliverables & Acceptance. If a Statement of Work or written supplement identifies specific Deliverables, Provider will deem a Deliverable accepted upon the earlier of: (a) Customer’s written acceptance; or (b) ten (10) days after delivery with no rejection notice specifying material non‑conformance. Rejected Deliverables will be remedied and re‑submitted.
4.4 IP in Co‑Development; Feedback. As between the Parties: (a) Service IP. Provider retains all rights in the Service, platform, and any enhancements, modifications, or derivative works, whether or not suggested by Customer. (b) Feedback License. To the extent Customer provides feedback or suggestions, Customer grants Provider a worldwide, irrevocable, perpetual, royalty‑free license to use and exploit such feedback. (c) Customer Materials. Customer retains all rights in materials, data, and content supplied by Customer; Provider is granted a non‑exclusive license to use Customer Materials solely to provide the Service and perform Co‑Development.

 

5. Customer Obligations

 

5.1 Access & Accounts. Customer is responsible for maintaining the confidentiality of its credentials and for all activities under its accounts.
5.2 Use Restrictions. Customer will not: (a) reverse engineer, decompile, or attempt to gain unauthorized access to the Service; (b) circumvent usage limits; (c) use the Service to develop a competing product; or (d) use the Service in violation of Exhibit C.
5.3 Third‑Party Services. If the Service interoperates with third‑party services, Customer may be required to obtain rights to those services. Provider is not responsible for third‑party services or their availability.

 

6. Data; Security; Privacy

 

6.1 Customer Data. “Customer Data” means data submitted to the Service by or on behalf of Customer. Customer grants Provider the right to process Customer Data to provide, secure, and improve the Service (including generating aggregated or de‑identified insights, provided no individual or Customer is identified).
6.2 Security. Provider will implement and maintain industry‑standard administrative, physical, and technical safeguards appropriate to the nature of the Customer Data processed.
6.3 DPA. The Parties agree to the Data Processing Addendum in Exhibit D, which is incorporated by reference and governs Provider’s processing of personal data on behalf of Customer under applicable data protection laws (including GDPR, UK GDPR, and the Swiss FADP), as well as cross‑border transfer mechanisms where applicable.

 

7. Availability; Support

 

7.1 Service Levels (Pilot). During the Pilot, Provider will use commercially reasonable efforts to make the Service available. No service level credits apply.
7.2 Support. Provider will provide reasonable email or in‑app support during business hours, unless otherwise stated in the Order Form.

 

8. Confidentiality

 

8.1 Confidential Information. Each Party may disclose confidential or proprietary information (“Confidential Information”) to the other. The receiving Party will use the same care it uses for its own similar information (but no less than reasonable care) to protect the disclosing Party’s Confidential Information and will use it only to perform under this Agreement.
8.2 Exclusions. Confidential Information does not include information that is or becomes public through no fault of the receiving Party; was rightfully known by the receiving Party without restriction; is independently developed without use of the disclosing Party’s Confidential Information; or is rightfully received from a third party without restriction.
8.3 Compelled Disclosure. The receiving Party may disclose Confidential Information when legally required, provided it gives reasonable notice (where lawful) and cooperates in seeking protective treatment.

 

9. Intellectual Property; Ownership

 

9.1 Reservation of Rights. Except for the limited rights expressly granted, no rights are granted to either Party, whether by implication, estoppel, or otherwise. Provider and its licensors own all right, title, and interest in and to the Service, including all improvements and derivative works.
9.2 License to Use Service. During the Pilot Term and subject to this Agreement, Provider grants Customer a non‑exclusive, non‑transferable, non‑sublicensable license to access and use the Service solely for the Pilot Purpose.

 

10. Warranties; Disclaimers

 

10.1 Mutual Warranties. Each Party represents that it has validly entered into this Agreement and has the legal power to do so.
10.2 Disclaimer (Pilot). THE SERVICE, DELIVERABLES, AND ALL CO‑DEVELOPMENT OUTPUT ARE PROVIDED “AS IS” FOR PILOT PURPOSES. PROVIDER DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON‑INFRINGEMENT.

