Terms of service

Last modified: 25 July 2023

INTRODUCTION

Context operates a platform providing analytics for text interfaces that it makes available as a service, including any Premium Service Features identified in the Order Form (the "Context Service"). 

This Agreement (comprising these Terms of Service and any Order Form) sets out the terms and conditions upon which you may use the Context Service and any application or functionality that Context makes available through the Context Service.

By using the Context Service or signing an Order Form, you agree to and accept these Terms of Service. 

  1. Information about Context 

    The Context Service is provided by Get Context Analytics Ltd (trading as Context), a company registered in England and Wales (company number: 14858286) with its registered address at 9th floor, 107 Cheapside, London, United Kingdom, EC2V 6DN ("Context"). 

  2. Interpretation

    In these Terms of Service, save where the context requires otherwise, the following words and expressions have the following meaning:

    "Agreement" means the agreement for the provision of the Context Service between the Client and Context, comprising the Terms of Service and any Order Form; 

    "API Key" means any API key supplied by Context to the Client as part of the SDK;

    "Authorised User" means a person who is authorised by the Client in accordance with the terms of this Agreement to access the Context Service;

    "Business Day" means a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business;

    "Chat Transcript" means a text transcript of interactions between the Client’s end users and the Client’s text interface;

    "Client" means you;

    "Client Branding" has the meaning given to it in clause 11.7;

    "Client Data" means the content and data that the Client or any Authorised Users make available to Context and that is hosted by Context in connection with the provision of the Context Service, including all Generative AI Inputs, Generative AI Outputs, and Chat Transcripts; 

    "Client System" means the Client’s IT systems, to be connected to the Context Service using the SDK;

    "Commencement Date" means the date on which Context starts providing the Context Services to the Client;

    "Confidential Information" means information which is identified as confidential or proprietary by either party, or by the nature of which is clearly confidential or proprietary; 

    "Context Service" has the meaning given in the Introduction;

    "DPA" has the meaning given to it in clause 12.1;

    "Enterprise Tier Client" means a Client that has signed up for the ‘Enterprise Tier’ and executed an Order Form;

    "Excess Fees" means the fees for exceeding the Service Limits, as set out on the Website;

    "Extended Term" means: (i) for Enterprise Tier Clients, the period set out in the Order Form; and (ii) for all other Clients, the period set out for that Tier on the Website; 

    "Fees" means the Service Fees and any Excess Fees;

    "Free Tier Client" means a client that has signed up for the ‘Free’ Tier;

    "Generative AI Client-generated Output" means an output received by the Client from the Generative AI Solution, following submission of a Generative AI Input by the Client without Context’s involvement;

    "Generative AI Context-generated Output" means an output received by Context from the Generative AI Solution, following submission by Context of a Generative AI Input when acting as intermediary between the Client and the Generative AI Solution;

    "Generative AI Input" means an input to the Generative AI Solution provided by the Client to Context;

    "Generative AI Output" means a Generative AI Client-generated Output or Generative AI Context-generated Output;

    "Generative AI Solution" means GPT3.5, GPT4, and any other generative AI or large language text interface that Context supports and is agreed in writing by the Parties to be used in conjunction with the Context Service;

    "Group" means, in relation to a company, that company, any subsidiary or holding company (each having the meanings in sections 1161 and 1162 of the Companies Act 2006) from time to time of that company, and any subsidiary from time to time of a holding company of that company;

    "Initial Term" means: (i) for Enterprise Tier Clients, the period set out in the Order Form; and (ii) for all other Clients, the period set out for the relevant Tier on the Website; 

    "Order Form" means, for Enterprise Tier Clients, the order form signed (whether electronically or otherwise) by the parties, and which, amongst other things, identifies the Client, the Premium Service Features (if any), and sets out the Fees; 

    "Premium Service Features" means the additional features and functionalities of the version of the Context Service, as identified in the Order Form, to which the Client is granted access in accordance with the Agreement;

    "Results" means analytics of Generative AI Inputs and Generative AI Outputs, presented by Context to the Client through the Context Service;

    "SDK" means the software code supplied by Context to be embedded in the Client System (including API keys), and any related documentation relating to the connection of the Context Service with the Client System;

    "Service Fees" means: (i) for Enterprise Clients, the fees set out in the Order Form; and (ii) for all other Clients, the fees set out for the relevant Tier on the Website;

    "Service Limits" means: (i) for Enterprise Tier Clients, the usage limits set out in the Order Form; (ii) for all other Clients, the usage limits as set out on the Website;

    "Standard Tier Client" means a client that has signed up for the ‘basic’ or ‘growth’ Tier;

    "Term" means the Initial Term and any Extended Term(s); 

    "Terms of Service" means these terms and conditions of service, as amended by Context from time to time, and available at https://with.context.ai/terms

    "Tier" means the tier of Context Services the Client has selected on sign-up, as set out on the Website.

    "Third Party Sites" has the meaning given in clause 9.6; 

    "Trial" means a free trial of the Context Service for the Trial Period;

    "Trial Period" means the period specified in the Order Form;

    "Trial Period Commencement Date" means the date from which the Client will have access to the Context Service on a trial basis, as set out in the Order Form;

    "User Account" means an account that an Authorised User uses to access the Context Service;

    "Website" means https://context.ai

    "VAT" means value added tax (and any equivalent tax payable in any jurisdiction); and

    "Virus" means any thing or device (including any software, code, file or program) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware, or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any program or data, including the reliability of any program or data (whether by re-arranging, altering or erasing the program or data in whole or part or otherwise); or adversely affect the user experience, including worms, Trojan horses, viruses and other similar things or devices.

  3. Trial

    1. If the parties have agreed a Trial in the Order Form, the Agreement will start on the Trial Commencement Date and will continue (subject to earlier termination in accordance with clause 3.2 or clause 15) for the Trial Period. Following expiry of the Trial Period, the Agreement will automatically renew for the Initial Term unless otherwise agreed by the Client and Context in writing. 

    2. During the Trial Period, either party may terminate the Agreement on written notice to the other party with immediate effect. 

