Decisions AI Terms of Service

Last updated: June 13, 2024

Decisions AS ("Decisions") and the Customer have entered into an agreement (the "Terms of Service") pursuant to which Decisions has agreed to provide to the Customer its meeting solution software and associated services. These additional terms and conditions set out herein are applicable to the Decisions AI add-on service ("Decisions AI"), formerly known as MeetingCulture.ai, if and when the Customer uses or orders Decisions AI as an addition to Decisions' general meeting solution software.

We may revise these terms for Decisions AI and the Decisions AI Privacy Statement from time to time, please review these frequently to check for any changes. We will inform of any changes by posting these on the website. The effective date of these terms and the Decisions AI Privacy Statement is the date of the latest revision. By continuing to use Decisions AI and the website after the effective date, the Customer agrees to be bound by the revised Agreement. If the Customer does not agree to the revisions then use must stop.

Decisions AI operates using Microsoft Azure OpenAI Services, provided by Microsoft Corporation and its affiliates ("Microsoft") through an API integration with Azure's OpenAI models (the "Integration"). The Customer's utilization of Decisions AI is governed by Microsoft's distinct terms of use (the "Microsoft Terms") and also by the guidelines concerning data, privacy, and security, which can be found here: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy. The Microsoft Terms applicable at any point can be accessed here: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/code-of-conduct.

Upon ordering Decisions AI from Microsoft AppSource, Azure Portal, or any other applicable point of purchase where Decisions AI is offered, the Customer acknowledges and agrees to the separate Microsoft Terms and the data, privacy, and security guidelines. Capitalized terms maintain the meanings attributed to them in the Terms of Service.

(i) The Customer acknowledges and accepts that the Microsoft Terms apply alongside the Terms of Service. Excluding the commercial terms within the Terms of Service, encompassing sections on Fees, Termination, and Governing law, legal venue and notice, these Microsoft Terms hold precedence in the event of any conflict.

(ii) The Customer further acknowledges and accepts that Decisions can only provide Decisions AI as long as Decisions maintains a valid agreement with Microsoft Azure OpenAI Services. Decisions reserves the right to transition to similar third-party providers at any time, given reasonable notice to the Customer.

(iii) The Customer recognizes that the Integration used by Decisions AI is subject to certain API rate limits. These restrictions limit the frequency, input amount, and/or output words a user can access the service within a defined time period ("API Rate Limits"). Decisions reserves the right to suspend the Customer (user and/or organization), temporarily or permanently, based on either the exceedance of the API Rate Limits agreed upon between Decisions and the Customer, or the API Rate Limits imposed on Decisions by Microsoft, at its sole discretion.

(iv) Decisions does not offer any SLA guarantees relating to Decisions AI, nor is Decisions responsible or liable to the Customer for any Decisions AI failure attributable to Microsoft Azure OpenAI Services. For the avoidance of doubt, Decisions' responsibility and liability to the Customer can never exceed Microsoft's responsibility and liability towards Decisions as outlined in the Microsoft Terms.

(v) The Microsoft terms are applicable "as is" at any time. If Microsoft adjusts, improves, or alters their services or service terms and conditions provided to Decisions, Decisions may, at any time with reasonable notice, make corresponding changes to the service and service terms and conditions towards the Customer. Customers will be notified if such changes significantly impact the services delivered.

(vi) The use of Decisions AI may necessitate the collection and processing of personal data. Therefore, usage is conditioned upon the Customer entering into a data processing agreement with Decisions. In this agreement, the Customer is the controller, Decisions is the processor, and Microsoft Azure OpenAI Services is a sub-processor, as detailed in Appendix 1.

Appendix 1: Decisions AI Data Processing agreement

This data processing agreement (the "Agreement") is entered into between:

(1) The entity which has procured the Decisions Services (as defined in Section 1.1 below) from Decisions AS (the "Customer" or "Controller"); and

(2) Decisions AS, a private limited liability company incorporated under the laws of Norway with business registration number 916 584 075and registered business address Gaustadalléen 21, 0349 Oslo, Norway (the "Provider" or "Processor").

Each party hereinafter referred to as "Party" and jointly referred to as the "Parties".

1 Background and scope

1.1 This Agreement and its appendices are concluded pursuant to, and is an integral part of, the service terms entered into between the Parties (the "Main Agreement"), under which the Provider has agreed to provide to the Customer its Decisions AI add-on (the "Decisions Services"). By ordering the Decisions Services and accepting the Main Agreement in the order form in Microsoft AppSource, Azure Portal or other relevant place of purchase where the Decisions Services are made available, the Customer acknowledges that it has read this Agreement and agrees to the terms of this Agreement.