 

11. Indemnification (IP)

 

11.1 By Provider. Provider will defend Customer against third‑party claims that the Service, as provided by Provider and used by Customer in accordance with this Agreement, infringes a third‑party intellectual property right, and will pay amounts finally awarded (or settlement amounts approved by Provider). Provider’s obligations do not apply to claims arising from: (a) Customer Materials; (b) combinations not provided by Provider; (c) Customer’s breach or misuse; or (d) features or modifications requested by Customer and not generally made available by Provider.
11.2 Mitigation. If the Service is alleged to infringe, Provider may: (a) procure rights; (b) modify or replace the Service; or (c) terminate impacted access and, if termination occurs during the Pilot, no refund will be due except where required by law.
11.3 Procedures. The indemnified Party must promptly notify the indemnifying Party, allow control of the defense, and provide reasonable cooperation.
11.4 Beta Exclusion. Provider’s indemnity in §11.1 does not apply to the beta nature of the Service or to pre‑release features designated as alpha/beta/preview.

 

12. Limitation of Liability

 

12.1 Damages Cap. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER FOR THE PILOT (i.e., the Pilot Fee).
12.2 Excluded Claims. “Excluded Claims” are: (a) a Party’s willful misconduct or fraud; (b) Customer’s payment obligations; (c) each Party’s breach of confidentiality; and (d) Customer’s breach of use restrictions.
12.3 No Indirect Damages. NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR LOST PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY AND EVEN IF A REMEDY FAILS ITS ESSENTIAL PURPOSE.

 

13. Termination; Suspension

 

13.1 Termination for Cause. Either Party may terminate this Agreement upon written notice if the other Party materially breaches and fails to cure within thirty (30) days after notice. No refunds will be due upon termination, except as required by law.
13.2 Suspension. Provider may suspend access immediately for security reasons, to prevent harm, or for Customer’s violation of this Agreement, including the AUP.
13.3 Effect of Termination. Upon termination, Customer must cease use of the Service and delete or return Provider’s Confidential Information. Upon Customer’s written request made within thirty (30) days of termination, Provider will make Customer Data available for export. Thereafter, Provider may delete Customer Data in accordance with its retention policies.

 

14. Miscellaneous

 

14.1 Publicity. Provider may identify Customer by name and logo as a pilot customer, subject to Customer’s trademark usage guidelines.
14.2 Assignment. Neither Party may assign this Agreement without the other Party’s prior written consent, except to an Affiliate or in connection with a merger, acquisition, or sale of substantially all assets, with notice.
14.3 Governing Law; Venue. This Agreement is governed by the laws of Switzerland, without regard to conflicts of laws rules. The Parties consent to the exclusive jurisdiction and venue of the competent courts of Zurich, Switzerland.
14.4 Notices. Notices will be in writing and deemed given when delivered by personal delivery, reputable courier, or email to the contacts in the Order Form.
14.5 Entire Agreement; Order of Precedence. This Agreement (including Exhibits and the standalone Order Form) is the entire agreement regarding the Pilot and supersedes prior or contemporaneous agreements and understandings on the subject matter. In case of conflict, the Order Form prevails for commercial terms (pricing, term, quantities, usage limits, support tier), then this Agreement, then the Exhibits (including Exhibit D – DPA and Exhibit C – AUP).
14.6 Amendments; Waivers; Severability. Any amendment must be in writing and signed by both Parties. A waiver is effective only if in writing and against the specific breach. If any part is unenforceable, it will be modified to the minimum extent necessary and the remainder will remain in effect.
14.7 Independent Contractors. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship.

 

Exhibit C – Acceptable Use Policy (Summary)

 

Customer agrees not to use the Service to: (a) violate laws or third‑party rights; (b) transmit malicious code; (c) compromise security or integrity; (d) send spam or abusive content; (e) process Prohibited Data (e.g., highly sensitive personal data, regulated health or financial data) unless expressly agreed in writing; or (f) exceed usage limits or attempt to circumvent technical controls.

 

Exhibit D – Data Processing Addendum (Controller–Processor)

 

This Data Processing Addendum (“DPA”) forms part of this Agreement between Provider and Customer. Capitalized terms not defined here have the meanings in the Agreement.