  4. Duration

    1. Unless the parties have agreed a Trial in the Order Form, the Agreement shall commence on the Commencement Date and, subject to earlier termination in accordance with clause 4.2 or clause 15, shall continue for the Term.

    2. The Initial Term shall automatically extend for an Extended Term at the end of the Initial Term and at the end of each Extended Term thereafter, unless either party gives written notice to the other party to terminate the Agreement at the end of the Initial Term or the then-current Extended Term (as applicable), such notice to be given no later than thirty (30) days prior to the expiry of the Initial Term or Extended Term (as applicable).    

  5. Access to the Context Service

    1. Context grants the Client (and to each member of the Client's Group that agrees to these Terms of Service) a non-exclusive, non-transferable licence from the Commencement Date for the Term to access, use, and permit Authorised Users to access and use the Context Service, in accordance with and subject to the terms and conditions of the Agreement, for the Client's internal business purposes only. 

    2. The Client may not sublicense the rights granted in clause 5.1 other than to allow Authorised Users to access and use the Context Service.

    3. The Client may grant Authorised Users access to the Context Service provided that the Client:

      1. does not make or give any representations, warranties or other promises concerning the Context Service unless agreed by Context in writing from time to time;

      2. ensures that all Authorised Users are aware of the terms of the Agreement and act in compliance with them;

      3. ensures that the terms on which the Authorised User is granted access to the Context Service protect Context and its proprietary rights in the Context Service to the same extent as set out in the Agreement including, in particular, clause 11 and clause 13 (and the Client will take reasonable steps to enforce such terms at Context's request); and

      4. ensures that Context is not liable to the Authorised Users in any way. 

    4. The Client must treat any API Key, username, and password used to access the Context Service or a User Account as Confidential Information, and must not disclose such information to any third party (other than to Authorised Users) and must take appropriate safeguards in accordance with good industry practice to prevent unauthorised access to the Context Service. 

    5. The Client shall procure that each Authorised User keeps secure and confidential any username and password provided to, or created by, that Authorised User for their use of the Context Service, and that they will not disclose such username and password to any third party, including any other Authorised Users or persons within the Client's organisation, company or business.

    6. The Client is responsible for maintaining the confidentiality of its login details for its Client Account and for any activities that occur under its Client Account, including the activities of Authorised Users. 

    7. Context encourages the Client to use, and to encourage Authorised Users to use, "strong" passwords (using a combination of upper and lower case letters, numbers and symbols) with its User Accounts.

    8. The Client must prevent any unauthorised access to, or use of, the Context Service, and must promptly notify Context in the event of any such unauthorised access or use.  If the Client has any concerns about the login details for any User Account, or thinks any of them may have been misused, the Client shall notify Context at [email protected]. The Client must immediately notify Context if the Client becomes aware that the login details of any Authorised User are lost, stolen, or otherwise compromised. 

    9. The Client is responsible for making all arrangements necessary for Authorised Users to gain access to the Context Service, including setting up all User Accounts using the appropriate features and functionalities of the Context Service. 

    10. The Client shall not at any time, whether during or after the Term, accept any commission or payment for, or otherwise seek to profit financially or otherwise from granting access to the Context Service to any Authorised User or third party. 

    11. The Client shall indemnify and defend Context, and its agents and contractors from and against any and all losses, damages, claims, liabilities or expenses (including reasonable lawyer's fees) arising out of a claim brought by an Authorised User or any other third party relating to the Client's use of the Context Service, including where Context acts as intermediary between the Client and the Generative AI Solution as set out in clause 7.2 (except to the extent caused by Context's negligence).

  6. Beta Services

    1. At Context’s discretion, Context may introduce certain new features on the Context Services on a preview, early access or beta basis at no additional cost ("Beta Services"). 

    2. Notwithstanding anything to the contrary in the Terms of Service, Beta Services are provided "AS IS" to allow testing and evaluation of the relevant feature. Context makes no representations or warranties as to the performance, quality or functionality of Beta Services or their effect on the Context Service and Context does not guarantee that Beta Services (or the Context Service when used in conjunction with any Beta Services) will be generally available, uninterrupted or error-free.

    3. Notwithstanding anything to the contrary in the Terms of Service and to the extent permitted by law, Context disclaims all warranties for Beta Services, including any implied warranties of merchantability, satisfactory quality or fitness for a particular purpose.

  7. Use of generative AI solutions

    1. The Client shall provide Context with:

      1. Chat Transcripts (whether comprising human-to-human interactions or Generative AI Inputs and corresponding Generative AI Client-generated Outputs); or

      2. Generative AI Inputs only.

    2. If the Client elects to provide Generative AI Inputs only (in accordance with clause 7.1(b)), Context will use reasonable endeavours to submit such Generative AI Inputs to the Generative AI Solution and return Generative AI Context-generated Outputs to the Client, provided that:

      1. the Parties acknowledge that Context will at all times act only as intermediary between the Client and the Generative AI Solution;

      2. the Client shall ensure that:

        1. in respect of the Generative AI Inputs, it has complied with the provisions of clause 9.2;

        2. it has the right to provide the Generative AI Inputs to Context; and

        3. it has procured the right for Context to submit such Generative AI Inputs to the Generative AI Solution (including where the Generative AI Solution will use the Generative AI Inputs to improve and modify the Generative AI Solution); and

    3. Context shall not be liable to the Client in any way for any Generative AI Context-generated Outputs.

  8. SDK

    1. The Client shall embed the SDK in the Client System, and Context grants the Client (and to each member of the Client's Group that agrees to these Terms of Service) a non-exclusive, non-transferable, non-sublicensable licence to download, install and use the SDK for the purpose of accessing the Context Service, in accordance with and subject to the terms and conditions of the Agreement.

