1. Scope

1.1   These Terms of Service (“Terms”) apply to the use of the Free Version of the MOSTLY AI synthetic data platform (“Service”) provided by MOSTLY AI Solutions MP GmbH, Landstraßer Hauptstraße 71/2, 1030 Vienna, Austria (“Provider”) to legal entities or individuals (“Customer”).

2. Registration and Acceptance of the Terms

2.1 By successfully registering for the Service, the Customer enters into an agreement with the Provider that is subject to these Terms (“Agreement”).

3. Service Description

3.1 The Provider provides the Customer access to the Service as set out in this Agreement for the purpose of enabling the Customer to perform data synthesis. The Customer may either use the Service free of charge. The Customer may not use the Service in violation of applicable law.

3.2 The Service consists of features that – among other things – allow the Customer to (i) upload personal data as defined in Article 4(1) GDPR to the Service (“Personal Data”), (ii) generate and/or train a model based on that Personal Data (“Model”), (iii) use the Model to generate production data applicable to a given situation that is not obtained by direct measurement (“Synthetic Data”), and (iv) generate reports concerning the quality of that Synthetic Data (“Reports”).

3.3 Subject to the Customer’s compliance with the instructions contained in the user interface of the Service and any warnings contained in the Reports, the Provider warrants that the Synthetic Data as such will not qualify as personal data under the GDPR.

3.4 The Provider will retain the Personal Data only until the Model has been generated or trained. The Provider retains the right to use Reports to improve its services.

4. Uptime and Customer Support

4.1 The Provider will provide basic support at no additional charge. The Provider will make commercially reasonable efforts to make the Service available 24 hours a day, 7 days a week, except for: (a) planned downtime (which the Provider aims to schedule outside of normal business hours), or (b) any unavailability caused by circumstances beyond the Provider’s reasonable control. The Provider reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part of it) with or without notice at any time and from time to time.

5. Fair Use Policy

5.1 The Customer shall not use the Service in any way that could impair the Provider’s ability to provide the Service, the functioning of the Service or the use of the Service by other customers.

5.2 The Provider might implement certain limits (e.g. number of synthesis runs per month) to enforce the Fair Use Policy.

6.  Suspension of Service

6.1 The Provider shall have the right to suspend the Service for the Customer in case of any violation of the Fair Use Policy (see Section 5) until the violation has ceased and the Customer has remedied the consequences of the violation.

7. Intellectual Property Licenses

7.1 For the duration of this Agreement, the Provider grants the Customer a non-exclusive, non-sublicensable, non-transferrable limited license to use the Service for its own purposes and in accordance with this Agreement. The Provider retains all rights under copyright law to the Service and full ownership of the Service.

7.2 For the duration of this Agreement, the Customer grants the Provider a non-exclusive, non-transferrable, non-sublicensable license to reproduce and create derivate works of the Model for the purpose of improving the Service.

8. Data Ownership, Data Protection and Confidentiality

8.1 The Customer shall retain full ownership of any Personal Data as well as any Synthetic Data.

8.2 The parties shall observe their respective obligations under the EU General Data Protection Regulation (“GDPR”). By concluding this Agreement, the Customer and the Provider enter into the Data Processing Agreement set out in Annex 1 which shall constitute an integral part of these Terms.

8.3 The Provider shall keep confidential and shall not disclose or allow to be disclosed in whole or in part without prior written consent to any third party any Personal Data, Synthetic Data, the Model or the Reports.

9. Warranty and Liability

9.1 Neither party shall be liable for any damages except for cases of intent or very gross negligence. Section 1298 sentence 2 Austrian General Civil Code shall not apply.

9.2 Moreover, neither party shall be liable for any indirect, incidental, special, or consequential damages, including any damages for lost profits incurred by either Party or any third party.

9.3 In any case, the Provider’s yearly aggregate liability shall be limited to the sum of 3,000,000 EUR.

9.4 Except for the warranties expressly provided in these Terms, the Provider hereby disclaims any and all warranties. The Service is provided on an “as-is” basis. The exclusive remedy for breach of any warranty shall be the right to have the Service brought into conformity with this Agreement.

9.5 The Customer warrants that it has a sufficient legal basis to synthesize the Personal Data in full compliance with applicable law.

11. Termination

11.1 Either Party may terminate this Agreement for convenience. The deletion of the Customer’s registered account constitutes a termination of this Agreement.

12. Amendments

12.1 The Provider reserves the right to amend these Terms at its sole discretion. If the amendment includes material changes to the content, Provider will send an email notice to the last known contact details of the Customer. If the Customer does not object to such proposed amendment within a period of four weeks of receipt of such notice, the Customer shall be deemed to have consented to the amendment. If the Customer objects to the proposed amendment, the Customer shall not be entitled to continue using the Service.

13 Miscellaneous

13.1 These Terms and any information provided during the registration process comprise the entire agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior agreements, written or oral, between the parties with respect to the Service. Any terms and conditions of the Customer, including those in orders, acceptances, confirmations, or other communications with the Customer shall not apply even if the Provider has not rejected them expressly.

13.2 Any amendments and additions to this Agreement as well as notifications between the parties require written or electronic form to be effective. This form requirement also applies to any deviations from this clause.

13.3 If any provision of this Agreement should be invalid or unenforceable, the validity and enforceability of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced, to the extent permitted by law, by a provision that most closely reflects the economic intent of the invalid provision.

13.4 The Provider reserves the right to transfer this Agreement to an affiliated company without permission of the Customer.

13.5 This Agreement is subject to Austrian law, with the exception of the rules of private international law and the UN Convention on Contracts for the International Sale of Goods (CISG). Any and all disputes arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the competent court for the first district of the City of Vienna, Austria.

