MOSTLY GENERATE SaaS Terms of Service
1.1 These Terms of Service (“Terms”) apply to the use of MOSTLY GENERATE (“Service”) provided by MOSTLY AI Solutions MP GmbH, Hegelgasse 21/3, 1010 Vienna, Austria (“Provider”) to legal entities or individuals (“Customer”).
2. Registration and Acceptance of the Terms
2.1 By registering for the Service, the Customer enters into an agreement with the Provider that is subject to these Terms (“Agreement”). The Agreement is formed when and if the Provider accepts the registration (“Effective Date”).
2.2 Where an individual is registering for the Service on behalf of a legal entity, the individual warrants that any details provided on the legal entity are correct.
2.3 In the case of a registration on behalf of a legal entity, the individual also warrants that he or she is authorized to act on behalf of this legal entity and to legally bind the legal entity to these Terms. In the case of a registration in the individual’s own name, the individual confirms and warrants that he or she is not a consumer and is exclusively acting in his or her capacity as an entrepreneur.
2.4 The Customer shall keep its password and any other authenticating information strictly confidential and shall prevent any unauthorized access to or use of the Service by any third parties using the Customer’s account.
3. Service Description
3.1 The Provider shall provide the Customer access to the Service as set out in this Agreement for the purpose of enabling the Customer to perform data synthesization. The Customer may not use the Service in violation of applicable law.
3.2 The Service consists of features that allow the Customer to (i) upload personal data as defined in Article 4(1) GDPR to the Service (“Personal Data”), (ii) generate and/or train a model based on that Personal Data (“Model”), (iii) use the Model to generate production data applicable to a given situation that is not obtained by direct measurement (“Synthetic Data”), and (iv) generate reports concerning the quality of that Synthetic Data (“Reports”).
3.3 Subject to the instructions contained in the user interface of the Service and any warnings contained in the Reports, the Provider warrants that the Synthetic Data as such will not qualify as personal data under the GDPR. Any third-party legal opinion provided to the Customer to that effect shall not be considered legal advice to the Customer but is rather provided for informational purposes only.
3.4 The Provider will retain
(i) the Personal Data only until the Model has been generated or trained and
(ii) the Synthetic Data as well as the Model only until the expiration or termination of the Agreement.
The Provider retains the right to use Reports to improve its services.
3.5 The Service is offered in different configurations (“Service Configuration”), the details of which are set out on the Provider’s website.
4. Uptime and Customer Support
4.1 The Provider will provide basic support at no additional charge. Basic support includes commercially reasonable efforts to make the Service available 24 hours a day, 7 days a week, except for: (a) planned downtime (which the Provider aims to schedule outside of normal business hours), or (b) any unavailability caused by circumstances beyond the Provider’s reasonable control, including without limitation, acts of God, acts of government, floods, fires, earthquakes, civil unrest, acts of terror, pandemics, strikes or other labor problems (other than those involving the Provider’s employees), Internet service provider failures or delays, or denial of service attacks.
5. Payment Obligations and Subscription Periods
5.1 The Customer may either purchase a subscription for the Service (“Standard Subscription”) of a duration (“Subscription Period”) of one month (“Monthly Subscription”) or one year (“Yearly Subscription”).
5.2 The Customer shall pay the Provider the service fee applicable to the Service Configuration and Subscription type chosen by the Customer as set out on the Provider’s website (“Service Fee”).
5.3 If the Customer resides within Austria, the fee charged by the Provider includes the local value added tax. The Provider will not charge any VAT if the Customer resides outside Austria, but within the European Union, and can provide a valid VAT registration number. If the Customer resides outside the European Union or within the European Union but does not have a valid VAT registration number, all fees are exclusive of duties and taxes imposed by governing authorities. In this case, the Customer is responsible for payment of all such taxes and duties.
5.4 The Customer shall pay the service fee for the entire Subscription Period in advance without any deduction using the payment methods set out in the registration process.
5.5 The Provider will invoice the Customer in the first week of the Subscription Period.
6. Trial Subscription
6.1 Notwithstanding Section 5, a first-time Customer may choose to subscribe for the Service free of charge for a duration of one week (“Trial Subscription”). A Customer may obtain a Trial Subscription only once.