  9. Client's obligations

    1. The Client:

      1. must comply with all applicable laws and regulations with respect to its use of the Context Service and its activities under the Agreement;

      2. must use the Context Service in accordance with the terms of the Agreement and shall be responsible for any acts and omissions in connection with the use of the Context Service by its Authorised Users;

      3. must ensure that the Client ends an Authorised User's right to access and use the Context Service, if the Authorised User ceases its employment or other relationship with the Client;

      4. must notify Context in writing if there are any changes to any of the Client's contact details as set out in the Order Form; 

      5. must ensure that its network and systems, including its internet browser and operating systems, comply with any relevant specifications provided by Context in writing (including e-mail) from time to time;

      6. is solely responsible for procuring and maintaining its network connections and telecommunications links from its systems in order to access and use the Context Service; and 

      7. must not do, or allow any Authorised Users or other persons to do, any of the following:

        1. access, store, distribute, or transmit any Virus through the Context Service; 

        2. give any false or misleading information or permit another person to use the Context Service under the Client’s name or on the Client’s behalf (other than its Authorised Users);

        3. impersonate any person, or misrepresent your identity or affiliation with any person or give the impression they are linked to Context, if this is not the case;

        4. use the Context Service in a manner that is illegal or causes damage or injury to any person or property;

        5. use the Context Service other than for its intended purpose as set out in these Terms of Service;

        6. use any automated system, including without limitation "robots", "spiders", or "offline readers", to access the Context Service in a manner that sends more request messages to the Context Service than a human can reasonably produce in the same period of time by using a conventional online web browser; 

        7. attempt to interfere with or compromise the integrity or security of the Context Service; or

        8. use the Context Service if Context has suspended or disabled the Client or any Authorised User’s access to it.

    2. The Client shall not, and shall procure that Authorised Users do not, submit or upload any Client Data:

      1. in respect of which the Client does not hold appropriate usage rights; 

      2. that does not comply with the terms and conditions of use of the Generative AI Solution; or

      3. which in Context’s reasonable opinion is:

        1. defamatory to any person, deceptive, obscene, offensive, harmful or inflammatory;

        2. bullying, insulting, threatening, intimidating or humiliating;

        3. promoting or depicting sexually explicit material, violence, discrimination based on race, sex, religion, nationality, disability, sexual orientation or age, or is otherwise prejudicial to human dignity;

        4. material depicting child sexual abuse; and/or

        5. unlawful in any way or in breach of another party's rights (including intellectual property rights), or advocating, promoting or inciting any party to commit or assist any unlawful or criminal act.

    3. Context reserves the right, without liability or prejudice to its other rights under the Agreement, to disable all or any User Accounts or access to all or any part of the Context Service by any Authorised User, for any breach of any provision of clause 9.1 or 9.2 above.

    4. The Client shall indemnify, and keep indemnified, Context and its agents and contractors from and against any and all losses, damages, claims, liabilities or expenses (including reasonable lawyer’s fees) arising from the Client’s breach of any provision of clause 9.1 or 9.2 above.

    5. Context may monitor the Client's and Authorised Users' use of the Context Service to ensure the quality of, and improve, the Context Service, and verify the Client's compliance with the Agreement. 

    6. The Context Service may contain links to, or call the servers of, third party websites, data or services that are not under Context's control, solely at the direction of and/or as a convenience to the Client, including Generative AI Solutions ("Third Party Sites"). As such, Context is not responsible for, and makes no express or implied warranties with regard to, the information, content or other material, products, or services that are contained on or are accessible through, or the policies regarding use and privacy in respect of, Third Party Sites. Access to and use of Third Party Sites, including information, content, material, products, and services on such websites or available through such websites, is solely at the Client's risk. 

  10. Audit

    1. Context may, on reasonable notice to the Client, audit the Client’s use of the Context Service and its compliance with the Agreement.

    2. The Client will grant to Context, or its agent or representative, all necessary access rights to the Client's systems, property, records, hardware or software belonging to or under the control of the Client to allow such audit to be carried out and shall furnish Context, its agent or representative, with such information in respect of the use of the Context Service as Context may reasonably require.

    3. If any audit pursuant to clause 10.1 or otherwise reveals any use of the Context Service not in accordance with the Agreement, without prejudice to any remedies Context may have in respect of a breach by the Client of its obligations under the Agreement, the Client shall, within twenty one (21) days of receipt of an invoice for the same, pay to Context its reasonable fees and expenses incurred in carrying out the audit.

  11. Intellectual property rights

    1. Context is the owner or licensee of all intellectual property rights in the Context Service. These works are protected by copyright and other laws and treaties around the world. All such rights are reserved. Except as expressly set out in the Agreement, Context does not grant to the Client any rights to or licenses in respect of the Context Service.

    2. The Client will not, when using the Context Service: 

      1. attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Context Service in any form or media or by any means; 

      2. attempt to adapt, modify, duplicate, create derivative works from, record or otherwise reproduce any part of the SDK;

      3. attempt to reverse compile, disassemble, reverse engineer, or otherwise reduce to human-perceivable form all or any part of the Context Service;

      4. access all or any part of the Context Service in order to build a product or service which competes with the Context Service, or use or attempt to use the Context Service to directly compete with Context; 

      5. erase or remove any proprietary or intellectual property notice contained in the Context Service or SDK; or

      6. make any copies of the SDK other than such copies as are reasonably necessary for the purposes of backup and security (provided that any such copies shall at all times be owned by Context). 

    3. The Client hereby grants Context a non-exclusive, irrevocable, worldwide, royalty-free, sub-licensable licence to access, download and use the Client Data for the purpose of:

      1. providing the Context Service to the Client, including, where relevant, use of Generative AI Solutions in accordance with clause 7; and

      2. analysing the Client Data (including Generative AI Inputs and Generative AI Outputs) in accordance with the functionalities of the Context Service and providing the Results.

    4. The Client will own all Results (except to the extent the Results incorporate any templates or pre-existing materials of Context or third-party materials), provided however that the Client acknowledges that: 

      1. due to the nature of generative AI, the Client’s Results may be similar or identical to results produced by or on behalf of third parties; and

      2. the Client will not own, and shall not attempt to enforce any rights against such third parties in respect of, such similar or identical results.

    5. The Client hereby grants Context a non-exclusive, irrevocable, perpetual, worldwide, royalty-free and sub-licensable licence to access, download and use the Client Data to:

      1. develop, test, improve and alter the functionality of the Context Service, Results, and machine learning model performance, and create datasets for training or evaluation, provided that any such datasets or developments or improvements to machine learning models will not retain information identifying the Client or its users; and

      2. produce anonymised or anonymised and aggregated statistical reports and research.