1.2 Within the scope of the Main Agreement, and in order to provide the Decisions Services, personal data (the “personal data”) shall be transferred to and processed by the Processor.

1.3 The Parties wish to set out the conditions for this processing in this Agreement in accordance with Article 28 of the General Data Protection Regulation 2016/679 of 27 April 2016 ("GDPR").

1.4 This Agreement sets out the rights and obligations of the Controller and the Processor, when processing personal data on behalf of the Controller. In the context of the Main Agreement the Processor shall process personal data on behalf of the Controller in accordance with the Agreement.

1.5 In addition to the processing of personal data in connection with the Main Agreement, the Parties are aware that the Processor may also process personal data in quality of controller for its own purposes, such as (i) complying with applicable laws and regulations, (ii) requests and communications with authorities, and (iii) for administration, accounting and risk evaluation purposes.

1.6 Notwithstanding the content of this Agreement, the Parties shall comply with their respective responsibilities and obligations pursuant to EU or Member State law.

1.7 To the extent that the Controller would not be considered as a controller, but, instead, as a processor under applicable legislation on the protection of personal data for (some part of) the personal data processed by the Processor on behalf of the Controller under the Main Agreement, the Controller shall ensure that it has the required permission to conclude the Agreement with respect to the relevant personal data. With regard to such personal data, the Processor shall be considered as a sub-processor. The Agreement shall in such case be applicable mutatis mutandis.

2 Definitions

2.1 "Applicable Data Protection Law", means the General Data Protection Regulation (EU) Regulation 2016/679 ("GDPR"), the Norwegian Personal Data Act of 15 June 2018 no. 15 and any legislation implementing GDPR, as well as any other legislation regarding processing of personal data.

2.2 "personal data", means any information relating to an identified or identifiable natural person ("data subject") that the Processor processes on behalf of the Controller; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.3 "processing", means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.4 "special categories of personal data", means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation and data relating to criminal convictions and offenses.

2.5 "EU or Member State law" refers to any regulations or laws applicable to a country that has implemented the GDPR and is a member of the European Economic Area (EEA).

2.6 Words, abbreviations and expressions not defined herein shall have the content ascribed to them in the Main Agreement and Applicable Data Protection Law, unless otherwise appears from the context or is expressly stated below.

3 Description of the processing

3.1 A description of the processing of personal data of the data subjects concerned, in particular the categories of personal data and the purpose and nature of the processing for which the personal data is processed on behalf of the Controller, is included in Appendix A.

4 The obligations, rights and responsibilites of the controller

4.1 The Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data. The initial instructions by the Controller is for the Processor to process personal data on behalf of the Controller within the scope of the Main Agreement, for the purposes of providing the Decisions Services, as further specified in this Agreement. If the Controller wishes to issue additional or different instructions at a later stage, these instructions shall be provided in writing.

4.2 The Controller represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the personal data to the Processor and to authorize Processor to use, disclose, retain and otherwise process that Customer Data as contemplated by this Agreement, the Main Agreement and/or other processing instructions provided to the Processor.

4.3 The Controller shall comply with all applicable Data Protection Law.

4.4 The Controller shall reasonably cooperate with the Processor to assist the Processor in performing any of its obligations with regard to any requests from the Controller's data subjects.

4.5 The Controller represents, warrants and covenants that it shall only transfer personal data to the Processor using secure, reasonable and appropriate mechanisms.

4.6 The Controller shall not provide personal data to the Processor except through agreed mechanisms. For example, the Controller shall not include personal data other than technical contact information in technical support tickets, or transmit personal data to the Processor by email.

4.7 In the event that Processor violates this Agreement or the Applicable Data Protection Law, the Controller may require the Processor to stop further processing of the personal data with immediate effect.

5 General obligations of the processor

5.1 The Processor undertakes to process personal data on behalf of the Controller in accordance with Applicable Data Protection Law, the Main Agreement, this Agreement with appendices and any subsequent agreement between the Parties.

5.2 The Processor shall process personal data only on documented instructions from the Controller, unless it is subject to a legal obligation whereby it is required to perform another processing activity. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. For the avoidance of doubt, the Parties agree that the Processor shall process personal data (i) for the purpose of providing and supporting the Decisions Services (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring), and (ii) for the purpose of improving the Decisions Services, and that such processing constitutes as complying with Controller's instructions.