7. Fair Use Policy
7.1 For the duration of the Trial Subscription, the Customer shall not use the Service in any way that could impair the Provider’s ability to provide the Service, the functioning of the Service or the use of the Service by other customers.
8. Suspension of Service
8.1 The Provider shall have the right to suspend the Service for the Customer in case of
- a payment default by the Customer, including statutory default interest;
- any violation of the Fair Use Policy (see Section 7) until the violation has ceased and the Customer has remedied the consequences of the violation.
8.2 The Subscription Period shall not be affected by such suspension.
9. Intellectual Property Licenses
9.1 For the duration of this Agreement, the Provider grants the Customer a non-exclusive, non-sublicensable, non-transferrable limited license to use the Service for its own purposes and in accordance with this Agreement. The Provider retains all rights under copyright law to the Service and full ownership of the Service.
9.2 For the duration of this Agreement, the Customer grants the Provider a non-exclusive, non-transferrable, non-sublicensable license to reproduce and create derivative works of the Model for the purpose of improving the Service.
10. Data Ownership, Data Protection and Confidentiality
10.1 The Customer shall retain full ownership of any Personal Data as well as any Synthetic Data.
10.2 The parties shall observe their respective obligations under the EU General Data Protection Regulation (“GDPR”). By concluding this Agreement, the Customer and the Provider enter into the Data Processing Agreement set out in Annex 1 which shall constitute an integral part of these Terms.
10.3 The Provider shall keep confidential and shall not disclose or allow to be disclosed in whole or in part without prior written consent to any third party any Personal Data, Synthetic Data, the Model or the Reports.
11. Warranty and Liability
11.1 Neither party shall be liable for any damages except for cases of intent or very gross negligence. § 1298 sentence 2 Austrian General Civil Code shall not apply.
11.2 Moreover, neither party shall be liable for any indirect, incidental, special, or consequential damages, including any damages for lost profits incurred by either Party or any third party.
11.3 In any case, the Provider’s yearly aggregate liability shall be limited to the sum of 3,000,000 EUR.
11.4 Except for the warranties expressly provided in these Terms, the Provider hereby disclaims any and all warranties. The exclusive remedy for breach of any warranty shall be the right to have the Service brought into conformity with this Agreement.
11.5 The Customer warrants that it has a sufficient legal basis to synthesize the Personal Data in full compliance with applicable law.
12.1 If the Customer has purchased a Standard Subscription, the Provider may refer to the Customer as a user of the Service and use the Customer’s logo for marketing purposes, unless the Customer opts out of this marketing use by sending an email to [[email protected]]. The Customer’s opt-out shall not affect the rightfulness of any references by the Provider to the Customer before the opt-out (in particular with regard to printed marketing materials).
13. Term and Termination
13.1 This Agreement is concluded for the duration of the Subscription Period. The Subscription and this Agreement shall automatically renew unless this Agreement is terminated as set out under this Section 13.
13.2 Either Party may terminate this Agreement for convenience at the end of the current Subscription Period, subject to giving one day’s prior notice.
13.3 Notwithstanding the above, in case of a Trial Subscription, this Agreement shall terminate automatically at the end of the Subscription Period.
14. Notice and Amendments
14.1 The Provider may provide legal notice to the contact details provided by the Customer during the registration process or updated by the Customer thereafter. The Customer shall ensure that its contact details are accurate and always up to date.
14.2 Amendments to these Terms or the Service Fee require the consent of both parties. The Provider may propose any amendment to these Terms by sending a notice to the last known contact details of the Customer. If the Customer does not object to such proposed amendment within a period of four weeks of receipt of such notice, the Customer shall be deemed to have consented to the amendment. If the Customer objects to the proposed amendment, the Provider shall have the right to terminate this Agreement at the end of the then current Subscription Period, subject to giving four weeks’ prior notice.
15.1 The Provider reserves the right to transfer this Agreement to an affiliated company without permission of the Customer.
16.1 These Terms and any information provided during the registration process comprise the entire agreement between the parties with respect to the subject matter of this Agreement and supersede all prior agreements, written or oral, between the parties with respect to the Service. Any terms and conditions of the Customer, including those in orders, acceptances, confirmations, or other communications with the Customer shall not apply even if the Provider has not rejected them expressly.