    6. The Client represents and warrants to Context that it has the necessary right, title, interest and consent, in each case as necessary to allow Context to use the Client Data in accordance with the Agreement. The Client shall maintain a backup of the Client Data and Context shall not be responsible or liable for the deletion, correction, alteration, destruction, damage, loss, disclosure or failure to store any Client Data. 

    7. Context may use the Client's name, logo, and related trade marks in any of Context's publicity or marketing materials (whether in printed or electronic form) for the purpose of highlighting that the Client uses the Context Service and alongside any testimonials that the Client has agreed to give. The Client grants Context such rights as are necessary to use its name, logo, related trade marks and testimonials (“Client Branding”) for the purpose of this clause 11.6, provided that Context shall remove any such Client Branding from its publicity or marketing materials within 10 business days of the Client’s written request.

    8. The Client agrees to provide regular feedback to Context in relation to its use of the Context Service. By submitting feedback, the Client acknowledges that Context may use and allow others to use this feedback in the Context Service or otherwise without any restriction and without payment of any kind to the Client. 

  12. Data Protection

    1. The data processing addendum available at https://with.context.ai/terms#dpa (the "DPA") shall apply to the parties' Processing of any Personal Data (each as defined in the DPA) contained in the Client Data in connection with the provision or receipt of the Context Service (as applicable).

  13. Confidential information

    1. Each party may be given access to Confidential Information from the other party in order to perform its obligations under the Agreement. A party's Confidential Information shall not be deemed to include information that:

      1. is or becomes publicly known other than through any act or omission of the receiving party;

      2. was in the other party's lawful possession before the disclosure; 

      3. is lawfully disclosed to the receiving party by a third party without restriction on disclosure; 

      4. is independently developed by the receiving party, which independent development can be shown by written evidence; or 

      5. is required to be disclosed by law, by any court of competent jurisdiction, or by any regulatory or administrative body.

    2. Each party shall hold the other party's Confidential Information in confidence and, unless required by law, shall not make the other party's Confidential Information available for use for any purpose other than as needed to perform the terms of the Agreement. 

    3. Each party shall take all reasonable steps to ensure that the other party's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of the Agreement. 

    4. Each party shall take a backup of its own Confidential Information and shall not be responsible to the other party for any loss, destruction, alteration, or disclosure of Confidential Information. 

  14. Fees and Payments

    1. In this clause 14, references to the Client exclude Free Tier Clients and Clients using the Context Service during a Trial Period. 

    2. The Client agrees, to the extent its use of the Context Service exceeds the Service Limits, that it will be liable for Excess Fees in respect of any such use.

    3. The Client will pay: (i) the Service Fees each month in advance; (ii) the Excess Fees in accordance with clause 14.2, in each case in accordance with this clause 14. 

    4. Context shall submit an invoice to the Client each month in respect of the Fees.

    5. Context may use a third party payment processing provider (e.g. Stripe) to process payments, and the Client’s use of such third party’s services is subject to their terms and conditions.

    6. If Context has not received payment in full within 30 days of the date of the relevant invoice, and without prejudice to any other rights and remedies available to Context: 

      1. interest shall accrue on such due amounts at an annual rate equal to 3% over the then current base lending rate of Barclays Bank PLC at the due date for payment of the relevant Fees, commencing on the due date for payment and continuing until the Fees have been paid in full, whether before or after judgment; and 

      2. the Client shall reimburse Context for all reasonable costs and expenses (including reasonable lawyers' fees) incurred by Context in collecting any overdue amounts. 

    7. If Context has not received payment in full within thirty (30) days of the date of the relevant invoice, and without prejudice to any other rights and remedies available to Context, Context may, without liability to the Client, suspend or temporarily disable all or part of the Client's access to the Context Service and Context shall be under no obligation to provide any access to the Context Service while the relevant sum remains unpaid.

    8. All amounts and Fees stated or referred to in the Agreement: 

      1. are payable in GBP or USD; and 

      2. are exclusive of VAT unless otherwise expressly stated, which shall be paid at the same time as payment of the Fees. 

    9. Unless otherwise agreed between the parties in writing, Context may increase the Fees upon giving at least thirty (30) days' notice in writing to the Client, such increase to take effect from the commencement of the Extended Term following expiry of such notice. If the Client is unhappy with the increase, the Client may give notice to terminate the Agreement at the end of the Initial Term or the then-current Extended Term (as applicable) by providing at least fifteen (15) days' written notice to Context, such notice to expire no later than the end of the Initial Term or the then-current Extended Term (as applicable). The Fees will not increase during the notice period.

  15. Suspension and Termination  

    1. Without prejudice to any other rights or remedies available to Context, if the Client fails to pay any sum due to Context and such sum remains outstanding for a further thirty (30) days following notice requiring such sum to be paid, Context may immediately terminate the Agreement on giving notice to the Client, without liability for Context to the Client. 

    2. Without prejudice to any other rights and remedies available to Context, Context may terminate the Agreement by notice with immediate effect, or such notice as Context may in its sole discretion elect to give, if the Client: 

      1. infringes Context's intellectual property rights in the Context Service; 

      2. is in breach of clauses 9.2, 11.2 or 13; or

      3. is in breach of any applicable law. 

    3. Without prejudice to any other rights and remedies available to Context, Context may immediately suspend any User Account, and the Client's or any Authorised User's right to access and use the Context Service without giving prior notice to the Client, if:

      1. the Client’s use of the Context Service exceeds the Service Limits;

      2. the Client is in material or persistent breach of any of the terms of the Agreement;

      3. in Context's reasonable determination, the Client is suspected of being in material breach of any of the terms of the Agreement, 

      and for the purposes of this clause 15.3, the parties acknowledge that any breach of clauses 9.2, 11.2 or 13 will be a material breach of the Agreement. 

