diff --git a/common/models/user.py b/common/models/user.py index 5274cc1..45113b6 100644 --- a/common/models/user.py +++ b/common/models/user.py @@ -1,4 +1,5 @@ from datetime import date +from enum import Enum from common.extensions import db from flask_security import UserMixin, RoleMixin @@ -121,7 +122,6 @@ class User(db.Model, UserMixin): def has_roles(self, *args): return any(role.name in args for role in self.roles) - class TenantDomain(db.Model): __bind_key__ = 'public' __table_args__ = {'schema': 'public'} 
@@ -311,6 +311,49 @@ class PartnerTenant(db.Model): updated_by = db.Column(db.Integer, db.ForeignKey('public.user.id'), nullable=True) +class TenantConsent(db.Model): + __bind_key__ = 'public' + __table_args__ = {'schema': 'public'} + id = db.Column(db.Integer, primary_key=True) + tenant_id = db.Column(db.Integer, db.ForeignKey('public.tenant.id'), nullable=False) + partner_id = db.Column(db.Integer, db.ForeignKey('public.partner.id'), nullable=False) + partner_service_id = db.Column(db.Integer, db.ForeignKey('public.partner_service.id'), nullable=False) + user_id = db.Column(db.Integer, db.ForeignKey('public.user.id'), nullable=False) + consent_type = db.Column(db.String(50), nullable=False) + consent_date = db.Column(db.DateTime, nullable=False, server_default=db.func.now()) + consent_version = db.Column(db.String(20), nullable=False, default="1.0.0") + consent_data = db.Column(db.JSON, nullable=False) + + # Tracking + created_at = db.Column(db.DateTime, nullable=False, server_default=db.func.now()) + created_by = db.Column(db.Integer, db.ForeignKey('public.user.id'), nullable=True) + updated_at = db.Column(db.DateTime, nullable=False, server_default=db.func.now(), onupdate=db.func.now()) + updated_by = db.Column(db.Integer, db.ForeignKey('public.user.id'), nullable=True) + + +class ConsentVersion(db.Model): + __bind_key__ = 'public' + __table_args__ = {'schema': 'public'} + id = db.Column(db.Integer, primary_key=True) + consent_type = db.Column(db.String(50), nullable=False) + consent_version = db.Column(db.String(20), nullable=False) + consent_valid_from = db.Column(db.DateTime, nullable=False, server_default=db.func.now()) + consent_valid_to = db.Column(db.DateTime, nullable=True) + + # Tracking + created_at = db.Column(db.DateTime, nullable=False, server_default=db.func.now()) + created_by = db.Column(db.Integer, db.ForeignKey('public.user.id'), nullable=True) + updated_at = db.Column(db.DateTime, nullable=False, server_default=db.func.now(), 
onupdate=db.func.now()) + updated_by = db.Column(db.Integer, db.ForeignKey('public.user.id'), nullable=True) + + +class ConsentStatus(Enum): + CONSENTED = 'CONSENTED' + NOT_CONSENTED = 'NOT_CONSENTED' + RENEWAL_REQUIRED = 'RENEWAL_REQUIRED' + CONSENT_EXPIRED = 'CONSENT_EXPIRED' + UNKNOWN_CONSENT_VERSION = 'UNKNOWN_CONSENT_VERSION' + class SpecialistMagicLinkTenant(db.Model): __bind_key__ = 'public' __table_args__ = {'schema': 'public'} diff --git a/common/services/user/tenant_services.py b/common/services/user/tenant_services.py index fa68509..9749a24 100644 --- a/common/services/user/tenant_services.py +++ b/common/services/user/tenant_services.py @@ -1,10 +1,12 @@ from typing import Dict, List from flask import session, current_app +from sqlalchemy import desc from sqlalchemy.exc import SQLAlchemyError from common.extensions import db, cache_manager -from common.models.user import Partner, PartnerTenant, PartnerService, Tenant +from common.models.user import Partner, PartnerTenant, PartnerService, Tenant, TenantConsent, ConsentStatus, \ + ConsentVersion from common.utils.eveai_exceptions import EveAINoManagementPartnerService from common.utils.model_logging_utils import set_logging_information from datetime import datetime as dt, timezone as tz 
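Review bot: `ConsentVersion` declares no uniqueness on `(consent_type, consent_version)`, although `get_consent_status` in this same commit resolves that pair with `.first()`; two rows for one pair with different `consent_valid_to` values would make the consent decision depend on row order. I would put the constraint in the model, `__table_args__ = (db.UniqueConstraint('consent_type', 'consent_version'), {'schema': 'public'})`. `TenantConsent` is the record of who accepted which version, so a class comment saying whether rows are append-only would help, since the `updated_at`/`updated_by` columns suggest they can be edited later. None of the three new classes has a docstring.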
@@ -172,4 +174,30 @@ class TenantServices: except Exception as e: current_app.logger.error(f"Error checking specialist type access: {str(e)}") - return False \ No newline at end of file + return False + + @staticmethod + def get_consent_status(tenant_id: int) -> ConsentStatus: + cts = current_app.config.get("CONSENT_TYPES") + status = ConsentStatus.CONSENTED + for ct in cts: + consent = (TenantConsent.query.filter_by(tenant_id=tenant_id, consent_type=ct) + .order_by(desc(TenantConsent.id)) + .first()) + if not consent: + status = ConsentStatus.NOT_CONSENTED + break + cv = ConsentVersion.query.filter_by(consent_type=ct, consent_version=consent.consent_version).first() + if not cv: + current_app.logger.error(f"Consent version {consent.consent_version} not found checking tenant {tenant_id}") + status = ConsentStatus.UNKNOWN_CONSENT_VERSION + break + if cv.consent_valid_to: + if cv.consent_valid_to.date() >= dt.now(tz.utc).date(): + status = ConsentStatus.RENEWAL_REQUIRED + break + else: + status = ConsentStatus.NOT_CONSENTED + break + + return status diff --git a/common/utils/nginx_utils.py b/common/utils/nginx_utils.py index b9e2e4d..7aedf83 100644 --- a/common/utils/nginx_utils.py +++ b/common/utils/nginx_utils.py 
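Review bot: `get_consent_status` fails open: `status` starts as `ConsentStatus.CONSENTED` and is only downgraded inside the loop, so an empty `CONSENT_TYPES` returns CONSENTED without a single lookup, and a missing key makes `for ct in cts` raise `TypeError` on `None`. If the result gates tenant access, guard the configuration first, e.g. `cts = current_app.config.get("CONSENT_TYPES") or []` followed by `if not cts: return ConsentStatus.NOT_CONSENTED`. The branch for a `consent_valid_to` in the past returns `NOT_CONSENTED`, so `ConsentStatus.CONSENT_EXPIRED`, added in this commit, is never produced; indentation is lost in this view, so I am reading the `else` as belonging to the date comparison. A docstring listing which status each case yields would make the intended mapping reviewable.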
@@ -1,14 +1,39 @@ -from flask import request, url_for +from flask import request, url_for, current_app from urllib.parse import urlsplit, urlunsplit import re VISIBLE_PREFIXES = ('/admin', '/api', '/chat-client') + +def _normalize_prefix(raw_prefix: str) -> str: + """Normalize config prefix to internal form '/admin' or '' if not set.""" + if not raw_prefix: + return '' + s = str(raw_prefix).strip() + if not s: + return '' + # remove leading/trailing slashes, then add single leading slash + s = s.strip('/') + if not s: + return '' + return f"/{s}" + + +def _get_config_prefix() -> str: + """Return normalized prefix from config EVEAI_APP_PREFIX (config-first).""" + try: + cfg_val = (current_app.config.get('EVEAI_APP_PREFIX') if current_app else None) + return _normalize_prefix(cfg_val) + except Exception: + return '' + + def _derive_visible_prefix(): # 1) Edge-provided header (beste en meest expliciete bron) xfp = request.headers.get('X-Forwarded-Prefix') - if xfp and any(xfp.startswith(p) for p in VISIBLE_PREFIXES): - return xfp.rstrip('/') + current_app.logger.debug(f"X-Forwarded-Prefix: {xfp}") + if xfp and any(str(xfp).startswith(p) for p in VISIBLE_PREFIXES): + return str(xfp).rstrip('/') # 2) Referer fallback: haal het top-level segment uit de Referer path ref = request.headers.get('Referer') or '' 
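Review bot: The `X-Forwarded-Prefix` check in `_derive_visible_prefix` accepts any header value that merely begins with a visible prefix, so `/admin` also admits `/adminfoo`, and the value is then returned as the prefix for redirects and absolute URLs whenever the dynamic fallback is enabled. Matching whole segments is tighter: `if xfp and any(xfp == p or xfp.startswith(p + '/') for p in VISIBLE_PREFIXES):`. The new debug line logs the raw client-supplied header; `current_app.logger.debug("X-Forwarded-Prefix: %r", xfp)` keeps unexpected characters visible as escapes rather than written verbatim. `_get_config_prefix` swallows every exception and returns `''`, which silently drops the prefix; catching only `RuntimeError` for the no-app-context case would be narrower. The body of `_derive_visible_prefix` continues outside the hunk.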
@@ -24,13 +49,31 @@ def _derive_visible_prefix(): return '' +def _visible_prefix_for_runtime() -> str: + """Decide which prefix to use at runtime. + Priority: config EVEAI_APP_PREFIX; optional dynamic fallback if enabled. + """ + cfg_prefix = _get_config_prefix() + if cfg_prefix: + current_app.logger.debug(f"prefixed_url_for: using config prefix: {cfg_prefix}") + return cfg_prefix + # Optional dynamic fallback + use_fallback = bool(current_app.config.get('EVEAI_USE_DYNAMIC_PREFIX_FALLBACK', False)) if current_app else False + if use_fallback: + dyn = _derive_visible_prefix() + current_app.logger.debug(f"prefixed_url_for: using dynamic fallback prefix: {dyn}") + return dyn + current_app.logger.debug("prefixed_url_for: no prefix configured, no fallback enabled") + return '' + + def prefixed_url_for(endpoint, **values): """ Gedrag: - Default (_external=False, for_redirect=False): retourneer relatief pad (zonder leading '/') voor templates/JS. De dynamische zorgt voor correcte resolutie onder het zichtbare prefix. - - _external=True: bouw absolute URL (schema/host). Als X-Forwarded-Prefix aanwezig is, - prefixeer de path daarmee (handig voor e-mails/deeplinks). + - _external=True: bouw absolute URL (schema/host). Pad wordt geprefixt met config prefix (indien gezet), + of optioneel met dynamische fallback wanneer geactiveerd. - for_redirect=True: geef root-absoluut pad inclusief zichtbaar top-prefix, geschikt voor HTTP Location headers. Backwards compat: _as_location=True wordt behandeld als for_redirect. """ 
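Review bot: `_visible_prefix_for_runtime` guards the config read with `if current_app else False` but then calls `current_app.logger.debug(...)` unconditionally, so outside an application context the guard does not prevent the error it appears to be written for. Either drop the guard or return `''` before any logging when there is no app context. The debug lines run on every URL build; lazy formatting such as `current_app.logger.debug("prefixed_url_for: using config prefix: %s", cfg_prefix)` avoids building the string when debug logging is off.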
@@ -46,16 +89,20 @@ def prefixed_url_for(endpoint, **values): if external: scheme = request.headers.get('X-Forwarded-Proto', request.scheme) host = request.headers.get('Host', request.host) - xfp = request.headers.get('X-Forwarded-Prefix', '') or '' - new_path = (xfp.rstrip('/') + path) if (xfp and not path.startswith(xfp)) else path + visible_prefix = _visible_prefix_for_runtime() + new_path = (visible_prefix.rstrip('/') + path) if (visible_prefix and not path.startswith(visible_prefix)) else path + current_app.logger.debug(f"prefixed_url_for external: {scheme}://{host}{new_path}") return urlunsplit((scheme, host, new_path, query, fragment)) if for_redirect: - visible_prefix = _derive_visible_prefix() + visible_prefix = _visible_prefix_for_runtime() if visible_prefix and not path.startswith(visible_prefix): - return f"{visible_prefix}{path}" - # root-absoluut pad, zonder prefix als onbekend + composed = f"{visible_prefix}{path}" + current_app.logger.debug(f"prefixed_url_for redirect: {composed}") + return composed + current_app.logger.debug(f"prefixed_url_for redirect (no prefix): {path}") return path - # Default: relatief pad - return path[1:] if path.startswith('/') else path \ No newline at end of file + # Default: relatief pad (zonder leading '/') + rel = path[1:] if path.startswith('/') else path + return rel \ No newline at end of file diff --git a/common/utils/security_utils.py b/common/utils/security_utils.py index eae67ce..991aa4a 100644 --- a/common/utils/security_utils.py +++ b/common/utils/security_utils.py @@ -36,7 +36,7 @@ def send_confirmation_email(user): try: send_email(user.email, f"{user.first_name} {user.last_name}", "Confirm your email", html) - current_app.logger.info(f'Confirmation email sent to {user.email}') + current_app.logger.info(f'Confirmation email sent to {user.email} with url: {confirm_url}') except Exception as e: current_app.logger.error(f'Failed to send confirmation email to {user.email}. Error: {str(e)}') raise 
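Review bot: The external branch now takes the path prefix from configuration, but scheme and host still come from the request (`X-Forwarded-Proto`, `Host`) on the unchanged lines just above, so an absolute URL built here is only as trustworthy as those headers. These URLs appear to be the ones placed in confirmation and reset e-mails, so I would take the host from configuration as well, or add a comment stating that the edge proxy overwrites both headers; whether it does is not visible in this diff. Separately, `path.startswith(visible_prefix)` treats a path such as `/administration/...` as already prefixed when the prefix is `/admin`; comparing against `visible_prefix + '/'` avoids that. `prefixed_url_for` starts outside the hunk.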
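Review bot: Logging `confirm_url` at info level writes the account-confirmation link, which presumably carries the confirmation token, into the application log, so anyone with access to the logs or the log pipeline holds a usable link; the same applies to `reset_url` in the `send_reset_email` hunk that follows. I would keep the previous message, `current_app.logger.info(f'Confirmation email sent to {user.email}')`, and likewise for the reset message. If the URL is needed to debug the prefix change, log only its scheme and host at debug level. Both function bodies start outside their hunks.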
@@ -51,7 +51,7 @@ def send_reset_email(user): try: send_email(user.email, f"{user.first_name} {user.last_name}", subject, html) - current_app.logger.info(f'Reset email sent to {user.email}') + current_app.logger.info(f'Reset email sent to {user.email} with url: {reset_url}') except Exception as e: current_app.logger.error(f'Failed to send reset email to {user.email}. Error: {str(e)}') raise diff --git a/config/config.py b/config/config.py index f3d9737..687797b 100644 --- a/config/config.py +++ b/config/config.py @@ -310,15 +310,12 @@ class Config(object): # API Encryption ------------------------------------------------------------------------------ API_ENCRYPTION_KEY = environ.get('API_ENCRYPTION_KEY') - # Email settings for API key notifications + # Email settings for API key notifications ---------------------------------------------------- PROMOTIONAL_IMAGE_URL = 'https://askeveai.com/wp-content/uploads/2024/07/Evie-Call-scaled.jpg' # Replace with your actual URL - # Langsmith settings - LANGCHAIN_TRACING_V2 = True - LANGCHAIN_ENDPOINT = 'https://api.smith.langchain.com' - LANGCHAIN_PROJECT = "eveai" - + # Type Definitions ---------------------------------------------------------------------------- TENANT_TYPES = ['Active', 'Demo', 'Inactive', 'Test'] + CONSENT_TYPES = ["Data Privacy Agreement", "Terms & Conditions"] # The maximum number of seconds allowed for audio compression (to save resources) MAX_COMPRESSION_DURATION = 60*10 # 10 minutes @@ -351,7 +348,7 @@ class Config(object): # Entitlement Constants ENTITLEMENTS_MAX_PENDING_DAYS = 5 # Defines the maximum number of days a pending entitlement can be active - # Content Directory for static content like the changelog, terms & conditions, privacy statement, ... + # Content Directory for static content like the changelog, terms & conditions, dpa statement, ... CONTENT_DIR = '/app/content' # Ensure health check endpoints are exempt from CSRF protection 
@@ -361,6 +358,12 @@ class Config(object): ] SECURITY_LOGIN_WITHOUT_VIEWS = True # Dit voorkomt automatische redirects + # Define the nginx prefix used for the specific apps + CHAT_CLIENT_PREFIX = 'chat-client/chat/' + EVEAI_APP_PREFIX = 'admin/' + # Whether to use dynamic fallback (X-Forwarded-Prefix/Referer) when EVEAI_APP_PREFIX is empty + EVEAI_USE_DYNAMIC_PREFIX_FALLBACK = False + class DevConfig(Config): DEVELOPMENT = True @@ -368,9 +371,6 @@ class DevConfig(Config): FLASK_DEBUG = True EXPLAIN_TEMPLATE_LOADING = False - # Define the nginx prefix used for the specific apps - CHAT_CLIENT_PREFIX = 'chat-client/chat/' - # Define the static path STATIC_URL = None @@ -394,9 +394,6 @@ class TestConfig(Config): FLASK_DEBUG = True EXPLAIN_TEMPLATE_LOADING = False - # Define the nginx prefix used for the specific apps - CHAT_CLIENT_PREFIX = 'chat-client/chat/' - # Define the static path STATIC_URL = None @@ -420,9 +417,6 @@ class StagingConfig(Config): FLASK_DEBUG = True EXPLAIN_TEMPLATE_LOADING = False - # Define the nginx prefix used for the specific apps - CHAT_CLIENT_PREFIX = 'chat-client/chat/' - # Define the static path STATIC_URL = 'https://evie-staging-static.askeveai.com/' diff --git a/config/specialist_forms/globals/MINIMAL_PERSONAL_CONTACT_FORM/1.0.0.yaml b/config/specialist_forms/globals/MINIMAL_PERSONAL_CONTACT_FORM/1.0.0.yaml index b238615..6d7f7c5 100644 --- a/config/specialist_forms/globals/MINIMAL_PERSONAL_CONTACT_FORM/1.0.0.yaml +++ b/config/specialist_forms/globals/MINIMAL_PERSONAL_CONTACT_FORM/1.0.0.yaml @@ -26,7 +26,7 @@ fields: required: true meta: kind: "consent" - consentRich: "Ik Agree with the Terms and Conditions and the Privacy Statement of Ask Eve AI" + consentRich: "Ik Agree with the Terms and Conditions and the Privacy Statement of Ask Eve AI" ariaPrivacy: "Open privacyverklaring in a modal dialog" ariaTerms: "Open algemene voorwaarden in a modal dialog" metadata: 
diff --git a/config/static-manifest/manifest.json b/config/static-manifest/manifest.json index 93512e5..9bc0bcc 100644 --- a/config/static-manifest/manifest.json +++ b/config/static-manifest/manifest.json @@ -1,6 +1,6 @@ { - "dist/chat-client.js": "dist/chat-client.421bb8ee.js", - "dist/chat-client.css": "dist/chat-client.23ac6be5.css", + "dist/chat-client.js": "dist/chat-client.59b28883.js", + "dist/chat-client.css": "dist/chat-client.79757200.css", "dist/main.js": "dist/main.f3dde0f6.js", "dist/main.css": "dist/main.c40e57ad.css" } \ No newline at end of file diff --git a/content/DPIA template/1.0.0.md b/content/DPIA template/1.0.0.md new file mode 100644 index 0000000..bcbddb6 --- /dev/null +++ b/content/DPIA template/1.0.0.md 
@@ -0,0 +1,671 @@
+# Data Protection Impact Assessment (DPIA) Template
+## Ask Eve AI
+
+**Date of Assessment**: [Date]
+**Assessed By**: [Name, Role]
+**Review Date**: [Date - recommend annual review]
+
+---
+
+## 1. Executive Summary
+
+| Field | Details |
+|-------|---------|
+| **Processing Activity Name** | [e.g., "Job Candidate Assessment Specialist"] |
+| **Brief Description** | [1-2 sentence summary] |
+| **Risk Level** | ☐ Low ☐ Medium ☐ High |
+| **DPIA Required?** | ☐ Yes ☐ No |
+| **Status** | ☐ Draft ☐ Under Review ☐ Approved ☐ Requires Revision |
+
+---
+
+## 2. Description of the Processing
+
+### 2.1 Nature of the Processing
+
+**What Personal Data will be processed?**
+- [ ] Contact information (name, email, phone)
+- [ ] Identification data (ID numbers, passport)
+- [ ] Professional data (CV, work history, qualifications)
+- [ ] Assessment results or scores
+- [ ] Communication records
+- [ ] Behavioral data (how users interact with the system)
+- [ ] Technical data (IP addresses, device information)
+- [ ] Other: _______________
+
+**Categories of Data Subjects:**
+- [ ] Job applicants/candidates
+- [ ] Employees
+- [ ] Customers
+- [ ] End users/consumers
+- [ ] Other: _______________
+
+**Volume of Data Subjects:**
+- [ ] < 100
+- [ ] 100-1,000
+- [ ] 1,000-10,000
+- [ ] > 10,000
+
+### 2.2 Scope of the Processing
+
+**What is the purpose of the processing?**
+
+[Describe the specific business purpose, e.g., "To assess job candidates' suitability for specific roles by analyzing their responses to standardized questions"]
+
+**How will the data be collected?**
+- [ ] Directly from data subjects (forms, interviews)
+- [ ] From third parties (recruiters, references)
+- [ ] Automated collection (web forms, chatbots)
+- [ ] Other: _______________
+
+**Where will data be stored?**
+- [ ] EU (specify: France - Scaleway)
+- [ ] Non-EU (specify and justify): _______________
+
+### 2.3 Context of the Processing
+
+**Is this processing new or existing?**
+- [ ] New processing activity
+- [ ] Modification of existing processing
+- [ ] Existing processing (periodic review)
+
+**Who has access to the Personal Data?**
+- [ ] Ask Eve AI employees (specify roles): _______________
+- [ ] Customer/Tenant employees
+- [ ] Partners (specify): _______________
+- [ ] Sub-Processors (list): _______________
+- [ ] Other: _______________
+
+**How long will data be retained?**
+
+[Specify retention period and justification, e.g., "Candidate data retained for 12 months to comply with recruitment record-keeping requirements"]
+
+---
+
+## 3. Necessity and Proportionality Assessment
+
+### 3.1 Lawful Basis
+
+**What is the lawful basis for processing? (Article 6 GDPR)**
+- [ ] **Consent** - Data subject has given explicit consent
+- [ ] **Contract** - Processing necessary for contract performance
+- [ ] **Legal obligation** - Required by law
+- [ ] **Vital interests** - Necessary to protect someone's life
+- [ ] **Public task** - Performing a public interest task
+- [ ] **Legitimate interests** - Necessary for legitimate interests (requires balancing test)
+
+**Justification:**
+
+[Explain why this lawful basis applies]
+
+### 3.2 Special Categories of Data (if applicable)
+
+**Does the processing involve special categories of data? (Article 9 GDPR)**
+- [ ] No
+- [ ] Yes - racial or ethnic origin
+- [ ] Yes - political opinions
+- [ ] Yes - religious or philosophical beliefs
+- [ ] Yes - trade union membership
+- [ ] Yes - genetic data
+- [ ] Yes - biometric data for identification
+- [ ] Yes - health data
+- [ ] Yes - sex life or sexual orientation data
+
+**If yes, what is the additional lawful basis?**
+
+[Article 9(2) provides specific conditions - specify which applies]
+
+### 3.3 Automated Decision-Making
+
+**Does the processing involve automated decision-making or profiling?**
+- [ ] No
+- [ ] Yes - automated decision-making WITH human oversight
+- [ ] Yes - fully automated decision-making (no human intervention)
+
+**If yes:**
+
+**Does it produce legal effects or similarly significant effects?**
+- [ ] No
+- [ ] Yes (explain): _______________
+
+**What safeguards are in place?**
+- [ ] Right to obtain human intervention
+- [ ] Right to express point of view
+- [ ] Right to contest the decision
+- [ ] Regular accuracy reviews
+- [ ] Transparency about logic involved
+- [ ] Other: _______________
+
+### 3.4 Necessity Test
+
+**Is the processing necessary to achieve the stated purpose?**
+
+☐ Yes ☐ No
+
+**Justification:**
+
+[Explain why this specific processing is necessary and whether less intrusive alternatives were considered]
+
+**Could the purpose be achieved with less data or through other means?**
+
+☐ Yes (explain why not pursued): _______________
+☐ No
+
+### 3.5 Proportionality Test
+
+**Is the processing proportionate to the purpose?**
+
+☐ Yes ☐ No
+
+**Data Minimization:**
+- Are you collecting only the minimum data necessary? ☐ Yes ☐ No
+- Have you considered pseudonymization or anonymization? ☐ Yes ☐ No ☐ N/A
+- Can data be aggregated instead of individual records? ☐ Yes ☐ No ☐ N/A
+
+**Storage Limitation:**
+- Is the retention period justified and documented? ☐ Yes ☐ No
+- Is there an automated deletion process? ☐ Yes ☐ No ☐ Planned
+
+---
+
+## 4. Stakeholder Consultation
+
+### 4.1 Data Subject Consultation
+
+**Have data subjects been consulted about this processing?**
+
+☐ Yes ☐ No ☐ Not required
+
+**If yes, how were they consulted?**
+
+[Describe consultation method: surveys, focus groups, user research, etc.]
+
+**Key concerns raised by data subjects:**
+
+[List any concerns and how they were addressed]
+
+### 4.2 DPO or Security Contact Consultation
+
+**Has the DPO or security contact been consulted?**
+
+☐ Yes ☐ No ☐ N/A (no formal DPO)
+
+**Comments from DPO/Security Contact:**
+
+[Record any recommendations or concerns]
+
+---
+
+## 5. Risk Assessment
+
+### 5.1 Risk Identification
+
+For each risk, assess:
+- **Likelihood**: Negligible / Low / Medium / High
+- **Severity**: Negligible / Low / Medium / High
+- **Overall Risk**: Low / Medium / High / Very High
+
+**Risk 1: Unauthorized Access or Data Breach**
+
+**Description**: Personal data could be accessed by unauthorized parties due to security vulnerabilities.
+
+| Assessment | Rating |
+|------------|--------|
+| Likelihood | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| Severity (if occurs) | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| **Overall Risk** | ☐ Low ☐ Medium ☐ High ☐ Very High |
+
+**Risk 2: Discrimination or Bias in Automated Decisions**
+
+**Description**: Automated processing could result in discriminatory outcomes or unfair treatment.
+
+| Assessment | Rating |
+|------------|--------|
+| Likelihood | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| Severity (if occurs) | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| **Overall Risk** | ☐ Low ☐ Medium ☐ High ☐ Very High |
+
+**Risk 3: Lack of Transparency**
+
+**Description**: Data subjects may not understand how their data is processed or decisions are made.
+
+| Assessment | Rating |
+|------------|--------|
+| Likelihood | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| Severity (if occurs) | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| **Overall Risk** | ☐ Low ☐ Medium ☐ High ☐ Very High |
+
+**Risk 4: Inability to Exercise Data Subject Rights**
+
+**Description**: Data subjects may have difficulty exercising their rights (access, erasure, portability, etc.).
+
+| Assessment | Rating |
+|------------|--------|
+| Likelihood | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| Severity (if occurs) | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| **Overall Risk** | ☐ Low ☐ Medium ☐ High ☐ Very High |
+
+**Risk 5: Data Quality Issues**
+
+**Description**: Inaccurate or outdated data could lead to incorrect decisions or outcomes.
+
+| Assessment | Rating |
+|------------|--------|
+| Likelihood | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| Severity (if occurs) | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| **Overall Risk** | ☐ Low ☐ Medium ☐ High ☐ Very High |
+
+**Risk 6: Function Creep / Scope Expansion**
+
+**Description**: Data collected for one purpose could be used for other purposes without consent.
+
+| Assessment | Rating |
+|------------|--------|
+| Likelihood | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| Severity (if occurs) | ☐ Negligible ☐ Low ☐ Medium ☐ High |
+| **Overall Risk** | ☐ Low ☐ Medium ☐ High ☐ Very High |
+
+**Additional Risks:**
+
+[Add any processing-specific risks]
+
+---
+
+## 6. Mitigation Measures
+
+For each identified risk, document mitigation measures:
+
+### Risk 1: Unauthorized Access or Data Breach
+
+**Mitigation Measures:**
+- [ ] Encryption in transit (TLS 1.2+)
+- [ ] Encryption at rest
+- [ ] Multi-factor authentication
+- [ ] Access controls (RBAC)
+- [ ] Regular security audits
+- [ ] WAF and DDoS protection (Bunny.net Shield)
+- [ ] Multi-tenant data isolation
+- [ ] Regular security training
+- [ ] Incident response plan
+- [ ] Other: _______________
+
+**Residual Risk After Mitigation:** ☐ Low ☐ Medium ☐ High ☐ Very High
+
+### Risk 2: Discrimination or Bias in Automated Decisions
+
+**Mitigation Measures:**
+- [ ] Regular bias testing of AI models
+- [ ] Diverse training data sets
+- [ ] Human review of automated decisions
+- [ ] Clear criteria for decision-making
+- [ ] Right to contest decisions
+- [ ] Transparency about decision logic
+- [ ] Regular fairness audits
+- [ ] Monitoring of outcomes by demographic groups
+- [ ] Ability to request explanation
+- [ ] Other: _______________
+
+**Residual Risk After Mitigation:** ☐ Low ☐ Medium ☐ High ☐ Very High
+
+### Risk 3: Lack of Transparency
+
+**Mitigation Measures:**
+- [ ] Clear Privacy Policy explaining processing
+- [ ] Explicit consent mechanisms
+- [ ] Plain language explanations
+- [ ] Information provided before data collection
+- [ ] Explanation of automated decision logic
+- [ ] Contact information for questions
+- [ ] Regular communication with data subjects
+- [ ] Privacy-by-design approach (anonymous until consent)
+- [ ] Other: _______________
+
+**Residual Risk After Mitigation:** ☐ Low ☐ Medium ☐ High ☐ Very High
+
+### Risk 4: Inability to Exercise Data Subject Rights
+
+**Mitigation Measures:**
+- [ ] Clear procedures for rights requests
+- [ ] Multiple request channels (email, helpdesk)
+- [ ] 30-day response timeframe
+- [ ] Technical capability to extract data
+- [ ] Data portability in standard formats
+- [ ] Secure deletion processes
+- [ ] Account disabling/restriction capability
+- [ ] Identity verification procedures
+- [ ] Other: _______________
+
+**Residual Risk After Mitigation:** ☐ Low ☐ Medium ☐ High ☐ Very High
+
+### Risk 5: Data Quality Issues
+
+**Mitigation Measures:**
+- [ ] Data validation on input
+- [ ] Regular data accuracy reviews
+- [ ] Ability for data subjects to correct errors
+- [ ] Clear data update procedures
+- [ ] Data quality monitoring
+- [ ] Source verification for third-party data
+- [ ] Archiving of outdated data
+- [ ] Other: _______________
+
+**Residual Risk After Mitigation:** ☐ Low ☐ Medium ☐ High ☐ Very High
+
+### Risk 6: Function Creep / Scope Expansion
+
+**Mitigation Measures:**
+- [ ] Documented purpose limitation
+- [ ] Access controls preventing unauthorized use
+- [ ] Regular compliance audits
+- [ ] Privacy Policy clearly states purposes
+- [ ] Consent required for new purposes
+- [ ] Technical controls preventing misuse
+- [ ] Staff training on data protection
+- [ ] Other: _______________
+
+**Residual Risk After Mitigation:** ☐ Low ☐ Medium ☐ High ☐ Very High
+
+### Additional Mitigation Measures
+
+[Document any additional mitigation measures not covered above]
+
+---
+
+## 7. Data Subject Rights Implementation
+
+**How will you ensure data subjects can exercise their rights?**
+
+### Right of Access (Article 15)
+- [ ] Procedure documented
+- [ ] Technical capability implemented
+- [ ] Response within 30 days
+- Method: _______________
+
+### Right to Rectification (Article 16)
+- [ ] Procedure documented
+- [ ] Technical capability implemented
+- [ ] Response within 30 days
+- Method: _______________
+
+### Right to Erasure (Article 17)
+- [ ] Procedure documented
+- [ ] Technical capability implemented
+- [ ] Response within 30 days
+- Method: _______________
+- Limitations: _______________
+
+### Right to Restriction (Article 18)
+- [ ] Procedure documented
+- [ ] Technical capability implemented (account disabling)
+- [ ] Response within 30 days
+
+### Right to Data Portability (Article 20)
+- [ ] Procedure documented
+- [ ] Technical capability implemented
+- [ ] Export format: JSON / CSV / XML / Other: _______________
+
+### Right to Object (Article 21)
+- [ ] Procedure documented
+- [ ] Opt-out mechanisms implemented
+- [ ] Clear in Privacy Policy
+
+### Rights Related to Automated Decision-Making (Article 22)
+- [ ] Human intervention available
+- [ ] Explanation of logic provided
+- [ ] Right to contest implemented
+- [ ] Documented in Privacy Policy
+
+---
+
+## 8. Privacy by Design and Default
+
+**Privacy Enhancing Technologies Implemented:**
+- [ ] Data minimization (collect only necessary data)
+- [ ] Pseudonymization (where applicable)
+- [ ] Anonymization (where applicable)
+- [ ] Anonymous interaction until consent (privacy-by-design)
+- [ ] Encryption (in transit and at rest)
+- [ ] Access controls and authentication
+- [ ] Audit logging
+- [ ] Secure deletion
+- [ ] Data isolation (multi-tenant architecture)
+- [ ] Other: _______________
+
+**Default Settings:**
+- [ ] Most privacy-protective settings by default
+- [ ] Opt-in (not opt-out) for non-essential processing
+- [ ] Clear consent mechanisms before data collection
+- [ ] Limited data sharing by default
+
+---
+
+## 9. Compliance with Principles
+
+**For each GDPR principle, confirm compliance:**
+
+### Lawfulness, Fairness, Transparency (Article 5(1)(a))
+- [ ] Lawful basis identified and documented
+- [ ] Processing is fair and transparent
+- [ ] Privacy Policy clearly explains processing
+- Evidence: _______________
+
+### Purpose Limitation (Article 5(1)(b))
+- [ ] Specific purposes documented
+- [ ] Data not used for incompatible purposes
+- [ ] New purposes require new consent/legal basis
+- Evidence: _______________
+
+### Data Minimization (Article 5(1)(c))
+- [ ] Only necessary data collected
+- [ ] Regular review of data collected
+- [ ] Excess data not retained
+- Evidence: _______________
+
+### Accuracy (Article 5(1)(d))
+- [ ] Mechanisms to ensure data accuracy
+- [ ] Ability to correct inaccurate data
+- [ ] Regular data quality reviews
+- Evidence: _______________
+
+### Storage Limitation (Article 5(1)(e))
+- [ ] Retention periods defined and documented
+- [ ] Automated deletion where appropriate
+- [ ] Justification for retention documented
+- Evidence: _______________
+
+### Integrity and Confidentiality (Article 5(1)(f))
+- [ ] Appropriate security measures implemented
+- [ ] Protection against unauthorized access
+- [ ] Encryption and access controls in place
+- Evidence: See Annex 2 of DPA
+
+### Accountability (Article 5(2))
+- [ ] Documentation of compliance measures
+- [ ] Records of processing activities maintained
+- [ ] DPIA conducted and documented
+- [ ] DPA in place with processors
+- Evidence: This DPIA, DPA with customers
+
+---
+
+## 10. International Transfers
+
+**Does this processing involve transfer to third countries?**
+
+☐ No - all processing within EU
+☐ Yes (complete below)
+
+**If yes:**
+
+**Country/Region:** _______________
+
+**Transfer Mechanism:**
+- [ ] Adequacy decision (Article 45)
+- [ ] Standard Contractual Clauses (Article 46)
+- [ ] Binding Corporate Rules (Article 47)
+- [ ] Other: _______________
+
+**Transfer Impact Assessment Completed?** ☐ Yes ☐ No
+
+**Additional Safeguards:**
+
+[Document supplementary measures to ensure adequate protection]
+
+---
+
+## 11. Documentation and Records
+
+**Documentation Maintained:**
+- [ ] This DPIA
+- [ ] Privacy Policy
+- [ ] Data Processing Agreement
+- [ ] Consent records (if applicable)
+- [ ] Records of processing activities (Article 30)
+- [ ] Data breach register
+- [ ] Data Subject rights request log
+- [ ] Staff training records
+- [ ] Sub-processor agreements
+
+**Record of Processing Activities (Article 30) Completed?**
+
+☐ Yes ☐ No ☐ In Progress
+
+---
+
+## 12. Outcomes and Recommendations
+
+### 12.1 Overall Risk Assessment
+
+**After implementing mitigation measures, what is the residual risk level?**
+
+☐ Low - processing can proceed
+☐ Medium - additional measures recommended
+☐ High - significant concerns, consult DPO/legal counsel
+☐ Very High - processing should not proceed without major changes
+
+### 12.2 Recommendations
+
+**Recommended Actions Before Processing Begins:**
+
+1. [Action item 1]
+2. [Action item 2]
+3. [Action item 3]
+
+**Recommended Monitoring/Review Activities:**
+
+1. [Monitoring item 1]
+2. [Monitoring item 2]
+3. [Monitoring item 3]
+
+### 12.3 Consultation with Supervisory Authority
+
+**Is consultation with supervisory authority required?**
+
+☐ No - residual risk is acceptable
+☐ Yes - high residual risk remains despite mitigation (Article 36)
+
+**If yes, when will consultation occur?** _______________
+
+### 12.4 Sign-Off
+
+**DPIA Completed By:**
+
+Name: _______________
+Role: _______________
+Date: _______________
+Signature: _______________
+
+**Reviewed and Approved By:**
+
+Name: _______________
+Role: _______________
+Date: _______________
+Signature: _______________
+
+**Next Review Date:** _______________
+
+*(Recommend annual review or when significant changes occur)*
+
+---
+
+## Appendix A: Completed Example - Job Candidate Assessment
+
+This appendix provides a completed example for reference.
+
+### Example: Job Candidate Assessment Specialist
+
+**Processing Activity**: AI-powered job candidate assessment tool
+
+**Personal Data Processed**:
+- Assessment responses (text)
+- Communication records (chatbot interactions)
+- Contact information (name, email) - collected AFTER assessment with consent
+- Assessment scores/results
+
+**Purpose**: To assess candidates' suitability for job roles based on their responses to standardized questions
+
+**Lawful Basis**:
+- Consent (candidates explicitly consent before providing contact information)
+- Contract (processing necessary to take steps at request of data subject prior to entering into contract)
+
+**Automated Decision-Making**: Yes, with human oversight. Candidates are assessed by AI, but:
+- Contact information only collected AFTER positive assessment
+- Human recruiter makes final hiring decisions
+- Candidates can restart assessment at any time
+- Candidates informed about AI assessment before beginning
+
+**Key Risks Identified**:
+1. Bias/discrimination in assessment algorithms - MEDIUM risk
+2. Lack of transparency about assessment criteria - MEDIUM risk
+3. Data breach exposing candidate information - LOW risk (after mitigation)
+
+**Key Mitigation Measures**:
+- Anonymous assessment until consent obtained
+- Clear explanation of assessment process
+- Right to contest results
+- Human review of all final decisions
+- Regular bias testing of algorithms
+- Strong technical security measures (encryption, access controls)
+- 12-month retention period with secure deletion
+
+**Residual Risk**: LOW - processing can proceed
+
+**Special Considerations**:
+- Candidates must be informed about automated decision-making
+- Privacy Policy must explain assessment logic
+- Contact information collected only after explicit consent
+- Right to human intervention clearly communicated
+
+---
+
+## Appendix B: Resources and References
+
+**GDPR Articles Referenced:**
+- Article 5: Principles relating to processing
+- Article 6: Lawfulness of processing
+- Article 9: Special categories of data
+- Article 13-14: Information to be provided
+- Article 15-22: Data subject rights
+- Article 22: Automated decision-making
+- Article 28: Processor obligations
+- Article 30: Records of processing activities
+- Article 33-34: Data breach notification
+- Article 35: Data Protection Impact Assessment
+- Article 36: Prior consultation with supervisory authority
+- Article 45-46: International transfers
+
+**Additional Guidance:**
+- WP29 Guidelines on DPIAs (WP 248)
+- WP29 Guidelines on Automated Decision-Making (WP 251)
+- ICO DPIA Guidance
+- EDPB Guidelines on processing personal data for scientific research
+- Belgian DPA Guidance (https://www.gegevensbeschermingsautoriteit.be)
+
+**Internal Documents:**
+- Ask Eve AI Data Protection Agreement
+- Ask Eve AI Privacy Policy
+- Technical and Organizational Measures (DPA Annex 2)
+
+---
+
+**End of DPIA Template**
\ No newline at end of file
diff --git a/content/Security & Compliance/Assurance Questions.md b/content/Security & Compliance/Assurance Questions.md
index 8060055..7bfc785 100644
--- a/content/Security & Compliance/Assurance Questions.md +++ b/content/Security & Compliance/Assurance Questions.md @@ -4,17 +4,17 @@ No, we do not currently have a formal information security policy document. As a However, we do maintain several key security practices: Product Security (Evie SaaS Platform): -Multi-tenant architecture with strict data isolation (separate database schemas and object storage folders per tenant) -Hosted exclusively with European providers (Scaleway, Bunny.net, Mistral) compliant with EU regulations -Published Privacy Policy and Terms & Conditions -GDPR-compliant data handling practices +- Multi-tenant architecture with strict data isolation (separate database schemas and object storage folders per tenant) +- Hosted exclusively with European providers (Scaleway, Bunny.net, Mistral) compliant with EU regulations +- Published Privacy Policy and Terms & Conditions +- GDPR-compliant data handling practices Internal Operations Security: -Secure password and credential management using Proton Pass -All internal business data maintained in secure cloud environments (Proton, Dropbox, Canva) -Code versioning and backup through GitHub -Controlled access to all systems and services +- Secure password and credential management using Proton Pass +- All internal business data maintained in secure cloud environments (Proton, Dropbox, Canva) +- Code versioning and backup through GitHub +- Controlled access to all systems and services We plan to formalise our security practices into a comprehensive security policy as our organisation scales beyond 10 employees. diff --git a/content/privacy/1.0/1.0.0.md b/content/dpa/1.0/1.0.0.md similarity index 74% rename from content/privacy/1.0/1.0.0.md rename to content/dpa/1.0/1.0.0.md index ceb95c7..3698553 100644 --- a/content/privacy/1.0/1.0.0.md +++ b/content/dpa/1.0/1.0.0.md 
@@ -124,13 +124,13 @@ Ask Eve AI System Data is the data required to enable Ask Eve AI to: The following personal information is gathered: 1. *Account / User Information*: This information enables a user to log - into the Ask Eve AI systems, or to subscribe to the system's - services. It includes name, e-mail address, a secured password and - roles in the system. + into the Ask Eve AI systems, or to subscribe to the system's + services. It includes name, e-mail address, a secured password and + roles in the system. 2. *Tenant / Customer Information*: Although not personal data in the - strict sense, in order to subscribe to the services provided by Ask - Eve AI, payment information such as financial details, VAT numbers, - valid addresses and email information is required. + strict sense, in order to subscribe to the services provided by Ask + Eve AI, payment information such as financial details, VAT numbers, + valid addresses and email information is required. **Tenant Data:** 
@@ -151,15 +151,15 @@ There's no personal data collected explicitly, however, the following personal information is gathered: 1. *End User Content*: Ask Eve AI collects Personal Data that the End - User provides in the input to our Services ("Content") as is. + User provides in the input to our Services ("Content") as is. 2. *Communication Information*: If the Customer communicates with Ask - Eve AI, such as via email, our pages on social media sites or the - chatbots or other interfaces we provide to our services, Ask Eve AI - may collect Personal Data like name, contact information, and the - contents of the messages the Customer sends ("Communication - Information"). End User personal information may be provided by End - User in interactions with Ask Eve AI's services, and as such will be - stored in Ask Eve AI's services as is. + Eve AI, such as via email, our pages on social media sites or the + chatbots or other interfaces we provide to our services, Ask Eve AI + may collect Personal Data like name, contact information, and the + contents of the messages the Customer sends ("Communication + Information"). End User personal information may be provided by End + User in interactions with Ask Eve AI's services, and as such will be + stored in Ask Eve AI's services as is. 
> @@ -170,52 +170,46 @@ personal information is gathered: > contact or provide us with information to establish your identity or > age. -> - -> - -> \ - -**Technical Data:**\ +**Technical Data:**\\ When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions ("Technical Information"): 1. *Log Data:* Ask Eve AI collects information that your browser or - device automatically sends when the Customer uses the Services. Log - data includes the Internet Protocol address, browser type and - settings, the date and time of your request, and how the Customer - interacts with the Services. + device automatically sends when the Customer uses the Services. Log + data includes the Internet Protocol address, browser type and + settings, the date and time of your request, and how the Customer + interacts with the Services. 2. *Usage Data:* Ask Eve AI collects information about the use of the - Services, such as the types of content that the Customer views or - engages with, the features the Customer uses and the actions the - Customer takes, as well as the Customer's time zone, country, the - dates and times of access, user agent and version, type of computer - or mobile device, and the Customer's computer connection. + Services, such as the types of content that the Customer views or + engages with, the features the Customer uses and the actions the + Customer takes, as well as the Customer's time zone, country, the + dates and times of access, user agent and version, type of computer + or mobile device, and the Customer's computer connection. 3. *Interaction Data*: Ask Eve AI collects the data you provide when - interacting with it's services, such as interacting with a chatbot - or similar advanced means. + interacting with it's services, such as interacting with a chatbot + or similar advanced means. 4. 
*Device Information:* Ask Eve AI collects information about the - device the Customer uses to access the Services, such as the name of - the device, operating system, device identifiers, and browser you - are using. Information collected may depend on the type of device - the Customer uses and its settings. + device the Customer uses to access the Services, such as the name of + the device, operating system, device identifiers, and browser you + are using. Information collected may depend on the type of device + the Customer uses and its settings. 5. *Location Information:* Ask Eve AI may determine the general area - from which your device accesses our Services based on information - like its IP address for security reasons and to make your product - experience better, for example to protect the Customer's account by - detecting unusual login activity or to provide more accurate - responses. In addition, some of our Services allow the Customer to - choose to provide more precise location information from the - Customer's device, such as location information from your device's - GPS. + from which your device accesses our Services based on information + like its IP address for security reasons and to make your product + experience better, for example to protect the Customer's account by + detecting unusual login activity or to provide more accurate + responses. In addition, some of our Services allow the Customer to + choose to provide more precise location information from the + Customer's device, such as location information from your device's + GPS. 6. *Cookies and Similar Technologies:* Ask Eve AI uses cookies and - similar technologies to operate and administer our Services, and - improve your experience. If the Customer uses the Services without - creating an account, Ask Eve AI may store some of the information - described in this Agreement with cookies, for example to help - maintain the Customer's preferences across browsing sessions. 
For - details about our use of cookies, please read our Cookie Policy. + similar technologies to operate and administer our Services, and + improve your experience. If the Customer uses the Services without + creating an account, Ask Eve AI may store some of the information + described in this Agreement with cookies, for example to help + maintain the Customer's preferences across browsing sessions. For + details about our use of cookies, please read our Cookie Policy. **External Data:** @@ -253,11 +247,11 @@ and not attempt to reidentify the information, unless required by law. As noted above, Ask Eve AI may use content the Customer provides Ask Eve AI to improve the Services, for example to train the models that power -Ask Eve AI. Read [**our instructions*⁠*(opens in a new -window)**](https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance) on -how you can opt out of our use of your Content to train our models.\ +Ask Eve AI. Read [\**our instructions*⁠\*(opens in a new +window)\*\*](https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance) on +how you can opt out of our use of your Content to train our models.\\ -1. 1. ## Instructions {#instructions-3} +1. 1. \#\# Instructions {#instructions-3} Data Processor shall only Process Personal Data of Data Controller on behalf of the Data Controller and in accordance with this Data 
@@ -267,12 +261,12 @@ manner, as is reasonably necessary to provide the Services in accordance with the Agreement. Data Controller shall only give instructions that comply with the Data Protection legislation. -2. 1. ## Applicable mandatory laws {#applicable-mandatory-laws-3} +2. 1. \#\# Applicable mandatory laws {#applicable-mandatory-laws-3} Data Processor shall only Process as required by applicable mandatory -laws and always in compliance with Data Protection Legislation.\ +laws and always in compliance with Data Protection Legislation.\\ -3. 1. ## Transfer to a third party {#transfer-to-a-third-party-3} +3. 1. \#\# Transfer to a third party {#transfer-to-a-third-party-3} Data Processor uses functionality of third party services to realise it's functionality. For the purpose of realising Ask Eve AI's @@ -284,7 +278,7 @@ other third party and/or appoint any third party as a sub-processor of Personal Data unless it is legally required or in case of a notification to the Data Controller by which he gives his consent. -4. 1. ## Transfer to a Third Country {#transfer-to-a-third-country-3} +4. 1. \#\# Transfer to a Third Country {#transfer-to-a-third-country-3} Data Processor shall not transfer Personal Data (including any transfer via electronic media) to any Third Country without the prior written @@ -305,9 +299,9 @@ Data Controller about the particular measures taken to guarantee the protection of the Personal Data of the Data Subject in accordance with the Regulation. -\ +\\ -5. 1. ## Data secrecy {#data-secrecy-3} +5. 1. \#\# Data secrecy {#data-secrecy-3} The Data Processor shall maintain data secrecy in accordance with applicable Data Protection Legislation and shall take all reasonable 
@@ -324,7 +318,7 @@ steps to ensure that: > in accordance with applicable Data Protection Legislation and at all > times act in compliance with the Data Protection Obligations. -6. 1. ## Appropriate technical and organizational measures {#appropriate-technical-and-organizational-measures-3} +6. 1. \#\# Appropriate technical and organizational measures {#appropriate-technical-and-organizational-measures-3} Data Processor has implemented (and shall comply with) all appropriate technical and organizational measures to ensure the security of the @@ -348,7 +342,7 @@ registration, de-registration and withdrawal of automation access codes (API Keys), and is also responsible for the complete physical security of its environment. -7. 1. ## Assistance and co-operation {#assistance-and-co-operation-3} +7. 1. \#\# Assistance and co-operation {#assistance-and-co-operation-3} The Data Processor shall provide the Data Controller with such assistance and co-operation as the Data Controller may reasonably @@ -358,7 +352,7 @@ Data processed by the Data Processor, including but not limited to: > \(1\) on request of the Data Controller, promptly providing written > information regarding the technical and organizational measures which -> the Data Processor has implemented to safeguard Personal Data;\ +> the Data Processor has implemented to safeguard Personal Data;\\ > \(2\) disclosing full and relevant details in respect of any and all > government, law enforcement or other access protocols or controls @@ -401,7 +395,7 @@ Data processed by the Data Processor, including but not limited to: > Processor shall support the Data Controller in the provision of such > information when explicitly requested by the Data Controller. -4. # Audit {#audit-1} +4. \# Audit {#audit-1} At the Data Controller's request the Data Processor shall provide the Data Controller with all information needed to demonstrate that it 
@@ -423,7 +417,7 @@ minimum, and the Data Controller shall impose sufficient confidentiality obligations on its auditors. Every auditor who does an inspection will be at all times accompanied by a dedicated employee of the Processor. -4. # Liability {#liability-1} +4. \# Liability {#liability-1} Each Party shall be liable for any suffered foreseeable, direct and personal damages ("Direct Damages") resulting from any attributable @@ -458,7 +452,7 @@ immediately prior to the cause of damages. In no event shall the Data Processor be held liable if the Data Processor can prove he is not responsible for the event or cause giving rise to the damage. -4. # Term {#term-1} +4. \# Term {#term-1} This Data Processing Agreement shall be valid for as long as the Customer uses the Services. @@ -469,7 +463,7 @@ use of Personal Data and delete all Personal Data and copies thereof in its possession unless otherwise agreed or when deletion of the Personal Data should be technically impossible. -4. # Governing law -- jurisdiction {#governing-law-jurisdiction-1} +4. \# Governing law -- jurisdiction {#governing-law-jurisdiction-1} This Data Processing Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and 
@@ -482,91 +476,18 @@ litigation concerning or related to this Data Processing Agreement, without any exception, shall be submitted to the exclusive jurisdiction of the courts of Gent, Belgium. -# Annex1 +# Annex1 -# Sub-Processors +# Sub-Processors The Data Controller hereby agrees to the following list of Sub-Processors, engaged by the Data Processor for the Processing of Personal Data under the Agreement: -+-------------+--------------------------------------------------------+ -| | | -+=============+========================================================+ -| **‍Open AI** | | -+-------------+--------------------------------------------------------+ -| ‍Address | OpenAI, L.L.C., | -| | | -| | 3180 18th St, San Francisco, | -| | | -| | CA 94110, | -| | | -| | United States of America. | -+-------------+--------------------------------------------------------+ -| ‍Contact | OpenAI's Data Protection team | -| | | -| | dsar@openai.com | -+-------------+--------------------------------------------------------+ -| ‍Description | Ask Eve AI accesses Open AI's models through Open AI's | -| | API to realise it's functionality. | -| | | -| | Services are GDPR compliant. 
| -+-------------+--------------------------------------------------------+ -| | | -+-------------+--------------------------------------------------------+ -+---------------+------------------------------------------------------+ -| | | -+===============+======================================================+ -| **StackHero** | | -+---------------+------------------------------------------------------+ -| ‍‍Address | Stackhero | -| | | -| | 1 rue de Stockholm | -| | | -| | 75008 Paris | -| | | -| | France | -+---------------+------------------------------------------------------+ -| ‍‍Contact | support@stackhero.io | -+---------------+------------------------------------------------------+ -| ‍‍Description | StackHero is Ask Eve AI's cloud provider, and hosts | -| | the services for PostgreSQL, Redis, Docker, Minio | -| | and Greylog. | -| | | -| | Services are GDPR compliant. | -+---------------+------------------------------------------------------+ -| **‍** | | -+---------------+------------------------------------------------------+ +# Annex 2 -+----------------+-----------------------------------------------------+ -| | | -+================+=====================================================+ -| **A2 Hosting** | | -+----------------+-----------------------------------------------------+ -| ‍‍‍Address | A2 Hosting, Inc. | -| | | -| | PO Box 2998 | -| | | -| | Ann Arbor, MI 48106 | -| | | -| | United States | -+----------------+-----------------------------------------------------+ -| ‍‍‍Contact | [*+1 734-222-4678*](tel:+1(734)222-4678) | -+----------------+-----------------------------------------------------+ -| ‍‍‍Description | A2 hosting is hosting our main webserver and | -| | mailserver. They are all hosted on European servers | -| | (Iceland). It does not handle data of our business | -| | applications. | -| | | -| | Services are GDPR compliant. 
| -+----------------+-----------------------------------------------------+ -| **‍** | | -+----------------+-----------------------------------------------------+ - -# Annex 2 - -# []{#anchor-7}Technical and organizational measures +# []{#anchor-7}Technical and organizational measures # 1. Purpose of this document @@ -580,13 +501,13 @@ list below following a Data Protection Impact Assessment (DPIA). These measures are designed to: 1. ensure the security and confidentiality of Ask Eve AI managed data, - information, applications and infrastructure; + information, applications and infrastructure; 2. protect against any anticipated threats or hazards to the security - and integrity of Personal Data, Ask Eve AI Intellectual Property, - Infrastructure or other business-critical assets; + and integrity of Personal Data, Ask Eve AI Intellectual Property, + Infrastructure or other business-critical assets; 3. protect against any actual unauthorized processing, loss, use, - disclosure or acquisition of or access to any Personal Data or other - business-critical information or data managed by Ask Eve AI. + disclosure or acquisition of or access to any Personal Data or other + business-critical information or data managed by Ask Eve AI. Ask Eve AI ensures that all its Sub-Processors have provided the necessary and required guarantees on the protection of personal data @@ -614,7 +535,7 @@ infrastructure. Ask Eve AI uses an intent-based approach where activities are constantly monitored, analysed and benchmarked instead of relying solely on a simple authentication/authorization trust model. -4. 1. ## General Governance & Awareness {#general-governance-awareness-3} +4. 1. \#\# General Governance & Awareness {#general-governance-awareness-3} As a product company, Ask Eve AI is committed to maintain and preserve an IT infrastructure that has a robust security architecture, complies 
@@ -676,7 +597,7 @@ enabled. Key management governance is implemented and handled by Facilities. -1. 1. ## Endpoint Security & User Accounts {#endpoint-security-user-accounts-3} +1. 1. \#\# Endpoint Security & User Accounts {#endpoint-security-user-accounts-3} All endpoints and any information stored are encrypted using enterprise-grade encryption on all operating systems supported by Ask @@ -701,7 +622,7 @@ ensure endpoint integrity and policy compliance. Access is managed according to role-based access control principles and all user behavior on Ask Eve AI platforms is audited. -1. 1. ## Data Storage, Recovery & Securing Personal Data {#data-storage-recovery-securing-personal-data-3} +1. 1. \#\# Data Storage, Recovery & Securing Personal Data {#data-storage-recovery-securing-personal-data-3} > Ask Eve AI has deployed: @@ -720,7 +641,7 @@ all user behavior on Ask Eve AI platforms is audited. - Records of the processing activities. - Data Retention Policies -1. 1. ## Protection & Insurance {#protection-insurance-3} +1. 1. \#\# Protection & Insurance {#protection-insurance-3} Ask Eve AI has a cyber-crime insurance policy. Details on the policy can be requested through the legal department. diff --git a/content/dpa/1.1/1.1.0.md b/content/dpa/1.1/1.1.0.md new file mode 100644 index 0000000..7de677b --- /dev/null +++ b/content/dpa/1.1/1.1.0.md 
@@ -0,0 +1,1143 @@
+# Data Protection Agreement
+## Ask Eve AI
+
+**Version 1.1.0**
+**Effective Date: October 3, 2025**
+
+Ask Eve AI respects the privacy of its Customers, Partners, Users and End Users, and is strongly committed to keeping secure any information obtained from, for or about each of them. This Data Protection Agreement describes the practices with respect to Personal Data that Ask Eve AI collects from or about Customers, Partners, Users and End Users when they use the applications and services of Ask Eve AI (collectively, "Services").
+
+---
+
+## 1. Definitions
+
+**Data Controller and Data Processor**: have each the meanings set out in the Data Protection Legislation.
+
+**Data Protection Legislation**: means the European Union's General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") and all applicable laws and regulations relating to the processing of personal data and privacy, including the Belgian Data Protection Act of 30 July 2018, and any amendment or re-enactment of any of them.
+
+**Data Subject**: has the meaning set out in the Data Protection Legislation and shall refer, in this Data Protection Agreement, to the identified or identifiable individual(s) whose Personal Data is/are under control of the Data Controller and is/are the subject of the Processing by the Data Processor in the context of the Services.
+
+**Personal Data**: has the meaning set out in the Data Protection Legislation and shall refer, in this Data Protection Agreement, to any information relating to the Data Subject that is subject to the Processing in the context of the Services.
+
+**Processing**: has the meaning given to that term in the Data Protection Legislation and "process" and "processed" shall have a corresponding meaning.
+
+**Purposes**: shall mean the limited, specific and legitimate purposes of the Processing as described in this Agreement and as instructed by the Data Controller.
+
+**Regulators**: means those government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the privacy matters dealt with in agreements and/or by the parties to the agreements (as the case may be).
+
+**Sub-Processor**: shall mean the subcontractor(s) listed in Annex 1, engaged by the Data Processor to Process Personal Data on behalf of the Data Controller and in accordance with its instructions, the terms of this Data Processing Agreement and the terms of the written subcontract entered into with the Sub-Processor.
+
+**Third Country**: means a country outside the European Economic Area that is not considered by the European Commission as offering an adequate level of protection in accordance with Article 45 of the GDPR.
+
+**Tenant / Customer**: A tenant is the organisation, enterprise or company subscribing to the services of Ask Eve AI. The terms "Tenant" and "Customer" are used interchangeably. In the context of GDPR, the Tenant/Customer acts as Data Controller.
+
+**Partner**: Any organisation, enterprise or company that offers services or knowledge on top of the Ask Eve AI platform. Partners may act as Data Controllers or Data Processors depending on the nature of their engagement with the Tenant/Customer.
+
+**Account / User**: A user is a natural person performing activities such as configuration or testing in Ask Eve AI, working within the context of a Tenant. A user is explicitly registered within the system as a member of the tenant.
+
+**End User**: An end user is every person making use of Ask Eve AI's services in the context of Ask Eve AI services exposed by the tenant (e.g., a chatbot). This user is not explicitly registered within the system and typically interacts with the Services anonymously until they provide consent for data collection.
+
+**Ask Eve AI Platform**: The Ask Eve AI Platform (also referred to as "Evie" or "platform") is the combination of software components and products, code, configuration and prompts that allow Ask Eve AI to perform its activities.
+
+**Ask Eve AI Services**: Is the collection of all services on top of the Ask Eve AI Platform offered to all users of the platform (Tenants, Partners, Users and End Users), including all services exposed by Partners on the Ask Eve AI platform.
+
+**Partner Services**: Is the collection of all services and applications built on top of the Ask Eve AI Platform offered by Partners. This excludes services connected through APIs to the Ask Eve AI platform or services connected to the platform by any other means.
+
+**Management Service**: A specific type of Partner Service where the Partner provides management, implementation, or support services on behalf of the Tenant's own customers, thereby acting as a Data Processor rather than a Data Controller.
+
+---
+
+## 2. Qualification of Parties
+
+### 2.1 Standard Processing Relationship
+
+As part of the provision of the Services, the Tenant/Customer engages Ask Eve AI to collect, process and/or use Personal Data on its behalf. In this standard relationship:
+
+- The **Tenant/Customer acts as the Data Controller**: The Tenant/Customer determines the purposes and means of processing Personal Data.
+- **Ask Eve AI acts as the Data Processor**: Ask Eve AI processes Personal Data on behalf of and according to the instructions of the Data Controller.
+
+This is the default relationship model for all services provided by Ask Eve AI.
+
+### 2.2 Sub-Processing Relationship
+
+In certain circumstances, a Partner or Tenant/Customer may act on behalf of their own customers (third parties) through a Management Service arrangement. In this sub-processing scenario:
+
+- The **Tenant's customer (third party) acts as the Data Controller**: This third party determines the purposes and means of processing.
+- The **Tenant/Customer or Partner acts as the Data Processor**: They process Personal Data on behalf of the third-party Data Controller.
+- **Ask Eve AI acts as the Sub-Processor**: Ask Eve AI processes Personal Data on behalf of the Tenant/Customer or Partner (who themselves act as Data Processors).
+
+This sub-processing relationship is triggered when:
+1. A Partner provides a Management Service (as defined in the Partner Service configuration); AND
+2. The Partner or Tenant/Customer explicitly acts on behalf of a third-party customer.
+
+The Parties agree that in this scenario, all obligations of the "Data Controller" in this Agreement apply to the Tenant/Customer or Partner (acting as Data Processor), and all obligations of the "Data Processor" apply to Ask Eve AI (acting as Sub-Processor).
+
+---
+
+## 3. Data Classification
+
+Ask Eve AI classifies data into the following categories:
+
+### 3.1 System Data
+
+Ask Eve AI System Data is the data required to enable Ask Eve AI to:
+- Authenticate and authorize accounts/users
+- Authenticate and authorize automated interfaces (APIs, sockets, integrations)
+- Invoice according to subscription and effective usage of Ask Eve AI's services
+- Maintain audit trails and system integrity
+
+The following personal information is gathered:
+
+**Account / User Information**: This information enables a user to log into the Ask Eve AI systems or to subscribe to the system's services. It includes:
+- Name
+- Email address
+- Secured password (hashed, never stored in plain text)
+- Roles in the system
+- Authentication metadata (login timestamps, login counts)
+- IP addresses (when implemented for security purposes such as rate limiting or fraud prevention, based on legitimate interest)
+
+**Tenant / Customer Information**: In order to subscribe to the services provided by Ask Eve AI, the following information is required:
+- Organization name and details
+- Financial details and VAT numbers
+- Valid addresses and email information
+- Payment information
+- Billing and invoice data
+
+### 3.2 Tenant Data
+
+Tenant data is all information that is added to Ask Eve AI by:
+- One of the tenant's registered accounts
+- One of the automated interfaces (APIs, sockets, integrations) authorized by the tenant
+- Interaction by end users who have access to Ask Eve AI's services exposed by the tenant
+
+This data is required to enable Ask Eve AI to perform the tenant-specific functions requested or defined by the Tenant, such as enabling AI chatbots or AI specialists to work on tenant-specific information.
+
+Personal data in this category includes:
+
+**End User Content**: Ask Eve AI collects Personal Data that the End User provides in the input to our Services ("Content"). End Users typically interact anonymously with the Services until they provide explicit consent for the collection of their personal information. Personal Data is only collected after:
+- The End User has been informed about the processing
+- The End User has provided explicit consent
+- The purpose of collection has been clearly communicated (e.g., to connect with a human recruiter)
+
+**Communication Information**: If the Customer communicates with Ask Eve AI, such as via email, social media, chatbots, or other interfaces provided by our services, Ask Eve AI may collect Personal Data including:
+- Name and contact information
+- Contents of messages sent
+- Support ticket information
+
+End User personal information may be provided by End Users in interactions with Ask Eve AI's services and will be stored as provided.
+
+### 3.3 User Data
+
+Ask Eve AI collects information the User may provide to Ask Eve AI, such as when users participate in events, surveys, request contact, or provide information to establish identity or age.
+
+### 3.4 Technical Data
+
+When visiting, using, or interacting with the Services, Ask Eve AI receives the following information ("Technical Information"):
+
+**Log Data**: Information that browsers or devices automatically send when using the Services, including:
+- Internet Protocol addresses (when logged for security purposes)
+- Browser type and settings
+- Date and time of requests
+- Interaction patterns with the Services
+
+**Usage Data**: Information about the use of Services, such as:
+- Types of content viewed or engaged with
+- Features used and actions taken
+- Time zone, country, dates and times of access
+- User agent and version
+- Type of computer or mobile device
+- Computer connection details
+
+**Interaction Data**: Data provided when interacting with services, such as chatbot interactions or use of AI specialists. Note that Business Event Logs contain only technical metrics (tokens, timings, event types) and do not contain personal data.
+
+**Device Information**: Information about devices used to access the Services, including:
+- Device name and operating system
+- Device identifiers
+- Browser information
+
+**Location Information**: Ask Eve AI may determine the general area from which devices access Services based on IP addresses for security reasons and to improve the product experience, such as:
+- Protecting accounts by detecting unusual login activity
+- Providing more accurate responses
+
+Some Services allow users to provide more precise location information from device GPS.
+
+**Cookies and Similar Technologies**: Ask Eve AI uses cookies and similar technologies to operate and administer Services and improve user experience. For details, please read our Cookie Policy.
+
+### 3.5 External Data
+
+Information Ask Eve AI receives from other sources:
+
+Ask Eve AI receives information from trusted partners, including:
+- Security partners, to protect against fraud, abuse, and other security threats
+- Marketing vendors providing information about potential customers
+
+Ask Eve AI may also collect information from publicly available sources on the internet to develop models that power the Services (subject to opt-out provisions as described in Section 4.4).
+
+---
+
+## 4. Data Protection and Processing Principles
+
+The Data Processor warrants, represents and undertakes to the Data Controller that it shall only process Personal Data as limited in the following sections.
+
+### 4.1 Processing Instructions
+
+Data Processor shall only Process Personal Data of Data Controller on behalf of the Data Controller and in accordance with this Data Processing Agreement, solely for the Purposes and according to the documented instructions of the Data Controller, and to the extent, and in such manner, as is reasonably necessary to provide the Services in accordance with the Agreement.
+
+Data Controller shall only give instructions that comply with the Data Protection Legislation.
+
+### 4.2 Lawful Processing Basis
+
+Ask Eve AI may use Personal Data for the following purposes, based on the appropriate lawful basis:
+
+**Performance of Contract**:
+- To provide, analyze, and maintain the Services
+- To respond to Customer questions and requests
+- To process payments and fulfill contractual obligations
+
+**Legitimate Interest**:
+- To improve and develop the Services and conduct research (e.g., to develop new product features)
+- To prevent fraud, illegal activity, or misuses of Services
+- To protect the security of systems and Services
+- When implemented: IP address logging for rate limiting and security purposes
+
+**Legal Obligation**:
+- To comply with legal obligations
+- To protect the rights, privacy, safety, or property of users or third parties
+- To maintain records as required by Belgian accounting law (7-year retention for financial records)
+
+**Consent** (where applicable):
+- To communicate with Customers about Services, events, and updates (where consent is required)
+- For End Users: to collect personal information after automated assessments or interactions (explicit consent required before collection)
+- For future model training purposes (opt-out available as described in Section 4.4)
+
+### 4.3 Applicable Mandatory Laws
+
+Data Processor shall only Process as required by applicable mandatory laws and always in compliance with Data Protection Legislation.
+
+### 4.4 Future Use for Model Training
+
+Ask Eve AI may aggregate or de-identify Personal Data so that it no longer identifies individuals and use this information to:
+- Analyze how Services are being used
+- Improve and add features to Services
+- Conduct research and development
+- Train or improve AI models that power the Services
+
+**Opt-Out Provisions**: Customers and End Users will have the ability to opt out of having their data used for model training purposes.
This opt-out mechanism will be:
+- Clearly communicated in the Privacy Policy
+- Accessible through account settings or by contacting Ask Eve AI
+- Honored immediately upon request
+- Maintained as a persistent preference
+
+Ask Eve AI will maintain and use de-identified information in de-identified form and will not attempt to re-identify the information, unless required by law.
+
+**Current Status**: As of the effective date of this Agreement, Ask Eve AI does not currently use Customer or Tenant data to train its own models. This provision establishes the framework for potential future use, subject to the opt-out rights described above and notification to Customers through Privacy Policy updates.
+
+### 4.5 Automated Decision-Making and Profiling
+
+Ask Eve AI may facilitate automated decision-making or profiling activities through its AI specialists, including but not limited to:
+- Candidate assessment and job fit evaluation
+- Content classification and routing
+- Personalized recommendations
+- Risk assessment and fraud detection
+
+**Data Controller Obligations**: When the Data Controller uses Ask Eve AI Services for automated decision-making or profiling that produces legal effects or similarly significantly affects Data Subjects, the Data Controller must:
+
+1. **Obtain appropriate legal basis**, which may include:
+ 2. Explicit consent from the Data Subject
+ 3. Necessity for entering into or performing a contract
+ 4. Authorization by Union or Member State law
+
+2. **Inform Data Subjects** about:
+ 2. The existence of automated decision-making
+ 3. The logic involved in the processing
+ 4. The significance and envisaged consequences
+ 5. Their right to obtain human intervention
+ 6. Their right to express their point of view
+ 7. Their right to contest the decision
+
+3. **Implement safeguards** including:
+ 2. The right for Data Subjects to obtain human intervention
+ 3. The right to express their point of view
+ 4.
The right to contest the decision
+ 5. Regular accuracy and fairness reviews of automated systems
+
+4. **Privacy-by-Design Approach**: Wherever technically feasible, Ask Eve AI Services are designed to:
+ 2. Process Data Subjects anonymously until explicit consent is obtained
+ 3. Collect personal information only when necessary and after consent
+ 4. Minimize data collection to what is strictly required
+
+**Ask Eve AI's Role**: As Data Processor, Ask Eve AI provides the technical capability for automated decision-making but does not determine the purposes or essential means of such processing. The Data Controller remains responsible for ensuring GDPR compliance, including conducting Data Protection Impact Assessments (DPIAs) where required.
+
+### 4.6 Special Categories of Personal Data
+
+As of the effective date of this Agreement, Ask Eve AI does not intentionally process special categories of personal data as defined in Article 9 GDPR (health data, biometric data, genetic data, etc.).
+
+If the Data Controller intends to process special categories of personal data through the Services, the Data Controller must:
+1. Notify Ask Eve AI in writing in advance
+2. Ensure an appropriate legal basis exists under Article 9(2) GDPR
+3. Implement additional safeguards as required
+4. Conduct a Data Protection Impact Assessment
+5. Obtain written confirmation from Ask Eve AI regarding additional technical and organizational measures
+
+### 4.7 Transfer to Third Parties
+
+Data Processor uses functionality of third-party services (Sub-Processors as listed in Annex 1) to realize its functionality. For the purpose of providing Ask Eve AI's Services, and only for this purpose, information is sent to its Sub-Processors.
+
+Data Processor shall not transfer or disclose any Personal Data to any other third party and/or appoint any third party as a Sub-Processor of Personal Data unless:
+1. It is legally required; OR
+2.
The Data Controller has been notified and has provided consent
+
+**Sub-Processor Changes**: Ask Eve AI will notify the Data Controller of any intended changes concerning the addition or replacement of Sub-Processors at least thirty (30) days in advance. The Data Controller has the right to object to such changes on reasonable grounds relating to data protection.
+
+### 4.8 No Transfer to Third Countries
+
+**EU-Only Processing**: All Personal Data processing by Ask Eve AI and its Sub-Processors occurs exclusively within the European Union. Ask Eve AI does not transfer Personal Data to any Third Country.
+
+All Sub-Processors listed in Annex 1 are located within the EU and are subject to GDPR and European data protection regulations. Data sovereignty is maintained, with all customer data remaining within European jurisdiction.
+
+This strategic decision ensures:
+- Full compliance with GDPR without need for Standard Contractual Clauses or other transfer mechanisms
+- Alignment with the EU AI Act requirements
+- Enhanced data protection under strict European privacy laws
+- Simplified compliance framework
+
+If Ask Eve AI intends to engage Sub-Processors located outside the EU in the future, Ask Eve AI will:
+1. Notify the Data Controller in writing at least sixty (60) days in advance
+2. Obtain explicit written consent from the Data Controller
+3. Implement appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions)
+4. Conduct a Transfer Impact Assessment as required by GDPR and Schrems II jurisprudence
+5. Document additional security measures to protect against third-country government access
+
+---
+
+## 5. Data Security and Confidentiality
+
+### 5.1 Data Secrecy
+
+The Data Processor shall maintain data secrecy in accordance with applicable Data Protection Legislation and shall take all reasonable steps to ensure that:
+
+1.
Only Data Processor personnel and Sub-Processor personnel that need access to Personal Data are given access, and only to the extent necessary to provide the Services.
+
+2. Data Processor and Sub-Processor personnel entrusted with processing Personal Data or who may have access to Personal Data are:
+ 2. Reliable and properly vetted
+ 3. Familiar with the requirements of data protection
+ 4. Subject to appropriate obligations of confidentiality and data secrecy in accordance with applicable Data Protection Legislation
+ 5. Acting in compliance with data protection obligations at all times
+
+### 5.2 Appropriate Technical and Organizational Measures
+
+Data Processor has implemented (and shall maintain and update as necessary) all appropriate technical and organizational measures to ensure:
+- The security of Personal Data
+- Processing is performed in compliance with applicable Data Protection Legislation
+- Protection against accidental or unauthorized access, alteration, destruction, damage, corruption, or loss
+- Protection against any other unauthorized or unlawful processing or disclosure ("Data Breach")
+
+Such measures shall:
+- Ensure best practice security standards
+- Be compliant with Data Protection Legislation at all times
+- Comply with the Data Controller's applicable IT security policies (where communicated to Data Processor)
+- Be regularly reviewed and updated to address evolving threats
+
+Detailed technical and organizational measures are described in Annex 2.
+
+### 5.3 Data Controller Responsibilities
+
+The Data Controller has also introduced technical and organizational measures and will continue to maintain them to protect Personal Data.
The Data Controller is responsible for:
+- Access control policy for its Users
+- Registration, de-registration, and withdrawal of access rights for Users
+- Access control for automation access codes (API Keys)
+- Registration, de-registration, and management of API credentials
+- Physical security of its own environment
+- Providing clear instructions to Data Processor regarding processing activities
+- Ensuring its Users comply with security requirements
+
+---
+
+## 6. Data Processor Assistance Obligations
+
+### 6.1 General Assistance and Cooperation
+
+The Data Processor shall provide the Data Controller with such assistance and cooperation as the Data Controller may reasonably request to enable the Data Controller to comply with obligations imposed by Data Protection Legislation in relation to Personal Data processed by the Data Processor.
+
+### 6.2 Technical and Organizational Measures Information
+
+On request of the Data Controller, the Data Processor shall promptly provide written information regarding:
+- Technical and organizational measures implemented to safeguard Personal Data
+- Current security certifications and compliance status
+- Relevant details from the most recent third-party security audits (subject to confidentiality obligations)
+
+### 6.3 Government and Regulatory Access Requests
+
+The Data Processor shall:
+
+1. Disclose full and relevant details regarding government, law enforcement, or other access protocols or controls implemented, to the extent this information is available to the Data Processor.
+
+2. Notify the Data Controller as soon as possible (and in any event within 48 hours), to the extent legally permitted, of any access request for disclosure of Personal Data by any Regulator, court, or authority of competent jurisdiction.
+
+3.
Not disclose or release any Personal Data in response to such requests served on the Data Processor without first consulting with and, to the extent legally permitted, obtaining the written consent of the Data Controller.
+
+4. Provide reasonable assistance to the Data Controller in responding to such requests.
+
+### 6.4 Instruction Impediments
+
+The Data Processor shall notify the Data Controller as soon as possible of any legal or factual circumstances preventing the Data Processor from executing any instructions of the Data Controller, and shall propose alternative solutions where feasible.
+
+### 6.5 Data Subject Rights Support
+
+The Data Processor shall:
+
+1. **Notification of Data Subject Requests**: Notify the Data Controller within five (5) business days of any request received directly from a Data Subject regarding the Processing of Personal Data, without responding to such request unless instructed by the Data Controller.
+
+2. **Support for Rights Exercise**: Provide reasonable assistance to the Data Controller in responding to Data Subject requests to exercise their rights under Data Protection Legislation, including:
+ 2. Right of access (Article 15 GDPR)
+ 3. Right to rectification (Article 16 GDPR)
+ 4. Right to erasure / "right to be forgotten" (Article 17 GDPR)
+ 5. Right to restriction of processing (Article 18 GDPR)
+ 6. Right to data portability (Article 20 GDPR)
+ 7. Right to object (Article 21 GDPR)
+ 8. Rights related to automated decision-making (Article 22 GDPR)
+
+3. **Response Timeframes**: Provide requested information or take requested actions within thirty (30) calendar days of receiving the Data Controller's instruction, unless a shorter timeframe is required by law or agreed between the parties.
+
+4. **Data Portability Format**: When supporting data portability requests, provide Personal Data in a structured, commonly used, and machine-readable format (such as JSON, CSV, or XML).
+
+**Data Controller Responsibility**: The Data Controller remains solely responsible for:
+- Verifying the identity of Data Subjects making requests
+- Determining whether a request is valid under Data Protection Legislation
+- Providing responses and decisions to Data Subjects
+- Handling any appeals or complaints from Data Subjects
+
+**Channels for Data Subject Rights Requests**:
+- Primary: Email to security contact (pieter@askeveai.com)
+- Alternative: Support helpdesk for logged-in users
+- Future: In-application functionality as the platform scales
+
+### 6.6 Data Breach Notification
+
+The Data Processor shall:
+
+1. **Immediate Notification**: Notify the Data Controller immediately upon becoming aware of any Data Breach, and in any event within twenty-four (24) hours of confirmation of the breach.
+
+2. **Detailed Information**: Provide the Data Controller, as soon as reasonably possible, with detailed information relating to the Data Breach, including (to the extent this information is readily available to the Data Processor):
+ 2. Nature of the Data Breach
+ 3. Categories and approximate number of Data Subjects concerned
+ 4. Categories and approximate number of Personal Data records concerned
+ 5. Likely consequences and adverse effects of the Data Breach
+ 6. Measures taken or proposed to address the Data Breach
+ 7. Measures taken or proposed to mitigate possible adverse effects
+ 8. Contact point for further information
+
+3. **Ongoing Updates**: Provide timely updates to the Data Controller as additional information becomes available regarding the Data Breach.
+
+4. **Cooperation**: Cooperate with the Data Controller and provide reasonable assistance in investigating and remediating the Data Breach.
+
+5. **Documentation**: Maintain documentation of all Data Breaches, including facts, effects, and remedial actions taken.
+
+**Data Controller Obligations**: The Data Controller acknowledges that under GDPR Article 33, the Data Controller (not Data Processor) is responsible for:
+- Notifying the supervisory authority (Belgian Data Protection Authority) within seventy-two (72) hours of becoming aware of a breach that poses a risk to Data Subjects
+- Notifying affected Data Subjects without undue delay if the breach poses a high risk to their rights and freedoms
+
+### 6.7 Data Protection Impact Assessments
+
+Where the Data Controller is legally required to conduct a Data Protection Impact Assessment (DPIA) regarding Processing activities performed by the Data Processor, the Data Processor shall provide reasonable assistance, including:
+- Description of Processing operations and purposes
+- Assessment of necessity and proportionality of Processing
+- Information about technical and organizational measures
+- Information about Sub-Processors and their security measures
+
+### 6.8 Consultation with Supervisory Authority
+
+If the Data Controller is required to consult with the supervisory authority under Article 36 GDPR (prior consultation), the Data Processor shall provide reasonable assistance and information as requested by the Data Controller.
+
+---
+
+## 7. Audit Rights
+
+### 7.1 Information Provision
+
+At the Data Controller's reasonable request, the Data Processor shall provide the Data Controller with all information needed to demonstrate compliance with this Data Processing Agreement and the obligations set out in Article 28 GDPR.
+
+### 7.2 Audit and Inspection Rights
+
+The Data Processor shall permit the Data Controller, or a third-party auditor acting under the Data Controller's direction, to conduct a data privacy and security audit concerning:
+- The Data Processor's data security and privacy procedures relating to the processing of Personal Data
+- Compliance with this Data Processing Agreement and Data Protection Legislation
+
+**Audit Conditions**:
+
+1.
**Frequency**: Not more than once per contract year, unless:
+ 2. Required by a supervisory authority
+ 3. Following a Data Breach
+ 4. The Data Controller has reasonable grounds to believe non-compliance has occurred
+
+2. **Notice**: The Data Controller shall provide the Data Processor with at least thirty (30) days prior written notice of intention to perform an audit.
+
+3. **Audit Plan**: The notification must include:
+ 2. Name and credentials of the auditor
+ 3. Description of the purpose and scope of the audit
+ 4. Proposed dates and duration
+ 5. Specific areas or systems to be examined
+
+4. **Auditor Restrictions**: The Data Processor may reasonably object to a third-party auditor if:
+ 2. The auditor is a competitor of the Data Processor
+ 3. The auditor has not agreed to appropriate confidentiality obligations
+ 4. The auditor does not have appropriate professional credentials
+
+5. **Minimal Disruption**: The audit shall be carried out in such a way that inconvenience and disruption to the Data Processor's operations are kept to a minimum.
+
+6. **Confidentiality**: The Data Controller shall impose sufficient confidentiality obligations on its auditors, including non-disclosure agreements covering:
+ 2. The Data Processor's confidential information
+ 3. Other customers' information
+ 4. Security vulnerabilities discovered
+
+7. **Accompaniment**: Every auditor conducting an inspection will be at all times accompanied by a dedicated employee of the Data Processor.
+
+8. **Cost**: Audits shall be conducted at the Data Controller's cost (for both internal and external costs), except where an audit reveals material non-compliance by the Data Processor.
+
+9. **Audit Report**: The Data Controller shall provide the Data Processor with a copy of any audit report and shall discuss any findings with the Data Processor before taking action.
+
+### 7.3 Alternative Compliance Evidence
+
+In lieu of an on-site audit, the Data Processor may provide:
+- Current third-party security audit reports or certifications (SOC 2, ISO 27001, etc.)
+- Completed security questionnaires
+- Evidence of Sub-Processor certifications
+- Detailed documentation of technical and organizational measures
+
+The Data Controller shall reasonably consider whether such evidence is sufficient before exercising on-site audit rights.
+
+---
+
+## 8. Data Retention and Deletion
+
+### 8.1 Retention Periods
+
+The Data Processor shall retain Personal Data only for as long as necessary to fulfill the Purposes or as required by applicable law. Specific retention periods are:
+
+**System Data - User Accounts**:
+- **Active Users**: Retained for the duration of the Tenant relationship
+- **Inactive Users**: User accounts are disabled (not deleted) to maintain audit trail integrity for change tracking and system logs
+- **Authentication Data**: Retained while user account exists
+- **Audit Trail References**: User identifiers in audit logs retained per billing/operational data retention requirements
+
+**System Data - Financial and Billing**:
+- **Invoices and Payment Records**: Seven (7) years from date of invoice (as required by Belgian Companies Code Article 6 and applicable tax law)
+- **License Agreements**: Seven (7) years after expiration or termination
+- **Usage Data Linked to Billing**: Seven (7) years (aligned with financial record retention)
+
+**Tenant Data - Content and Documents**:
+- **Active Tenant Content**: Retained while Tenant relationship is active
+- **Upon Tenant Termination**:
+ - Tenant-specific content (database schema, object storage) isolated and marked for deletion
+ - Content deleted within ninety (90) days of termination unless extended by written agreement
+ - Financial records retained per above schedule
+
+**Technical Data**:
+- **Business Event Logs**: Seven (7) years when linked to billing; ninety (90)
days for non-billing operational logs
+- **Application Logs**: Ninety (90) days for troubleshooting and security analysis
+- **Infrastructure Logs**: Seven (7) days for metrics; thirty-one (31) days for logs (as per Scaleway Cockpit default retention)
+- **Translation Cache**: Ninety (90) days (contains only static platform text translations, no user content)
+- **Security Logs**: Two (2) years for incident investigation and compliance
+
+**Note on Business Event Logs**: These logs contain only technical metrics (token counts, timing data, event types) and do not contain Personal Data. They are retained for billing verification and system performance analysis.
+
+### 8.2 Tenant Data Isolation and "Deletion"
+
+Due to the requirement to retain financial and billing records, Tenants cannot be fully deleted from the system. Instead, "tenant deletion" is implemented through:
+
+1. **Data Isolation**:
+ 2. Removal of tenant-specific database schema
+ 3. Deletion of tenant-specific object storage folder
+ 4. Removal of all tenant content and documents
+
+2. **Account Status**:
+ 2. All User accounts associated with the Tenant are disabled
+ 3. Authentication is prevented for all disabled users
+ 4. Personal details may be pseudonymized in audit trails where legally permissible
+
+3. **Retained Information** (for legal/regulatory compliance):
+ 2. Financial and billing records (7 years)
+ 3. License and usage information linked to billing
+ 4. Audit trail references (user IDs, timestamps)
+ 5. Business event logs linked to billing
+
+4. **Timeframe**: Content deletion occurs within ninety (90) days of Tenant termination request.
+
+### 8.3 Data Deletion After Processing Completion
+
+Upon termination of the Processing of Personal Data, or earlier upon written request of the Data Controller, the Data Processor shall:
+
+1. **Cease All Use**: Immediately cease all use of Personal Data
+
+2. **Delete or Return**: At the Data Controller's choice:
+ 2.
**Delete**: Securely delete all Personal Data and copies thereof
+ 3. **Return**: Return all Personal Data in a structured, commonly used, and machine-readable format
+
+3. **Certification**: Upon request, provide written certification of deletion or return
+
+4. **Exceptions**: The Data Processor may retain Personal Data to the extent:
+ 2. Required by applicable law (e.g., financial record retention)
+ 3. Necessary for audit trail integrity
+ 4. Technically infeasible to delete (provided such data is isolated and protected)
+
+5. **Deletion Method**: Deletion shall be performed using industry-standard secure deletion methods appropriate to the storage medium.
+
+### 8.4 Sub-Processor Data Deletion
+
+The Data Processor shall ensure that Sub-Processors comply with equivalent data retention and deletion obligations, and shall provide evidence of Sub-Processor deletion upon request.
+
+---
+
+## 9. Liability
+
+### 9.1 Mutual Liability
+
+Each Party shall be liable for any suffered foreseeable, direct, and personal damages ("Direct Damages") resulting from any attributable breach of its obligations under this Data Processing Agreement.
+
+### 9.2 Indemnification
+
+If one Party is held liable for a violation of its obligations hereunder, it undertakes to indemnify the non-defaulting Party for any Direct Damages resulting from any attributable breach of the defaulting Party's obligations under this Data Processing Agreement or any fault or negligence in the performance of this Data Processing Agreement.
+
+### 9.3 Exclusion of Indirect Damages
+
+Under no circumstances shall the Data Processor be liable for indirect, incidental, or consequential damages, including but not limited to:
+- Financial and commercial losses
+- Loss of profit or revenue
+- Increase of general expenses
+- Lost savings or diminished goodwill
+- Damages resulting from business interruption or interruption of operation
+- Damages resulting from claims of customers of the Data Controller
+- Disruptions of planning
+- Loss of anticipated profit or capital
+- Loss of customers or missed opportunities
+- Loss of advantages
+- Corruption and/or loss of files resulting from the performance of the Agreement
+
+### 9.4 Shared Responsibility
+
+If it appears that both the Data Controller and the Data Processor are responsible for damage caused by the processing of Personal Data, both Parties shall be liable and pay damages in accordance with their individual share in the responsibility for the damage caused by the processing, as determined by applicable law or by mutual agreement.
+
+### 9.5 Liability Cap
+
+In any event, the total aggregate liability of the Data Processor under this Agreement shall be limited to:
+- The cause of damage; AND
+- An amount that equals the total amount of fees paid by the Data Controller to the Data Processor for the delivery and performance of the Services for a period not exceeding twelve (12) months immediately prior to the cause of damages.
+
+### 9.6 Proof of Non-Responsibility
+
+In no event shall the Data Processor be held liable if the Data Processor can prove it is not responsible for the event or cause giving rise to the damage.
+
+### 9.7 GDPR Liability Provisions
+
+Nothing in this section shall limit or exclude liability to the extent such limitation or exclusion is prohibited by Data Protection Legislation, including Articles 82-84 GDPR.
+
+---
+
+## 10.
Term and Termination
+
+### 10.1 Term
+
+This Data Processing Agreement shall be valid and remain in effect for as long as the Tenant/Customer uses the Services and Ask Eve AI processes Personal Data on behalf of the Tenant/Customer.
+
+### 10.2 Survival
+
+The following provisions shall survive termination of this Agreement:
+- Data retention and deletion obligations (Section 8)
+- Liability provisions (Section 9)
+- Confidentiality obligations
+- Audit rights for the period during which Personal Data was processed
+- Any obligations required by applicable law
+
+### 10.3 Effect of Termination
+
+Upon termination of this Agreement:
+1. The Data Processor shall cease all Processing of Personal Data (except as required by Section 8)
+2. The provisions of Section 8 (Data Retention and Deletion) shall apply
+3. Sub-Processors shall be instructed to cease Processing and delete or return Personal Data as appropriate
+
+---
+
+## 11. Governing Law and Jurisdiction
+
+### 11.1 Governing Law
+
+This Data Protection Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with Belgian Law.
+
+### 11.2 Jurisdiction
+
+Any litigation relating to the conclusion, validity, interpretation, and/or performance of this Data Processing Agreement or of subsequent contracts or operations derived therefrom, as well as any other litigation concerning or related to this Data Processing Agreement, without any exception, shall be submitted to the exclusive jurisdiction of the courts of Ghent (Gent), Belgium.
+
+### 11.3 Supervisory Authority
+
+The competent supervisory authority for data protection matters is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).
+
+**Contact Details**:
+- Website: https://www.gegevensbeschermingsautoriteit.be
+- Address: Rue de la Presse 35, 1000 Brussels, Belgium
+- Email: contact@apd-gba.be
+
+---
+
+## 12.
General Provisions
+
+### 12.1 Security Contact
+
+For all matters relating to this Data Protection Agreement, including data subject rights requests, data breaches, and security inquiries, the Data Controller may contact:
+
+**Ask Eve AI Security Contact**:
+- Name: Pieter Moons
+- Email: pieter@askeveai.com
+- Role: Informal security contact (not formal Data Protection Officer)
+
+The Data Processor will respond to inquiries within five (5) business days.
+
+### 12.2 Amendment
+
+This Data Processing Agreement may only be amended by written agreement signed by authorized representatives of both Parties, except that Ask Eve AI may update:
+- The list of Sub-Processors (Annex 1) subject to the notification requirements in Section 4.7
+- The technical and organizational measures (Annex 2) to improve security, provided such changes do not materially decrease the level of protection
+
+### 12.3 Severability
+
+If any provision of this Data Processing Agreement is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired thereby.
+
+### 12.4 Entire Agreement
+
+This Data Processing Agreement, together with its Annexes and the main Services Agreement, constitutes the entire agreement between the Parties concerning the processing of Personal Data and supersedes all prior agreements, understandings, and arrangements, whether written or oral.
+
+### 12.5 Conflicts
+
+In the event of any conflict between this Data Processing Agreement and the main Services Agreement, this Data Processing Agreement shall prevail with respect to data protection matters.
+
+### 12.6 Language
+
+This Agreement is executed in English. In case of any discrepancy between language versions, the English version shall prevail.
+
+---
+
+## Annexes
+
+The following annexes form an integral part of this Data Protection Agreement:
+
+- **Annex 1**: List of Sub-Processors
+- **Annex 2**: Technical and Organizational Measures
+
+---
+
+# Annex 1: List of Sub-Processors
+
+The Data Controller hereby agrees to the following list of Sub-Processors engaged by the Data Processor for the Processing of Personal Data under the Agreement:
+
+## Current Sub-Processors
+
+| Sub-Processor | Service Provided | Location | Purpose | Personal Data Processed | Certifications |
+| ------------------------------- | ------------------------------------------------------------------ | ------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| **Scaleway SAS** | Cloud Infrastructure & Hosting | France (Paris) | Infrastructure hosting, Kubernetes orchestration, PostgreSQL database, Redis cache, Object Storage, Email delivery (TEM) | All categories of Personal Data processed through the Services | ISO/IEC 27001:2022, HDS (Health Data Hosting), GDPR compliant, pursuing SecNumCloud |
+| **Mistral AI** | AI Language Model Services | France | Large Language Model processing, natural language understanding, AI specialist functionality | Tenant Content, End User interactions, communication information (text only) | SOC 2 Type II, ISO 27001, ISO 27701, GDPR compliant |
+| **BunnyWay d.o.o. (Bunny.net)** | Content Delivery Network, Web Application Firewall, Static Storage | European Union (Slovenia) | CDN services, DDoS protection, WAF, rate limiting, static file hosting and delivery | Technical Data (IP addresses, request logs, access patterns), static content | ISO 27001, SOC 2 Type II, PCI compliant, GDPR compliant |
+| **Billit** | Payment Processing & Invoicing | Belgium | Payment processing, invoice generation and management, billing services | Tenant/Customer financial information, contact details, VAT numbers, payment data | GDPR compliant |
+
+## Sub-Processor Responsibilities
+
+Each Sub-Processor is contractually bound to:
+1. Process Personal Data only in accordance with Ask Eve AI's documented instructions
+2. Maintain appropriate technical and organizational measures
+3. Maintain confidentiality of Personal Data
+4. Assist Ask Eve AI in responding to Data Subject rights requests
+5. Notify Ask Eve AI of any Data Breaches
+6. Delete or return Personal Data upon termination
+
+## Sub-Processor Changes
+
+Ask Eve AI will notify the Data Controller at least thirty (30) days in advance of:
+- Adding a new Sub-Processor
+- Replacing an existing Sub-Processor
+- Material changes to a Sub-Processor's role or data processing activities
+
+The Data Controller may object to such changes on reasonable data protection grounds within the notice period. If Ask Eve AI cannot accommodate the objection, the Data Controller may terminate the affected Services without penalty.
+
+## Geographic Scope
+
+All Sub-Processors operate exclusively within the European Union. No Personal Data is transferred to Third Countries (countries outside the EEA without an adequacy decision).
+
+## Sub-Processor Due Diligence
+
+Ask Eve AI conducts due diligence on all Sub-Processors, including verification of:
+- Security certifications and compliance status
+- Data processing agreements
+- Technical and organizational measures
+- Data breach notification procedures
+- Geographic location of data processing and storage
+
+---
+
+# Annex 2: Technical and Organizational Measures
+
+## 1. Purpose of this Document
+
+This document contains an overview of the technical and organizational measures which are applicable by default within Ask Eve AI. The actual measures taken depend on the services provided and the specific customer context. Ask Eve AI guarantees it has for all its services and infrastructure the necessary adequate technical and organizational measures following a Data Protection Impact Assessment (DPIA) approach.
+
+These measures are designed to:
+1. Ensure the security and confidentiality of Personal Data and other data managed by Ask Eve AI
+2. Protect against any anticipated threats or hazards to the security and integrity of Personal Data and infrastructure
+3. Protect against any actual unauthorized processing, loss, use, disclosure, acquisition of, or access to any Personal Data or other business-critical information
+
+Ask Eve AI ensures that all its Sub-Processors have provided the necessary and required guarantees on the protection of Personal Data they process on Ask Eve AI's behalf.
+
+Ask Eve AI continuously monitors the effectiveness of its information safeguards and plans to organize regular compliance reviews as the organization scales.
+
+## 2. Technical and Organizational Measures
+
+Ask Eve AI has designed and implemented a multi-layered security architecture protecting its infrastructure, cloud services, and applications against cyberattacks including phishing, malware, intrusion, ransomware, and data loss/breach incidents.
+
+This architecture combines automated proactive, reactive, and forensic measures with internal awareness to create an end-to-end chain of protection. Ask Eve AI uses an intent-based approach where activities are constantly monitored and analyzed.
+
+### 2.1 General Governance and Awareness
+
+As a product company, Ask Eve AI is committed to maintaining IT infrastructure that has robust security architecture, complies with data protection policies, and provides a secure platform for operations.
+
+**Cloud-First Strategy**: Ask Eve AI has a cloud-first and cloud-native strategy and works exclusively with European vendors that are compliant with GDPR and European Data Protection Regulations.
+
+**Geographic Data Residence**: All Personal Data processing and storage occurs exclusively within the European Union. All Sub-Processors are EU-based and subject to European data protection regulations.
+
+**Third-Country Transfers**: Ask Eve AI does not transfer Personal Data to third countries. Any future third-country transfers would require:
+- Prior written notice to customers (60 days minimum)
+- Standard Contractual Clauses or other appropriate safeguards
+- Transfer Impact Assessments
+- Customer consent
+
+**IT Policies**: Ask Eve AI has IT policies applicable to any employee or service provider using Ask Eve AI platforms or infrastructure, informing users of rights, duties, and monitoring mechanisms to enforce security and data compliance.
+
+**Application Security Requirements**: Ask Eve AI has internal policies on minimum requirements before applications, platforms, or tools enter the application landscape, including:
+- Encryption requirements
+- Data Loss Prevention (DLP) requirements
+- Transparent governance and licensing requirements
+- Support contract procedures and certifications
+
+**Policy Enforcement**: Policies are enforced through endpoint security and monitoring solutions. Infractions may result in restricted access or additional legal action.
+
+### 2.2 Physical Security and Infrastructure
+
+**Data Center Security**: All infrastructure is hosted with certified cloud providers (Scaleway) in European data centers with:
+- Industry-standard physical access controls
+- 24/7 surveillance and monitoring
+- Environmental controls (fire suppression, temperature management)
+- Redundant power and network connectivity
+- ISO 27001 certified facilities
+
+**Office Security**: Ask Eve AI office locations implement:
+- Controlled physical access
+- Visitor management procedures
+- Secure storage for sensitive materials
+- Clean desk policies
+
+### 2.3 Network Security and Architecture
+
+**Private Network Architecture**:
+- Kubernetes cluster deployed in private network (Scaleway VPC)
+- Internal services (PostgreSQL, Redis) isolated within private network
+- No direct external exposure of backend infrastructure
+- Administrative access via secure port-forwarding only
+
+**Perimeter Security**:
+- All external traffic routed exclusively through Bunny.net Shield
+- Web Application Firewall (WAF) with cutting-edge threat detection
+- Advanced rate limiting to prevent abuse
+- Robust DDoS mitigation capabilities
+- No direct internet exposure of application servers
+
+**Network Segmentation**:
+- Logical separation between platform infrastructure and management systems
+- Firewall protections at infrastructure level (Scaleway)
+- Separation of development, staging, and production environments
+
+**Encryption in Transit**:
+- TLS encryption for all external communications (browser to CDN to cluster)
+- TLS 1.2 minimum, TLS 1.3 supported
+- TLS encryption for internal service communications (PostgreSQL, Redis)
+- Certificate-based authentication for database connections
+- Let's Encrypt certificates with automatic renewal
+
+### 2.4 Endpoint Security and Access Control
+
+**Endpoint Protection**:
+- All endpoints encrypted using enterprise-grade encryption
+- Anti-malware protection (CleanMyMac X on macOS devices)
+- Regular security updates and patches applied
+- macOS built-in security features enabled (XProtect, Gatekeeper, FileVault)
+
+**User Authentication and Access Control**:
+- Multi-factor authentication (MFA) enforced on all critical platforms
+- Strong password requirements via Proton Pass password manager
+- Conditional access policies limiting access to specific regions
+- Role-based access control (RBAC) principles implemented
+- Access granted on need-to-know basis
+- Production superuser access restricted to authorized founder only
+
+**Account Management**:
+- Centralized user account management
+- Regular access reviews
+- Immediate access revocation upon termination
+- Audit logging of all user activities
+
+**API Security**:
+- API key authentication for service integration
+- Credentials securely stored in Scaleway Secret Manager
+- Secrets automatically imported into Kubernetes secrets
+- No credentials stored in code or configuration files
+
+### 2.5 Application Security
+
+**Secure Development Practices**:
+- Version control through GitHub
+- GitFlow workflow for code management
+- Code review processes
+- Separation of development, test, and production environments
+
+**Security Controls**:
+- Security headers implemented across applications
+- SQL injection prevention through parameterized queries and ORM
+- Cross-Site Scripting (XSS) protection via input validation and DOM inspection
+- Input validation and sanitization for all user-supplied data
+- Standard Flask security frameworks deployed
+- OWASP Top 10 awareness and ongoing verification
+
+**Authentication and Authorization**:
+- Password hashing (bcrypt or equivalent, never plain text)
+- Secure session management
+- API authentication using API keys and JWT tokens
+- Multi-tenant architecture with strict data isolation
+
+**Data Isolation**:
+- Separate database schemas per tenant
+- Separate object storage folders per tenant
+- Middleware-enforced tenant boundary protection
+- Prevention of cross-tenant data access
+
+### 2.6 Data Protection Measures
+
+**Encryption**:
+- **In Transit**: TLS 1.2+ for all external and internal communications
+- **At Rest**: Managed by cloud provider (Scaleway) with encryption enabled
+- **Database**: PostgreSQL connections use TLS with certificate authentication
+- **Backups**: Encrypted backups stored in geographically redundant locations
+
+**Data Minimization**:
+- Privacy-by-design approach: anonymous interactions until consent obtained
+- Collection of only necessary Personal Data
+- Regular review of data collection practices
+- Pseudonymization where appropriate
+
+**Data Segregation**:
+- Logical separation between Ask Eve AI's own data, customer data, and supplier data
+- Multi-tenant architecture ensuring customer data isolation
+- Access controls preventing cross-contamination
+
+**Backup and Recovery**:
+- Automated multi-site encrypted backup process
+- Daily integrity reviews of backups
+- Managed backup services for PostgreSQL, Redis, and Object Storage
+- Regular backup restoration testing
+- Geographic redundancy for disaster recovery
+- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined
+
+**Data Retention**:
+- Defined retention policies per data category
+- Automated deletion processes where appropriate
+- Secure deletion methods for end-of-life data
+- Records of processing activities maintained
+
+### 2.7 Monitoring, Logging, and Incident Response
+
+**Centralized Logging**:
+- Scaleway Cockpit (Prometheus & Grafana) for log aggregation
+- Application logs from all containerized services
+- Infrastructure logs (PostgreSQL, Redis, Kubernetes)
+- Security event logging
+- Log retention: 7 days for infrastructure logs, 31 days for metrics
+
+**Security Monitoring**:
+- Real-time monitoring of security events
+- WAF logs accessible via Bunny.net API
+- Automated alerts for security incidents (planned implementation)
+- Business event monitoring (Prometheus, Grafana)
+- System monitoring for all infrastructure resources
+
+**Incident Response**:
+- Defined incident detection capabilities
+- Root cause analysis using system logs and monitoring data
+- Rapid patch and deployment capabilities via CI/CD
+- Access to Sub-Processor support for infrastructure-level incidents
+- Version control allowing rollback to previous stable versions
+- 24-hour customer notification target for confirmed breaches
+
+**Vulnerability Management**:
+- Regular security updates and patches
+- Quarterly review and update cycle for application dependencies
+- Container image rebuilds using latest base images
+- Planned implementation of automated vulnerability scanning (Harbor registry)
+
+### 2.8 Change Management and Development Operations
+
+**Change Control**:
+- Changes managed through YouTrack issue tracking
+- Kanban board for progress tracking
+- GitFlow workflow for all code changes
+- Official releases tagged in container registry
+- Rollback capability maintained for all deployments
+
+**Development Pipeline**:
+- Standard deployment path: Development → Test (Podman) → Staging (Kubernetes) → Production
+- Testing in non-production environments before production deployment
+- Deployment scripts for consistent, repeatable deployments
+- Release guide documentation maintained
+
+**Patch Management**:
+- Managed services automatically patched by Scaleway
+- Quarterly Python dependency updates
+- Weekly to monthly container image rebuilds
+- Critical security patches applied immediately upon notification
+- Testing of patches in non-production environments
+
+### 2.9 Email Security
+
+**Proton Mail Business**:
+- Advanced spam and phishing protection (60% more accurate than SpamAssassin)
+- PhishGuard protection against spoofing
+- Link protection displaying full URLs
+- Proton Sentinel 24/7 monitoring by security analysts
+- AI-assisted threat detection
+- Protection against account takeover
+
+**Email Authentication**:
+- SPF (Sender Policy Framework) configured
+- DKIM (DomainKeys Identified Mail) configured
+- DMARC (Domain-based Message Authentication) configured
+- All authentication protocols verified for askeveai.com domain
+
+**Encryption**:
+- End-to-end encryption for Proton-to-Proton communications
+- TLS 1.2+ encryption for external email providers
+- Zero-access encryption for stored emails
+
+### 2.10 Vendor and Sub-Processor Management
+
+**Due Diligence**:
+- Security certification verification for all Sub-Processors
+- Review of data processing agreements
+- Assessment of technical and organizational measures
+- Regular review of Sub-Processor compliance status
+
+**Contractual Safeguards**:
+- Data processing agreements with all Sub-Processors
+- Confidentiality obligations
+- Security requirements in contracts
+- Data breach notification requirements
+- Right to audit Sub-Processors
+
+**Sub-Processor Monitoring**:
+- Active monitoring of security updates from Sub-Processors
+- Review of Sub-Processor security advisories
+- Response to Sub-Processor security notifications
+
+### 2.11 Business Continuity and Disaster Recovery
+
+**Infrastructure Resilience**:
+- Kubernetes cluster with auto-scaling capabilities
+- Geographic redundancy through cloud provider
+- Managed services with built-in high availability
+
+**Backup Strategy**:
+- Automated daily backups of all critical data
+- Multi-site backup storage
+- Regular backup integrity testing
+- Documented restoration procedures
+
+**Disaster Recovery**:
+- Ability to restore services from backups
+- Container rollback capabilities
+- Cloud infrastructure redundancy
+- Recovery procedures documented
+
+### 2.12 Compliance and Certification
+
+**Current Compliance**:
+- GDPR compliant (EU-based operations)
+- Privacy Policy and Terms & Conditions published
+- Data Processing Agreement available
+
+**Sub-Processor Certifications**:
+- Scaleway: ISO/IEC 27001:2022, HDS, pursuing SecNumCloud
+- Mistral AI: SOC 2 Type II, ISO 27001, ISO 27701
+- Bunny.net: ISO 27001, SOC 2 Type II, PCI compliant
+- All Sub-Processors: GDPR compliant
+
+**Planned Enhancements**:
+- Formal security policy documentation as organization scales
+- Regular third-party security audits
+- Penetration testing program
+- Enhanced security awareness training program
+- SOC 2 Type II certification pursuit
+
+### 2.13 Data Subject Rights Support
+
+**Technical Capabilities**:
+- Ability to identify and extract Personal Data for access requests
+- Capability to rectify inaccurate Personal Data
+- Secure data deletion processes
+- Data portability export in structured formats (JSON, CSV)
+- Ability to restrict processing through account disabling
+
+**Processes**:
+- Documented procedures for handling data subject requests
+- 30-day response timeframe for standard requests
+- Email and helpdesk channels for request submission
+- Identity verification procedures
+
+### 2.14 Personnel Security
+
+**Current Practice** (2-person team):
+- Founder's 30+ years IT and security experience
+- Security-conscious architecture decisions
+- Active monitoring of security updates
+
+**Planned Enhancements** (as team scales):
+- Formal pre-employment screening
+- Professional reference checks
+- Security awareness training program
+- Confidentiality and data protection agreements
+- Structured onboarding covering security practices
+- Limited production access for new hires
+- Progressive trust model for system access
+
+### 2.15 Continuous Improvement
+
+Ask Eve AI is committed to continuously improving its security posture through:
+- Regular review and updates of security measures
+- Monitoring of evolving threat landscape
+- Implementation of new security technologies
+- Response to security advisories from vendors
+- Incorporation of security best practices
+- Planned third-party security assessments
+- Customer and partner feedback integration
+
+---
+
+**End of Data Protection Agreement**
+
+---
+
+**Execution**
+
+This Data Protection Agreement is executed between:
+
+**Data Controller**:
+[Customer/Tenant Name]
+[Address]
+Authorized Representative: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
+Date: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
+
+**Data Processor**:
+Ask Eve AI
+[Address]
+Authorized Representative: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
+Date: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
\ No newline at end of file
diff --git a/content/partner agreement/partnership_agreement_v1.md b/content/partner agreement/partnership_agreement_v1.md
new file mode 100644
index 0000000..e61e6d0
--- /dev/null
+++ b/content/partner agreement/partnership_agreement_v1.md
@@ -0,0 +1,2364 @@
+# PARTNERSHIP AGREEMENT
+
+**Ask Eve AI Platform Partnership**
+
+**Version 1.0**
+**Effective Date: [DATE]**
+
+---
+
+## PARTIES
+
+### BETWEEN
+
+**Ask Eve AI**, a trademark of Flow IT BV, with registered office at Toekomststraat 62, 9800 Deinze, Belgium, with company number BE0877.273.542, duly represented by Pieter Laroy;
+
+hereinafter called "**Ask Eve AI**";
+
+### AND
+
+**[Partner Legal Name]**, with registered office at [Address], with company number [Number], duly represented by [Name and Title];
+
+hereinafter called "**Partner**";
+
+Ask Eve AI and Partner being referred to hereinafter individually as "**Party**" and jointly as "**Parties**".
+
+---
+
+## RECITALS
+
+**WHEREAS** Ask Eve AI has developed an AI-powered conversational platform that enables the creation of business-related question-answer dialogues and AI agents (Specialists) based on customer-specific information (the "**Platform**" or "**Ask Eve AI Platform**");
+
+**WHEREAS** Partner wishes to offer services built on or integrated with the Ask Eve AI Platform to its customers within the agreed Territory and Domain(s);
+
+**WHEREAS** the Parties desire to form a partnership whereby Partner will develop and/or offer solutions using the Ask Eve AI Platform, generate business opportunities, and provide customer relationship management as specified in the applicable Annexes;
+
+**WHEREAS** the Parties wish to agree on the terms and conditions which will govern the partnership;
+
+**WHEREAS** this Agreement prevails over any terms issued by the Partner, even if Ask Eve AI did not expressly protest against such terms, and shall supersede and take precedence over purchase orders and general terms and conditions of the Partner or any other written or oral communications between the Parties unless explicitly agreed otherwise in writing;
+
+**WHEREAS** in the event of any conflict between the general provisions of this Agreement and the specific provisions of Annexes or Addenda, the provisions of Annexes and Addenda shall take precedence;
+
+**NOW, THEREFORE**, in consideration of the mutual covenants and agreements set forth herein, the Parties agree as follows:
+
+---
+
+# ARTICLE 1: DEFINITIONS
+
+**"Additional Fees"** means fees charged to Customer on top of Basic Fees when effective usage of the Platform exceeds the usage limits covered by the Basic Fee for the applicable billing period.
+
+**"Addendum"** or **"Addenda"** means partner-specific commercial terms, pricing schedules, IP transfer arrangements, and custom provisions that supplement this Agreement for a specific Partner, attached as separately executed documents.
+
+**"Affiliate"** means, with respect to Ask Eve AI or Partner, any person or entity that controls, is controlled by, or is under common control with such Party, where "control" means ownership of fifty percent (50%) or more of the outstanding votes.
+
+**"Agreement"** means this Partnership Agreement, together with all Annexes, Addenda, and Exhibits attached hereto or executed separately and referenced herein.
+
+**"Basic Fees"** means the prepaid monthly or annual subscription fees paid by Customer for base platform access, covering specified usage limits for the billing period.
+
+**"Catalog"** means a structured collection of domain knowledge, information, and content provided by a Knowledge Partner and made available through the Ask Eve AI Platform.
+
+**"Confidential Information"** has the meaning set forth in Article 13.
+
+**"Customer"** means any end-user or end-customer of the Platform and Services who accesses such Services through Partner's offering or directly contracts with Ask Eve AI for Services.
+
+**"Data Protection Agreement"** or **"DPA"** means Ask Eve AI's standard Data Protection Agreement governing the processing of Personal Data, incorporated by reference as Exhibit B.
+
+**"Domain"** means the specific industry, business function, or subject matter area in which Partner is authorized to offer Platform-based services (e.g., HR/Recruitment, Legal, Healthcare, Finance).
+
+**"Expert Partner"** means a Partner authorized under Annex 2 to co-develop AI Specialists with Ask Eve AI.
+
+**"Knowledge Partner"** means a Partner authorized under Annex 1 to provide domain knowledge through Catalogs on the Platform.
+
+**"Management Partner"** means a Partner authorized under Annex 3 to manage customer relationships and act as the primary point of contact for Customers.
+
+**"Partner Services"** means the collection of all services and applications built by Partner on top of the Ask Eve AI Platform and offered to Partner's Customers.
+
+**"Personal Data"** has the meaning set out in the Data Protection Legislation as defined in the DPA.
+
+**"Platform"** or **"Ask Eve AI Platform"** means the Ask Eve AI software platform, including all software components, AI models, infrastructure, and services provided by Ask Eve AI.
+
+**"Prospect"** means a prospective Customer from either Partner or Ask Eve AI.
+
+**"Services"** means the Ask Eve AI Platform services, including hosting, AI processing, data storage, and all related functionality provided to Customers.
+
+**"Specialist"** or **"AI Specialist"** means an AI agent or virtual assistant configured on the Ask Eve AI Platform to perform specific business functions using AI and machine learning.
+
+**"Tenant"** means an organizational account on the Ask Eve AI Platform representing a Customer, with associated users, data, and configurations.
+
+**"Terms of Service"** or **"T&Cs"** means Ask Eve AI's standard Terms of Service governing use of the Platform, incorporated by reference as Exhibit D.
+
+**"Territory"** means the specific geographic region in which Partner is authorized to offer Platform-based services (e.g., Belgium, European Union, EMEA).
+
+---
+
+# ARTICLE 2: PARTNERSHIP SCOPE
+
+## 2.1 Territory, Domain, and Partner Type
+
+Ask Eve AI appoints Partner, and Partner accepts appointment, as a non-exclusive partner of Ask Eve AI for the purpose of offering Platform-based services to Customers, subject to the following scope:
+
+**Territory:** [To be specified in Addendum - e.g., Belgium, EU, Benelux, EMEA]
+
+**Domain(s):** [To be specified in Addendum - e.g., HR/Recruitment, Legal Services, Healthcare]
+
+**Partner Type(s):** [Select applicable - may be multiple]
+- ☐ Knowledge Partner (Annex 1 applies)
+- ☐ Expert Partner (Annex 2 applies)
+- ☐ Management Partner (Annex 3 applies)
+
+## 2.2 Non-Exclusivity
+
+This partnership is non-exclusive. The Parties acknowledge and agree that:
+
+(a) **Multiple Partners:** Ask Eve AI may appoint multiple partners within the same Territory and/or Domain.
+
+(b) **Direct Sales:** Ask Eve AI reserves the right to serve Customers directly within Partner's Territory and Domain.
+
+(c) **Customer Choice:** Customers may access and use:
+- Knowledge and Specialists from Partners in different Domains
+- Services from multiple Partners simultaneously
+- Ask Eve AI's Platform directly without Partner involvement
+
+(d) **Partner Competition:** Partner may offer services in territories or domains outside those specified in Section 2.1, subject to the restrictions in Article 3.
+
+## 2.3 Independent Contractor Relationship
+
+(a) The Parties are independent contractors and not related to each other financially or legally, except as expressly agreed in this Agreement.
+
+(b) Neither Party shall have the ability to enter into agreements in the name and for the account of the other Party or bind the other Party with respect to third parties, unless expressly authorized in writing.
+
+(c) This Agreement does not create a partnership, joint venture, franchise, employment relationship, or agency of any kind between the Parties.
+ +(d) This Agreement is not subject to the application of: +- The Commercial Agency Act of 13 April 1995 (as included in the Economic Law Code, Book X, Title I) +- The Act on unilateral termination of concessions of exclusive sale granted for an indefinite period dated 27 July 1961 + +These laws are expressly excluded in view of the independent contractor relationship between the Parties. + +--- + +# ARTICLE 3: PARTNER OBLIGATIONS + +## 3.1 General Obligations + +Partner shall, at all times during the Term: + +(a) **GDPR Compliance:** +- Comply with all applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Belgian Data Protection Act +- Obtain all necessary consents, authorizations, and legal bases required to process Personal Data through the Platform +- Ensure end users are properly informed about data processing activities +- Provide appropriate privacy notices to data subjects +- Maintain records of processing activities as required by GDPR Article 30 + +(b) **Customer Relationship Management:** +- Act as primary point of contact for all Customers acquired through this Partnership +- Provide first-line and second-line helpdesk support to Customers +- Escalate third-line technical issues to Ask Eve AI in accordance with support procedures +- Not permit Customers to contact Ask Eve AI directly for support without Partner involvement, except as agreed in writing + +(c) **Marketing and Brand Compliance:** +- Use Ask Eve AI trademarks and marketing materials only in accordance with Ask Eve AI's brand guidelines (when published) +- Submit marketing materials featuring Ask Eve AI functionality to Ask Eve AI for review before publication +- Identify Ask Eve AI as the underlying Platform provider when white-labeling services +- Use Ask Eve AI's platform identification logo (to be provided) in all customer-facing materials +- Not suggest that Ask Eve AI endorses Partner's specific offerings unless expressly agreed + +(d) 
**Testing and Quality Assurance:** +- Thoroughly test all Partner Services before offering to Customers +- Validate that outputs from AI Specialists and Catalogs are appropriate for intended use cases +- Implement human review processes for critical customer-facing outputs +- Monitor and refine Partner Services based on customer feedback and performance data + +(e) **Accurate Information:** +- Provide accurate and complete information about Customers to Ask Eve AI +- Notify Ask Eve AI within ten (10) business days of any material changes to Customer information +- Maintain current contact details and billing information for all managed Customers + +(f) **Good Faith and Reputation:** +- Act in good faith at all times in the partnership +- Not bring Ask Eve AI into disrepute through actions, statements, or business practices +- Represent Ask Eve AI's capabilities accurately and not make unauthorized representations + +## 3.2 Security Requirements + +Partner warrants that it has implemented and will maintain technical and organizational measures to ensure security of Personal Data, including: + +(a) **Access Controls:** +- Strong password policies for all user accounts +- Multi-factor authentication on critical systems (where available) +- Role-based access control limiting access to necessary personnel only +- Immediate revocation of access for departed personnel +- Secure management of API keys and authentication credentials + +(b) **Data Protection:** +- Encryption of data in transit (TLS 1.2 minimum) +- Secure storage of credentials and API keys +- Regular backup procedures for critical data +- Secure deletion procedures for end-of-life data + +(c) **Security Awareness:** +- Personnel training on data protection and security best practices +- Awareness of common threats (phishing, social engineering, malware) +- Documented incident reporting procedures + +(d) **Operational Security:** +- Regular software updates and security patching +- Malware protection on 
endpoints (as applicable) +- Monitoring for security incidents +- Documented incident response procedures + +(e) **Compliance Verification:** +- Partner shall not implement security measures that conflict with Ask Eve AI's security requirements +- Partner shall cooperate with Ask Eve AI security audits as reasonable +- Partner shall notify Ask Eve AI of any material changes to security posture + +Partner acknowledges that failure to maintain adequate security measures may result in immediate suspension of access to the Platform pursuant to Article 4.7. + +## 3.3 Testing and Validation Obligations + +Partner acknowledges and warrants that: + +(a) **Pre-Deployment Testing:** Partner has thoroughly tested all Partner Services, including AI Specialists, Catalogs, and integrations, before making them available to Customers. + +(b) **Output Validation:** Partner understands that AI-generated outputs from the Platform: +- May not always be accurate and should not be relied upon as the sole source of truth +- Must be evaluated for accuracy and appropriateness for the specific use case +- Require human review as appropriate before use in critical applications +- Must not be used for decisions with legal or material impact on individuals without appropriate human oversight + +(c) **Customer Education:** Partner shall inform Customers about: +- The limitations of AI-generated outputs +- The need for human review and validation +- Appropriate use cases and restrictions +- The probabilistic nature of AI systems + +(d) **Ongoing Monitoring:** Partner shall: +- Monitor performance and accuracy of Partner Services +- Collect and act upon customer feedback +- Implement improvements and corrections as needed +- Report significant issues or patterns to Ask Eve AI + +## 3.4 Non-Solicitation of Personnel + +(a) **Restriction Period:** During the Term and for twelve (12) months thereafter, neither Party shall, without the prior written consent of the other Party, directly solicit for 
employment or engagement any employee, contractor, or consultant of the other Party who:
+- Was engaged in activities related to this Partnership; AND
+- Had material access to the other Party's Confidential Information; AND
+- Performed services under this Agreement in the 12 months prior to solicitation
+
+(b) **Permitted Activities:** This restriction does NOT apply to:
+- General job advertisements not specifically targeted at the other Party's personnel
+- Recruitment through third-party recruiters operating independently
+- Individuals who independently apply without solicitation
+- Personnel who had already left the other Party's employment before solicitation (if termination was not encouraged by the soliciting Party)
+- Personnel employed by the other Party before this Agreement commenced
+
+(c) **Remedies:** If a Party violates this provision, the non-breaching Party may seek:
+- Injunctive relief (immediate court order to stop the violation)
+- Compensation equal to twelve (12) months' salary of the solicited person; OR
+- Actual damages, whichever is greater
+
+## 3.5 Non-Compete and Non-Solicitation
+
+### (a) During Term
+
+Partner shall not, directly or indirectly through Affiliates:
+
+(i) Develop, market, distribute, or resell any AI-powered conversational platform that competes with the Ask Eve AI Platform in the Territory and Domain(s) specified in Section 2.1;
+
+(ii) Encourage or assist any third party to develop a competing platform using Confidential Information or proprietary methodologies obtained from Ask Eve AI;
+
+(iii) Represent to Customers or Prospects that any third-party solution is equivalent to or superior to Ask Eve AI without objective comparison data.
+
+### (b) Post-Termination Customer Non-Solicitation (18 Months)
+
+For eighteen (18) months following termination of this Agreement, Partner shall not:
+
+(i) Directly solicit any Customer acquired through this Partnership to migrate to a competing AI conversational platform;
+
+(ii) Offer discounts or incentives to Customers specifically conditioned on discontinuing use of the Ask Eve AI Platform;
+
+(iii) Disparage Ask Eve AI or the Platform to Customers for competitive purposes.
+
+**This restriction does NOT prohibit:**
+- General marketing activities not targeted at Ask Eve AI Customers
+- Responding to unsolicited inquiries from former Customers
+- Competing for new customers not acquired through this Partnership
+
+### (c) Post-Termination Technology Restrictions (12 Months)
+
+For twelve (12) months following termination, Partner shall not use Ask Eve AI's proprietary methodologies, algorithms, or architectural approaches disclosed under this Agreement to develop a competing conversational AI platform.
+
+**This restriction does NOT prohibit:**
+- Using general AI/ML knowledge and publicly available techniques
+- Developing AI solutions in different domains or use cases
+- Using different technology stacks or approaches
+- Partnering with other AI platform providers
+
+### (d) Permitted Activities (No Restriction)
+
+The following activities are explicitly PERMITTED at all times:
+
+(i) **Individual employees or advisors of Partner:**
+- Joining Ask Eve AI as employees
+- Developing AI Specialists on the Ask Eve AI Platform (even in new domains)
+- Developing AI solutions on other platforms after leaving Partner
+- Using general AI expertise in new roles
+
+(ii) **Partner entity:**
+- Developing additional AI Specialists on the Ask Eve AI Platform
+- Offering complementary services (consulting, integration, training)
+- Partnering with non-competing AI providers
+- Competing in markets outside Territory/Domain after restrictions expire
+
+### (e) Geographic and Domain Scope
+
+All restrictions in this Section 3.5 apply ONLY to:
+- **Territory:** As defined in Section 2.1
+- **Domain(s):** As defined in Section 2.1
+- **Customer Type:** Customers acquired through this Partnership
+
+Partner may freely compete in other territories, domains, or for customers not connected to this Partnership.
+
+### (f) Survival and Enforceability
+
+- Section 3.5(a) survives only during the Term
+- Sections 3.5(b) and (c) survive for the stated periods after termination
+- All other provisions of this Section 3.5 survive termination
+
+If any provision of this Section 3.5 is held unenforceable, the remaining provisions remain in effect, and the unenforceable provision shall be reformed to the maximum extent enforceable under applicable law.
+
+---
+
+# ARTICLE 4: Ask Eve AI OBLIGATIONS
+
+## 4.1 Platform Access
+
+Ask Eve AI shall provide Partner with access to the Ask Eve AI Platform in accordance with the terms of this Agreement and applicable Annexes, including:
+
+(a) Access to the administrative console for Partner's authorized users
+(b) Ability to create and manage Tenant accounts for Customers
+(c) Access to Platform features and functionality as specified in applicable Annexes
+(d) API access as needed and agreed (subject to separate API terms if applicable)
+
+## 4.2 Partner Portal
+
+Ask Eve AI will provide Partner with access to a partner portal (when available) to facilitate:
+
+(a) Communication and documentation
+(b) Customer order registration and management
+(c) Usage reporting and billing information
+(d) Support ticket management
+(e) Marketing materials and resources
+
+## 4.3 Marketing Support
+
+Ask Eve AI may, at its sole discretion, provide Partner with:
+
+(a) Marketing collateral and materials
+(b) Product information and documentation
+(c) Demo environments and training materials
+(d) Co-marketing opportunities
+
+Ask Eve AI reserves the right to modify, update, or discontinue any marketing support at any time with reasonable notice to Partner.
+
+## 4.4 Third-Line Support
+
+Ask Eve AI will provide third-line technical support to Partner for:
+
+(a) Platform infrastructure and availability issues
+(b) Complex technical issues escalated by Partner
+(c) Platform bugs and defects
+(d) Feature requests and enhancement discussions
+
+**Support Terms:**
+- Support is provided to Partner, not directly to Partner's Customers
+- Support requests must be submitted through designated channels
+- Response times are subject to Ask Eve AI's standard support SLAs
+- Ask Eve AI is not responsible for Partner Services or Partner-created content
+
+## 4.5 Professional Services
+
+Partner may request Ask Eve AI to provide professional services relating to use of the Platform, either:
+
+(a) Directly to Customer (at Customer's expense); OR
+(b) As a subcontractor to Partner (with Ask Eve AI's prior written consent)
+
+All professional services are subject to:
+- Availability of Ask Eve AI resources
+- Separate statements of work or service agreements
+- Ask Eve AI's then-current professional services rates
+- Mutual written agreement before commencement
+
+## 4.6 Platform Modifications
+
+Ask Eve AI may modify any provisions of Platform features, pricing (Exhibit A), or service terms upon not less than thirty (30) days' prior written notice to Partner.
+
+If modifications adversely affect Partner's operations relative to marketing and delivery of Partner Services, Partner may terminate this Agreement pursuant to Article 14.2, provided that Ask Eve AI shall honor existing pricing and terms for active Customer contracts for ninety (90) days following the modification notice.
+
+## 4.7 Service Suspension Rights
+
+Ask Eve AI reserves the right to suspend or terminate Partner's or Customer's access to the Platform immediately without prior notice if:
+
+(a) Basic Fees or platform usage fees are not paid when due
+(b) Partner or Customer breaches the Terms of Service or this Agreement
+(c) Partner or Customer's use of the Platform:
+- Violates applicable laws or regulations
+- Infringes third-party intellectual property rights
+- Poses security risks to the Platform or other users
+- Involves prohibited content or activities (as defined in Terms of Service)
+
+(d) Partner or Customer becomes insolvent or files for bankruptcy
+(e) Ask Eve AI must suspend services to comply with applicable law or court order
+
+Upon suspension, Ask Eve AI will notify Partner and provide opportunity to remedy the cause of suspension, except where immediate suspension is required for legal or security reasons.
+
+---
+
+# ARTICLE 5: INTELLECTUAL PROPERTY
+
+## 5.1 Ask Eve AI Platform IP
+
+Ask Eve AI retains and shall be the sole owner of all right, title, and interest in and to:
+
+(a) The Ask Eve AI Platform, including:
+- All software, code, algorithms, and AI models
+- Platform infrastructure and architecture
+- Core functionality and features
+- User interfaces and design elements
+
+(b) All improvements, enhancements, modifications, or derivative works to the Platform, regardless of who suggests or requests such changes
+
+(c) All Intellectual Property Rights related to the foregoing
+
+**"Intellectual Property Rights"** means current and future worldwide rights under patent, copyright, trade secret, trademark, moral rights, database rights, and other similar proprietary rights.
+
+**Clarification:** This Section 5.1 applies to the Platform itself. Ownership of Partner-created content (Catalogs, Specialist configurations, etc.) is governed by applicable Annexes and Addenda.
+
+## 5.2 Partner Content and Services
+
+### (a) General Principle
+
+Subject to the specific provisions in Annexes and Addenda:
+
+(i) **Partner retains ownership** of:
+- Original content created by Partner (Catalog information, training materials, etc.)
+- Partner's trademarks, logos, and brand materials
+- Partner's business processes and methodologies
+- Customer data provided by Partner's Customers
+
+(ii) **Ask Eve AI retains ownership** of:
+- All Platform code and infrastructure
+- AI models and training methodologies
+- Platform-specific functionality
+- Core Specialist framework and architecture
+
+### (b) License Grants
+
+Partner grants Ask Eve AI a non-exclusive, royalty-free, worldwide license to:
+- Host and operate Partner's Catalogs and Specialists on the Platform
+- Use Partner content as necessary to provide Services to Customers
+- Display Partner's trademarks in connection with Partner Services
+- Create derivative works as necessary to integrate with Platform functionality
+
+Ask Eve AI grants Partner a non-exclusive, non-transferable, non-sublicensable license to:
+- Access and use the Platform during the Term
+- Use Ask Eve AI trademarks in accordance with Article 5.4
+- Distribute Ask Eve AI marketing materials to Prospects and Customers
+
+### (c) Specialist and Catalog IP
+
+Specific ownership and IP transfer arrangements for:
+- Knowledge Partner Catalogs: See Annex 1
+- Expert Partner Specialists: See Annex 2 and applicable Addenda
+- Co-developed solutions: As specified in applicable Addenda
+
+## 5.3 Restrictions on Use
+
+Partner shall not:
+
+(a) Remove, alter, or obscure any identification, proprietary, copyright, or other notices in the Platform, documentation, or Services
+
+(b) Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code or algorithms of the Platform, except as expressly permitted by applicable law
+
+(c) Modify, adapt, translate, or create derivative works from the Platform without
Ask Eve AI's express written consent
+
+(d) Merge or combine the Platform with other software not expressly approved in writing by Ask Eve AI
+
+(e) Reproduce, distribute, perform, display, or sublicense the Platform, except as expressly permitted in this Agreement
+
+(f) Use the Platform to develop a competing product or service
+
+(g) Represent that outputs were human-generated when they were AI-generated
+
+Any attempt to violate these restrictions constitutes an infringement of Ask Eve AI's intellectual property rights and grounds for immediate termination pursuant to Article 14.3.
+
+## 5.4 Trademark License
+
+During the Term, Ask Eve AI grants to Partner, and Partner accepts, a non-transferable, non-exclusive license within the Territory to:
+
+(a) **Use Ask Eve AI Trademarks** for:
+- Marketing Partner Services to Prospects and Customers
+- Identifying Ask Eve AI as the underlying Platform provider
+- Co-marketing activities approved by Ask Eve AI
+
+(b) **Display Marketing Materials:**
+- Reproduce, distribute, and display Ask Eve AI marketing information
+- Use approved product screenshots and descriptions
+- Reference Ask Eve AI in case studies and testimonials (with prior approval)
+
+**Usage Requirements:**
+- All trademark use must comply with Ask Eve AI's brand guidelines (when published)
+- Partner must display Ask Eve AI's platform identification logo when white-labeling
+- Partner may not modify Ask Eve AI trademarks
+- Partner may not register any trademarks confusingly similar to Ask Eve AI marks
+
+**Termination of License:**
+- Upon termination of this Agreement, Partner shall immediately cease all use of Ask Eve AI trademarks
+- Partner shall remove Ask Eve AI trademarks from all materials within thirty (30) days
+
+## 5.5 IP Infringement Notification
+
+(a) **Partner's Obligation:** Partner shall immediately notify Ask Eve AI if Partner discovers any:
+- Misappropriation of Ask Eve AI's intellectual property
+- Infringement of Ask Eve AI's
patents, copyrights, or trademarks
+- Misuse of Ask Eve AI's confidential information
+- Unauthorized use of the Platform
+
+(b) **Cooperation:** At Ask Eve AI's request, Partner shall assist Ask Eve AI, at Ask Eve AI's reasonable expense, to:
+- Enforce Ask Eve AI's intellectual property rights
+- Investigate infringement or misappropriation
+- Take steps to cease unauthorized use
+
+(c) **Ask Eve AI's Rights:** Ask Eve AI retains sole discretion to:
+- Pursue or not pursue enforcement actions
+- Settle or litigate IP disputes
+- Control strategy and decisions in IP matters
+
+---
+
+# ARTICLE 6: DATA PROTECTION AND GDPR COMPLIANCE
+
+## 6.1 Data Processing Roles
+
+### (a) Standard Processing Relationship
+
+In the standard relationship where Partner has a direct relationship with Customers:
+
+- **Customer (Tenant):** Acts as Data Controller
+- **Partner:** May act as Data Controller or Data Processor depending on the nature of services provided
+- **Ask Eve AI:** Acts as Data Processor on behalf of Customer
+
+### (b) Management Services Relationship
+
+When Partner provides Management Services and acts on behalf of a third-party customer:
+
+- **Third-Party Customer:** Acts as Data Controller
+- **Partner:** Acts as Data Processor on behalf of third-party customer
+- **Ask Eve AI:** Acts as Sub-Processor
+
+Partner must ensure that:
+- Partner has executed a Data Processing Agreement with the third-party customer
+- Partner flows down DPA obligations to Ask Eve AI
+- Partner has authority to bind the third-party customer to Ask Eve AI's Terms of Service
+
+## 6.2 Partner GDPR Warranties and Compliance
+
+Partner warrants, represents, and undertakes that:
+
+(a) **Legal Compliance:** Partner complies and shall continue to comply with:
+- The General Data Protection Regulation (GDPR) 2016/679
+- The Belgian Data Protection Act of 30 July 2018
+- All applicable national data protection laws in the Territory
+- Any amendments or updates to the foregoing
+
+(b)
**Lawful Basis:** Partner has and shall maintain appropriate lawful bases under GDPR Article 6 for all Personal Data processing through the Platform, including:
+- Valid consent where required
+- Contractual necessity where applicable
+- Legitimate interests where appropriate
+- Legal obligations where mandated
+
+(c) **Data Subject Rights:** Partner shall:
+- Implement processes to respond to data subject rights requests within GDPR timeframes
+- Maintain appropriate privacy notices for data subjects
+- Honor data subject requests for access, rectification, erasure, restriction, portability, and objection
+- Cooperate with Ask Eve AI in facilitating data subject rights (as detailed in DPA)
+
+(d) **Data Minimization:** Partner shall:
+- Process only Personal Data necessary for the specified purposes
+- Not process excessive or irrelevant Personal Data through the Platform
+- Implement appropriate retention and deletion policies
+
+(e) **Technical and Organizational Measures:** Partner shall implement and maintain appropriate technical and organizational measures as specified in Article 3.2.
+
+(f) **Records of Processing:** Partner shall maintain records of processing activities as required by GDPR Article 30.
+
+(g) **Data Protection Impact Assessments:** Where required by GDPR Article 35, Partner shall conduct Data Protection Impact Assessments before processing Personal Data through high-risk Platform features.
+
+## 6.3 Data Breach Notification
+
+### (a) Notification Timing
+
+**Partner to Ask Eve AI:** Partner shall notify Ask Eve AI within twenty-four (24) hours of becoming aware of any Data Breach affecting Personal Data processed through the Platform.
+
+**Ask Eve AI to Partner:** Ask Eve AI shall notify Partner within twenty-four (24) hours of becoming aware of any Data Breach.
+
+### (b) Notification Content
+
+Notifications shall include, to the extent information is readily available:
+- Nature of the Data Breach
+- Categories and approximate number of data subjects affected
+- Categories and approximate number of Personal Data records affected
+- Likely consequences and adverse effects
+- Measures taken or proposed to address the breach
+- Measures taken or proposed to mitigate adverse effects
+- Contact point for further information
+
+### (c) Ongoing Updates
+
+The Party discovering the breach shall provide timely updates as additional information becomes available.
+
+### (d) Supervisory Authority Notification
+
+**Data Controller Responsibility:** The Party acting as Data Controller is responsible for:
+- Notifying the supervisory authority (Belgian Data Protection Authority) within seventy-two (72) hours of becoming aware of a breach that poses a risk to data subjects (GDPR Article 33)
+- Notifying affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms (GDPR Article 34)
+
+**Data Processor Assistance:** The Party acting as Data Processor shall provide reasonable assistance to the Data Controller in meeting these obligations.
+
+### (e) Cooperation
+
+Parties shall:
+- Cooperate in investigating and remediating breaches
+- Share information necessary for regulatory notifications
+- Coordinate communications with affected parties
+- Implement corrective measures to prevent recurrence
+
+## 6.4 DPA Flow-Down Requirements
+
+### (a) Customer DPA Execution
+
+When Partner acts as a Management Partner:
+
+(i) Partner must ensure each Customer signs Ask Eve AI's Data Protection Agreement before platform access is granted
+
+(ii) Partner must provide Ask Eve AI with executed copies of Customer DPAs within fifteen (15) days of Customer onboarding
+
+(iii) Partner warrants that it has authority to bind Customer to the DPA on behalf of the Customer
+
+### (b) Partner's Own DPA
+
+When Partner acts as Data Processor (Management Services scenario):
+
+(i) Partner must have its own executed Data Processing Agreement with the third-party customer (Data Controller)
+
+(ii) Partner's DPA with the customer must include provisions allowing Partner to engage Ask Eve AI as Sub-Processor
+
+(iii) Partner shall flow down to Ask Eve AI the data protection obligations required by the customer, provided such obligations are not materially more burdensome than those in Ask Eve AI's standard DPA
+
+### (c) Sub-Processor Approval
+
+By executing this Agreement, Customer (through Partner) provides general authorization for Ask Eve AI to engage the Sub-Processors listed in the DPA (Exhibit B, Annex 1).
+
+Ask Eve AI shall notify Partner at least thirty (30) days in advance of:
+- Adding new Sub-Processors
+- Replacing existing Sub-Processors
+- Material changes to Sub-Processor roles
+
+Partner (on behalf of Customer) may object to such changes on reasonable data protection grounds within the notice period.
+
+## 6.5 Partner Indemnification for GDPR Violations
+
+### (a) Scope of Indemnification
+
+Partner shall indemnify, defend, and hold Ask Eve AI harmless from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or related to:
+
+(i) Partner's failure to comply with GDPR or other applicable data protection laws
+
+(ii) Partner's failure to obtain appropriate consent or legal basis for processing Personal Data
+
+(iii) Partner's failure to provide adequate privacy notices to data subjects
+
+(iv) Partner's improper handling of data subject rights requests
+
+(v) Partner's data breach caused by Partner's failure to implement appropriate security measures
+
+(vi) Partner's processing of Personal Data outside the scope authorized by data subjects or required by law
+
+(vii) Claims by data subjects, supervisory authorities, or other third parties arising from Partner's data protection violations
+
+### (b) Exclusions
+
+Partner is not obligated to indemnify Ask Eve AI to the extent the claim arises from:
+- Ask Eve AI's failure to implement security measures required by the DPA
+- Ask Eve AI's unauthorized processing of Personal Data beyond Partner's instructions
+- Ask Eve AI's data breach caused solely by Ask Eve AI's security failures
+
+### (c) Cooperation
+
+Partner shall cooperate with Ask Eve AI in defending against any claims subject to this indemnification, including:
+- Providing timely information and documentation
+- Making personnel available for depositions or testimony
+- Participating in settlement negotiations as requested
+
+---
+
+# ARTICLE 7: PARTNER CONTENT LIABILITY AND INDEMNIFICATION
+
+## 7.1 Knowledge Partner Content Responsibility
+
+Where Partner provides domain knowledge through Catalogs (Annex 1), Partner acknowledges and agrees that Partner is solely responsible for:
+
+(a) **Accuracy and Completeness:**
+- The accuracy, completeness, and currency of all information in
Catalogs
+- Regular review and updates to maintain accuracy
+- Corrections of errors or outdated information
+- Quality control of content before publication
+
+(b) **Legal Compliance:**
+- Ensuring all Catalog content complies with applicable laws and regulations
+- Not including illegal, defamatory, or infringing content
+- Respecting intellectual property rights of third parties
+- Obtaining necessary licenses for content used
+
+(c) **Rights and Licenses:**
+- Obtaining all necessary rights and licenses for content provided
+- Warranting that Partner has authority to grant Ask Eve AI the license in Article 5.2(b)
+- Not infringing any third-party copyrights, trademarks, or other IP rights
+
+(d) **Customer Reliance:**
+- Understanding that Customers may rely on Catalog information
+- Implementing appropriate disclaimers where necessary
+- Clearly identifying opinions versus facts
+- Distinguishing between current and historical information
+
+## 7.2 Expert Partner Specialist Responsibility
+
+Where Partner co-develops AI Specialists with Ask Eve AI (Annex 2), Partner acknowledges and agrees that Partner is solely responsible for:
+
+(a) **Accuracy of Configurations:**
+- The accuracy and appropriateness of AI Specialist prompts, instructions, and configurations
+- Logic and workflows defined for Specialists
+- Expected behaviors and outputs from Specialists
+- Domain-specific knowledge provided to train Specialists
+
+(b) **Testing and Validation:**
+- Thorough testing of all Specialist functionality before deployment to Customers
+- Validation that Specialist outputs meet intended purposes
+- Testing edge cases and error scenarios
+- Regression testing after updates or modifications
+
+(c) **Ongoing Monitoring:**
+- Monitoring Specialist performance in production
+- Collecting and analyzing customer feedback
+- Identifying and addressing accuracy issues
+- Refining configurations based on real-world usage
+
+(d) **Documentation:**
+- Providing clear
documentation of Specialist capabilities and limitations
+- Documenting appropriate use cases and restrictions
+- Maintaining change logs for Specialist versions
+- Creating user guides for Customers
+
+## 7.3 Ask Eve AI's Role and Disclaimers
+
+(a) **Platform Provider Only:** Ask Eve AI provides the Platform infrastructure, AI models, and hosting services, but makes no warranties regarding:
+- The accuracy, completeness, or appropriateness of Partner-provided content
+- The suitability of Partner Services for any particular purpose
+- The outputs generated by Partner-configured Specialists
+- The reliability of Partner-maintained Catalogs
+
+(b) **No Content Liability:** Ask Eve AI is not responsible for:
+- Errors, omissions, or inaccuracies in Partner content
+- Customer decisions based on Partner content
+- Harm resulting from incorrect or misleading Partner content
+- Partner's failure to update or maintain content
+
+(c) **AI Output Limitations:** Partner acknowledges that:
+- AI outputs are probabilistic and may not always be accurate
+- Platform AI models are general-purpose and not customized for specific domains
+- Partner is responsible for domain-specific accuracy and validation
+- Ask Eve AI does not verify or validate Partner-provided knowledge
+
+## 7.4 Partner Indemnification for Content
+
+Partner shall indemnify, defend, and hold Ask Eve AI harmless from and against any and all third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or related to:
+
+(a) **Inaccurate or Misleading Content:**
+- Errors, omissions, or inaccuracies in Partner-provided Catalogs
+- Outdated or obsolete information not properly updated
+- Misleading statements or representations in Partner content
+- Factual errors that cause harm to Customers or third parties
+
+(b) **Specialist Defects:**
+- Errors, bugs, or defects in Partner-configured Specialists
+- Inappropriate outputs from Partner-designed Specialists
+- Specialist failures due to inadequate testing by Partner
+- Logic errors in Specialist workflows or decision trees
+
+(c) **Intellectual Property Infringement:**
+- Use of copyrighted material without permission in Catalogs
+- Infringement of third-party trademarks in Partner content
+- Violation of third-party patents through Specialist functionality
+- Misappropriation of trade secrets in Partner Services
+
+(d) **Legal and Regulatory Violations:**
+- Partner content that violates applicable laws or regulations
+- Provision of unlicensed professional advice (legal, medical, financial)
+- Failure to comply with industry-specific regulations
+- Privacy violations in content collection or use
+
+(e) **Customer Reliance:**
+- Customer claims arising from reliance on inaccurate Partner content
+- Damages suffered by Customers due to Partner content errors
+- Financial losses from decisions based on Partner-provided information
+- Harm to Customer reputation from Partner Service failures
+
+(f) **Third-Party Claims:**
+- Claims by individuals or entities referenced in Partner content
+- Defamation or privacy claims related to Partner content
+- Consumer protection claims related to Partner Services
+- Professional malpractice claims (if applicable)
+
+### Indemnification Process
+
+(i) **Notice:** Ask Eve AI shall promptly notify Partner in writing of any claim subject to indemnification
+
+(ii) **Control:** Partner shall have the right to control the defense and settlement of the claim, provided that:
+- Ask Eve AI may participate in the defense at its own expense
+- Partner shall not settle any claim in a manner that admits Ask Eve AI's liability or imposes obligations on Ask Eve AI without Ask Eve AI's prior written consent
+
+(iii) **Cooperation:** Ask Eve AI shall cooperate reasonably with Partner in the defense, at Partner's expense
+
+(iv) **Mitigation:** Partner shall use commercially reasonable efforts to mitigate damages
+
+---
+
+# ARTICLE 8: CUSTOMER
MANAGEMENT AND DOCUMENTATION
+
+## 8.1 Customer Relationship Structure
+
+For Customers acquired through this Partnership:
+
+(a) **Primary Contact:** Partner acts as the primary point of contact for all Customer interactions, including:
+- Initial sales and onboarding
+- Day-to-day account management
+- First-line and second-line support
+- Billing and payment discussions
+- Renewal and upsell conversations
+
+(b) **Ask Eve AI Role:** Ask Eve AI provides:
+- Third-line technical support (escalated from Partner)
+- Platform infrastructure and maintenance
+- Platform updates and new features
+- Security and compliance oversight
+
+(c) **Direct Customer Contact:** Customers shall not contact Ask Eve AI directly for support or sales inquiries unless:
+- Partner explicitly refers the Customer to Ask Eve AI
+- The matter relates to Platform-level issues requiring Ask Eve AI intervention
+- Emergency situations requiring immediate Ask Eve AI response
+- Mutually agreed circumstances documented in writing
+
+## 8.2 Customer Onboarding Requirements
+
+Before granting Customer access to the Platform, Partner must:
+
+(a) **Tenant Creation:**
+- Create a Tenant account for the Customer on the Ask Eve AI Platform
+- Configure appropriate license tier and usage limits
+- Set up initial users and access permissions
+- Configure relevant Specialists or Catalogs
+
+(b) **Contractual Documentation:**
+- Ensure Customer executes Ask Eve AI's Terms of Service (Exhibit D)
+- Ensure Customer executes Ask Eve AI's Data Processing Agreement (Exhibit B)
+- Provide executed copies to Ask Eve AI within fifteen (15) days of Customer onboarding
+- Maintain records of all Customer agreements
+
+(c) **Customer Information:**
+- Provide accurate and complete Customer information to Ask Eve AI, including:
+ - Legal entity name and registration details
+ - Billing address and VAT number
+ - Primary contact information (name, email, phone)
+ - Intended use cases and expected usage volumes
+ - Any
special requirements or restrictions
+
+(d) **Training and Orientation:**
+- Provide adequate training to Customer users
+- Explain Platform capabilities and limitations
+- Set appropriate expectations for AI outputs
+- Document Customer-specific configurations
+
+## 8.3 Payment Responsibility (Management Partners)
+
+For Partners designated as Management Partners (Annex 3):
+
+(a) **Payment Guarantee:** Partner guarantees timely payment of all Basic Fees and Additional Fees for Customers managed by Partner, regardless of whether Customer pays Partner.
+
+(b) **Payment Terms:**
+- Partner pays Ask Eve AI based on actual Platform usage per Exhibit A
+- Invoices issued monthly based on usage in previous month
+- Payment due within thirty (30) days of invoice date
+- Late payments subject to interest and service suspension (Article 9.4)
+
+(c) **Customer Payment Defaults:** If a Customer fails to pay Partner:
+- Partner remains liable to Ask Eve AI for all Platform fees
+- Partner may request service suspension for the non-paying Customer
+- Ask Eve AI will consider suspension requests in good faith
+- Partner must demonstrate efforts to collect from Customer (demand letters, etc.)
+
+(d) **Billing Transparency:** Ask Eve AI shall provide Partner with:
+- Detailed monthly usage reports per Customer
+- Breakdown of Basic Fees and Additional Fees
+- Usage metrics (embeddings, storage, interactions)
+- Historical usage trends and projections
+
+## 8.4 Customer Information Accuracy
+
+(a) **Update Obligations:** Partner must notify Ask Eve AI within ten (10) business days of:
+- Changes to Customer legal name or structure
+- Changes to billing address or VAT number
+- Changes to primary contact information
+- Material changes to usage patterns or requirements
+- Customer insolvency or financial distress
+- Customer requests to terminate or downgrade services
+
+(b) **Data Quality:** Partner warrants that all Customer information provided to Ask Eve AI is:
+- Accurate and complete to the best of Partner's knowledge
+- Current and up-to-date
+- Obtained lawfully and with appropriate consents
+- Maintained in accordance with GDPR requirements
+
+## 8.5 Support Structure and Escalation
+
+(a) **First-Line Support (Partner):**
+- Answer basic Customer questions about Partner Services
+- Provide user training and guidance
+- Troubleshoot common issues
+- Resolve configuration and usage questions
+- Expected response time: Per Partner's own SLA with Customer
+
+(b) **Second-Line Support (Partner):**
+- Investigate complex issues reported by Customers
+- Reproduce and document issues
+- Review Specialist configurations and Catalog content
+- Attempt resolution before escalating to Ask Eve AI
+- Expected resolution time: Per Partner's own SLA with Customer
+
+(c) **Third-Line Support (Ask Eve AI):**
+- Platform infrastructure issues
+- System bugs and defects
+- API and integration problems
+- Security and compliance issues
+- Expected response time: Per Ask Eve AI's standard SLA
+
+(d) **Escalation Process:**
+- Partner submits support tickets through designated channels
+- Partner provides detailed issue description, reproduction steps, and logs
+- Ask
Eve AI acknowledges and prioritizes tickets
+- Ask Eve AI provides updates and resolution timeline
+- Partner communicates status to affected Customers
+
+---
+
+# ARTICLE 9: PRICING, FEES, AND PAYMENT
+
+## 9.1 Partner Pricing Model
+
+(a) **Customer Pricing:** Partner is free to set its own pricing to Customers, including:
+- Markups over Ask Eve AI's platform costs
+- Value-added service fees
+- Bundled offerings combining Platform access with Partner services
+- Custom pricing for enterprise Customers
+
+(b) **Platform Fees:** Partner pays Ask Eve AI for Platform usage according to Exhibit A:
+- Basic Fees: Monthly subscription per Customer Tenant
+- Additional Fees: Overage charges for usage exceeding included limits
+- Pricing based on Customer's usage tier (Small, Large, Enterprise)
+
+(c) **Revenue Share Models:** Where applicable per Annexes or Addenda:
+- Specific revenue share percentages
+- Calculation methodologies
+- Payment schedules and terms
+- Adjustments and true-ups
+
+## 9.2 Invoicing and Payment Terms
+
+(a) **Invoicing Cycle:**
+- Ask Eve AI issues invoices monthly for the preceding month's usage
+- Invoices sent within five (5) business days of month end
+- Invoices include detailed usage breakdown per Customer
+- Invoices sent via email to Partner's designated billing contact
+
+(b) **Payment Deadline:**
+- Payment due thirty (30) days from invoice date
+- Payment by wire transfer to Ask Eve AI's designated account
+- Partner bears all bank fees and transfer charges
+- Payments applied to oldest outstanding invoices first
+
+(c) **Currency and Taxes:**
+- All prices and payments in Euro (EUR)
+- Prices exclude VAT unless otherwise stated
+- Partner responsible for all applicable taxes except Ask Eve AI's corporate income tax
+- VAT charged at applicable Belgian/EU rates
+
+(d) **Invoice Disputes:**
+- Partner must notify Ask Eve AI of disputed amounts within fifteen (15) days of invoice date
+- Notification via email to finance@Ask Eve
AI.com
+- Must specify nature and extent of dispute with supporting documentation
+- Undisputed amounts remain due and payable
+- Parties to negotiate disputed amounts in good faith
+
+## 9.3 Partner Invoicing to Ask Eve AI
+
+Where applicable under revenue share or other compensation models:
+
+(a) **Partner Invoice Requirements:**
+- Partner invoices Ask Eve AI monthly (or per agreed schedule)
+- Invoices must reference this Partnership Agreement
+- Invoices must reference specific Customer contracts or revenue sources
+- Invoices must include VAT where applicable
+- Invoices sent to finance@Ask Eve AI.com
+
+(b) **Supporting Documentation:**
+- Partner provides usage reports or revenue documentation
+- Ask Eve AI may request verification of underlying Customer payments
+- Partner maintains records for audit purposes (7 years per Belgian law)
+
+(c) **Payment by Ask Eve AI:**
+- Payment within thirty (30) days of receiving compliant invoice
+- Subject to Ask Eve AI's receipt of underlying Customer payments (where applicable)
+- Payment via wire transfer to Partner's designated account
+
+## 9.4 Late Payment and Service Suspension
+
+(a) **Late Payment Interest:**
+- Late payments subject to interest per Belgian Law of 2 August 2002
+- Interest calculated at legal rate determined by Belgian government
+- Does not exclude Partner's liability for damages
+
+(b) **Service Suspension for Non-Payment:**
+- If Basic Fees not paid when due: Ask Eve AI may immediately suspend Platform access
+- If Additional Fees unpaid 30+ days: Ask Eve AI may suspend Platform access
+- Suspension notice sent via email before suspension (except emergency situations)
+- Affected Customers lose Platform access during suspension
+
+(c) **Reactivation After Suspension:**
+- Partner must pay all outstanding amounts plus accrued interest
+- Ask Eve AI reactivates service within two (2) business days of confirmed payment
+- No pro-rata refunds for suspension period
+- Suspension time counts
toward billing period
+
+(d) **Collection Costs:**
+- Partner liable for Ask Eve AI's reasonable collection costs
+- Includes legal fees, Belgian bailiff (deurwaarder/huissier de justice) fees
+- Includes costs of formal collection proceedings
+
+## 9.5 Price Changes
+
+(a) **Notice Period:**
+- Ask Eve AI may change Exhibit A pricing with thirty (30) days' written notice
+- Notice sent via email to Partner's primary contact
+- Changes effective at start of next billing period after notice
+
+(b) **Reasons for Changes:**
+- Changes to product offerings and features
+- Changes in Ask Eve AI's costs from Sub-Processors
+- Changes in business operations or economic environment
+- Security, legal, or regulatory requirements
+- Currency fluctuations or inflation adjustments
+
+(c) **Existing Customer Protection:**
+- Price changes apply to new Customers immediately after effective date
+- For existing Customers: Ask Eve AI honors old pricing for ninety (90) days
+- Gives Partner time to renegotiate Customer contracts or absorb increases
+
+(d) **Partner's Termination Right:**
+- If price increases exceed 15% for any tier, Partner may terminate this Agreement
+- Termination notice must be given within thirty (30) days of price change notice
+- Termination effective end of current billing period
+- Partner remains liable for fees accrued before termination
+
+## 9.6 Taxes and Withholding
+
+(a) **Partner Tax Responsibilities:**
+- Partner responsible for all taxes except Ask Eve AI's corporate income tax
+- Includes VAT, sales tax, use tax, excise tax
+- Includes customs duties, import/export fees
+- Partner must provide valid VAT number for intra-EU transactions
+
+(b) **Withholding Taxes:**
+- If Partner required to withhold taxes on payments to Ask Eve AI:
+- Partner shall gross-up payments so Ask Eve AI receives full amount
+- Partner provides official tax receipts documenting withholding
+- Partner files necessary forms with tax authorities
+- Example: If Ask Eve AI
invoice = €1,000 and 10% withholding required, Partner pays €1,111.11 (€1,000 to Ask Eve AI + €111.11 withheld and remitted to authorities)
+
+(c) **Tax Documentation:**
+- Parties exchange VAT numbers and tax registration information
+- Parties provide tax residency certificates if requested
+- Parties cooperate in completing tax forms for treaty benefits
+
+---
+
+# ARTICLE 10: WARRANTIES AND DISCLAIMERS
+
+## 10.1 Mutual Warranties
+
+Each Party represents and warrants to the other that:
+
+(a) **Authority:** It is duly organized, validly existing, and in good standing under the laws of its jurisdiction of formation.
+
+(b) **Power:** It has full corporate power and authority to enter into this Agreement and perform its obligations.
+
+(c) **Authorization:** The execution and performance of this Agreement has been duly authorized by all necessary corporate action.
+
+(d) **Enforceability:** This Agreement constitutes a legal, valid, and binding obligation enforceable against it in accordance with its terms.
+
+(e) **No Conflicts:** Entering into and performing this Agreement does not:
+- Violate any law, regulation, or court order applicable to it
+- Conflict with its organizational documents
+- Breach any agreement to which it is a party
+
+(f) **Good Faith:** It shall act in good faith at all times and not bring the other Party into disrepute.
+
+## 10.2 AI Output and Platform Disclaimers
+
+Partner acknowledges, understands, and agrees that:
+
+(a) **AI Limitations:**
+- Artificial intelligence and machine learning are rapidly evolving fields
+- AI outputs are probabilistic and may not always be accurate
+- The Platform uses general-purpose AI models not customized for specific domains
+- Outputs may be incomplete, incorrect, or offensive in some situations
+
+(b) **No Sole Reliance:**
+- Outputs should not be relied upon as the sole source of truth or factual information
+- Outputs are not a substitute for professional advice (legal, medical, financial, etc.)
+- Partner must evaluate all outputs for accuracy and appropriateness
+- Human review is required before using outputs in critical applications
+
+(c) **No Automated Decisions on Individuals:**
+- Outputs must not be used for automated decisions with legal or material impact on individuals
+- Examples: credit decisions, employment decisions, insurance eligibility, medical diagnoses
+- Human intervention and oversight required for such decisions
+
+(d) **No Endorsements:**
+- If outputs reference third-party products or services, this does not mean the third party endorses or is affiliated with Ask Eve AI
+- Outputs may not reflect current Ask Eve AI views or positions
+
+(e) **Customer Responsibility:**
+- Partner is responsible for educating Customers about AI limitations
+- Partner must implement appropriate disclaimers in Customer-facing materials
+- Partner must set appropriate Customer expectations
+
+## 10.3 Platform "As Is" Provisions
+
+TO THE FULLEST EXTENT PERMITTED BY LAW:
+
+(a) **No Performance Warranties:**
+- The Platform is provided "AS IS" and "AS AVAILABLE"
+- Ask Eve AI does not warrant that the Platform will:
+ - Meet Partner's or Customer's specific requirements
+ - Operate uninterrupted or error-free
+ - Be secure or free from viruses or harmful code
+ - Produce particular results or outcomes
+ - Be compatible with all
systems or software
+
+(b) **Disclaimer of Implied Warranties:**
+- Ask Eve AI disclaims all implied warranties, including:
+ - Warranties of merchantability
+ - Warranties of fitness for a particular purpose
+ - Warranties of non-infringement
+ - Warranties arising from course of dealing or usage of trade
+
+(c) **No Content Warranties:**
+- Ask Eve AI makes no warranties about:
+ - Partner-provided content (Catalogs, Specialist configurations)
+ - Customer-provided data or inputs
+ - Third-party content accessible through the Platform
+ - Accuracy, completeness, or reliability of any content
+
+(d) **No Guarantees:**
+- Ask Eve AI does not guarantee:
+ - Specific uptime or availability percentages
+ - Response times for support requests
+ - Resolution of all issues or bugs
+ - Compatibility with future technologies
+
+(e) **Partner's Responsibility:**
+- Partner is solely responsible for:
+ - Evaluating the Platform's suitability for its purposes
+ - Testing Partner Services before offering to Customers
+ - Backing up Partner data and configurations
+ - Implementing disaster recovery plans
+ - Compliance with legal and regulatory requirements
+
+## 10.4 Scheduled Maintenance
+
+(a) **Maintenance Windows:**
+- Ask Eve AI may perform scheduled maintenance between 22:00 and 05:00 CET
+- No prior notice required for maintenance within these windows
+- Ask Eve AI will use commercially reasonable efforts to minimize disruption
+
+(b) **Outside Maintenance Windows:**
+- Scheduled maintenance outside standard windows requires seven (7) days' notice
+- Notice provided via email and/or in-application notification
+- Ask Eve AI will attempt to schedule during low-usage periods
+
+(c) **Emergency Maintenance:**
+- Ask Eve AI may perform emergency maintenance at any time without notice when necessary to:
+ - Protect security, integrity, or availability of the Platform
+ - Comply with legal or regulatory requirements
+ - Address critical security vulnerabilities
+ - Prevent
data loss or corruption
+
+(d) **No Liability for Maintenance:**
+- Ask Eve AI is not liable for Service unavailability during maintenance
+- Maintenance time is not credited against any uptime commitments
+- Partner should plan Customer activities around maintenance windows
+
+---
+
+# ARTICLE 11: INDEMNIFICATION
+
+## 11.1 Partner Indemnification of Ask Eve AI
+
+Partner shall indemnify, defend, and hold Ask Eve AI, its Affiliates, and their respective officers, directors, employees, consultants, and agents harmless from and against any and all third-party claims, suits, actions, demands, investigations, damages, losses, liabilities, costs, and expenses (including reasonable legal fees and attorneys' fees) arising directly or indirectly out of:
+
+(a) **GDPR and Data Protection Violations:**
+- Partner's failure to comply with GDPR or other data protection laws (per Article 6.5)
+- Partner's improper handling of Personal Data
+- Partner's data breaches caused by Partner's security failures
+- Claims by data subjects or supervisory authorities based on Partner's violations
+
+(b) **Partner Content:**
+- Inaccurate, misleading, or defective Partner content (per Article 7.4)
+- Intellectual property infringement by Partner content
+- Legal or regulatory violations in Partner content
+- Customer or third-party reliance on Partner content
+
+(c) **Breach of Agreement:**
+- Partner's material breach of this Agreement
+- Partner's violation of restrictions in Article 3 or Article 5.3
+- Partner's failure to meet obligations in Articles 3, 6, or 8
+- Partner's unauthorized use of Ask Eve AI intellectual property
+
+(d) **Unauthorized Representations:**
+- Unauthorized warranties or representations made by Partner to Customers
+- Guarantees or promises beyond those in Ask Eve AI's Terms of Service
+- Misleading statements about Platform capabilities or Ask Eve AI's commitments
+
+(e) **Combination with Third-Party Products:**
+- Claims arising from Partner's combination
of the Platform with non-Ask Eve AI products or services not authorized by Ask Eve AI in writing
+- Interoperability issues caused by Partner's integrations
+
+(f) **Partner Operations:**
+- Conduct of Partner's business operations under this Agreement
+- Partner's relationships with its own customers, employees, or subcontractors
+- Partner's violation of applicable laws or regulations
+
+## 11.2 Ask Eve AI Indemnification of Partner
+
+### (a) IP Infringement Indemnification
+
+Ask Eve AI shall indemnify, defend, and hold Partner harmless from and against claims that the Ask Eve AI Platform, when used in accordance with this Agreement, infringes any:
+- Patent registered in the European Union
+- Copyright registered in the European Union
+- Trademark registered in Belgium or the European Union
+- Misappropriation of trade secrets under Belgian or EU law
+
+### (b) Conditions
+
+Ask Eve AI's indemnification obligations are conditioned upon Partner:
+
+(i) **Prompt Notice:** Notifying Ask Eve AI in writing within ten (10) business days of becoming aware of the claim
+
+(ii) **Control:** Granting Ask Eve AI sole control over the defense and settlement of the claim
+
+(iii) **No Admissions:** Making no admissions of liability and entering into no settlements without Ask Eve AI's prior written consent
+
+(iv) **Cooperation:** Providing reasonable assistance in the defense at Ask Eve AI's expense
+
+(v) **Mitigation:** Using commercially reasonable efforts to mitigate damages
+
+### (c) Remedies
+
+Upon a final determination or settlement that the Platform infringes, Ask Eve AI may, at its option:
+
+(i) Procure the right for Partner to continue using the Platform
+
+(ii) Replace or modify the Platform to make it non-infringing while maintaining substantially equivalent functionality
+
+(iii) If neither (i) nor (ii) is commercially reasonable, terminate this Agreement and refund prepaid fees on a pro-rata basis
+
+### (d) Exclusions
+
+Ask Eve AI has no obligation to
indemnify for claims based on:
+
+(i) **Non-Compliant Use:** Use of the Platform not in accordance with this Agreement or the Terms of Service
+
+(ii) **Combinations:** Use of the Platform in combination with non-Ask Eve AI products, equipment, software, or data, where infringement would not have occurred but for such combination
+
+(iii) **Modifications:** Modifications to the Platform not made by Ask Eve AI or at its express direction
+
+(iv) **Outdated Versions:** Continued use of outdated Platform versions after Ask Eve AI has provided an update to avoid infringement
+
+(v) **Partner Content:** Any content, data, or configurations provided by Partner or Customers
+
+(vi) **Third-Party Components:** Open-source software or third-party components included in the Platform
+
+(vii) **Compliance with Specifications:** Ask Eve AI's compliance with Partner's or Customer's specifications or requirements
+
+## 11.3 Indemnification Procedures
+
+(a) **Notice:** The indemnified Party shall promptly notify the indemnifying Party in writing of any claim.
+
+(b) **No Prejudice:** Failure to notify promptly shall not relieve the indemnifying Party of its obligations except to the extent the indemnifying Party can demonstrate material prejudice.
+
+(c) **Control:** The indemnifying Party shall have sole control over the defense and settlement, subject to the indemnified Party's right to participate at its own expense.
+
+(d) **Settlement Approval:** The indemnifying Party shall not settle any claim in a manner that:
+- Admits fault or liability of the indemnified Party
+- Imposes obligations on the indemnified Party
+- Affects the indemnified Party's rights or business
+...without the indemnified Party's prior written consent (not to be unreasonably withheld).
+
+## 11.4 Sole Remedy
+
+The indemnifications in this Article 11 constitute the indemnified Party's sole and exclusive remedy for the matters covered by such indemnifications, except where prohibited by applicable law.
+
+---
+
+# ARTICLE 12: LIMITATION OF LIABILITY
+
+## 12.1 Exclusion of Consequential Damages
+
+EXCEPT WITH RESPECT TO:
+- (a) Infringement or misappropriation of either Party's Intellectual Property Rights
+- (b) Breach of Article 13 (Confidentiality)
+- (c) Each Party's indemnification obligations in Article 11
+- (d) Partner's payment obligations
+- (e) Partner's obligations under Sections 3.2, 3.3, 3.5 (Non-Solicitation and Non-Compete)
+- (f) Partner's obligations under Article 5 (Intellectual Property restrictions)
+
+IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY:
+- Consequential damages
+- Indirect damages
+- Special damages
+- Incidental damages
+- Exemplary or punitive damages
+- Loss of goodwill or reputation
+- Loss of profits or revenue
+- Loss of anticipated savings
+- Loss of business opportunity
+- Loss or unavailability of data or equipment (except as covered by Ask Eve AI's backup obligations)
+- Cost of procurement of substitute services or products
+
+WHETHER FORESEEABLE OR UNFORESEEABLE, AND EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+This exclusion applies regardless of the legal theory on which the claim is based, including contract, tort (including negligence), strict liability, misrepresentation, or otherwise.
+
+## 12.2 Liability Cap
+
+Subject to Section 12.3 (Exceptions), each Party's aggregate liability arising out of or related to this Agreement, whether in contract, tort, or otherwise, shall not exceed:
+
+**The total amount of Platform fees paid by Partner to Ask Eve AI (or payable by Ask Eve AI to Partner under revenue share arrangements) during the twelve (12) months immediately preceding the event giving rise to the liability.**
+
+For clarity:
+- This cap is calculated per Party (each Party has its own cap)
+- "Platform fees" means Basic Fees and Additional Fees only; excludes professional services
+- The cap resets for each separate and independent cause of action
+
+## 12.3 Exceptions to Liability Limitations
+
+The limitations in Sections 12.1 and 12.2 do NOT apply to:
+
+(a) **Intellectual Property Infringement:** Claims for infringement or misappropriation of Intellectual Property Rights
+
+(b) **Confidentiality Breaches:** Breaches of Article 13 (Confidentiality)
+
+(c) **Indemnification Obligations:** Either Party's defense, indemnification, and hold harmless obligations under Article 11
+
+(d) **Payment Obligations:** Partner's obligations to pay Platform fees, interest, and collection costs
+
+(e) **Non-Compete and Non-Solicitation:** Partner's violations of Sections 3.4 and 3.5
+
+(f) **IP Restrictions:** Partner's violations of Article 5.3 (Restrictions on Use)
+
+(g) **Data Protection Violations:** Partner's GDPR indemnification obligations under Article 6.5
+
+(h) **Fraud or Willful Misconduct:** Damages caused by fraud, willful misconduct, or gross negligence
+
+(i) **Mandatory Legal Liability:** Liability that cannot be limited or excluded under mandatory Belgian or EU law, including:
+- Death or personal injury caused by negligence
+- Fraudulent misrepresentation
+- Any other liability prohibited from limitation by law
+
+## 12.4 Basis of the Bargain
+
+Partner acknowledges and agrees that:
+
+(a) The limitations of liability in this Article 12
are fundamental elements of the basis of the bargain between the Parties
+
+(b) Ask Eve AI would not be able to provide the Platform on an economically reasonable basis without these limitations
+
+(c) The pricing reflects these risk allocations
+
+(d) Partner has had the opportunity to negotiate these terms and accepts them as reasonable
+
+## 12.5 Mitigation
+
+Each Party shall use commercially reasonable efforts to mitigate its own damages arising from any breach or other event giving rise to liability.
+
+---
+
+# ARTICLE 13: CONFIDENTIALITY
+
+## 13.1 Definition of Confidential Information
+
+"**Confidential Information**" means all information transmitted by either Party to the other pursuant to or in connection with this Agreement that:
+
+(a) The disclosing Party identifies as being proprietary or confidential, whether by marking as "Confidential," through oral designation, or by other means; OR
+
+(b) By the nature of the circumstances surrounding the disclosure, ought in good faith to be treated as proprietary or confidential
+
+Confidential Information includes, without limitation:
+
+**Ask Eve AI's Confidential Information:**
+- Platform source code, algorithms, and architecture
+- AI models, training methodologies, and prompts
+- Product roadmaps and development plans
+- Pricing strategies and business plans
+- Financial information
+- Security practices and vulnerabilities
+- Pre-release features and functionality
+- Customer lists and usage data (aggregated)
+- This Agreement (terms and conditions)
+
+**Partner's Confidential Information:**
+- Customer lists and contact information
+- Pricing to customers and business strategies
+- Financial information and projections
+- Proprietary methodologies and processes
+- Customer data and usage patterns
+- This Agreement (terms and conditions)
+
+**Mutual Confidential Information:**
+- Terms and conditions of this Agreement
+- Communications between the Parties regarding business strategy
+- Joint
development plans and specifications
+- Sensitive discussions and negotiations
+
+## 13.2 Obligations of Confidentiality
+
+The receiving Party shall:
+
+(a) **Protect:** Protect the disclosing Party's Confidential Information using the same degree of care it uses to protect its own Confidential Information of similar nature, and in no event less than reasonable care
+
+(b) **Not Disclose:** Not disclose the Confidential Information to any third party without the disclosing Party's prior written consent, except as permitted in Section 13.4
+
+(c) **Not Use:** Not use the Confidential Information except as necessary to exercise its rights and perform its obligations under this Agreement
+
+(d) **Limit Access:** Disclose Confidential Information only to employees, contractors, and advisors who:
+- Have a legitimate need to know for purposes of this Agreement
+- Are bound by confidentiality obligations at least as protective as those in this Agreement
+- Have been informed of the confidential nature of the information
+
+(e) **Return or Destroy:** Upon termination of this Agreement or earlier upon request, promptly return or destroy (at disclosing Party's option) all Confidential Information in tangible form, and certify such return or destruction in writing if requested
+
+## 13.3 Exclusions from Confidential Information
+
+Confidential Information shall not include information that the receiving Party can demonstrate:
+
+(a) **Public Domain:** Was in or has entered the public domain through no breach of this Agreement by the receiving Party
+
+(b) **Prior Possession:** Was rightfully in the receiving Party's possession without confidentiality restrictions before disclosure by the disclosing Party
+
+(c) **Third-Party Disclosure:** Was rightfully received by the receiving Party from a third party without breach of any confidentiality obligation
+
+(d) **Independent Development:** Was independently developed by the receiving Party without reference to or use of the
disclosing Party's Confidential Information, as evidenced by written records
+
+(e) **Approved Disclosure:** Was approved for disclosure by the disclosing Party in writing
+
+## 13.4 Permitted Disclosures
+
+The receiving Party may disclose Confidential Information:
+
+(a) **To Legal and Financial Advisors:** To its lawyers, accountants, auditors, and other professional advisors who have a legitimate need to know and are bound by professional confidentiality obligations
+
+(b) **To Prospects and Customers:** To Prospects and Customers to the extent necessary to market and deliver Partner Services, provided the receiving Party imposes confidentiality obligations substantially as protective as those in this Agreement
+
+(c) **As Required by Law:** As required by applicable law, regulation, court order, or governmental authority, provided the receiving Party:
+- Gives the disclosing Party prompt written notice (unless prohibited by law)
+- Cooperates with the disclosing Party's efforts to seek protective orders
+- Discloses only the minimum information required
+- Requests confidential treatment of the disclosed information
+
+(d) **To Affiliates:** To Affiliates who have a legitimate business need and are bound by confidentiality obligations at least as protective as those in this Agreement
+
+(e) **In Connection with Acquisition:** To potential acquirers, investors, or other parties in connection with due diligence for a merger, acquisition, or financing, provided such parties execute appropriate non-disclosure agreements before receiving Confidential Information
+
+## 13.5 Remedies for Breach
+
+(a) **Irreparable Harm:** The Parties acknowledge that breach of this Article 13 may cause irreparable harm for which monetary damages are an inadequate remedy
+
+(b) **Equitable Relief:** In addition to any other remedies available at law or in equity, the non-breaching Party shall be entitled to seek injunctive relief to prevent breaches and to compel specific performance
+
+(c) **No Bond:** The Parties agree that no bond or other security shall be required in connection with such equitable relief
+
+## 13.6 Survival
+
+The obligations in this Article 13 shall survive termination of this Agreement for a period of five (5) years, except that:
+
+(a) Trade secrets shall remain confidential for so long as they qualify as trade secrets under applicable law
+
+(b) Source code and technical specifications shall remain confidential indefinitely
+
+---
+
+# ARTICLE 14: TERM AND TERMINATION
+
+## 14.1 Initial Term and Renewal
+
+(a) **Initial Term:** This Agreement commences on the Effective Date and continues for an initial term of twelve (12) months (the "**Initial Term**").
+
+(b) **Automatic Renewal:** Unless terminated pursuant to this Article 14, this Agreement shall automatically renew for successive twelve (12) month periods (each a "**Renewal Term**"). The Initial Term and all Renewal Terms are collectively the "**Term**."
+
+(c) **Termination Upon Renewal:** Either Party may prevent automatic renewal by providing written notice to the other Party at least three (3) months before the end of the then-current term.
+
+(d) **Effect of Non-Renewal:** If either Party provides timely non-renewal notice:
+- The Agreement terminates at the end of the current term
+- No termination fees or penalties apply
+- Provisions of Section 14.5 (Effect of Termination) apply
+
+## 14.2 Termination for Convenience
+
+Either Party may terminate this Agreement for convenience (without cause) by providing the other Party with three (3) months' written notice, provided that:
+
+(a) **During Initial Term:** Termination for convenience is not permitted during the first six (6) months of the Initial Term
+
+(b) **Financial Obligations:** The terminating Party remains liable for all fees and obligations accrued before the effective termination date
+
+(c) **No Refunds:** Partner is not entitled to refunds of prepaid fees unless otherwise expressly agreed
+
+(d) **Customer Commitments:** Partner remains responsible for fulfilling commitments to Customers or facilitating Customer transition per Article 15
+
+## 14.3 Termination for Breach
+
+Either Party may terminate this Agreement immediately upon written notice if the other Party:
+
+(a) **Material Breach:** Commits a material breach of this Agreement and fails to cure such breach within thirty (30) days of receiving written notice specifying the breach; OR
+
+(b) **Payment Default:** (For Partner) Fails to pay any fees within fifteen (15) days of receiving written notice of late payment; OR
+
+(c) **Insolvency:** Becomes insolvent, files (or has filed against it) a petition in bankruptcy, makes an assignment for the benefit of creditors, or ceases business operations; OR
+
+(d) **Legal Violation:** Engages in conduct that violates applicable laws or regulations and fails to cease such conduct within ten (10) days of notice; OR
+
+(e) **Repeated Breaches:** Commits three (3) or more breaches of the same or similar provisions within any twelve (12) month period, regardless of whether such breaches were cured
+
+**Material breaches include, without
limitation:**
+- Partner's violation of Section 3.5 (Non-Compete)
+- Partner's violation of Article 5.3 (IP Restrictions)
+- Partner's violation of Article 6 (GDPR Compliance)
+- Partner's violation of Article 13 (Confidentiality)
+- Partner's unauthorized use or disclosure of Ask Eve AI Confidential Information
+- Partner's representation that it has rights or authority it does not possess
+
+## 14.4 Termination for Performance
+
+Ask Eve AI may terminate this Agreement upon sixty (60) days' written notice if:
+
+(a) **Inactivity (Knowledge Partners):** Partner has not updated Catalogs or generated Customer usage for six (6) consecutive months
+
+(b) **Inactivity (Expert Partners):** Partner has no active Customers using Partner-developed Specialists for six (6) consecutive months
+
+(c) **Inactivity (Management Partners):** Partner has no active Customers under management for six (6) consecutive months
+
+(d) **Customer Satisfaction:** Partner receives consistent negative Customer feedback that materially affects Ask Eve AI's reputation, and fails to implement adequate corrective measures within sixty (60) days of notice
+
+(e) **Security Failures:** Partner fails to maintain required security standards specified in Section 3.2 and fails to remediate within thirty (30) days of notice
+
+(f) **Payment Default Rate:** (Management Partners) Partner's Customer payment default rate exceeds twenty percent (20%) for three (3) consecutive months
+
+**Partner's Remedy Rights:**
+- During the sixty (60) day notice period, Partner may remedy the performance issue
+- If Partner demonstrates satisfactory remediation, Ask Eve AI shall withdraw the termination notice
+- Partner must provide evidence of remediation (usage reports, customer feedback, security attestations, etc.)
+
+## 14.5 Effect of Termination
+
+Upon termination or expiration of this Agreement:
+
+### (a) Immediate Effects
+
+(i) **Access Termination:**
+- Partner's access to the Platform terminates immediately (or on the specified termination date)
+- Partner shall cease offering Partner Services to new Customers
+- Partner shall cease using Ask Eve AI trademarks and marketing materials
+
+(ii) **Payment Obligations:**
+- All unpaid fees and charges become immediately due and payable
+- Partner remains liable for all fees accrued before termination
+- No refunds of prepaid fees unless termination was due to Ask Eve AI's material breach
+
+(iii) **Customer Transition:**
+- Provisions of Article 15 (Customer Transition) apply
+- Partner shall cooperate in facilitating smooth Customer transition
+- Existing Customer contracts may continue per Article 15
+
+### (b) Return of Materials
+
+Within thirty (30) days of termination:
+- Each Party shall return or destroy the other Party's Confidential Information
+- Partner shall return or delete all Ask Eve AI marketing materials, documentation, and trademarks
+- Partner shall provide written certification of deletion/destruction if requested
+
+### (c) Data Handling
+
+(i) **Customer Data:**
+- Customer Tenant data remains available for ninety (90) days post-termination
+- Customers may export their data during this period
+- After ninety (90) days, Customer data is deleted per DPA Section 8.2
+- Financial and billing records retained per Belgian law (7 years)
+
+(ii) **Partner Data:**
+- Partner-created Catalogs and Specialist configurations handled per applicable Annexes and Addenda
+- IP ownership determined by specific Annex provisions
+- Platform usage data and analytics retained by Ask Eve AI indefinitely
+
+### (d) No Further Obligations
+
+Except as expressly stated in this Agreement:
+- Neither Party has further obligations to the other after termination
+- Each Party released from future performance obligations
+-
Accrued rights and obligations remain enforceable + +## 14.6 Survival + +The following provisions survive termination or expiration of this Agreement: + +- Article 1 (Definitions) - as needed to interpret surviving provisions +- Section 3.4 (Non-Solicitation) - for 12 months post-termination +- Section 3.5(b) and (c) (Post-Term Non-Compete) - for stated periods +- Article 5.1 (Ask Eve AI IP) - indefinitely +- Article 5.2 (Partner Content IP) - per Annex provisions +- Section 6.5 (Partner GDPR Indemnification) - indefinitely for claims arising during Term +- Article 7 (Partner Content Liability) - indefinitely for claims arising during Term +- Section 9.2 (Payment obligations for accrued fees) - until paid +- Article 11 (Indemnification) - indefinitely for claims arising during Term +- Article 12 (Limitation of Liability) - indefinitely +- Article 13 (Confidentiality) - for 5 years (or longer per Section 13.6) +- Article 14.5 and 14.6 (Effect of Termination and Survival) - indefinitely +- Article 15 (Customer Transition) - as applicable +- Article 16 (General Provisions) - as applicable + +--- + +# ARTICLE 15: CUSTOMER TRANSITION UPON PARTNERSHIP TERMINATION + +## 15.1 Customer Rights Upon Termination + +When this Agreement terminates for any reason, Customers shall have the following options: + +(a) **Continue Directly with Ask Eve AI:** +- Customers may elect to continue Platform services directly with Ask Eve AI +- Customers enter into direct contractual relationship with Ask Eve AI +- Pricing according to Ask Eve AI's then-current standard rates +- Access to full Platform functionality and features + +(b) **Terminate Service:** +- Customers may terminate Platform services +- Customer data available for export for ninety (90) days per Section 14.5(c) +- No penalties or termination fees from Ask Eve AI + +(c) **Migrate to Another Partner:** +- If available, Customers may migrate to another Partner in the same Domain +- Subject to mutual agreement between Customer 
and new Partner +- Ask Eve AI facilitates technical migration as reasonably requested + +## 15.2 Customer Access to Platform Features + +Upon transition to direct Ask Eve AI relationship, Customers may: + +(a) **Full Platform Access:** +- Access all Platform features and functionality +- Create and configure their own Specialists +- Access Catalogs from other Knowledge Partners (subject to those Partners' terms) + +(b) **Partner-Specific Content:** + +**Knowledge Partner Catalogs:** +- If Knowledge Partner maintains Catalog availability post-termination, Customers retain access +- If Knowledge Partner withdraws Catalog, Customers lose access (but may transition to alternative Catalogs) + +**Expert Partner Specialists:** + +- **Pre-IP Transfer:** Ask Eve AI determines whether Specialists remain available to Customers. Generally: + - Ask Eve AI may continue offering Specialists to existing Customers (revenue share to Partner continues per Section 15.3) + - Ask Eve AI may discontinue Specialists if maintenance burden is excessive + +- **Post-IP Transfer:** Partner (IP owner) determines whether Specialists remain available: + - If Partner permits continued use, Customers retain access (licensing terms to be negotiated) + - If Partner withdraws Specialists, Customers lose access but may seek alternative solutions + +## 15.3 Revenue Share During Transition + +For Customers who transition to direct Ask Eve AI relationships: + +### (a) Management Partners + +**Transition Revenue Share:** +- **Months 1-6 post-transition:** Partner receives 50% of previous revenue share percentage +- **Months 7-12 post-transition:** Partner receives 25% of previous revenue share percentage +- **Month 13+:** No revenue share + +**Calculation Example:** +- If Partner's revenue share was 30% of Customer fees pre-termination: +- Months 1-6: Partner receives 15% (50% of 30%) +- Months 7-12: Partner receives 7.5% (25% of 30%) +- Month 13+: Partner receives 0% + +**Conditions:** +- Revenue share 
continues only if Customer continues Platform services +- If Customer churns, revenue share ceases immediately +- Partner must issue proper invoices per Section 9.3 + +### (b) Knowledge Partners + +**Catalog Usage:** +- If Partner maintains Catalog availability: Revenue share continues at contracted rates +- If Partner withdraws Catalog: No revenue share + +**Negotiated Terms:** +- Parties may negotiate different terms for Catalog licensing post-termination +- Long-term Catalog maintenance may warrant ongoing compensation + +### (c) Expert Partners + +**Pre-IP Transfer:** +- If Ask Eve AI continues offering Specialists to Customers: Revenue share per original Addendum terms continues +- Continues until IP transfer milestone reached, then transitions to post-IP transfer model + +**Post-IP Transfer:** +- If Partner (IP owner) permits continued Specialist use: Licensing terms negotiated separately +- May include per-use fees, subscription fees, or one-time licensing payments +- No automatic revenue share; requires new agreement + +## 15.4 Transition Process and Cooperation + +### (a) Notice to Customers (30 Days Before Termination) + +Ask Eve AI shall notify affected Customers of: +- Partnership termination and effective date +- Customer options per Section 15.1 +- Pricing for direct Ask Eve AI relationship +- Process for continuing service or exporting data +- Timeline and next steps + +### (b) Partner Cooperation Requirements + +Partner shall: + +(i) **Facilitate Smooth Transition:** +- Respond to Customer questions about transition +- Not interfere with Customer decisions +- Not disparage Ask Eve AI or encourage Customers to churn +- Provide necessary documentation and information + +(ii) **Complete Ongoing Work:** +- Fulfill existing support commitments +- Complete in-progress projects or implementations +- Transfer knowledge to Ask Eve AI or Customers as needed + +(iii) **Data and Configuration Transfer:** +- Provide Customer data exports if requested +- Document 
Customer-specific configurations +- Provide access to Partner-maintained documentation + +(iv) **Financial Settlement:** +- Issue final invoices for services rendered +- Pay all outstanding Platform fees to Ask Eve AI +- Settle any disputed amounts in good faith + +### (c) Ask Eve AI Support During Transition + +Ask Eve AI shall: +- Provide technical assistance for Customer transitions +- Maintain Platform availability and stability during transition +- Honor existing Customer data and configurations +- Provide documentation and training materials to transitioning Customers + +## 15.5 Customer Opt-Out During Term + +Nothing in this Agreement prevents Customers from independently: + +(a) **Discovering Ask Eve AI:** +- Finding Ask Eve AI through their own research or marketing channels +- Subscribing directly to Ask Eve AI if they choose +- Using Platform features beyond those provided by Partner + +(b) **Terminating Partner Relationship:** +- Ending their relationship with Partner to work directly with Ask Eve AI +- Partner not entitled to compensation for Customer self-migration +- Customer transition provisions of this Article 15 do not apply (not triggered by Agreement termination) + +(c) **Using Multiple Partners:** +- Accessing Specialists and Catalogs from Partners in different Domains +- Maintaining relationships with multiple Partners simultaneously +- Combining Partner Services with direct Ask Eve AI features + +**Clarification:** Sections 15.1-15.4 apply only when the **Partnership Agreement terminates**. Customer-initiated changes during the Partnership Term are governed by the relationship between Customer, Partner, and Ask Eve AI as it exists at that time. 
+ +--- + +# ARTICLE 16: GENERAL PROVISIONS + +## 16.1 Assignment + +(a) **Partner Assignment:** +- Partner may not assign, transfer, or delegate any rights or obligations under this Agreement without Ask Eve AI's prior written consent +- Consent not required for assignment to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of Partner's assets, provided the assignee assumes all obligations +- Any attempted assignment in violation of this section is void + +(b) **Ask Eve AI Assignment:** +- Ask Eve AI may assign this Agreement or any rights hereunder without Partner's consent + +(c) **Binding on Successors:** +- Subject to the foregoing restrictions, this Agreement binds and benefits the Parties' successors and permitted assigns + +## 16.2 Dispute Resolution + +(a) **Informal Negotiation (Mandatory First Step):** +- Before initiating formal legal proceedings, the Parties agree to attempt to resolve disputes through good faith negotiations +- Either Party may initiate negotiations by sending written notice describing the dispute +- Senior representatives of both Parties shall meet (in person or virtually) within thirty (30) days +- Parties shall negotiate in good faith for thirty (30) days + +(b) **Formal Proceedings:** +- If informal negotiations fail, either Party may pursue formal legal proceedings +- Proceedings may include Belgian bailiff (deurwaarder/huissier de justice) or court action +- Each Party bears its own costs unless court awards costs to prevailing party + +(c) **Equitable Relief:** +- Notwithstanding the above, either Party may seek immediate injunctive or other equitable relief for: + - Breaches of confidentiality + - Intellectual property infringement + - Violations of non-compete or non-solicitation provisions + - Other situations where irreparable harm may occur + +## 16.3 Governing Law and Jurisdiction + +(a) **Governing Law:** +- This Agreement is governed exclusively by 
Belgian law +- Without regard to conflict of laws principles +- Excluding the United Nations Convention on Contracts for the International Sale of Goods + +(b) **Exclusive Jurisdiction:** +- Any litigation relating to this Agreement shall be submitted to the exclusive jurisdiction of the courts of Ghent (Gent), Belgium +- Both Parties irrevocably submit to such jurisdiction +- Both Parties waive any objections to venue or forum non conveniens + +(c) **Language:** +- All proceedings shall be conducted in English or Dutch as determined by the court + +## 16.4 Severability + +(a) If any provision of this Agreement is held invalid, illegal, or unenforceable: +- The invalidity does not affect other provisions of the Agreement +- The Agreement shall be construed as if the invalid provision were not included +- The invalid provision shall be reformed to the maximum extent enforceable + +(b) If any provision is held unenforceable due to breadth or scope: +- The provision shall be interpreted to be only so broad as is enforceable +- Courts may modify the provision to make it enforceable + +## 16.5 Force Majeure + +(a) **Excuse from Performance:** +- Neither Party liable for inadequate performance caused by conditions beyond reasonable control, including: + - Natural disasters (earthquakes, floods, fires, storms) + - Acts of war, terrorism, or civil unrest + - Riots or labor disputes not involving the Party's own employees + - Governmental actions, laws, or regulations + - Internet or telecommunications failures beyond the Party's network + - Epidemics or pandemics + - Failure of third-party infrastructure providers (Sub-Processors) + +(b) **Exceptions:** +- Force majeure does not excuse payment obligations already due +- Does not excuse breaches that occurred before the force majeure event + +(c) **Notice and Mitigation:** +- Party affected shall promptly notify the other Party +- Notification must include expected duration of the event +- Affected Party shall use 
commercially reasonable efforts to mitigate impact and resume performance + +(d) **Extended Force Majeure:** +- If force majeure continues for more than ninety (90) days: + - Either Party may terminate this Agreement upon written notice + - No termination fees or penalties apply + - Parties settle accrued obligations on a pro-rata basis + +## 16.6 Entire Agreement and Amendments + +(a) **Entire Agreement:** +- This Agreement (including all Annexes, Addenda, and Exhibits) constitutes the entire agreement between the Parties +- Supersedes all prior or contemporaneous agreements, understandings, negotiations, and communications (written or oral) +- No representations, warranties, or agreements exist except as expressly stated herein + +(b) **Order of Precedence:** +In the event of conflict between documents, the following order applies: +1. Addenda (partner-specific terms) +2. Annexes (partner-type specific terms) +3. Main Agreement +4. Exhibits (incorporated documents) + +(c) **Amendments:** +- This Agreement may only be amended by written instrument signed by authorized representatives of both Parties +- Email exchanges do not constitute amendments unless explicitly stated and confirmed +- Course of dealing or performance does not amend this Agreement + +(d) **Addenda Execution:** +- New Addenda may be added during the Term by mutual written agreement +- Addenda must reference this Agreement and be signed by both Parties +- Addenda automatically incorporate all terms of this Agreement unless explicitly stated otherwise + +## 16.7 Notices + +(a) **Form and Delivery:** +All notices under this Agreement must be in writing and delivered by: +- Personal delivery (effective upon delivery) +- Email to designated address (effective upon confirmation of receipt) +- Registered mail with return receipt (effective three (3) business days after mailing) + +(b) **Notice Addresses:** + +**To Ask Eve AI:** +- Email: legal@Ask Eve AI.com +- Physical: Toekomststraat 62, 9800 Deinze, 
Belgium +- Attention: Legal Department + +**To Partner:** +- As specified in the signature block or as updated by written notice + +(c) **Change of Address:** +- Either Party may change its notice address by providing written notice to the other Party +- Changes effective five (5) business days after notice received + +## 16.8 Independent Contractors + +(a) The Parties are independent contractors and nothing in this Agreement creates: +- A partnership or joint venture +- An employment relationship +- An agency relationship +- A franchise relationship +- Any fiduciary duties between the Parties + +(b) Neither Party has authority to: +- Bind the other Party to any obligation +- Make representations on behalf of the other Party +- Incur liabilities in the other Party's name + +(c) Each Party responsible for: +- Its own employees, contractors, and taxes +- Its own insurance and benefits +- Compliance with employment and tax laws + +## 16.9 Waiver + +(a) **No Implied Waiver:** +- Failure or delay in exercising any right does not waive that right +- Single or partial exercise does not preclude further exercise +- Waiver of one breach does not waive subsequent breaches + +(b) **Written Waiver Required:** +- Waivers must be in writing and signed by authorized representative +- Waivers effective only for specific instance stated +- Do not constitute ongoing waivers + +## 16.10 Counterparts and Electronic Signatures + +(a) **Counterparts:** +- This Agreement may be executed in counterparts +- Each counterpart constitutes an original +- All counterparts together constitute one agreement + +(b) **Electronic Signatures:** +- Electronic signatures are valid and binding +- Includes digital signatures, scanned signatures, and qualified electronic signatures under eIDAS Regulation +- Email PDF with signature has same effect as original + +## 16.11 Language + +(a) This Agreement is executed in English + +(b) If translated into other languages: +- English version is the official 
version +- In case of discrepancies, English version prevails +- Translations provided for convenience only + +## 16.12 Interpretation + +(a) **Headings:** Section and article headings are for convenience only and do not affect interpretation + +(b) **Singular/Plural:** Words in singular include plural and vice versa as context requires + +(c) **Gender:** Masculine includes feminine and neuter + +(d) **Including:** "Including" means "including without limitation" + +(e) **Business Days:** "Days" means calendar days unless specified as "business days" (Monday-Friday, excluding Belgian public holidays) + +(f) **References:** References to "Articles," "Sections," "Annexes," etc. are to provisions of this Agreement unless otherwise stated + +## 16.13 Third-Party Beneficiaries + +This Agreement is solely for the benefit of the Parties and does not confer any rights upon any third parties, including Customers, except: + +(a) Customers have rights under Article 15 (Customer Transition) upon Partnership termination + +(b) Affiliates covered by indemnification provisions have enforcement rights + +(c) No other third parties may enforce any provision of this Agreement + +## 16.14 Publicity and Announcements + +(a) **Mutual Consent Required:** +- Neither Party may issue press releases or public announcements about this Agreement without the other Party's prior written consent +- Consent not to be unreasonably withheld + +(b) **Permitted Disclosures:** +- Partner may identify itself as an Ask Eve AI partner +- Partner may use approved marketing materials and trademarks per Article 5.4 +- Either Party may disclose existence of partnership (but not specific terms) in normal business communications +- Disclosures required by law or regulatory authority permitted (with notice per Section 13.4(c)) + +(c) **Customer References:** +- Partner may reference Customers as users of Partner Services (subject to Customer consent) +- Partner shall obtain Customer consent before using 
Customer name, logo, or testimonials +- Ask Eve AI may reference Partner as a partner but not disclose Partner's Customers without consent + +--- + +# EXHIBITS + +The following Exhibits are incorporated into and form part of this Agreement: + +## Exhibit A: Pricing and Fees +[Attached separately - Standard platform pricing schedule applicable to all partners] + +## Exhibit B: Data Protection Agreement (DPA) +[Reference to Ask Eve AI's standard DPA v2.0 or current version] + +## Exhibit C: Security Requirements +[Reference to security standards outlined in Article 3.2 and Ask Eve AI's published security documentation] + +## Exhibit D: Terms of Service +[Reference to Ask Eve AI's standard Terms of Service v1.0 or current version] + +--- + +# ANNEXES + +The following Annexes contain partner-type specific terms. Only Annexes checked in Article 2.1 apply to Partner. + +## Annex 1: Knowledge Partner Terms +[To be completed based on whether Partner is a Knowledge Partner] + +## Annex 2: Expert Partner Terms +[To be completed based on whether Partner is an Expert Partner] + +## Annex 3: Management Partner Terms +[To be completed based on whether Partner is a Management Partner] + +--- + +# ADDENDA + +Partner-specific commercial terms, IP transfer arrangements, revenue thresholds, and custom provisions will be documented in separately executed Addenda that reference this Agreement. + +Addenda shall be numbered sequentially (Addendum 1, Addendum 2, etc.) and each Addendum shall: +- Reference this Partnership Agreement +- Specify the effective date +- Identify the specific products, Specialists, or arrangements covered +- Be signed by authorized representatives of both Parties + +--- + +# SIGNATURE PAGE + +**Partnership Agreement between Ask Eve AI and [Partner Name]** + +The Parties acknowledge having read and understood this Agreement, including all Annexes, Addenda, and Exhibits, and agree to be bound by the terms and conditions herein. 
+ +**Ask Eve AI (Flow IT BV)** + +Signature: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +Name: Pieter Laroy + +Title: Managing Director + +Date: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +--- + +**PARTNER: [Partner Legal Name]** + +Signature: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +Name: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +Title: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +Date: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +--- + +**Executed Documents:** +- ☐ Main Partnership Agreement +- ☐ Annex 1: Knowledge Partner Terms (if applicable) +- ☐ Annex 2: Expert Partner Terms (if applicable) +- ☐ Annex 3: Management Partner Terms (if applicable) +- ☐ Addendum [Number]: [Description] (if applicable) +- ☐ Exhibit A: Pricing and Fees +- ☐ Exhibit B: Data Protection Agreement (Reference) +- ☐ Exhibit C: Security Requirements (Reference) +- ☐ Exhibit D: Terms of Service (Reference) + +--- + +## DOCUMENT CONTROL + +**Document Title:** Ask Eve AI Partnership Agreement +**Version:** 1.0 +**Date:** [Effective Date] +**Status:** Template for Execution +**Author:** Ask Eve AI Legal +**Approved By:** [Name, Title] + +**Revision History:** + +| Version | Date | Author | Changes | +|---------|------|--------|---------| +| 1.0 | [Date] | Ask Eve AI Legal | Initial template creation | +| | | | | + +--- + +## QUICK REFERENCE GUIDE + +**For Ask Eve AI Team:** + +**Before Partner Signs:** +- [ ] Determine partner type(s) (Knowledge / Expert / Management) +- [ ] Complete applicable Annex(es) with specific terms +- [ ] Create Addendum if custom IP transfer or revenue arrangements needed +- [ ] Complete Exhibit A with agreed pricing +- [ ] Review non-compete scope (Territory and Domain) appropriate for partner +- [ ] Confirm insurance requirements if Management Partner + +**After Partner Signs:** +- [ ] Provide partner access to Platform and partner portal +- [ ] Set up billing and invoicing systems +- [ ] 
Register partner in CRM +- [ ] Schedule onboarding/training session +- [ ] Provide marketing materials and brand guidelines + +**For Partners:** + +**Key Obligations to Remember:** +- First and second-line customer support (Article 8) +- GDPR compliance and customer DPA collection (Article 6) +- Thorough testing of all Partner Services (Article 3.3) +- Security requirements implementation (Article 3.2) +- Monthly payment of platform fees (Article 9) +- Non-compete restrictions during term + 12-18 months (Article 3.5) + +**Key Rights:** +- Set own customer pricing with markup (Article 9.1) +- Access to third-line Ask Eve AI support (Article 4.4) +- Revenue share or compensation per Addendum +- Customer relationships preserved through Article 15 +- IP ownership per applicable Annex and Addendum + +--- + +## CHECKLIST FOR PARTNER ONBOARDING + +**Phase 1: Legal and Compliance (Week 1)** +- [ ] Partnership Agreement executed +- [ ] All Annexes completed and signed +- [ ] Addendum(s) executed (if applicable) +- [ ] Insurance certificates received (if Management Partner) +- [ ] GDPR compliance documentation reviewed +- [ ] Security requirements acknowledged + +**Phase 2: Technical Setup (Week 1-2)** +- [ ] Partner admin accounts created +- [ ] Partner portal access provided +- [ ] API credentials generated (if applicable) +- [ ] Test tenant/environment set up +- [ ] Documentation and training materials shared + +**Phase 3: Business Setup (Week 2-3)** +- [ ] Billing contact information confirmed +- [ ] Payment method configured +- [ ] Usage reporting access provided +- [ ] Marketing materials and brand assets shared +- [ ] Co-marketing opportunities discussed + +**Phase 4: Go-Live Preparation (Week 3-4)** +- [ ] Partner Services tested in staging environment +- [ ] First customer(s) identified +- [ ] Customer onboarding process reviewed +- [ ] Support escalation procedures confirmed +- [ ] Launch plan agreed + +--- + +## APPENDIX: DEFINITIONS OF PARTNER TYPES + +### 
Knowledge Partner (Annex 1) +**What they do:** Provide domain expertise and structured knowledge through Catalogs on the Platform. + +**Key characteristics:** +- Create and maintain Catalogs of domain-specific information +- Responsible for accuracy and updates of content +- Customers access their Catalogs for information and guidance +- Revenue typically through usage-based fees or subscription share + +**Examples:** +- Legal knowledge provider creating library of employment law information +- HR specialist providing recruitment best practices and templates +- Industry expert providing sector-specific market intelligence + +### Expert Partner (Annex 2) +**What they do:** Co-develop AI Specialists with Ask Eve AI for specific business functions. + +**Key characteristics:** +- Work with Ask Eve AI to design, configure, and train AI Specialists +- Provide domain expertise for Specialist logic and workflows +- Thoroughly test Specialists before customer deployment +- May receive IP transfer of Specialists upon revenue milestones +- Development costs borne by Ask Eve AI initially, recovered through revenue share + +**Examples:** +- Recruitment firm co-developing AI recruiter Specialist +- Legal practice co-developing contract review Specialist +- Financial advisor co-developing investment analysis Specialist + +### Management Partner (Annex 3) +**What they do:** Manage complete customer relationships, acting as primary customer contact. 
+ +**Key characteristics:** +- Own customer relationship and all customer touchpoints +- Provide first and second-line support +- Responsible for customer success and satisfaction +- Guarantee payment to Ask Eve AI regardless of customer payment +- Must collect signed DPA and T&Cs from each customer +- Required to maintain professional liability insurance +- Revenue through margin on Ask Eve AI platform fees + +**Examples:** +- System integrator managing enterprise deployments +- Consulting firm providing managed AI services +- Technology partner offering white-label AI solutions + +**Note:** Partners can be multiple types simultaneously (e.g., Expert + Management Partner). + +--- + +## CONTACT INFORMATION + +**For Questions About This Agreement:** + +**Legal and Contractual Matters:** +Email: legal@Ask Eve AI.com +Subject line: "Partnership Agreement - [Partner Name]" + +**Billing and Payment:** +Email: finance@Ask Eve AI.com +Subject line: "Billing - [Partner Name]" + +**Technical Support (for Partners):** +Partner Portal: [URL when available] +Email: partners@Ask Eve AI.com +Subject line: "Support - [Partner Name] - [Brief Description]" + +**Security and Compliance:** +Email: security@Ask Eve AI.com +Subject line: "Security - [Partner Name]" + +**General Partnership Inquiries:** +Email: partnerships@Ask Eve AI.com + +--- + +## NOTES FOR LEGAL REVIEW + +**Before finalizing this template, the following should be reviewed by Belgian legal counsel:** + +1. **Non-Compete Enforceability:** + - 18-month customer non-solicitation duration (Section 3.5(b)) + - 12-month technology restriction (Section 3.5(c)) + - Geographic and domain scope limitations + - Individual employee carve-outs + +2. **IP Transfer Mechanics:** + - Revenue-based IP transfer triggers (to be specified in Addenda) + - Tax implications of IP transfers + - Valuation methodologies for transfers + - Ongoing platform dependency after transfer + +3. 
**Liability Caps:** + - 12-month fee cap (Section 12.2) + - Exceptions in Section 12.3 + - Compliance with mandatory Belgian law + +4. **Data Protection:** + - Controller/Processor/Sub-Processor relationships (Article 6) + - DPA flow-down requirements (Section 6.4) + - Data breach notification timelines (Section 6.3) + - GDPR indemnification scope (Section 6.5) + +5. **Insurance Requirements:** + - Mandatory amounts for Management Partners (€250K-500K) + - Professional liability vs. cyber liability requirements + - Belgian insurance market standards + +6. **Termination Provisions:** + - Performance-based termination (Section 14.4) + - Customer transition rights (Article 15) + - Revenue share during transition (Section 15.3) + +7. **Force Majeure:** + - Extended force majeure termination (90 days) + - Exclusions from force majeure excuse + +8. **Dispute Resolution:** + - Mandatory informal negotiation (Section 16.2(a)) + - Exclusive jurisdiction of Ghent courts (Section 16.3) + +--- + +**END OF PARTNERSHIP AGREEMENT TEMPLATE** + +--- + +**IMPLEMENTATION NOTES:** + +This template provides the foundation for Ask Eve AI's partnership program. To use this agreement: + +1. **Customize Article 2.1** with specific Territory, Domain(s), and Partner Type(s) +2. **Complete applicable Annexes** (1, 2, and/or 3) with detailed terms +3. **Create Addendum** for partner-specific commercial terms, especially: + - IP transfer revenue thresholds (Expert Partners) + - Revenue share percentages (Management Partners) + - Custom pricing arrangements + - Specific Specialist or Catalog details +4. **Update Exhibit A** with current pricing +5. **Attach references** to current DPA and Terms of Service versions + +**Remember:** This is a template. Each partnership may require customization based on specific business arrangements, partner capabilities, and market conditions. \ No newline at end of file 
diff --git a/content/terms/1.0/1.0.0.md b/content/terms/1.0/1.0.0.md
index 95cb4aa..8ce2023 100644
--- a/content/terms/1.0/1.0.0.md
+++ b/content/terms/1.0/1.0.0.md
@@ -18,7 +18,7 @@ To access certain features of the Service, you must register for an account. You
 ### 4. Privacy
-Your use of the Service is also governed by our Privacy Policy, which can be found [here](/content/privacy).
+Your use of the Service is also governed by our Privacy Policy, which can be found [here](/content/dpa).
 ### 5. Intellectual Property
diff --git a/content/terms/1.1/1.1.0.md b/content/terms/1.1/1.1.0.md
new file mode 100644
index 0000000..ba97fdb
--- /dev/null
+++ b/content/terms/1.1/1.1.0.md
@@ -0,0 +1,454 @@ +# Terms of Service + +## Ask Eve AI + +**Version 1.0.0** +**Effective Date: October 3, 2025** + +--- + +## Introduction + +These Terms of Service ("Terms") constitute a legally binding agreement between **Flow IT BV**, with registered office at Toekomststraat 62, 9800 Deinze, Belgium, with company number BE0877.273.542, operating under the trademark **Ask Eve AI** ("Ask Eve AI," "AskEveAI," "we," "us," or "our"), and the Customer (as defined below) that governs the use of the Services (as defined below). + +By signing up to use the Services, accessing the Services, or clicking to accept these Terms, you ("Customer," "you," or "your") agree to be bound by these Terms. You represent that you are lawfully able to enter into contracts and, if you are entering into these Terms on behalf of an entity, that you have legal authority to bind that entity. + +**For commercial customers**: Your use of the Services is also subject to our [Data Protection Agreement](link-to-dpa), which governs the processing of personal data. In the event of any conflict between these Terms and the Data Protection Agreement regarding data protection matters, the Data Protection Agreement shall prevail. + +--- + +## 1. Services + +### 1.1 Provision of Services + +1. Upon payment of the applicable fees, Ask Eve AI grants to Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Ask Eve AI platform ("Platform" or "Services") during the term as stated in these Terms and as specified in the applicable subscription for Customer's business operations. + +2. Ask Eve AI may subcontract to third parties any part of the Services. In particular, Ask Eve AI utilizes third-party service providers to provide, amongst others, connectivity, AI services (including large language models), data centre services, database services, content delivery, and security services. A complete list of Sub-Processors is available in Annex 1 of our Data Protection Agreement. 
+ +3. Customer must provide accurate and up-to-date account information. Customer is responsible for all activities that occur under its account, including the activities of any authorized user or Partner. Customer shall: + - Notify Ask Eve AI immediately of any unauthorized use of any password, API key, or user ID, or any other known or suspected breach of security + - Use reasonable efforts to stop any unauthorized use of the Services that is known or suspected by Customer + - Not provide false identity information to gain access to or use the Services + - Maintain proper access controls for all users and API credentials + +### 1.2 Limitations on Use of Services + +1. **Prohibited Actions**: Customer shall not: + - Remove any identification, proprietary, copyright, or other notices in the Services or documentation + - Represent that output was human-generated when it was not + - Reverse engineer the Services into source code, decompile, disassemble, or analyze the Services by "reverse engineering" + - Create derivative works of the Services + - Merge the Services with other software + - Sublicense, sell, lease, or otherwise encumber rights granted by Ask Eve AI (unless expressly authorized by Ask Eve AI in writing) + - Use the Services in any way that causes, or may cause, damage to the Services or impairment of the availability or accessibility of the Services + - Use the Services in any way that is unlawful, illegal, fraudulent, or harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity + - Attempt to gain unauthorized access to any portion of the Services or related systems or networks + - Overload, flood, or perform denial-of-service attacks on the Services + - Use automated means to access the Services except through approved APIs and within documented rate limits + +2. 
**Prohibited Content**: Customer shall not use the Services to create, upload, transmit, distribute, or store content that: + - Is illegal, including content depicting or facilitating child exploitation, terrorism, illegal drugs, or other criminal activity + - Contains malware, viruses, or malicious code + - Infringes intellectual property rights, including pirated material or unauthorized use of trademarks + - Constitutes spam, phishing attempts, or fraudulent schemes + - Includes personal data without proper consent or legal basis under applicable data protection laws + - Promotes hate speech, violence, or discrimination + - Attempts to manipulate AI systems to produce harmful, misleading, or unauthorized outputs + - Creates deepfakes or other misleading content intended to deceive + - Violates any applicable laws or regulations + +3. **Enforcement**: In case of infringement of these limitations, Ask Eve AI reserves all rights to prove and obtain compensation for its full damages incurred by such infringement. This provision does not prevent Ask Eve AI from obtaining equitable relief in summary or other proceedings. Ask Eve AI may immediately suspend or terminate access to the Services upon discovery of any violation. + +### 1.3 Acceptable Use and Compliance + +1. **Data Protection Compliance**: + - **Customers** and **Partners** must comply with all applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Belgian Data Protection Act, when using the Services. + - Customers and Partners are responsible for obtaining all necessary consents, authorizations, and legal bases required to process personal data through the Services. + - Customers and Partners must ensure their end users are properly informed about data processing activities and that appropriate privacy notices are provided. 
+ - Although Ask Eve AI provides consent management functionality within the Platform, Customers and Partners remain solely responsible for ensuring their use of the Services complies with all applicable data protection requirements. + +2. **Customer and Partner Indemnification for GDPR Violations**: Customer and Partner agree to indemnify, defend, and hold Ask Eve AI harmless from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or related to Customer's or Partner's failure to comply with GDPR or other applicable data protection laws. + +3. **Export Controls and Trade Compliance**: Customer certifies that it will comply with all applicable EU trade restrictions, export controls, and economic sanctions. Customer represents and warrants that it will not use the Services in any country or territory subject to EU or international sanctions, or in violation of any applicable trade restrictions. + +--- + +## 2. Content + +### 2.1 Input and Output + +1. Customer may provide input to the Services ("Input") and receive output from the Services based on the Input ("Output"). Input and Output are collectively "Content." + +2. Customer is responsible for all Content, including ensuring that it does not violate any applicable law or these Terms. Customer represents and warrants that it has all rights, licenses, and permissions needed to provide Input to the Services. + +### 2.2 Ownership + +1. **Customer Ownership**: Customer: + - Retains all ownership rights in Input + - Owns all Output generated by the Services based on Customer's Input + - Owns all specialist configurations, prompts, business logic, and custom implementations created by Customer on the Platform + +2. **Ask Eve AI Assignment**: Ask Eve AI hereby assigns to Customer all of our right, title, and interest, if any, in and to Output generated specifically for Customer. + +3. 
**Platform Ownership**: Ask Eve AI retains all ownership rights in and to the Platform itself, including all software, improvements, enhancements, modifications, AI models, core functionality, and intellectual property rights related thereto. + +### 2.3 Non-Unique Outputs + +Due to the nature of AI services and machine learning generally, Output may not be unique. Other users may receive similar output from the Services. Ask Eve AI's assignment of Output to Customer does not extend to other users' output or any third-party output. + +### 2.4 Use of Content by Ask Eve AI + +Ask Eve AI may use Content to: +- Provide, maintain, develop, and improve the Services +- Comply with applicable law +- Enforce our terms and policies +- Keep the Services safe and secure +- Generate aggregated or de-identified data for research, development, and model improvement, subject to the opt-out provisions in our Data Protection Agreement + +### 2.5 Nature of AI and Customer Responsibilities + +1. **AI Limitations**: Artificial intelligence and machine learning are rapidly evolving fields. Ask Eve AI is constantly working to improve the Services to make them more accurate, reliable, safe, and beneficial. However, given the probabilistic nature of machine learning, use of the Services may, in some situations, result in Output that does not accurately reflect real people, places, or facts. + +2. 
**Customer Acknowledgments**: When Customer uses the Services, Customer understands and agrees that: + - **Output may not always be accurate**: Customer should not rely on Output from the Services as a sole source of truth or factual information, or as a substitute for professional advice + - **Human review required**: Customer must evaluate Output for accuracy and appropriateness for its use case, including using human review as appropriate, before using or sharing Output from the Services + - **No automated decisions affecting individuals**: Customer must not use any Output relating to a person for any purpose that could have a legal or material impact on that person, such as making credit, educational, employment, housing, insurance, legal, medical, or other important decisions about them, without appropriate human oversight and intervention + - **Potential for inappropriate content**: The Services may provide incomplete, incorrect, or offensive Output that does not represent Ask Eve AI's views + - **No endorsements**: If Output references any third-party products or services, it does not mean the third party endorses or is affiliated with Ask Eve AI + +--- + +## 3. Intellectual Property + +### 3.1 Ask Eve AI Ownership + +Except as expressly set forth in these Terms, Ask Eve AI owns and retains all right, title, and interest in and to the Services, including: +- The Platform with all software, improvements, enhancements, or modifications thereto +- Any software, applications, inventions, or other technology developed as part of any maintenance or support +- All AI models, algorithms, and training methodologies +- All Intellectual Property Rights related to any of the foregoing + +"Intellectual Property Rights" means current and future worldwide rights under patent, copyright, trade secret, trademark, moral rights, and other similar rights. 
+ +### 3.2 Reservation of Rights + +All rights in and to Ask Eve AI not expressly granted to Customer in these Terms are reserved by Ask Eve AI. No license is granted to Customer except as to use of the Services as expressly stated herein. These Terms do not grant Customer: +- Any rights to the Intellectual Property Rights in the Platform or Services +- Any rights to use the Ask Eve AI trademarks, logos, domain names, or other brand features unless otherwise agreed in writing + +### 3.3 Partner Implementations + +Where Partners implement functionality on the Platform involving Ask Eve AI: +- Partners retain ownership of their specific implementations, configurations, and custom code +- Partners grant Ask Eve AI a license to host, operate, and provide their implementations as part of the Services +- Ask Eve AI retains ownership of the underlying Platform infrastructure and core functionality +- Partners are responsible for ensuring their implementations comply with these Terms and all applicable laws + +--- + +## 4. Pricing and Payment + +### 4.1 Subscription Model + +1. **Paid Subscriptions**: Customer can only purchase a paid subscription ("Paid Subscription") by paying Basic Fees in advance on a monthly or yearly basis, or at another recurring interval agreed upon prior to purchase, through a third-party payment platform as indicated by Ask Eve AI. + +2. **Third-Party Payment Terms**: Where payment is processed through a third-party payment platform, the separate terms and conditions of that payment platform shall apply in addition to these Terms. + +### 4.2 Fee Structure + +1. **Basic Fees**: Prepaid fees for the base subscription tier, covering specified usage limits for the billing period. Basic Fees must be paid in advance for each billing period to maintain access to the Services. + +2. 
**Additional Fees**: Additional Fees will be charged to Customer on a monthly basis on top of the Basic Fees when the effective usage of the Services exceeds the usage limits covered by the Basic Fee for the respective month. Additional Fees will be calculated and invoiced to Customer through the same third-party payment platform. + +3. **Overage Options**: + - Customer may enable or disable overage usage for each service element (storage, embeddings, interactions) as defined in the subscription agreement + - If overage is disabled and usage limits are reached, Services will be suspended until the next billing period or until Customer enables overage + - Customer may request changes to overage settings mid-period by contacting Ask Eve AI or their managing Partner + - Usage metrics are displayed in the administrative interface + +### 4.3 Payment Terms + +1. **Currency and Taxes**: All prices are quoted in EUR unless otherwise agreed. Tax rates are calculated based on the information Customer provides and the applicable rate at the time of payment. Prices do not include VAT, which will be added at the applicable rate. + +2. **Billing Cycle**: Unless otherwise specified between the Parties, Paid Subscriptions will continue indefinitely until cancelled. Customer will receive a recurring invoice on the first day of each billing period for Basic Fees and will authorize the applicable third-party payment platform to charge the payment method for the then-current subscription fee. + +3. **Payment Deadline**: Payment of each invoiced amount for Additional Fees, taxes included, must be completed within thirty (30) days after the date of the invoice. + +4. **Late Payment**: Any payment after the fixed payment date shall be subject to delay interest for late payment in accordance with the Law of 2 August 2002 on combating late payment in commercial transactions, calculated at the legal interest rate as determined by the Belgian government. 
This provision shall not in any event exclude the possible payment of damages. + +5. **Invoice Complaints**: Complaints relating to invoices must be notified to Ask Eve AI directly and in writing within fifteen (15) days after the invoice date via registered letter or via a proven received email to finance@askeveai.com, stating the precise nature and extent of the complaints. + +### 4.4 Cancellation and Refunds + +1. **Customer Cancellation**: Customer may cancel a Paid Subscription at any time by following the cancellation instructions provided in the administrative interface or by contacting Ask Eve AI. Unless otherwise stated, cancellation will take effect at the end of the billing period in which Customer cancels. + +2. **No Refunds**: Ask Eve AI does not offer refunds or reimbursements for partial subscription periods unless otherwise agreed between the Parties in writing. + +3. **Ask Eve AI Termination**: In addition to, and without prejudice to any other rights Ask Eve AI may have under these Terms, Ask Eve AI reserves the right to terminate a Paid Subscription at any time upon at least fourteen (14) days' notice. Unless Ask Eve AI notifies Customer otherwise, Ask Eve AI will grant Customer access to the Paid Subscription for the remainder of the then-current billing period. + +### 4.5 Price Changes + +Ask Eve AI may from time to time change the prices for Paid Subscriptions, including recurring Basic Fees and Additional Fees, in response to circumstances such as: +- Changes to product offerings and features +- Changes in business operations or economic environment +- Changes in costs from subcontractors or service providers +- Security, legal, or regulatory reasons + +Ask Eve AI will provide reasonable notice of price changes by any reasonable means, including by email or in-app notice, which will in any event not be less than fourteen (14) days. 
Price changes will become effective at the start of the next subscription period following the date of the price change. + +Subject to applicable law, Customer will have accepted the new price by continuing to use the Services after the new price comes into effect. If Customer does not agree to a price change, Customer may reject the change by unsubscribing from the applicable Paid Subscription before the price change comes into effect. + +--- + +## 5. Suspension and Termination + +### 5.1 Suspension for Non-Payment + +1. **Basic Fees**: If Basic Fees are not paid when due, Ask Eve AI reserves the right to immediately suspend Customer's access to the Services without prior notice. + +2. **Additional Fees**: If Additional Fees are not paid within thirty (30) days of the invoice date, Ask Eve AI may suspend Customer's access to the Services. + +3. **Reactivation**: Suspended accounts may be reactivated upon payment of all outstanding amounts. However, time elapsed during suspension still counts toward the applicable billing period, and no pro-rata refunds or credits will be provided. + +### 5.2 Immediate Termination by Ask Eve AI + +Ask Eve AI reserves the right to suspend or terminate Customer's access to the Services or delete Customer's account immediately without any notice, compensation, or court intervention if Ask Eve AI determines: + +1. Customer has breached these Terms, including violation of Section 1.2 (Limitations on Use of Services) or Section 1.3 (Acceptable Use and Compliance) +2. Customer becomes insolvent, files a petition of bankruptcy (or any similar petition under any insolvency law of any jurisdiction), ceases its activities, or proposes any dissolution +3. Ask Eve AI must do so to comply with applicable law +4. Customer's use of the Services could cause risk or harm to Ask Eve AI, its users, or anyone else + +### 5.3 Service Discontinuation + +Ask Eve AI may decide to discontinue the Services. 
In such case, Ask Eve AI will give Customer advance notice and a refund for any prepaid, unused Services on a pro-rata basis. + +### 5.4 Data Upon Termination + +1. **License Suspension**: When a subscription is suspended or cancelled, Customer loses access to the Services, but tenant data is not automatically deleted. Customer may resume access by reactivating the subscription and paying applicable fees. + +2. **Tenant Termination**: Customer may request full termination of its tenant account and deletion of all associated tenant data by contacting Ask Eve AI. Upon such request: + - Tenant-specific content will be isolated and marked for deletion + - Deletion will occur within ninety (90) days as specified in the Data Protection Agreement + - Financial and billing records will be retained for seven (7) years as required by Belgian law + - User accounts will be disabled to maintain audit trail integrity + +3. **Data Export**: Customer may export accessible data through the API while subscription remains active and fees are current. Ask Eve AI does not provide separate data export services. + +--- + +## 6. Warranties and Disclaimers + +### 6.1 Service Availability + +Ask Eve AI strives to provide high availability of the Services but does not guarantee any specific uptime or service level. Ask Eve AI reserves the right to: +- Perform scheduled maintenance between 22:00 and 05:00 CET without prior notice +- Perform scheduled maintenance outside these hours with at least seven (7) days' advance notice +- Perform emergency maintenance at any time without notice when necessary to protect the security, integrity, or availability of the Services + +### 6.2 Warranty Disclaimer + +THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." TO THE FULLEST EXTENT PERMITTED BY LAW, ASK EVE AI AND ITS PARTNERS MAKE NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. 
+ +Specifically, Ask Eve AI does not warrant that: +- The Services will meet Customer's performance requirements or operate in accordance with Customer's expectations +- The Services will be uninterrupted, secure, or error-free +- Any errors or defects will be corrected +- The Services will be free from viruses or other harmful components +- Results obtained from use of the Services will be accurate or reliable + +Customer acknowledges that before entering into these Terms, Customer has evaluated the Services and accepts responsibility for selection of the Services, their use, and the results to be obtained therefrom. + +### 6.3 AI-Specific Disclaimers + +Neither Ask Eve AI nor its partners make any warranty about: +- The accuracy, completeness, or appropriateness of any Output generated by the Services +- Any content or information in or from an end user or Customer account +- The reliability of AI models or the absence of AI hallucinations, errors, or biases +- The suitability of Output for any particular purpose or decision-making process + +Customer accepts and agrees that any use of Output from the Services is at Customer's sole risk and that Customer will not rely on Output as a sole source of truth or factual information, or as a substitute for professional advice. + +--- + +## 7. Limitation of Liability + +### 7.1 Liability Cap + +TO THE FULLEST EXTENT PERMITTED BY LAW, THE TOTAL AGGREGATE LIABILITY OF ASK EVE AI UNDER THESE TERMS SHALL BE LIMITED TO THE TOTAL AMOUNT OF BASIC FEES PAID BY CUSTOMER TO ASK EVE AI DURING THE THREE (3) MONTHS IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO THE LIABILITY. ADDITIONAL FEES (OVERAGE) ARE EXCLUDED FROM THIS CALCULATION. 
+ +### 7.2 Exclusion of Consequential Damages + +IN NO EVENT SHALL ASK EVE AI BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO: +- Loss of profits or revenue +- Loss of business or anticipated savings +- Loss of goodwill or reputation +- Loss of data or information +- Business interruption +- Cost of procurement of substitute services +- Any other indirect or consequential loss or damage + +This exclusion applies regardless of the legal theory on which the claim is based (contract, tort, negligence, strict liability, or otherwise) and whether or not Ask Eve AI has been advised of the possibility of such damages. + +### 7.3 Specific Exclusions + +Ask Eve AI shall have no liability whatsoever for: +- **AI Output**: Any damages or claims resulting from Customer's use of, reliance on, or decisions made based on Output generated by the Services +- **Third-Party Services**: Deficiencies in infrastructure services or third-party software provided by Ask Eve AI's Sub-Processors, beyond the liability such Sub-Processors have toward Ask Eve AI +- **Customer Content**: Any claims arising from Customer's Input, including claims of infringement, defamation, or violation of privacy rights +- **End User Claims**: Claims brought by Customer's end users arising from Customer's use of the Services +- **Unauthorized Use**: Damages resulting from unauthorized access to or use of Customer's account +- **Force Majeure**: Events beyond Ask Eve AI's reasonable control, including acts of God, natural disasters, war, terrorism, riots, labor disputes, governmental actions, internet disturbances, epidemics, pandemics, or failures of third-party infrastructure providers + +### 7.4 Customer Indemnification + +Customer shall, at its own expense, indemnify, defend, and hold Ask Eve AI harmless from and against any claim(s), damages, losses, liabilities, costs, and expenses (including reasonable legal fees) brought against Ask Eve AI 
by a third party arising out of or related to: +- Customer's use of Output obtained from the Services +- Customer's breach of these Terms +- Customer's violation of any applicable laws or regulations +- Customer's violation of any third-party rights +- Customer's failure to comply with GDPR or other data protection laws + +### 7.5 Mandatory Liability + +Nothing in these Terms shall limit or exclude liability to the extent such limitation or exclusion is prohibited by mandatory applicable law, including liability for: +- Death or personal injury caused by negligence +- Fraud or fraudulent misrepresentation +- Intentional misconduct or gross negligence +- Any other liability that cannot be excluded or limited under Belgian or EU law + +### 7.6 Basis of the Bargain + +Customer acknowledges and agrees that the limitations of liability set forth in this Section 7 are fundamental elements of the basis of the bargain between Ask Eve AI and Customer, and that Ask Eve AI would not be able to provide the Services on an economically reasonable basis without these limitations. + +--- + +## 8. Confidential Information + +### 8.1 Mutual Confidentiality Obligations + +1. **Ask Eve AI's Confidential Information**: Customer acknowledges that information and data (including general business information) it receives from Ask Eve AI concerning the Services and any documentation related to the Services are confidential and proprietary and a valuable commercial asset of Ask Eve AI. + +2. **Customer's Confidential Information**: Ask Eve AI acknowledges that general business information and Customer data it receives from Customer is confidential and proprietary. + +3. 
**Confidentiality Obligations**: Both Parties agree to: + - Keep confidential information received from the other Party in confidence + - Not disclose any such information to third parties without prior written consent of the disclosing Party + - Not use confidential information for its own benefit or purposes other than fulfilling contractual obligations + - Disclose confidential information only to employees or advisors who require the information to enable that Party to fulfill its contractual obligations and who are bound by similar confidentiality obligations + +### 8.2 Exclusions from Confidentiality + +A Party's Confidential Information shall not be deemed to include information that: +- Is or becomes publicly known other than through any act or omission of the receiving Party +- Was in the receiving Party's lawful possession before the disclosure +- Is lawfully disclosed to the receiving Party by a third party without restriction on disclosure +- Is independently developed by the receiving Party, which independent development can be shown by written evidence +- Is required to be disclosed by law, by any court of competent jurisdiction, or by any regulatory or administrative body + +--- + +## 9. Data Protection + +### 9.1 Data Protection Agreement + +For commercial customers, the processing of personal data is governed by our Data Protection Agreement, which is incorporated into these Terms by reference. The Data Protection Agreement can be found at [link to DPA]. + +### 9.2 Precedence + +In the event of any conflict between these Terms and the Data Protection Agreement regarding data protection matters, the Data Protection Agreement shall prevail. 
+ +### 9.3 Customer Responsibilities + +Customer is responsible for: +- Ensuring it has a lawful basis for processing personal data through the Services +- Providing appropriate privacy notices to data subjects +- Obtaining necessary consents where required +- Responding to data subject rights requests +- Implementing appropriate technical and organizational measures for data it controls + +--- + +## 10. General Provisions + +### 10.1 Assignment + +Customer may not assign any part of these Terms without Ask Eve AI's prior written consent, except that no such consent will be required with respect to an assignment of these Terms to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Any other attempt to transfer or assign is void. + +Ask Eve AI may assign these Terms or any rights hereunder without Customer's consent. + +### 10.2 Dispute Resolution + +1. **Informal Negotiation**: Before initiating any formal legal proceedings, the Parties agree to first attempt to resolve any dispute, claim, or controversy arising out of or relating to these Terms through good faith negotiations for a period of thirty (30) days. + +2. **Formal Proceedings**: If the dispute cannot be resolved through informal negotiation, either Party may pursue formal legal proceedings, including through a Belgian bailiff (deurwaarder/huissier de justice) or other legal collection methods available under Belgian law. + +### 10.3 Governing Law and Jurisdiction + +These Terms are exclusively governed by Belgian law, without regard to its conflict of laws principles. Any litigation relating to the conclusion, validity, interpretation, and/or performance of these Terms, or any other dispute concerning or related to these Terms, shall be submitted to the exclusive jurisdiction of the courts of Ghent (Gent), Belgium. 
+ +### 10.4 Severability + +If any provision of these Terms is held to be void, invalid, or unenforceable under applicable law, this shall not cause the other provisions of these Terms to be void or unenforceable. In such cases, the Parties shall replace the affected provision with a different provision that is not void or unenforceable and that represents the same intention that the Parties had with the original provision. + +### 10.5 Force Majeure + +Neither Ask Eve AI nor Customer will be liable for inadequate performance to the extent caused by a condition that was beyond the Party's reasonable control, including but not limited to natural disaster, act of war or terrorism, riot, labor condition, governmental action, internet disturbance, epidemic, pandemic, or failure of third-party infrastructure providers. + +Any delay resulting from such causes shall extend performance accordingly or excuse performance, in whole or in part, as may be reasonable under the circumstances. In such an event, each Party shall notify the other Party of the expected duration of the force majeure event. + +### 10.6 Modification of Terms + +1. **Notice of Changes**: Ask Eve AI reserves the right to modify these Terms at any time. We will provide reasonable notice of any material changes to these Terms by any reasonable means, including by email, in-app notification, or by posting notice of the changes on our website, which notice will in any event be provided at least fourteen (14) days before the changes take effect. + +2. **Acceptance**: Customer's continued use of the Services after such modifications will constitute acceptance of the modified Terms. If Customer does not agree to the modified Terms, Customer must discontinue use of the Services and may cancel the subscription in accordance with Section 4.4. + +3. 
**Non-Material Changes**: Ask Eve AI may make non-material changes (such as corrections of typos, clarifications, or updates to contact information) without advance notice. + +### 10.7 Entire Agreement + +These Terms, together with the Data Protection Agreement and any other documents expressly incorporated by reference, constitute the entire agreement between the Parties concerning the subject matter hereof and supersede all prior agreements, understandings, and arrangements, whether written or oral, relating to such subject matter. + +### 10.8 No Waiver + +The failure of either Party to enforce any provision of these Terms shall not constitute a waiver of that provision or any other provision. No waiver shall be effective unless made in writing and signed by an authorized representative of the waiving Party. + +### 10.9 Notices + +All notices required or permitted under these Terms shall be in writing and shall be deemed given: +- When delivered personally +- When sent by confirmed email to the email address provided by the receiving Party +- Three (3) business days after being sent by registered mail to the address provided by the receiving Party + +Notices to Ask Eve AI should be sent to: legal@askeveai.com + +### 10.10 Language + +These Terms are executed in English. In case of any discrepancy between language versions, the English version shall prevail. + +### 10.11 Survival + +The following provisions shall survive termination or expiration of these Terms: Sections 2.2 (Ownership), 3 (Intellectual Property), 6.2 and 6.3 (Disclaimers), 7 (Limitation of Liability), 8 (Confidential Information), and 10 (General Provisions). 
+
+---
+
+## Contact Information
+
+For questions about these Terms, please contact:
+
+**Ask Eve AI (Flow IT BV)**
+Toekomststraat 62
+9800 Deinze
+Belgium
+Company Number: BE0877.273.542
+
+Email: legal@askeveai.com
+Website: https://askeveai.com
+
+---
+
+**By using the Services, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service.**
+
+---
+
+*Last updated: October 3, 2025*
\ No newline at end of file
diff --git a/docker/compose_dev.yaml b/docker/compose_dev.yaml
index bf48947..150319b 100644
--- a/docker/compose_dev.yaml
+++ b/docker/compose_dev.yaml
@@ -86,6 +86,7 @@ services:
 - ../scripts:/app/scripts
 - ../patched_packages:/app/patched_packages
 - ./eveai_logs:/app/logs
+ - ../db_backups:/app/db_backups
 depends_on:
 db:
 condition: service_healthy
diff --git a/docker/eveai_ops/Dockerfile b/docker/eveai_ops/Dockerfile
index c5beaa8..2276ce2 100644
--- a/docker/eveai_ops/Dockerfile
+++ b/docker/eveai_ops/Dockerfile
@@ -2,3 +2,5 @@ FROM registry.ask-eve-ai-local.com/josakola/eveai-base:latest
 # Copy the source code into the container.
 COPY eveai_ops /app/eveai_ops
 COPY migrations /app/migrations
+COPY db_backups /app/db_backups
+
+
diff --git a/eveai_app/templates/navbar.html b/eveai_app/templates/navbar.html
index 03cc0f2..dfe07ed 100644
--- a/eveai_app/templates/navbar.html
+++ b/eveai_app/templates/navbar.html
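Review bot: `COPY db_backups /app/db_backups` in docker/eveai_ops/Dockerfile bakes whatever sits in the build context's `db_backups/` directory into an image layer, so any database dump present at build time travels to every registry and host that pulls the image and remains recoverable from the layer even if a later step deletes it. Dumps of this database would presumably contain the `public.user` and tenant tables, which makes the image itself sensitive. The compose_dev.yaml hunk in the same commit already bind-mounts `../db_backups` at runtime; the ops image can do the same if the `COPY` is replaced with `RUN mkdir -p /app/db_backups` and `db_backups/` is listed in `.dockerignore`. The blank lines added after the `COPY` can be dropped as well.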
@@ -70,6 +70,7 @@ {% if current_user.is_authenticated %} {{ dropdown('Tenants', 'source_environment', [ {'name': 'Tenants', 'url': 'user/tenants', 'roles': ['Super User', 'Partner Admin']}, + {'name': 'Consent Versions', 'url': 'user/consent_versions', 'roles': ['Super User']}, {'name': 'Tenant Overview', 'url': 'user/tenant_overview', 'roles': ['Super User', 'Partner Admin', 'Tenant Admin']}, {'name': 'Edit Tenant', 'url': 'user/tenant/' ~ session['tenant'].get('id'), 'roles': ['Super User', 'Partner Admin', 'Tenant Admin']}, {'name': 'Tenant Partner Services', 'url': 'user/tenant_partner_services', 'roles': ['Super User', 'Partner Admin', 'Tenant Admin']}, diff --git a/eveai_app/templates/user/consent_version.html b/eveai_app/templates/user/consent_version.html new file mode 100644 index 0000000..da26bde --- /dev/null +++ b/eveai_app/templates/user/consent_version.html @@ -0,0 +1,75 @@ +{% extends 'base.html' %} +{% from "macros.html" import render_field, render_included_field %} + +{% block title %}Create or Edit Consent Version{% endblock %} + +{% block content_title %}Create or Edit Consent Version{% endblock %} +{% block content_description %}Create or Edit Consent Version{% endblock %} + +{% block content %} +
+ {{ form.hidden_tag() }} + {% set disabled_fields = [] %} + {% set exclude_fields = [] %} + {% for field in form %} + {{ render_field(field, disabled_fields, exclude_fields) }} + {% endfor %} + + +
+{% endblock %} + + +{% block content_footer %} + +{% endblock %} + +{% block scripts %} + + +{% endblock %} \ No newline at end of file diff --git a/eveai_app/templates/user/edit_consent_version.html b/eveai_app/templates/user/edit_consent_version.html new file mode 100644 index 0000000..667be87 --- /dev/null +++ b/eveai_app/templates/user/edit_consent_version.html @@ -0,0 +1,75 @@ +{% extends 'base.html' %} +{% from "macros.html" import render_field, render_included_field %} + +{% block title %}Create or Edit Consent Version{% endblock %} + +{% block content_title %}Create or Edit Consent Version{% endblock %} +{% block content_description %}Create or Edit Consent Version{% endblock %} + +{% block content %} +
+ {{ form.hidden_tag() }} + {% set disabled_fields = ["consent_type"] %} + {% set exclude_fields = [] %} + {% for field in form %} + {{ render_field(field, disabled_fields, exclude_fields) }} + {% endfor %} + + +
+{% endblock %} + + +{% block content_footer %} + +{% endblock %} + +{% block scripts %} + + +{% endblock %} \ No newline at end of file diff --git a/eveai_app/views/basic_views.py b/eveai_app/views/basic_views.py index fd7b1dc..ccbe908 100644 --- a/eveai_app/views/basic_views.py +++ b/eveai_app/views/basic_views.py @@ -118,7 +118,7 @@ def view_content(content_type): Show content like release notes, terms of use, etc. Args: - content_type (str): Type content (eg. 'changelog', 'terms', 'privacy') + content_type (str): Type content (eg. 'changelog', 'terms', 'dpa') """ try: major_minor = request.args.get('version') @@ -135,14 +135,14 @@ def view_content(content_type): titles = { 'changelog': 'Release Notes', 'terms': 'Terms & Conditions', - 'privacy': 'Privacy Statement', + 'dpadpa': 'Data Privacy Agreement', # Voeg andere types toe indien nodig } descriptions = { 'changelog': 'EveAI Release Notes', 'terms': "Terms & Conditions for using AskEveAI's Evie", - 'privacy': "Privacy Statement for AskEveAI's Evie", + 'dpadpa': "Data Privacy Agreement for AskEveAI's Evie", # Voeg andere types toe indien nodig } diff --git a/eveai_app/views/list_views/user_list_views.py b/eveai_app/views/list_views/user_list_views.py index 02d76d4..faf9b5e 100644 --- a/eveai_app/views/list_views/user_list_views.py +++ b/eveai_app/views/list_views/user_list_views.py @@ -3,7 +3,8 @@ from flask_security import roles_accepted from sqlalchemy.exc import SQLAlchemyError import ast -from common.models.user import Tenant, User, TenantDomain, TenantProject, TenantMake, PartnerTenant, PartnerService +from common.models.user import Tenant, User, TenantDomain, TenantProject, TenantMake, PartnerTenant, PartnerService, \ + ConsentVersion from common.services.user import UserServices, PartnerServices from common.utils.eveai_exceptions import EveAINoSessionPartner, EveAINoManagementPartnerService from common.utils.security_utils import current_user_has_role 
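Review bot: The new key `'dpadpa'` in both `titles` and `descriptions` of `view_content` does not match the `'dpa'` content type named in the updated docstring, so a request for `dpa` finds no title and no description; this looks like a search-and-replace slip. The entries should read `'dpa': 'Data Privacy Agreement',` and `'dpa': "Data Privacy Agreement for AskEveAI's Evie",`. How a missing key is handled cannot be seen, because `view_content` starts and ends outside these hunks.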
@@ -287,6 +288,8 @@ def get_tenant_makes_list_view(tenant_id): # Tenant Partner Services list view helper + + def get_tenant_partner_services_list_view(tenant_id): """Generate the tenant partner services list view configuration for a specific tenant""" # Get partner services for the tenant through PartnerTenant association 
@@ -328,3 +331,48 @@ def get_tenant_partner_services_list_view(tenant_id): 'form_action': url_for('user_bp.tenant_partner_services'), 'description': f'Partner Services for tenant {tenant_id}' } + + +def get_consent_versions_list_view(): + """Generate the tenant makes list view configuration for a specific tenant""" + # Get makes for the tenant + query = ConsentVersion.query.filter_by().order_by(ConsentVersion.id) + consent_versions = query.all() + + # Prepare data for Tabulator + data = [] + for cv in consent_versions: + data.append({ + 'id': cv.id, + 'consent_type': cv.consent_type, + 'consent_version': cv.consent_version, + 'consent_valid_from': cv.consent_valid_from.strftime('%Y-%m-%d') if cv.consent_valid_from else '', + 'consent_valid_to': cv.consent_valid_to.strftime('%Y-%m-%d') if cv.consent_valid_to else '', + }) + + # Column Definitions + columns = [ + {'title': 'ID', 'field': 'id', 'width': 80}, + {'title': 'Consent Type', 'field': 'consent_type'}, + {'title': 'From', 'field': 'consent_valid_from'}, + {'title': 'To', 'field': 'consent_valid_to'} + ] + + actions = [ + {'value': 'edit_consent_version', 'text': 'Edit Consent Version', 'class': 'btn-primary', 'requiresSelection': True}, + {'value': 'create_consent_version', 'text': 'Create Consent Version', 'class': 'btn-success', 'position': 'right', 'requiresSelection': False}, + ] + + initial_sort = [{'column': 'id', 'dir': 'asc'}] + + return { + 'title': 'Consent Versions', + 'data': data, + 'columns': columns, + 'actions': actions, + 'initial_sort': initial_sort, + 'table_id': 'consent_versions_table', + 'form_action': url_for('user_bp.handle_consent_version_selection'), + 'description': f'Consent Versions' + } + diff --git a/eveai_app/views/security_views.py b/eveai_app/views/security_views.py index 9d2264c..3d0fded 100644 --- a/eveai_app/views/security_views.py +++ b/eveai_app/views/security_views.py 
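Review bot: The docstring and comments of `get_consent_versions_list_view` were copied from the tenant-makes helper and describe the wrong object; a fitting docstring is `"""Generate the list view configuration for all consent versions (not tenant-scoped)."""`, with `# Get all consent versions` above the query. `ConsentVersion.query.filter_by()` without arguments filters nothing and can be written `ConsentVersion.query.order_by(ConsentVersion.id)`. `columns` omits `consent_version` although every row carries it, so two versions of the same type look identical in the table; `{'title': 'Version', 'field': 'consent_version'},` fixes that. `f'Consent Versions'` has no placeholder and needs no `f` prefix.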
@@ -10,7 +10,8 @@ from datetime import datetime as dt, timezone as tz from itsdangerous import URLSafeTimedSerializer from sqlalchemy.exc import SQLAlchemyError -from common.models.user import User +from common.models.user import User, ConsentStatus +from common.services.user import TenantServices from common.utils.eveai_exceptions import EveAIException, EveAINoActiveLicense from common.utils.nginx_utils import prefixed_url_for from eveai_app.views.security_forms import SetPasswordForm, ResetPasswordForm, ForgotPasswordForm @@ -56,8 +57,24 @@ def login(): db.session.commit() if current_user.has_roles('Super User'): return redirect(prefixed_url_for('user_bp.tenants', for_redirect=True)) - else: - return redirect(prefixed_url_for('user_bp.tenant_overview', for_redirect=True)) + if current_user.has_roles('Partner Admin'): + return redirect(prefixed_url_for('user_bp.tenants', for_redirect=True)) + consent_status = TenantServices.get_consent_status(user.tenant_id) + match consent_status: + case ConsentStatus.CONSENTED: + return redirect(prefixed_url_for('user_bp.tenant_overview', for_redirect=True)) + case ConsentStatus.NOT_CONSENTED: + if current_user.has_roles('Tenant Admin'): + return redirect(prefixed_url_for('user_bp.tenant_consent', for_redirect=True)) + else: + return redirect(prefixed_url_for('user_bp.no_consent', for_redirect=True)) + case ConsentStatus.RENEWAL_REQUIRED: + if current_user.has_roles('Tenant Admin'): + return redirect(prefixed_url_for('user_bp.tenant_consent_renewal', for_redirect=True)) + else: + return redirect(prefixed_url_for('user_bp.consent_renewal', for_redirect=True)) + case _: + return redirect(prefixed_url_for('basic_bp.index', for_redirect=True)) else: flash('Invalid username or password', 'danger') current_app.logger.error(f'Invalid username or password for given email: {user.email}') diff --git a/eveai_app/views/user_forms.py b/eveai_app/views/user_forms.py index 41bba46..a9547d1 100644 --- a/eveai_app/views/user_forms.py 
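Review bot: The consent check added to `login()` only selects the redirect target after authentication, so by itself it does not keep a user of a tenant in `NOT_CONSENTED` or `RENEWAL_REQUIRED` state from requesting other views directly. Unless those views enforce consent elsewhere (not visible in this hunk), the check belongs in a `before_request` hook or a decorator shared by the protected views, with the login redirect kept as a convenience. The call passes `user.tenant_id` while the role tests use `current_user`; using one of the two consistently makes the branch easier to audit. `login()` starts and ends outside the hunk, and the `match` statement needs Python 3.10 or later, which is worth confirming against the base image.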
+++ b/eveai_app/views/user_forms.py @@ -192,6 +192,7 @@ class TenantMakeForm(DynamicFormBase): self.allowed_languages.choices = [(details['iso 639-1'], f"{details['flag']} {details['iso 639-1']}") for name, details in lang_details.items()] + class EditTenantMakeForm(DynamicFormBase): id = IntegerField('ID', widget=HiddenInput()) name = StringField('Name', validators=[DataRequired(), Length(max=50), validate_make_name]) @@ -212,5 +213,22 @@ class EditTenantMakeForm(DynamicFormBase): self.default_language.choices = choices +class ConsentVersionForm(FlaskForm): + consent_type = SelectField('Consent Type', choices=[], validators=[DataRequired()]) + consent_version = StringField('Consent Version', validators=[DataRequired(), Length(max=20)]) + consent_valid_from = DateField('Consent Valid From', id='form-control datepicker', validators=[DataRequired()]) + consent_valid_to = DateField('Consent Valid To', id='form-control datepicker', validators=[Optional()]) + + def __init__(self, *args, **kwargs): + super(ConsentVersionForm, self).__init__(*args, **kwargs) + # Initialise consent types + self.consent_type.choices = [(t, t) for t in current_app.config['CONSENT_TYPES']] + + +class EditConsentVersionForm(FlaskForm): + consent_type = StringField('Consent Type', validators=[DataRequired()]) + consent_version = StringField('Consent Version', validators=[DataRequired(), Length(max=20)]) + consent_valid_from = DateField('Consent Valid From', id='form-control datepicker', validators=[DataRequired()]) + consent_valid_to = DateField('Consent Valid To', id='form-control datepicker', validators=[Optional()]) diff --git a/eveai_app/views/user_views.py b/eveai_app/views/user_views.py index 64407bb..1f480b0 100644 --- a/eveai_app/views/user_views.py +++ b/eveai_app/views/user_views.py 
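Review bot: `id='form-control datepicker'` on `consent_valid_from` and `consent_valid_to` sets the HTML `id` attribute, so both date inputs in `ConsentVersionForm` and in `EditConsentVersionForm` share one id, and one that contains a space; the value looks like it was meant as a CSS class, e.g. `render_kw={'class': 'form-control datepicker'}`. Neither form checks that `consent_valid_to` is not earlier than `consent_valid_from`, so an inverted validity window can be stored for a consent version. A `validate_consent_valid_to(self, field)` method that raises `ValidationError` when `field.data < self.consent_valid_from.data` would close that, assuming `ValidationError` is importable in this module.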
@@ -6,13 +6,15 @@ from flask_security import roles_accepted, current_user from sqlalchemy.exc import SQLAlchemyError, IntegrityError import ast -from common.models.user import User, Tenant, Role, TenantDomain, TenantProject, PartnerTenant, TenantMake +from common.models.user import User, Tenant, Role, TenantDomain, TenantProject, PartnerTenant, TenantMake, \ + ConsentVersion from common.extensions import db, security, minio_client, simple_encryption, cache_manager from common.utils.dynamic_field_utils import create_default_config_from_type_config from common.utils.security_utils import send_confirmation_email, send_reset_email from config.type_defs.service_types import SERVICE_TYPES from .user_forms import TenantForm, CreateUserForm, EditUserForm, TenantDomainForm, TenantSelectionForm, \ - TenantProjectForm, EditTenantProjectForm, TenantMakeForm, EditTenantForm, EditTenantMakeForm + TenantProjectForm, EditTenantProjectForm, TenantMakeForm, EditTenantForm, EditTenantMakeForm, ConsentVersionForm, \ + EditConsentVersionForm from common.utils.database import Database from common.utils.view_assistants import prepare_table_for_macro, form_validation_failed from common.utils.simple_encryption import generate_api_key @@ -25,7 +27,7 @@ from common.utils.mail_utils import send_email from eveai_app.views.list_views.user_list_views import get_tenants_list_view, get_users_list_view, \ get_tenant_domains_list_view, get_tenant_projects_list_view, get_tenant_makes_list_view, \ - get_tenant_partner_services_list_view + get_tenant_partner_services_list_view, get_consent_versions_list_view from eveai_app.views.list_views.list_view_utils import render_list_view user_bp = Blueprint('user_bp', __name__, url_prefix='/user') 
@@ -693,6 +695,87 @@ def tenant_partner_services(): return render_list_view('list_view.html', **config) +@user_bp.route('/consent_versions', methods=['GET', 'POST']) +@roles_accepted('Super User') +def consent_versions(): + config = get_consent_versions_list_view() + return render_list_view('list_view.html', **config) + + +@user_bp.route('/handle_consent_version_selection', methods=['POST']) +@roles_accepted('Super User') +def handle_consent_version_selection(): + action = request.form['action'] + if action == 'create_consent_version': + return redirect(prefixed_url_for('user_bp.consent_version', for_redirect=True)) + consent_version_identification = request.form.get('selected_row') + consent_version_id = ast.literal_eval(consent_version_identification).get('value') + + if action == 'edit_consent_version': + return redirect(prefixed_url_for('user_bp.edit_consent_version', consent_version_id=consent_version_id, for_redirect=True)) + + # Altijd teruggaan naar de tenant_makes pagina + return redirect(prefixed_url_for('user_bp.consent_versions', for_redirect=True)) + + +@user_bp.route('/consent_version', methods=['GET', 'POST']) +@roles_accepted('Super User') +def consent_version(): + form = ConsentVersionForm() + if form.validate_on_submit(): + new_consent_version = ConsentVersion() + form.populate_obj(new_consent_version) + set_logging_information(new_consent_version, dt.now(tz.utc)) + + try: + db.session.add(new_consent_version) + db.session.commit() + flash('Consent Version successfully added!', 'success') + current_app.logger.info(f'Consent Version {new_consent_version.consent_type}, version {new_consent_version.consent_version} successfully added ') + # Enable step 2 of creation of retriever - add configuration of the retriever (dependent on type) + return redirect(prefixed_url_for('user_bp.consent_versions', for_redirect=True)) + except SQLAlchemyError as e: + db.session.rollback() + flash(f'Failed to add Consent Version. 
Error: {e}', 'danger') + current_app.logger.error(f'Failed to add Consent Version. Error: {str(e)}') + + return render_template('user/consent_version.html', form=form) + + +@user_bp.route('/consent_version/', methods=['GET', 'POST']) +@roles_accepted('Super User') +def edit_consent_version(consent_version_id): + """Edit an existing Consent Version.""" + # Get the Consent Version or return 404 + cv = ConsentVersion.query.get_or_404(consent_version_id) + + # Create form instance with the tenant make + form = EditConsentVersionForm(request.form, obj=cv) + + if form.validate_on_submit(): + # Update basic fields + form.populate_obj(cv) + # Update logging information + update_logging_information(cv, dt.now(tz.utc)) + + # Save changes to database + try: + db.session.add(cv) + db.session.commit() + flash('Consent Version updated successfully!', 'success') + current_app.logger.info(f'Consent Version {cv.id} updated successfully') + except SQLAlchemyError as e: + db.session.rollback() + flash(f'Failed to update Consent Version. Error: {str(e)}', 'danger') + current_app.logger.error(f'Failed to update Consent Version {consent_version_id}. Error: {str(e)}') + return render_template('user/consent_version.html', form=form, consent_version_id=consent_version_id) + + return redirect(prefixed_url_for('user_bp.consent_versions', for_redirect=True)) + else: + form_validation_failed(request, form) + + return render_template('user/edit_consent_version.html', form=form, consent_version_id=consent_version_id) + def reset_uniquifier(user): security.datastore.set_uniquifier(user) diff --git a/eveai_chat_client/static/assets/js/composables/useContentModal.js b/eveai_chat_client/static/assets/js/composables/useContentModal.js index d654526..9846ae6 100644 --- a/eveai_chat_client/static/assets/js/composables/useContentModal.js +++ b/eveai_chat_client/static/assets/js/composables/useContentModal.js 
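Review bot: In `edit_consent_version`, `form.populate_obj(cv)` writes `consent_type` from the request, and the only thing meant to keep it fixed is `disabled_fields = ["consent_type"]` in the template. If `render_field` emits a real `disabled` attribute the browser omits the field and `DataRequired` rejects every edit; if it does not, the server accepts a changed type for a version tenants may already have consented to. Dropping `consent_type` from `EditConsentVersionForm` and showing the stored value read-only makes the server enforce the rule. The `SQLAlchemyError` branch of the same view renders `user/consent_version.html` instead of `user/edit_consent_version.html`, and in `handle_consent_version_selection` a missing `selected_row` reaches `ast.literal_eval(None)` and raises instead of redirecting.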
@@ -110,7 +110,7 @@ export function useContentModal() { throw new Error(data.error || 'Onbekende fout bij het laden van content'); } } else if (data.content !== undefined) { - // Legacy format without success property (current privacy/terms endpoints) + // Legacy format without success property (current dpa/terms endpoints) modalState.content = data.content || ''; modalState.version = data.version || ''; } else if (data.error) { diff --git a/eveai_chat_client/static/assets/vue-components/ConsentRichText.vue b/eveai_chat_client/static/assets/vue-components/ConsentRichText.vue index c083d4a..9d5f94d 100644 --- a/eveai_chat_client/static/assets/vue-components/ConsentRichText.vue +++ b/eveai_chat_client/static/assets/vue-components/ConsentRichText.vue @@ -24,19 +24,19 @@ export default { props: { template: { type: String, required: true }, asButton: { type: Boolean, default: false }, - ariaPrivacy: { type: String, default: 'Open privacy statement in a dialog' }, - ariaTerms: { type: String, default: 'Open terms and conditions in a dialog' } + ariaPrivacy: { type: String, default: 'Open Data Privacy Agreement in a dialog' }, + ariaTerms: { type: String, default: 'Open Terms and Conditions in a dialog' } }, - emits: ['open-privacy', 'open-terms'], + emits: ['open-dpa', 'open-terms'], computed: { linkTag() { return this.asButton ? 'button' : 'a'; }, nodes() { - // Parse only allowed tags ... and ... + // Parse only allowed tags ... and ... const source = (this.template || ''); - // 2) parse only allowed tags ... and ... + // 2) parse only allowed tags ... and ... const pattern = /<(privacy|terms)>([\s\S]*?)<\/\1>/gi; const out = []; let lastIndex = 0; 
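Review bot: In `ConsentRichText.vue` the unchanged `pattern` line still captures only `privacy` and `terms` tags, while the new code compares the captured tag with `'dpa'` (in the `@@ -48,9` and `@@ -62,7` hunks), so a `privacy` node now receives `ariaTerms` as its label and `emitClick` emits nothing for it. Either the pattern becomes `/<(dpa|terms)>([\s\S]*?)<\/\1>/gi` together with every stored consent template, or the comparisons stay on `'privacy'`. Whether the templates were migrated is not visible in this diff. The prop keeps the name `ariaPrivacy`, which is fine for compatibility but deserves a comment such as `// label for the DPA link; name kept for existing callers`.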
@@ -48,9 +48,9 @@ export default { out.push({ type: 'text', text: source.slice(lastIndex, start) }); } out.push({ - type: tag, // 'privacy' | 'terms' + type: tag, // 'dpa' | 'terms' label: (label || '').trim(), - aria: tag === 'privacy' ? this.ariaPrivacy : this.ariaTerms + aria: tag === 'dpa' ? this.ariaPrivacy : this.ariaTerms }); lastIndex = start + full.length; } @@ -62,7 +62,7 @@ export default { }, methods: { emitClick(kind) { - if (kind === 'privacy') this.$emit('open-privacy'); + if (kind === 'dpa') this.$emit('open-dpa'); if (kind === 'terms') this.$emit('open-terms'); } } diff --git a/eveai_chat_client/static/assets/vue-components/DynamicForm.vue b/eveai_chat_client/static/assets/vue-components/DynamicForm.vue index f25c767..d92697f 100644 --- a/eveai_chat_client/static/assets/vue-components/DynamicForm.vue +++ b/eveai_chat_client/static/assets/vue-components/DynamicForm.vue @@ -480,7 +480,7 @@ export default { // Modal handling methods openPrivacyModal() { - this.loadContent('privacy'); + this.loadContent('dpa'); }, openTermsModal() { @@ -494,15 +494,15 @@ export default { retryLoad() { // Retry loading the last requested content type const currentTitle = this.contentModal.modalState.title.toLowerCase(); - if (currentTitle.includes('privacy')) { - this.loadContent('privacy'); + if (currentTitle.includes('dpa')) { + this.loadContent('dpa'); } else if (currentTitle.includes('terms')) { this.loadContent('terms'); } }, async loadContent(contentType) { - const title = contentType === 'privacy' ? 'Privacy Statement' : 'Terms & Conditions'; + const title = contentType === 'dpa' ? 'Data Privacy Agreement' : 'Terms & Conditions'; const contentUrl = `${this.apiPrefix}/${contentType}`; // Use the composable to show modal and load content diff --git a/eveai_chat_client/static/assets/vue-components/FormField.vue b/eveai_chat_client/static/assets/vue-components/FormField.vue index 4a2b130..6de1755 100644 
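Review bot: `retryLoad()` in `DynamicForm.vue` now tests `currentTitle.includes('dpa')`, but `loadContent('dpa')` sets the title to `'Data Privacy Agreement'`, whose lower-cased form does not contain `dpa`, so a retry after a failed load of the agreement does nothing. Matching the text that is actually set, `currentTitle.includes('data privacy')`, restores the behaviour. Deriving the content type from a display title is fragile in general; storing the last requested `contentType` in component state and retrying with it would survive the next rename. `retryLoad` and `loadContent` continue outside the hunk.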
--- a/eveai_chat_client/static/assets/vue-components/FormField.vue +++ b/eveai_chat_client/static/assets/vue-components/FormField.vue @@ -104,12 +104,12 @@ > {{ field.name }} - + privacy statement and the terms and conditions", - ariaPrivacy: 'Open privacy statement in a dialog', + consentRich: "I agree with the dpa statement and the terms and conditions", + ariaPrivacy: 'Open dpa statement in a dialog', ariaTerms: 'Open terms and conditions in a dialog' }; @@ -259,8 +259,8 @@ export default { // 4) Ultimate fallback (should not happen): provide a safe default return { - consentRich: "I agree with the privacy statement and the terms and conditions", - ariaPrivacy: 'Open privacy statement in a dialog', + consentRich: "I agree with the dpa statement and the terms and conditions", + ariaPrivacy: 'Open dpa statement in a dialog', ariaTerms: 'Open terms and conditions in a dialog' }; }, @@ -332,7 +332,7 @@ export default { } }, openPrivacyModal() { - this.$emit('open-privacy-modal'); + this.$emit('open-dpa-modal'); }, openTermsModal() { this.$emit('open-terms-modal'); diff --git a/eveai_chat_client/views/chat_views.py b/eveai_chat_client/views/chat_views.py index 1a8e440..3093237 100644 --- a/eveai_chat_client/views/chat_views.py +++ b/eveai_chat_client/views/chat_views.py 
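Review bot: The rename from "privacy" to "dpa" was applied to user-facing copy as well as to identifiers: both fallback blocks in `FormField.vue` now say "dpa statement" in `consentRich` and `ariaPrivacy`, and the same replacement turns "Your privacy matters" into "Your dpa matters" in `NO_CONTACT_DATA_QUESTIONS` of `TRAICIE_SELECTION_SPECIALIST/1_4.py` and `1_5.py`. In a consent prompt the wording is what the user agrees to, so it should name the document, e.g. `ariaPrivacy: 'Open Data Privacy Agreement in a dialog'` as `ConsentRichText.vue` does, and the specialist strings should keep "privacy". `openPrivacyModal()` now emits `open-dpa-modal`, so the parent's listener has to be renamed with it, which these hunks do not show.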
@@ -387,35 +387,35 @@ def translate(): @chat_bp.route('/privacy', methods=['GET']) def privacy_statement(): """ - Public AJAX endpoint for privacy statement content + Public AJAX endpoint for dpa statement content Returns JSON response suitable for modal display """ try: - # Use content_manager to get the latest privacy content - content_data = content_manager.read_content('privacy') + # Use content_manager to get the latest dpa content + content_data = content_manager.read_content('dpa') if not content_data: - current_app.logger.error("Privacy statement content not found") + current_app.logger.error("Data Privacy Agreement content not found") return jsonify({ - 'error': 'Privacy statement not available', - 'message': 'The privacy statement could not be loaded at this time.' + 'error': 'Data Privacy Agreement not available', + 'message': 'The Data Pdpa Agreement could not be loaded at this time.' }), 404 current_app.logger.debug(f"Content data: {content_data}") # Return JSON response for AJAX consumption return jsonify({ - 'title': 'Privacy Statement', + 'title': 'Data Privacy Agreement', 'content': content_data['content'], 'version': content_data['version'], 'content_type': content_data['content_type'] }), 200 except Exception as e: - current_app.logger.error(f"Error loading privacy statement: {str(e)}") + current_app.logger.error(f"Error loading Data Privacy Agreement: {str(e)}") return jsonify({ 'error': 'Server error', - 'message': 'An error occurred while loading the privacy statement.' + 'message': 'An error occurred while loading the Data Privacy Agreement.' }), 500 diff --git a/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_4.py b/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_4.py index 694c650..1306421 100644 --- a/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_4.py +++ b/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_4.py 
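Review bot: The route decorator stays `@chat_bp.route('/privacy', methods=['GET'])` while `DynamicForm.vue` in this commit now requests `${this.apiPrefix}/dpa`, so unless a `/dpa` route exists elsewhere the consent dialog gets a 404 and the user cannot read the agreement being accepted. Adding `@chat_bp.route('/dpa', methods=['GET'])` above the existing decorator keeps older clients working. The 404 message carries a replace artefact, `'The Data Pdpa Agreement could not be loaded at this time.'`, which should read `Data Privacy Agreement`. The docstring would be clearer as `Public AJAX endpoint for the Data Privacy Agreement (DPA) content`.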
@@ -92,7 +92,7 @@ NO_CONTACT_DATA_QUESTIONS = [ "Unfortunately, we can only move forward if you provide your contact details. Would you still consider sharing them with us?", "It’s totally your choice, of course. But without your contact details, we can’t proceed further. Would you be open to sharing them?", "We’d love to keep going, but we can only do so if we have your contact details. Would you like to provide them now?", - "Your privacy matters, and we respect your decision. Just know that without your contact details, we’ll need to end the process here. Still interested in moving forward?", + "Your dpa matters, and we respect your decision. Just know that without your contact details, we’ll need to end the process here. Still interested in moving forward?", "It’s a shame to stop here, but we do need your contact info to proceed. Would you like to share it so we can continue?" ] CONTACT_DATA_PROCESSED_MESSAGE = "Thank you for allowing us to contact you." diff --git a/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_5.py b/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_5.py index e244003..27808a6 100644 --- a/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_5.py +++ b/eveai_chat_workers/specialists/traicie/TRAICIE_SELECTION_SPECIALIST/1_5.py 
@@ -147,7 +147,7 @@ NO_CONTACT_DATA_QUESTIONS = [ "Unfortunately, we can only move forward if you provide your contact details. Would you still consider sharing them with us?", "It’s totally your choice, of course. But without your contact details, we can’t proceed further. Would you be open to sharing them?", "We’d love to keep going, but we can only do so if we have your contact details. Would you like to provide them now?", - "Your privacy matters, and we respect your decision. Just know that without your contact details, we’ll need to end the process here. Still interested in moving forward?", + "Your dpa matters, and we respect your decision. Just know that without your contact details, we’ll need to end the process here. Still interested in moving forward?", "It’s a shame to stop here, but we do need your contact info to proceed. Would you like to share it so we can continue?" ] CONTACT_DATA_QUESTIONS = [ diff --git a/migrations/public/versions/411f5593460e_tenantconsent_model_creation.py b/migrations/public/versions/411f5593460e_tenantconsent_model_creation.py new file mode 100644 index 0000000..01d741f --- /dev/null +++ b/migrations/public/versions/411f5593460e_tenantconsent_model_creation.py 
@@ -0,0 +1,51 @@ +"""TenantConsent model creation + +Revision ID: 411f5593460e +Revises: 057fb975f0e3 +Create Date: 2025-10-09 07:32:04.598209 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '411f5593460e' +down_revision = '057fb975f0e3' +branch_labels = None +depends_on = None + + +def upgrade(): + op.create_table('tenant_consent', + sa.Column('id', sa.Integer(), nullable=False), + sa.Column('tenant_id', sa.Integer(), nullable=False), + sa.Column('partner_id', sa.Integer(), nullable=False), + sa.Column('partner_service_id', sa.Integer(), nullable=False), + sa.Column('user_id', sa.Integer(), nullable=False), + sa.Column('consent_type', sa.String(length=50), nullable=False), + sa.Column('consent_date', sa.DateTime(), server_default=sa.text('now()'), nullable=False), + sa.Column('consent_dpa_version', sa.String(length=20), nullable=False), + sa.Column('consent_t_c_version', sa.String(length=20), nullable=False), + sa.Column('consent_data', sa.JSON(), nullable=False), + sa.Column('created_at', sa.DateTime(), server_default=sa.text('now()'), nullable=False), + sa.Column('created_by', sa.Integer(), nullable=True), + sa.Column('updated_at', sa.DateTime(), server_default=sa.text('now()'), nullable=False), + sa.Column('updated_by', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['created_by'], ['public.user.id'], ), + sa.ForeignKeyConstraint(['partner_id'], ['public.partner.id'], ), + sa.ForeignKeyConstraint(['partner_service_id'], ['public.partner_service.id'], ), + sa.ForeignKeyConstraint(['tenant_id'], ['public.tenant.id'], ), + sa.ForeignKeyConstraint(['updated_by'], ['public.user.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['public.user.id'], ), + sa.PrimaryKeyConstraint('id'), + schema='public' + ) + + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! 
### + op.drop_table('tenant_consent', schema='public') + # ### end Alembic commands ### diff --git a/migrations/public/versions/8bfd440079a5_add_consentversion_model.py b/migrations/public/versions/8bfd440079a5_add_consentversion_model.py new file mode 100644 index 0000000..1fbfe42 --- /dev/null +++ b/migrations/public/versions/8bfd440079a5_add_consentversion_model.py @@ -0,0 +1,36 @@ +"""Add ConsentVersion model + +Revision ID: 8bfd440079a5 +Revises: 411f5593460e +Create Date: 2025-10-09 14:12:41.318538 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '8bfd440079a5' +down_revision = '411f5593460e' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('consent_version', + sa.Column('id', sa.Integer(), nullable=False), + sa.Column('consent_type', sa.String(length=50), nullable=False), + sa.Column('consent_version', sa.String(length=20), nullable=False), + sa.Column('consent_valid_from', sa.DateTime(), server_default=sa.text('now()'), nullable=False), + sa.Column('consent_valid_to', sa.DateTime(), nullable=True), + sa.PrimaryKeyConstraint('id'), + schema='public' + ) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.drop_table('consent_version', schema='public') + # ### end Alembic commands ### diff --git a/migrations/public/versions/f5f1a8b8e238_adding_tracking_information_to_.py b/migrations/public/versions/f5f1a8b8e238_adding_tracking_information_to_.py new file mode 100644 index 0000000..bc6a1a9 --- /dev/null +++ b/migrations/public/versions/f5f1a8b8e238_adding_tracking_information_to_.py 
@@ -0,0 +1,37 @@ +"""Adding Tracking information to ConsentVersion + +Revision ID: f5f1a8b8e238 +Revises: 8bfd440079a5 +Create Date: 2025-10-09 15:30:00.046174 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = 'f5f1a8b8e238' +down_revision = '8bfd440079a5' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + with op.batch_alter_table('consent_version', schema=None) as batch_op: + batch_op.add_column(sa.Column('created_at', sa.DateTime(), server_default=sa.text('now()'), nullable=False)) + batch_op.add_column(sa.Column('created_by', sa.Integer(), nullable=True)) + batch_op.add_column(sa.Column('updated_at', sa.DateTime(), server_default=sa.text('now()'), nullable=False)) + batch_op.add_column(sa.Column('updated_by', sa.Integer(), nullable=True)) + + # ### end Alembic commands ### + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + with op.batch_alter_table('consent_version', schema=None) as batch_op: + batch_op.drop_column('updated_by') + batch_op.drop_column('updated_at') + batch_op.drop_column('created_by') + batch_op.drop_column('created_at') + + # ### end Alembic commands ### diff --git a/scripts/db_backup.sh b/scripts/db_backup.sh index 829a797..e467691 100755 --- a/scripts/db_backup.sh +++ b/scripts/db_backup.sh @@ -1,7 +1,7 @@ #!/bin/bash # Configuration -DEV_DB_HOST="localhost" +DEV_DB_HOST="db" DEV_DB_PORT="5432" DEV_DB_NAME="eveai" DEV_DB_USER="luke"
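Review bot: `op.batch_alter_table('consent_version', schema=None)` in revision f5f1a8b8e238 addresses the table without a schema, although revision 8bfd440079a5 creates it with `schema='public'`; the upgrade then depends on the connection's `search_path`, which presumably matters if tenants use their own schemas. Passing `schema='public'` in both `upgrade()` and `downgrade()` removes that dependency. `created_by` and `updated_by` are added as plain integers without a foreign key to `public.user.id`, unlike the `tenant_consent` migration in this commit, so the audit columns can hold ids that match no user. Adding `sa.ForeignKey('public.user.id')` to both columns keeps the tracking fields consistent.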