 

1. Roles; Scope; Instructions

 

1.1 Roles. Customer acts as Controller (or Business) and Provider acts as Processor (or Service Provider).
1.2 Scope & Purpose. Provider processes Customer Personal Data solely to provide the Service and Co‑Development as described herein and in the Order Form, and in accordance with Customer’s documented instructions. This Agreement and this DPA constitute such instructions.
1.3 No Sale/Sharing. Provider will not sell or share Customer Personal Data as defined by applicable laws.
1.4 Customer Responsibilities. Customer is responsible for the accuracy and lawfulness of Customer Personal Data, required notices/consents, and appropriate configuration and use of the Service.

 

2. Confidentiality & Personnel

 

Provider ensures persons authorized to process Customer Personal Data are bound by confidentiality and receive appropriate data protection training.

 

3. Security

 

3.1 Technical and Organizational Measures (TOMs). Provider will implement and maintain TOMs appropriate to risk, including: access controls; encryption in transit/at rest; network security; vulnerability management; logging/monitoring; backup/recovery; business continuity; secure SDLC; incident response. The TOMs in Annex II apply.
3.2 Updates. TOMs may be updated without materially reducing protection.
3.3 Customer Responsibilities. Customer is responsible for its endpoints, identity/access, and Customer‑managed integrations.

 

4. Sub‑Processors

 

4.1 Authorization. Customer grants general authorization to engage sub‑processors to support the Service.
4.2 Flow‑Down. Provider will impose equivalent data protection obligations on sub‑processors and remains responsible for their performance.
4.3 List & Notice. Current sub‑processors are listed in Annex III. Provider will give advance notice of material changes. Customer may reasonably object; Parties will work in good faith to resolve.

 

5. Data Subject Requests

 

Taking into account the nature of processing, Provider will assist Customer (through available tools/support) in fulfilling data subject requests (access, deletion, rectification, restriction, portability, objection). Customer verifies requester identity and submits requests via available channels.

 

6. Personal Data Breach

 

6.1 Notice. Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and provide reasonably available information.
6.2 Legal Timing. Where GDPR applies, Customer remains responsible for notifying authorities/data subjects within 72 hours (GDPR Arts. 33–34). Where Swiss FADP applies, Customer remains responsible for notifying the FDPIC and affected data subjects as soon as possible when required.
6.3 Remediation. Provider will take reasonable steps to contain, investigate, and remediate.

 

7. Return and Deletion

 

At termination/expiry, at Customer’s choice and subject to legal retention, Provider will return or deleteCustomer Personal Data. Unless otherwise agreed, deletion occurs within 30 days; aggregated/de‑identified data not identifying a person or Customer may be retained.

 

8. International Data Transfers

 

8.1 EEA/Swiss/UK Transfers. If Customer Personal Data originating in the EEA, Switzerland, or UK is transferred to a country without adequacy, the Parties implement: EU SCCs (2021/914) (Module 2 and/or 3) with Swiss Addendum (FDPIC adjustments) and UK IDTA/Addendum as applicable. If Provider maintains an applicable Data Privacy Framework certification, transfers may rely on it to the extent permitted.
8.2 Conflicts. Where SCCs/IDTA apply, they prevail over conflicting terms in this DPA or the Agreement for the transferred data.

 

9. Audits & DPIAs

 

On reasonable written notice and no more than once annually (unless required by a competent authority or following a Personal Data Breach), Customer may audit compliance by reviewing third‑party reports/certifications and security documentation; where insufficient, conduct a remote or on‑site assessment under reasonable confidentiality, time, and scope limits. Costs: each bears own; Customer reimburses Provider’s reasonable out‑of‑pocket costs for on‑site audits.

 

10. Government Requests

 

Provider will, to the extent legally permitted, notify Customer of government or law‑enforcement requests for Customer Personal Data and will challenge overbroad or unlawful requests.

 

11. Liability; Order of Precedence

 

11.1 Liability. The Parties’ liabilities under this DPA are subject to the limitations and exclusions in the Agreement.
11.2 Precedence. If there is a conflict, this DPA controls for data protection and transfers; the SCCs/IDTAcontrol for the relevant transfers.

 

12. Governing Law

 

This DPA follows the governing law and venue of the Agreement (Switzerland; Zurich), without prejudice to the laws governing the SCCs/IDTA where applicable.