    4. Without prejudice to any other rights and remedies available to it, either party may terminate the Agreement at any time with immediate effect on giving notice in writing to the other party, if that other party: 

      1. is in material or persistent breach of any of the terms of the Agreement and either that breach is incapable of remedy, or, if capable of remedy, the other party fails to remedy the breach within thirty (30) days after receiving written notice requiring it to remedy the breach; or  

      2. is unable to pay its debts (within the meaning of section 123 of the Insolvency Act 1986), or becomes insolvent, or is subject to an order or a resolution for its liquidation, administration, winding-up or dissolution (otherwise than for the purposes of a solvent amalgamation or reconstruction), or has an administrative or other receiver, manager, trustee, liquidator, administrator or similar officer appointed over all or any substantial part of its assets, or enters into or proposes any composition or arrangement with its creditors generally, or is subject to any analogous event or proceeding in any applicable jurisdiction. 

    5. On termination of the Agreement for any reason:

      1. all rights and licenses granted under the Agreement shall immediately terminate and the Client's right to access and use, and grant Authorised Users the right to access and use the Context Service and the SDK will end; 

      2. each party shall return to the other party or (at the other party's request) destroy, and make no further use of, any Confidential Information (and all copies thereof) belonging to the other party (provided that each party may retain documents and materials containing Confidential Information to the extent required by law or any applicable governmental or regulatory authority). 

    6. Context shall permit the Client to download any Client Data from the Context Service for a period of sixty (60) days after the expiry or termination of the Agreement. Context may thereafter:

      1. delete any Client Data at any time;

      2. retain Client Data upon expiry or termination of the Agreement in order to comply with applicable law, or as Context may deem necessary to prosecute or defend any legal claim (in which case Context may retain Client Data for a reasonable period of time pending resolution of such obligation or issue),

      in each case subject to the DPA.

    7. Termination of the Agreement for whatever reason shall not affect any rights or remedies of the parties that have accrued up to the date of termination. 

    8. Any provision of the Agreement that expressly or by implication is intended to come into force or continue in force on or after expiry or termination of the Agreement shall survive and continue in full force and effect. 

  16. Limited warranty

    1. The Context Service is provided on an "AS IS" basis and Context gives no representations, warranties, conditions or other terms of any kind in respect of the Context Service, whether express or implied, including (but not limited to) warranties of satisfactory quality, merchantability, fitness for a particular purpose, or non-infringement.  

    2. Except as expressly provided for in the Agreement: 

      1. all representations, warranties, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by law, excluded from the Agreement; and 

      2. Context will not be responsible for any interruptions, delays, failures, or non-availability affecting the Context Service or the performance of the Context Service which are caused by third party services (including Third Party Sites and Generative AI Solutions), errors or bugs in third party software, hardware, or the Internet on which Context relies to provide the Context Service, or any changes to the Context Service made by or on behalf of the Client, and the Client acknowledges that Context does not control such third party services and that such errors and bugs are inherent in the use of such software, hardware, generative AI and the Internet. 

  17. Context's liability

    1. Subject to clause 17.2, Context will not be liable to the Client, whether in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or otherwise, for any loss arising under or in connection with the Agreement in conditions that fall into any of the following categories: loss (whether direct or indirect) of profit, goodwill, business, business opportunity, revenue, turnover or reputation; loss (whether direct or indirect) of anticipated saving or wasted expenditure; loss of or damage to data; or any special, indirect or consequential damage or loss, costs or expenses.  

    2. Nothing in the Agreement excludes or limits Context's liability for death or personal injury caused by Context's negligence, or for fraud or fraudulent misrepresentation. 

    3. Context's total liability in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or otherwise, arising under or in connection with the Agreement shall in all circumstances be limited in any calendar year:

      1. for any liability arising: (i) if the Client is a Free Tier Client; (ii) during the Trial Period; or (iii) in respect of any Beta Services, to £1; and

      2. for all other liabilities, to the aggregate Fees paid by the Client to Context in such calendar year.

  18. Changes to the Context Service

    The Client recognises that Context is always innovating and finding ways to improve the Context Service with new features and services. The Client therefore agrees that the Context Service may change from time to time and no warranty, representation or other commitment is given in relation to the continuity of any functionality of the Context Service.  

  19. General

    1. Written communications 

      Applicable laws may require that some of the information or communications that Context sends to the Client should be in writing. When using the Context Service, the Client accepts that communication with Context will mainly be electronic. Context will contact the Client by e-mail or provide the Client with information by posting notices on the Context Service. For contractual purposes, the Client agrees to this electronic means of communication and the Client acknowledges that all contracts, notices, information and other communications that Context provides to the Client electronically comply with any legal requirement that such communications be in writing. 

    2. Notices

      All notices given by the Client to Context must be submitted to [email protected]. Context may give notice to the Client at either the e-mail or postal address the Client provides to Context, or any other way that Context deems appropriate. Notice will be deemed received and properly served immediately when posted on the Context Service or 24 hours after an e-mail is sent or three days after the date of posting of any letter. In proving the service of any notice, it will be sufficient to prove, in the case of a letter, that such letter was properly addressed, stamped and placed in the post and, in the case of an e-mail that such e-mail was sent to the specified e-mail address of the addressee. 

    3. Transfer of any rights and obligations

      The Client may not transfer, assign, charge or otherwise deal in the Agreement, or any of the Client's rights or obligations arising under the Agreement, without Context's prior written consent. 

    4. Events outside a party's control

      Neither party shall be liable to the other party for any delay or non-performance of any of its obligations under the Agreement arising from any cause beyond its control including, without limitation, any of the following: telecommunications failure, Internet failure, act of God, act of a third party unless an approved sub-contractor of Context, governmental act, war, fire, flood, explosion, or civil commotion. Notwithstanding the foregoing, nothing in this clause shall excuse the Client from any payment obligation under the Agreement. 

    5. Third party rights

      Other than as expressly stated in the Agreement, a person who is not a party to the Agreement may not enforce any of its terms under the Contracts (Rights of Third Parties) Act 1999. 

    6. Variation

      Context may update these Terms of Service from time to time on giving the Client at least thirty (30) days' notice in writing, with any amendments to take effect on the next due date for payment of the Service Fees, save that any variation required by applicable law will be effective immediately. If the Client does not accept the variation, the Client may, without prejudice to the Client's obligation to pay any accrued Excess Fees, terminate this Agreement by providing at least fifteen (15) days' written notice to Context, such notice to expire no later than the day before the next due date for payment of the Service Fees.  The Client’s continued use of the Context Service after Context makes any changes to these Terms of Service will indicate the Client’s agreement to those changes. 