16.2 Any amendments and additions to this Agreement as well as notifications between the parties require written or electronic form to be effective. This form requirement also applies to any deviations from this clause.
16.3 If any provision of this Agreement should be invalid or unenforceable, the validity and enforceability of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced, to the extent permitted by law, by a provision that most closely reflects the economic intent of the invalid provision.
16.4 This Agreement is subject to Austrian law, with the exception of the rules of private international law and the UN Convention on Contracts for the International Sale of Goods (CISG). Any and all disputes arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the court having subject matter jurisdiction for the first district of the City of Vienna, Austria.
Annex 1: Data Processing Agreement
In addition to the definitions set out in the Terms, the following definitions shall apply for this Data Processing Agreement:
1.1 The term “Personal Data Breach”, as used herein, shall have the same meaning as “personal data breach” under Article 4(12) GDPR.
1.2 The term “Processing Service” or “Processing Services”, as used herein, shall mean the (processing) services rendered by the Processor under the Agreement.
1.3 The term “Processor”, as used herein, shall refer to the Provider.
1.4 The term “Controller”, as used herein, shall refer to the Customer.
1.5 The term “DPA”, as used herein, shall refer to this Data Processing Agreement.
2. Duration, Subject-Matter, Nature and Purpose of the Processing
2.1 For the duration of the Agreement, the Processor performs, on behalf of the Controller, data synthesization services. The purpose of the processing is to enable the Customer to synthesize Personal Data.
3. Right to Instruction
3.1 Unless otherwise required by EU or Member State law to which the Processor is subject, the Processor shall process the personal data only on documented instructions from the Controller. This includes the transfer of personal data to a third country or an international organization. Unless otherwise agreed between the Parties, the Controller may only issue instructions to the Processor using the user interface of the Service.
3.2 The Processor shall immediately inform the Controller if, without seeking internal or external legal advice, it considers that an instruction issued by the Controller violates the GDPR or other data protection provisions of the EU or a Member State in a way that is apparent to a layperson. The Processor shall not be obliged to seek legal advice in connection with the performance of this DPA and will not provide any such legal advice to the Controller.
3.3 If such notification is permissible, the Processor shall inform the Controller if it is obliged, under EU or Member State law, to process personal data contrary to or without the instructions of the Controller.
4. Confidentiality
4.1 The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Data Security
5.1 The Processor takes all measures required under Article 32 GDPR. The Processor fulfills this obligation by implementing the measures set out in Exhibit 1.
5.2 The Processor shall inform the Controller of any Personal Data Breach, insofar as such breach concerns personal data processed by the Processor on behalf of the Controller and results in a risk to the rights and freedoms of natural persons. This information shall be provided without undue delay after the Processor becomes aware of such a breach.
5.3 The information provided to the Controller pursuant to Section 5.2 shall include the following, to the extent feasible under the circumstances:
a. the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the likely consequences of the Personal Data Breach; and
c. the measures taken or proposed to be taken by the Processor to address the Personal Data Breach.
6.1 The Controller hereby authorizes the Processor to engage the entities listed in Exhibit 2 as a sub-processor.
6.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors or sub-processors (hereinafter collectively “Sub-Processors”), thereby giving the Controller the opportunity to object to and prohibit such changes. If the Controller does not object within two weeks, the addition or replacement shall be deemed to have been approved.
6.3 If an objection is raised in accordance with Section 6.2, the Processor shall be entitled to terminate the Agreement as well as this DPA at any time, subject to giving two weeks’ prior notice.
6.4 Where the Processor engages another Sub-Processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-Processor by means of a contract. This contract shall in particular provide sufficient guarantees by the Sub-Processor to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable data protection law.
6.5 Subject to the limitations of liability set out in the Agreement, where a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the performance of that Sub-Processor’s obligations.
6.6 Notwithstanding Section 5, where
a. the Processor informs the Controller of the use of any Sub-Processors and includes or makes available upon request information on the contractual terms offered by such Sub-Processors, including the technical and organizational measures implemented by such Sub-Processors (“Sub-Processing Terms”), and
b. the Controller approves or is deemed to have approved such Sub-Processors pursuant to Sections 6.1 or 6.2, these Sub-Processing Terms shall be considered to be in full compliance with the terms of this DPA, including Sections 5 and 6.