 

Annex I – Description of Processing

 

A. Subject Matter & Purpose: Provision of the Service (including beta features during the Pilot), support, operations, security, and Co‑Development.
B. Duration: Pilot Term + data return window.
C. Nature: Collection, storage, hosting, transmission, analysis, display, deletion, and other processing necessary to provide the Service and support.
D. Data Subjects: Customer personnel and contractors; authorized users; end‑users of Customer’s services (if configured); pilot participants.
E. Categories of Personal Data: Business contact details (name, email, phone), account identifiers, authentication data, usage/telemetry logs, configuration/integration metadata, content entered by users, and support communications. Special Categories are not intended to be processed unless expressly permitted in the Order Form with safeguards.
F. Special Categories (if any): Not expected. If processed, only as expressly documented and with heightened safeguards.
G. Frequency of Transfers: Continuous as necessary during the Pilot.
H. Sub‑processor Transfers: As listed in Annex III.
I. Competent Supervisory Authority (GDPR): Determined under Art. 56 GDPR; for Swiss data, the FDPIC.

 

Annex II – Technical and Organizational Measures (TOMs)

  1. Information Security Program; governance and risk management.
     

  2. Access Controls (least privilege, RBAC, MFA for admin, password standards, session management).
     

  3. Encryption (TLS in transit; industry‑standard at rest).
     

  4. Network Security (segmentation, firewalls, IDS/IPS, DDoS protections).
     

  5. Secure SDLC & System Hardening (code review, dependency scanning, vuln/patch management).
     

  6. Monitoring & Logging (centralized logging, alerting, anomaly detection, regular review).
     

  7. Business Continuity & Disaster Recovery (backups, redundancy, tested recovery appropriate to Pilot RPO/RTO).
     

  8. Physical Security (data center controls via reputable hosting providers).
     

  9. Personnel Security & Training (background screening where permitted; confidentiality; training).
     

  10. Incident Response (detection, containment, eradication, recovery; post‑incident review).
     

  11. Data Minimization & Retention (retain only as necessary; deletion/anonymization routines).
     

  12. Third‑Party Management (security due diligence and contractual controls for sub‑processors).

 

 

Annex III – Authorized Sub‑Processors

 

Entity: Microsoft Azure(Microsoft)

Purpose: Cloud hosting - compute, storage, networking, managed DB/backups

Processing location: Germany West Central (EU)

Customer Personal Data types: App data, backups, logs, support artifacts

Transfer mechanism (if outside CH/EEA/UK): N/A (in‑EEA processing)

Entity: Twilio SendGrid, Inc.

Purpose: Transactional email delivery

Processing location: EU (data residency enabled)

Customer Personal Data types: Recipient names/emails, message content/headers, delivery & engagement metadata

Transfer mechanism (if outside CH/EEA/UK): N/A (in‑EEA processing)

Entity: Datadog (Datadog Europe)

Purpose: Logging, metrics, traces, monitoring

Processing location: EU (datadoghq.eu)

Customer Personal Data types: Logs/metrics/traces (pseudonymous IDs; PII redacted)

Transfer mechanism (if outside CH/EEA/UK): N/A (in‑EEA processing)

Entity: OpenAI, L.L.C.

Purpose: AI inference and content processing to support Service features

Processing location: United States

Customer Personal Data types: Prompts, model outputs, and related telemetry (avoid PII in prompts where possible)

Transfer mechanism (if outside CH/EEA/UK): SCCs + Swiss addendum / UK IDTA and/or DPF (as applicable)

 

Annex IV – Cross‑Border Transfer Tools

 

A. EU SCCs (2021/914): Controller‑to‑Processor (Module 2) and/or Processor‑to‑Processor (Module 3) including Annexes I–II above.
B. Swiss Addendum: SCCs amended for Swiss FADP and FDPIC; references to the EU include Switzerland; Swiss data subjects may enforce rights.
C. UK IDTA/Addendum: UK IDTA or UK Addendum to EU SCCs as published by the UK ICO, with Annexes I–II above.
D. Data Privacy Framework (if applicable): If Provider maintains certification to an applicable DPF, transfers may rely on that certification for relevant data sets, without prejudice to Customer’s right to require SCCs/IDTA.
 


 
17.09.25

bottom of page