    7. Waiver

      No forbearance or delay by either party in enforcing its rights shall prejudice or restrict the rights of that party, and no waiver of any such rights or any breach of any contractual terms shall be deemed to be a waiver of any other right or of any later breach. 

    8. Severability 

      If any provision of the Agreement is judged to be illegal or unenforceable, the continuation in full force and effect of the remainder of the provisions of the Agreement shall not be prejudiced. 

    9. Entire agreement

      This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

    10. Law and jurisdiction

      This Agreement shall be governed by, and construed in accordance with, English law, and each party hereby submits to the exclusive jurisdiction of the courts of England and Wales.  

Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the agreement entered into between the Client and Context for the provision of the Context Service, comprising the terms of service at https://context.ai/policies/terms-and-conditions and any Order Form or such other terms as the parties may agree (the "Agreement"), in relation to the transfer and processing of Covered Data in connection with the provision of the Context Service.

  1. DEFINITIONS

    Capitalised terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalised terms used in this DPA will be defined as follows:

    "Adequate Jurisdiction" means the UK, EEA or a country or territory deemed to provide adequate protection for the rights and freedoms of individuals, as set out in: (a) the Data Protection Act 2018 or regulations made by the UK Secretary of State under the Data Protection Act 2018; and (b) with respect to Data Subjects in the EEA, a decision of the European Commission.

    "Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR and the US Data Protection Laws. 

    "Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.

    "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.

    "Controller Purposes" means: (a) undertaking internal research and development to develop, test, improve and alter the functionality of the Context Service, Results, and machine learning model performance; (b) creating anonymised datasets for training or evaluation of the Context Service; and (c) administering the Client's relationship with Context under the Agreement.

    "Covered Data" means Personal Data that is: (a) contained in the Client Data; or (b) obtained, developed, produced or otherwise Processed by Context, or its agents or subcontractors, for the purposes of providing the Context Service, in each case as further described in Schedule 1.

    "Data Subject" means a natural person whose Personal Data is Processed.

    "Deidentified Data" means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

    "EEA" means the European Economic Area.

    "GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3 of the Data Protection Act 2018. 

    "Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.

    "Personal Data" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Applicable Data Protection Laws.

    "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly.

    "Prohibited Personal Data" means: (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and any other special categories of Personal Data identified in Article 9 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Applicable Data Protection Laws; (b) biometric identifiers or templates; (c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard); (d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999; (e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver's license or passport numbers or other governmentally-issued identification numbers); (f) information relating to individuals under the age of 13; (g) education records, as defined under the Family Educational Rights and Privacy Act of 1974; (h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act.

    "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.

    "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

    "Sub-processor" means, with respect to any Processing performed by Context as a processor or service provider, an entity appointed by Context to Process Covered Data on its behalf.

    "US Data Protection Laws" means all applicable federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the California Invasion of Privacy Act, Cal. Penal Code § 630, et seq. ("CIPA"), the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).

    The terms "controller", "processor", "business" and "service provider" have the meanings given to them in the Applicable Data Protection Laws.

  2. INTERACTION WITH THE AGREEMENT

    This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

  3. ROLE OF THE PARTIES

    The parties acknowledge and agree that:

    1. save as set out in paragraph 3(b), Context acts as a processor or service provider in the performance of its obligations under the Agreement and this DPA and Client acts as a controller or business; and

    2. for the purposes of the GDPR, Context acts as a controller with respect to the Processing of Covered Data for the Controller Purposes.

  4. PROCESSING OF PERSONAL DATA

    1. The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.

    2. Context shall comply with its obligations under Applicable Data Protection Laws. Save with respect to any Processing of Covered Data for the Controller Purposes, Context will only Process Covered Data on behalf of and under the instructions of Controller, unless processing is permitted under Applicable Data Protection Laws or required to comply with applicable law in the UK (in which case Context shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest).

    3. The Agreement and this DPA shall constitute Client's instructions for the Processing of Covered Data. Client may issue further written instructions in accordance with this DPA.

    4. Without limiting the foregoing, Context is prohibited from:

      1. selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;

      2. sharing Covered Data with any third party for cross-context behavioural advertising;

      3. retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;

      4. retaining, using, or disclosing Covered Data outside of the direct business relationship between the parties; and

      5. except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Context receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

    5. Context will:

      1. provide Client with information to enable Client to conduct and document any data protection assessments required under Applicable Data Protection Laws; and 

      2. promptly inform Client if, in its opinion, an instruction from Client infringes Applicable Data Protection Laws.

  5. COMPLIANCE

    1. Client shall comply with its obligations as a controller, business or equivalent term under the Applicable Data Protection Laws, and shall:

      1. provide such information to Data Subjects regarding the Processing of their Covered Data in connection with the Client's use of the Context Service as required under Applicable Data Protection Laws;

      2. provide Data Subjects with any information made available to the Client by Context in respect of Context's Processing of Covered Data for the Controller Purposes, including the privacy notice set out at https://context.ai/policies/privacy-policy;

      3. ensure that any Generative AI Input does not contain any Prohibited Personal Data;

      4. to the extent required for the lawful Processing of Covered Data under Applicable Data Protection Laws, including Context's collection and Processing of Covered Data for the Controller Purposes, obtain valid consents from Data Subjects for such Processing in the form required under Applicable Data Protection Laws; and

      5. implement appropriate technical and organisational measures to give effect to Data Subject rights under Applicable Data Protection Laws, and shall comply with requests from Data Subjects to exercise their rights under Applicable Data Protection Laws within the timeframe and subject to any exemptions prescribed in the Applicable Data Protection Laws.

    2. Context will not be liable to Client, whether in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or otherwise, for any loss arising under or in connection with Context's Processing of Covered Data to the extent such loss was caused (in whole or in part) by Client's failure to comply with its obligations under paragraph 5.1.