5.3 If the Processor goes beyond its mandate or determines the purpose and means of the processing itself, it shall be considered as a controller for that processing activity.

5.4 The Processor shall promptly notify the Controller when the Processor considers an instruction given by the Controller to be in breach with the Applicable Data Protection Law or any other legal requirement concerning data protection of EU or Member State law.

5.5 The Processor undertakes to, upon reasonable notice and appropriate confidentiality agreements, provide the Controller with all information necessary for the Controller to demonstrate that the processing is being carried out in accordance with the Applicable Data Protection Laws.

6 Assistance from the processor to the controller

6.1 If the data subject contacts the Processor directly or issues a request to the Processor for exercising its rights laid down in Chapter III GDPR, the Processor shall without undue delay refer the data subject to the Controller.

6.2 Taking into account the nature of the processing, the Processor shall by appropriate technical and organisation measures, provide reasonable assistance to the Controller for the fulfilment of the Controller's obligation to respond to requests for exercising the data subjects' rights laid down in Applicable Data Protection Law.

6.3 If relevant, the Processor shall furthermore, taking into account the nature of the processing and the information available to the Processor, reasonably assist the Controller in ensuring compliance with:

a) the Controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);

b) the Controller’s obligation to consult the competent supervisory authority, the competent supervisory authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;

c) the obligations in Article 32 GDPR.

7 Confidentiality

7.1 Processor shall take commercially reasonable steps to ensure that persons authorised to process the personal data are committed to processing the information confidentially by a confidentiality statement in an employment contract or in another agreement with the Processor, if such person is not subject to an appropriate statutory duty of confidentiality.

7.2 The duty of confidentiality described in clauses 7.1 and 7.2 above shall survive the termination of this Agreement.

8 Security of processing

8.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in accordance with Article 32 GDPR, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

8.2 The Processor shall maintain reasonable and appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of Customer Data and to protect the rights of the subjects of that Customer Data.

8.3 In case of accidental or unlawful destruction, loss, unauthorised access to or processing of the personal data (“Data Breach”), the Processor shall inform the Controller thereof without undue delay after becoming aware of the Data Breach. The Controller shall notify the Data Breach to the competent data protection authority and/or the data subjects in accordance with Articles 33 and 34 GDPR.

8.4 The Processor shall provide all reasonable assistance to the Controller in order to allow the Controller to carry out its obligations under Articles 33 and 34 GDPR. In the event that the Controller is obliged to communicate a Data Breach to the data subjects pursuant to GDPR, the Processor shall assist the Controller in doing so, including by providing the information required for the Controller to be able to communicate the breach in a clear and lawful manner. The Controller shall bear any costs related to such communication to the data subject.

9 Use of sub-processors

9.1 The Processor has the Controller’s general authorisation for engaging another processor (the “Sub-Processor”) for the fulfilment of the Agreement. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 14 days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-processor(s). Such information may be provided via email, a posting or notification on an online portal for the Processor's services, or by other reasonable means.

9.2 If the Controller objects to the intended changes to the Sub-Processors, the Controller shall notify the Processor within 14 days after notification has been provided in accordance with Section 9.1. The Parties shall try to agree on how the change is to be handled. If the Parties do not agree, either Party shall have the right to terminate the Agreement with effect from when the changes in the Sub-processor's enter into force. The list of Sub-Processors already authorised by the Controller can be found in Appendix B.

9.3 Where the Processor engages a Sub-Processor pursuant to this Section 9, the same data protection obligations as set out in this Agreement shall be imposed on the Sub-Processor by way of a written contract, and the Processor shall ensure that any use of Sub-Processors is performed in accordance with Applicable Data Protection Law.

9.4 Where a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-Processor's obligations under the Agreement.

10 Transfer of data to countries outside the EU/EEA

10.1 Any transfer of personal data to third countries or international organisations by the Processor shall always take place in compliance with Chapter V GDPR.

10.2 The Controller agrees that where the Processor engages a Sub-Processor for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V GDPR, the Processor and the Sub-Processor can ensure compliance with Chapter V of GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of GDPR, provided the conditions for the use of those standard contractual clauses are met.

10.3 In case transfers to third countries or international organisations, which the Processor has not been instructed to perform by the Controller, is required under EU or Member State law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.