7.1 The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is feasible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under applicable data protection law, including Chapter III of the GDPR.
7.2 The Processor may choose to fulfil its obligation under Section 7.1 by forwarding requests received from data subjects to the Controller.
7.3 Moreover, the Processor shall assist the Controller with ensuring compliance with the Controller’s obligations under applicable data protection law, including Articles 32 to 36 of the GDPR. The Processor shall do so by (i) taking the measures set forth in Section 4 (“Confidentiality”) and Section 5 (“Data Security”) of this DPA; (ii) notifying the Controller of a Personal Data Breach pursuant to Section 5.2; and (iii) providing the information set forth in Exhibit 1 of this DPA.
8. Return of Personal Data
8.1 The Controller acknowledges that the Processor will delete Personal Data prior to the end of the provision of the Processing Services as set out in the Terms. Should any Personal Data remain at the end of the provision of the Processing Services, the Controller hereby instructs the Processor to delete such Personal Data.
9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
9.2 The Processor shall allow for pre-notified inspections to be carried out during business hours by the Controller or an independent third party. Such inspections shall be carried out at reasonable intervals and in a manner that does not interfere with the business of the Processor. Costs arising from such audits shall be borne by the Controller. The Processor shall be entitled to reasonable remuneration for all services rendered in connection with its support of inspections.
9.3 The Processor may also fulfil its obligations under Section 9.2 by having an independent third party carry out an audit at least every three years and providing the summary audit report to the Controller. Moreover, as regards a particular Sub-Processor, the Processor may fulfill its obligations under Section 9.2 by exercising its audit rights as provided in the agreement concluded between the Processor and the Sub-Processor or providing the Controller with the audit reports received from the Sub-Processor.
Exhibit 1: Technical and Organizational Measures for the Protection of Personal Data
1) Preventive Security Measures – Measures to Prevent a Successful Attack
a) Technical measures
(i) Logical access control: Access rights are granted according to the “need-to-know” principle.
(ii) Authentication: Personal data is accessible only after successful authentication.
(iii) Password security: Passwords used for authentication consist of at least 8 characters, lower and upper case letters, numbers, and special characters. Passwords are stored encrypted only.
(iv) Encryption on the transmission path: Personal data is encrypted if transmitted over the Internet, at least to the extent sensitive data is concerned.
(v) Encryption at rest: Any Personal Data uploaded to the Service will be encrypted at rest.
(vi) Encryption of mobile devices: Mobile devices and mobile data carriers are encrypted, at least in case of sensitive data being stored on these devices.
(vii) Network security: A firewall is used that separates the internal network from the Internet and – to the extent feasible – blocks incoming malicious network traffic.
(viii) Measures against malicious software: Anti-virus software is used on all PCs and laptops to the extent feasible. All incoming emails are automatically scanned for malicious software.
(ix) Management of security vulnerabilities: To the extent feasible, the automatic installation of security updates is activated on all devices. Otherwise, relevant security updates will be installed within a reasonable time.
b) Organizational measures
(i) Clear responsibilities: Internal responsibilities for data security issues are defined.
(ii) Confidentiality requirements of employees: Employees are obliged to maintain secrecy beyond the duration of their employment. Employees may only transfer personal data to third parties at the explicit instruction of a supervisor.
(iii) Training and information activities: Employees are trained on data security issues (internally or externally) and adequately informed about data security issues (such as password security).
(iv) Orderly termination of employment relationships: There is a process in place to deactivate all accounts within a reasonable time after the effectiveness of the termination of an employment relationship.
(v) Management of computer hardware: Records are kept of the distribution of end devices to specific employees (e.g., PC, laptop, mobile phone).
(vi) Input control: Control procedures are implemented to control the accuracy of personal data.
(vii) No duplicates of user accounts: Each person should have their own user account. The sharing of user accounts is prohibited.
(viii) Limited use of administrative accounts: User accounts with administrative rights are only used in exceptional cases. IT systems are normally used without administrative rights.
(ix) Selection of service providers: When selecting service providers, the data security level offered by the service provider is taken into account. Service providers that are considered a processor are only used after execution of a DPA.