    3. Client shall indemnify and defend Context, and its agents and contractors from and against any and all losses, damages, claims, liabilities or expenses (including reasonable lawyer's fees) arising out of any claim brought against Context alleging that the Processing of Covered Data for the Controller Purposes:

      1. is an unlawful interception of communications under CIPA or any equivalent wiretapping or other legislation governing the privacy of communications;

      2. otherwise breaches Applicable Data Protection Laws,

      in each case to the extent caused by a failure by the Client to comply with its obligations under paragraph 5.1.

  6. CONFIDENTIALITY AND DISCLOSURE

    1. Context shall:

      1. limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and 

      2. ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.

  7. SUB-PROCESSORS

    1. Context may Process Covered Data anywhere that Context or its Sub-processors maintain facilities, subject to the remainder of this paragraph 7.

    2. Client grants Context general authorisation to engage any of the Sub-processors listed in Schedule 3, as amended in accordance with clause 7.4 (the "Authorised Sub-processors"), to Process Covered Data.

    3. Context shall:

      1. enter into a written agreement with each Authorised Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Context's obligations under this DPA; and 

      2. remain liable for each Authorised Sub-processor’s compliance with the obligations under this DPA.

    4. Context will provide Client with at least thirty (30) days’ notice of any proposed changes to the Authorised Sub-processors. Client shall notify Context if it objects to the proposed change to the Authorised Sub-processors by providing Context with written notice of the objection within thirty (30) days after Context has provided notice to Client of such proposed change (an "Objection"). 

    5. In the event Client submits an Objection to Context, Context and Client shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Context and Client are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, Client may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Context. 

  8. DATA SUBJECT RIGHTS REQUESTS

    1. Context will notify Client without undue delay of any request received by Context or any Authorised Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws (a "Data Subject Request"). 

    2. Other than in respect of any Processing of Covered Data for the Controller Purposes, Client will have sole discretion in responding to the Data Subject Request, and Context shall not respond to the Data Subject Request, save that Context may advise the Data Subject that their request has been forwarded to Client.

    3. Context will provide Client with reasonable assistance as necessary for Client to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

  9. SECURITY

    1. Context will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorised or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data. 

    2. When assessing the appropriate level of security, Context shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

    3. The parties agree that such technical and organisational security measures shall include the measures set out in Schedule 4.

  10. INFORMATION AND AUDIT

    1. Context shall notify Client promptly if Context determines that it can no longer meet its obligations under Applicable Data Protection Laws.

    2. Client may take reasonable and appropriate steps to:

      1. ensure that Context uses Covered Data in a manner consistent with Client's obligations under Applicable Data Protection Laws; and

      2. upon reasonable notice, stop and remediate unauthorised use of Covered Data.

    3. Client may, not more than once a year, audit Context's compliance with this DPA. The parties agree that all such audits will be conducted:

      1. upon reasonable written notice to Context; 

      2. only during Context's normal business hours; and

      3. in a manner that does not materially disrupt Context's business or operations.

    4. With respect to any audits conducted in accordance with paragraph 10.3:

      1. Client may engage a third-party auditor to conduct the audit on its behalf;

      2. Context shall not be required to facilitate any such audit unless and until the parties have agreed in writing the scope and timing of such audit.

    5. Client shall promptly notify Context of any non-compliance discovered during an audit.

    6. The results of the audit shall be Context's Confidential Information.

    7. Context shall provide to Client upon request, or may provide to Client in response to any audit request submitted by Client to Context, the following:

      1. data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or

      2. such other documentation reasonably evidencing the implementation of the technical and organisational data security measures in accordance with industry standards. 

    8. If an audit requested by Client is addressed in the documents or certification provided by Context in accordance with paragraph 10.7, and:

      1. the certification or documentation is dated within twelve (12) months of Client's audit request; and

      2. Context confirms that there are no known material changes in the controls audited,

      Client agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.

  11. SECURITY INCIDENTS

    1. Context shall notify Client in writing without undue delay, and in any event within forty-eight (48) hours, after becoming aware of any Security Incident. 

    2. Context shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Client timely information about the Security Incident, to the extent known to Context or as the information becomes available to Context, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. 

    3. Context shall provide reasonable assistance with Client's investigation of any Security Incidents and any of Client's obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.

    4. Context's notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by Context of any fault or liability with respect to the Security Incident.

  12. TERM, DELETION AND RETURN

    1. This DPA shall commence on the Commencement Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Context's deletion or anonymisation of all Covered Data as described in this DPA.

    2. Context shall:

      1. if requested to do so by Client within fifteen (15) days of expiry of the Agreement (the "Retention Period"), provide a copy of all Covered Data in such commonly used format as requested by Client, or provide a self-service functionality allowing Client to download such Covered Data; and 

      2. on expiry of the Retention Period, delete all copies of Covered Data Processed by Context or any Authorised Sub-processors, other than any Covered Data Processed for the Controller Purposes.

  13. INTERNATIONAL TRANSFERS OF PERSONAL DATA

    1. Context shall not transfer any Covered Data to a recipient outside of the UK unless:

      1. the recipient is in an Adequate Jurisdiction; or

      2. the transfer is governed by an agreement incorporating:

        1. standard data protection clauses approved under Section 119A of the Data Protection Act 2018; and

        2. with respect to Data Subjects in the EEA, the Standard Contractual Clauses.

    2. The Approved Addendum shall, as further set out in Schedule 2, apply to the transfer of any Covered Data from Context to Client, and form part of this DPA, to the extent that the Client is not in an Adequate Jurisdiction. 

    3. The parties agree that execution of the Agreement shall have the same effect as signing the Approved Addendum.

  14. DEIDENTIFIED DATA

    If Context receives Deidentified Data from or on behalf of Client, Context shall:

    1. take reasonable measures to ensure the information cannot be associated with a Data Subject;

    2. publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and

    3. contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.

  15. GENERAL

    1. The parties hereby certify that they understand the requirements in this DPA and will comply with them.

    2. The parties agree that any limitations on either Party's liability under the Agreement shall not apply to any claims, losses or damages arising in respect of a breach of the SCCs.