11 Access to information and performance of audits

11.1 Once per calendar year and whenever there are reasonable indications of a breach of the Agreement or Applicable Data Protection Law, for example but not limited to, in the case of a Data Breach, the Controller is entitled (to mandate an auditor) to conduct an audit or inspection of the Processor’s processing of the personal data upon reasonable prior notification to the Processor and appropriate confidentiality agreements. The Processor shall make available all information necessary for the performance of the audit/inspection by the Controller or an auditor. The audit/inspection shall be restricted in scope, manner and duration to what is reasonably necessary to achieve its purpose and may not unnecessarily interrupt the Processor’s operations.

11.2 The Processor shall set aside the resources (mainly time) required for the Controller to be able to perform the audit/inspection. The Controller shall bear all (other) reasonable costs of the audit/inspection.

11.3 Based on the results of such an audit/inspection, the Controller may request further measures to be taken to ensure compliance with Applicable Data Protection Law and the Agreement.

12 Duration and termination of the agreement

12.1 The Agreement enters into force simultaneously with the Main Agreement and remains in effect as long as the Processor processes personal data on behalf of the Controller pursuant to the Main Agreement.

12.2 Upon termination of the Agreement and/or the Main Agreement, the Processor shall terminate the processing, unless the Parties decide otherwise. The Processor shall delete or return, at the choice of the Controller, all the personal data in its possession, as well as every existing copy or back-up made, unless the storage of the personal data is legally required.

12.3 The Processor shall ensure that any Sub-Processor shall terminate the processing of the personal data and delete all the personal data from its files upon termination of the Agreement.

12.4 Both Parties shall be entitled to require the Agreement renegotiated if changes to the law or inexpediency of the Agreement should give rise to such renegotiation.

13 Liability

13.1 The Parties' liability for damage suffered by a data subject or other natural persons which is due to a violation Applicable Data Protection Law shall follow the provisions of Article 82 of the GDPR. The Parties are individually liable for administrative fines imposed pursuant to Article 83 of the GDPR. As between the Parties (inter partes) the Processor’s liability under the Agreement shall correspond to the regulation on limitation of liability as set out in the Main Agreement.

13.2 The Processor shall not be liable:

a) for any indirect or consequential damage, loss of profits, loss of turnover, lost business opportunities or reputational damage suffered by the Controller.

b) for any damage suffered by the data subjects or other natural persons due to identity theft, data theft or cybercrime, if the technical and organisational measures provided for in Section 8.2 of the Agreement have been implemented.

c) for non-performance or delay in performance caused by any event beyond the reasonable control of the Processor.

14 Notice

14.1 Notices or communication pursuant to this Agreement shall be sent in writing to the Parties’ given contact persons as defined in the Main Agreement.

15 Legal venue and governing law

15.1 Unless otherwise agreed in the Main Agreement, this Agreement shall be governed by the laws of Norway, with Oslo District Court as the legal venue.

***

Appendix A – data processing details

1. The subject-matter and the nature of the processing

The processing of personal data that the Processor carries out on behalf of the Controller consists of making available the Decisions Services which includes processing activities such as collection, storage, analysis, modification, hosting, backup, erasure, and such other applicable services as described in the Main Agreement.

2. The purpose of the processing

The purpose of the processing under the Agreement is to be able to provide and support the Decisions Services pursuant to the Main Agreement (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring), and the purpose of improving the Decisions Services.

3. The duration of the processing/criteria to determine the duration

The processing is not limited in time and will last until the Agreement/Main Agreement is terminated.

4. Categories of data subjects

The affected data subjects are: Employees of the Controller and/or other users given access to the Decisions Services by the Controller.

5. Types of personal data

The type of personal data processed are: Name, contact information, demographic information, and other information provided by the user in unstructured data. The Controller, including its users, may, at their own discretion, upload or input different types of personal data to the Decisions Services, and such personal data will also be processed by the Processor.

The following special categories of personal data are processed: No special categories of personal data are intended to be processed unless the user includes it in unstructured data.

Appendix B – approved sub-processors

List of approved Sub-Processors at the time of signing the Agreement

Name of Sub-Processor Description of the processing activity Personal data concerned Location of the processing Data processing agreement entered into
Microsoft Azure

Analyzing input data and creating output through machine learning models.

List of sub-processors for further processing by Microsoft Azure can be found here: https://servicetrust.microsoft.com/ViewPage/PrivacyDataProtection

Name,

Contact information,

Demographic information,

Information provided by the user in unstructured data

EU (default)

[The Controller can choose to configure the location of processing to US or EU]
Yes, including Standard Contractual Clauses for the third-country transfer. Microsoft Azure privacy policy may be found here: https://privacy.microsoft.com/en-us/privacystatement