(x) Secure data disposal: Paper documents containing personal data are generally shredded or handed over to an external service provider for secure destruction. Storage media are completely overwritten or physically destroyed or otherwise disposed of in a secure manner.
c) Physical measures
(i) Physical access control: Access to business premises where personal data is processed is only permitted for non-employees if accompanied by a company employee or after authorization by a company employee.
(ii) Measures against burglary: Access to business premises where personal data is processed is equipped with adequate burglary protection (e.g., with security doors).
(iii) Special protection of computer hardware: Access to premises where computer servers are located is protected by special security measures (for example, by additional locks and/or CCTV surveillance).
(iv) Key management: Keys that grant access to the premises or parts thereof are only provided to trustworthy individuals, and only to the extent and as long as these persons require a separate key.
2) Detective security measures – measures to detect an attack
a) Technical Measures
(i) Scans for malware: Scans for malware (anti-virus scans) are regularly performed to identify malicious software.
(ii) Automatic checks of log files: To the extent that security log files of several systems are collected on a centralized system, log files are automatically evaluated in order to detect possible security breaches.
(iii) Security mailing lists: An employee of the company or an external service provider is required to subscribe to relevant mailing lists for the announcement of new IT security threats (e.g., mailing lists of the manufacturers of the software used) to recognize current threat situations.
b) Organizational measures
(i) Employee security incident detection: All relevant employees are instructed on the detection and reporting of security breaches (e.g., lost computer hardware, anti-virus software alerts).
(ii) Reporting systems: There are technical procedures in place that enable employees to report anomalies and suspected security breaches of technical systems.
(iii) External persons: All employees are instructed to confront non-employees that are not accompanied by an employee should they be met on the premises in areas that are not open to visitors.
(iv) Audits: Audits and/or spot checks are performed regularly to identify potential weaknesses that could threaten the security of personal data.
(v) Checking of log files: Log files, if kept, are checked at regular intervals (e.g., with regard to unsuccessful authentication attempts).
c) Physical measures
(i) Fire alarms: To the extent appropriate with regard to the size and nature of the business facilities, fire alarms that are automatically triggered by smoke are installed.
3) Reactive security measures – response to an attack
a) Technical Measures
(i) Data backup: Data backups are created regularly and stored securely.
(ii) Data recovery concept: A concept for the rapid restoration of data backups has been developed in order to allow for the timely restoration of regular operation after a security breach.
(iii) Automatic removal of malware: The anti-virus software used automatically removes malware.
b) Organizational measures
(i) Reporting obligation for employees: All employees are instructed to immediately report security breaches.
(ii) Communication with external service providers: All service providers are provided with contact details to report security breaches.
(iii) Incident response process: A process has been defined to ensure adequate and timely response to security incidents. All employees have been instructed to follow that process.
c) Physical measures
(i) Fire extinguishers: There is a suitable number of fire extinguishers at the premises where personal data is processed. Employees have been made aware of the location of these fire extinguishers.
(ii) Fire alarm: In case that there is a fire detector that does not have an automatic connection to the fire department, an appropriate process ensures that the fire department can be contacted manually.
4) Deterrent security measures – measures to reduce attacker motivation
a) Technical Measures
(i) Automatic alerts: Users receive automatic alerts on risk-prone IT use (such as through the web browser if an encrypted web site does not use correct SSL / TLS certificates).
b) Organizational measures
(i) Sanctions in the case of attacks by own employees: All employees are or have been made aware that attacks on company-owned IT systems are not tolerated and that such attacks may result in serious consequences under employment law, including dismissal.
(ii) Logging of access: Any access to IT systems holding personal data is logged.
Exhibit 2: List of Sub-Processors
Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy, L-1855, Luxembourg
AWS Customer Agreement available at https://aws.amazon.com/agreement/
10800 NE 8th Street, Suite 600, Bellevue, WA 98004, United States
101 Townsend St, San Francisco, CA 94107, United States
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland
Google Cloud Platform Terms of Service available at https://cloud.google.com/terms
1600 Amphitheatre Parkway, Mountain View, California 94043, United States
Google APIs Terms of Service available at https://developers.google.com/terms
Mailgun Technologies, Inc.
535 Mission St. – 14th Floor, San Francisco, CA 94105, United States
400 Alabama St., Suite 202, San Francisco, CA 94110, United States
Stripe Payments Europe, Ltd.
1019 Market Street, San Francisco, CA 94103, United States