    3. The parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.


Schedule 1

Details of Processing

Categories of Data Subjects
  • Customers of the Client ("Customers")
  • Employees, contractors and agents of the Client ("Personnel")
Categories of Personal Data
Customers:
  • Personal data contained in the Generative AI Input
  • Personal data contained in the Generative AI Output
Personnel:
  • Name and contact details (email address and phone number)
  • Role and position at Client
  • Content of communications from Personnel to Context (including requests and responses relating to IT support)
Special categories of Personal Data
  • None
Frequency of the transfer
  • Continuous
Nature of the Processing
  • Collection, storage, deletion, rectification, aggregation
Purposes of the data transfer and further Processing
Provision of the Services, namely:
  • Fulfilment of product orders by Customers
  • Processing of product returns from Customers
  • Reporting and stock management
  • Provision of IT support
Retention period
  • The duration of the Agreement
Subprocessors
  • As set out in Schedule 4

Schedule 2

Approved addendum

With respect to any transfers referred to in clause 13, the Approved Addendum shall be completed as follows:

Table 1

Exporter
  • Parties' details: Get Context Analytics Ltd (as further identified in the Agreement)
  • Contact person: [email protected]
Importer
  • Parties' details: The Client (as further identified in the Order Form)
  • Contact person: The Client Contact identified in the Order Form

Table 2

Addendum EU SCCs

The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:


Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
4   Yes No     Yes

Table 3

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As set out above under Table 1
Annex 1B: Description of Transfer: As set out in Schedule 1 to this DPA

Table 4

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

☐ Importer

☒ Exporter

☐ neither Party


Schedule 3

Authorised sub-processors

Name of Sub-processor Description of Processing
Render Services, Inc. Cloud hosting
OpenAI, L.L.C. Machine learning services
Google Cloud EMEA Limited Cloud hosting and infrastructure services
Cloudflare DNS and network services
AC PM LLC (d/b/a Postmark) Transactional email services

Schedule 4

Technical and Organisational Security Measures

Introduction

Context employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction. 

Governance and Policies

Context assigns personnel with responsibility for the determination, review and implementation of security policies and measures.

Context:

  • has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;

  • reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.

Context establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.

Breach response

Context has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated.

Intrusion, anti-virus and anti-malware defences

Context IT systems used to process personal data have appropriate, industry standard data security software installed on them, including firewall, anti-virus, anti-spyware and anti-malware.

Context:

  • carries out regular penetration testing and vulnerability scanning;

  • collects, maintains and reviews event logs;

  • monitors all traffic leaving the organisation and unauthorised use of encryption;

  • deploys data loss prevention tools at network and host level;

  • uses a third-party intrusion protection system.

Access controls

Context limits access to personal data by implementing appropriate access controls, including:

  • limiting administrative access privileges and use of administrative accounts;

  • changing all default passwords before deploying operating systems, assets or applications;

  • requiring authentication and authorisation to gain access to IT systems (i.e. requiring users to enter a user id and password before they are permitted access to IT systems);

  • only permitting user access to personal data which the user needs to access for his/her job role or the purpose they are given access to Context’s IT systems for (i.e. Context implements measures to ensure least privilege access to IT systems);

  • having in place appropriate procedures for controlling the allocation and revocation of personal data access rights.  For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role;

  • encouraging users to use strong passwords, such as passwords with over eight characters and a combination of upper and lower case letters, numbers and special characters;

  • use of multi-factor authentication;

  • automatic timeout and locking of user terminals if left idle;

  • blocking access to IT systems after multiple failed attempts to enter correct authentication and/or authorisation details;

  • monitoring and logging access to IT systems;

  • monitoring and logging amendments to data or files on IT systems.

Availability and Back-up of personal data

Context has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated.

Context regularly backs up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested periodically.

Segmentation of personal data

Context:

  • separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes; and

  • does not use live data for testing its systems.

Disposal of IT equipment

Context:

  • has in place processes to securely remove all personal data before disposing of IT systems;

  • uses appropriate technology to purge equipment of data and/or destroy hard disks.

Encryption

Context uses encryption technology where appropriate to protect personal data held electronically, including:

  • encryption of data at rest using industry standard AES-256 bit encryption;

  • encryption of data in transit using industry standard TLS 1.2 or higher.

Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.

Transmission or transport of personal data

Appropriate controls are implemented by Context to secure personal data during transmission or transit, including:

  • use of VPNs;

  • encryption in transit;

  • logging personal data when transmitted electronically;

  • logging personal data when transported physically;

  • ensuring physical security for personal data when transported on portable electronic devices or in paper form.  

Device hardening

Context removes unused software and services from devices used to process personal data.

Context ensures that default passwords that are provided by hardware and software producers are not used.

Asset and Software management

Context maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.

Context:

  • documents and implements rules for acceptable use of IT assets;

  • requires network level authentication and uses client certificates to validate and authenticate systems;

  • deploys automated patch management tools and software update tools for operating systems and software;

  • proactively monitors software vulnerabilities and promptly implements any out of cycle patches; 

  • permits the use of only the latest versions of fully supported web browsers and email clients.

Context stores all API keys securely, including as follows:

  • Context stores API keys directly in its environment variables;

  • Context does not store API keys on client side;

  • Context does not publish API key credentials in online code repositories (whether private or not); and

  • Context uses API key management tools to retrieve and manage credentials for large development projects.

Staff training and awareness

Context's agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.

Context carries out:

  • regular staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures);

  • appropriate screening and background checks on individuals that have access to sensitive personal data.

Context ensures that information security responsibilities that are applicable immediately before termination or change of employment and those which apply after termination / change of employment are communicated and implemented.

Staff are subject to disciplinary measures for breaches of Context’s policies and procedures relating to data privacy and security.

Selection of service providers and commission of services

Context assesses service providers’ ability to meet their security requirements before engaging them.  

Context has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Context’s instructions. 

Context conducts audits of vendors (including subprocessors) that have access to Context's data either through physical inspection by appropriately qualified security auditors or by reviewing vendors' security accreditation (such as ISO 27001 or SOC 2) reports.

Context's breach response protocol and agreements with vendors provide for the audit of vendors (and subprocessors) following receipt of any notice of a security incident from that vendor.