Annex 1: Data Processing Agreement

1. Definitions

In addition to the definitions set out in the Terms, the following definitions shall apply for this Data Processing Agreement:

1.1 The term “Personal Data Breach”, as used herein, shall have the same meaning as “personal data breach” under Article 4(12) GDPR.

1.2 The term “Processing Service” or “Processing Services”, as used herein, shall mean the (processing) services rendered by the Processor under the Agreement.

1.3 The term “Processor”, as used herein, shall refer to the Provider.

1.4 The term “Controller”, as used herein, shall refer to the Customer.

1.5 The term “DPA”, as used herein, shall refer to this Data Processing Agreement.

2. Duration, Subject-Matter, Nature and Purpose of the Processing

2.1 For the duration of the Agreement, the Processor performs, on behalf of the Controller, data synthesis services. The purpose of the processing is to enable the Customer the synthesis of Personal Data.

3. Right to Instruction

3.1 Unless otherwise required by EU or Member State law to which the Processor is subject, the Processor shall process the personal data only on documented instructions from the Controller. Unless otherwise agreed between the Parties, the Controller may only issue instructions to the Processor using the user interface of the Service.

3.2 The Processor shall immediately inform the Controller if, without seeking internal or external legal advice, it considers that an instruction issued by the Controller violates the GDPR or other data protection provisions of the EU or a Member State in a way that is apparent to a layperson. The Processor shall not be obliged to seek legal advice in connection with the performance of this DPA and will not provide any such legal advice to the Controller.

3.3 If such notification is permissible, the Processor shall inform the Controller if it is obliged, under EU or Member State law, to process personal data contrary to or without the instructions of the Controller.

4. Confidentiality

4.1 The Processor shall ensure that any persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Data Security

5.1 The Processor takes all measures required under Article 32 GDPR. The Processor fulfills this obligation by implementing the measures set out in Exhibit 1.

5.2 The Processor shall inform the Controller of any Personal Data Breach, insofar as such breach concerns personal data processed by the Processor on behalf of the Controller and results in a risk to the rights and freedoms of natural persons. This information shall be provided without undue delay after the Processor becomes aware of such a breach.

5.3 The information provided to the Controller pursuant to Section 5.2 shall include the following, to the extent feasible under the circumstances:

a. the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b. the likely consequences of the Personal Data Breach; and

c. the measures taken or proposed to be taken by the Processor to address the Personal Data Breach.

6. Sub-Processing

6.1 The Controller hereby authorizes the Processor to engage the entities listed in Exhibit 2 as a sub-processor.

6.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors or sub-processors (hereinafter collectively “Sub-Processors”), thereby giving the Controller the opportunity to object to and prohibit such changes. If the Controller does not object within two weeks, the addition or replacement shall be deemed to have been approved.

6.3 If an objection is raised in accordance with Section 6.2, the Processor shall be entitled to terminate the Agreement as well as this DPA at any time, subject to giving two weeks’ prior notice.

6.4 Where the Processor engages another Sub-Processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-Processor by means of a contract. This contract shall in particular provide sufficient guarantees by the Sub-Processor to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable data protection law.

6.5 Subject to the limitations of liability set out in the Agreement, where a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the performance of that Sub-Processor’s obligations.

6.6 Notwithstanding Section 5, where

a. the Processor informs the Controller of the use of any Sub-Processors and includes or makes available upon request information on the contractual terms offered by such Sub-Processors, including the technical and organizational measures implemented by such Sub-Processors (“Sub-Processing Terms”), and

b. the Controller approves or is deemed to have approved such Sub-Processors pursuant to Sections 6.1 or 6.2 these Sub-Processing Terms shall be considered to be in full compliance with the terms of this DPA, including Sections 5 and 6.

7. Assistance

7.1 The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is feasible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under applicable data protection law.

7.2 The Processor may choose to fulfil its obligation under Section 7.1 by forwarding requests received from data subjects to the Controller.

7.3 Moreover, the Processor shall assist the Controller with ensuring compliance with the Controller’s obligations under applicable data protection law, including Articles 32 to 36 of the GDPR. The Processor shall do so by (i) taking the measures set forth in Section 4 (“Confidentiality”) and Section 5 (“Data Security”) of this DPA; (ii) notifying the Controller of a Personal Data Breach pursuant to Section 5.2; and (iii) providing the information set forth in Exhibit 1 of this DPA.

8. Return of Personal Data

8.1 The Controller acknowledges that the Processor will delete Personal Data prior to the end of the provision of the Processing Services as set out in the Terms. Should any Personal Data remain at the end of the provision of the Processing Services, the Controller hereby instructs the Processor to delete such Personal Data.

9. Audit

9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

9.2 The Processor shall allow for pre-notified inspections to be carried out during business hours by the Controller or an independent third party. Such inspections shall be carried out at reasonable intervals and in a manner that does not interfere with the business of the Processor. Costs arising from such audits shall be borne by the Controller. The Processor shall be entitled to reasonable remuneration for all services rendered in connection with its support of inspections.

9.3 The Processor may also fulfil its obligations under Section 9.2 by having an independent third party carry out an audit at least every three years and providing the summary audit report to the Controller. Moreover, as regards a particular Sub-Processor, the Processor may fulfill its obligations under Section 9.2 by exercising its audit rights as provided in the agreement concluded between the Processor and the Sub-Processor or providing the Controller with the audit reports received from the Sub-Processor.

Exhibit 1: Technical and Organizational Measures for the Protection of Personal Data

1) Preventive Security Measures – Measures to Prevent a Successful Attack

a) Technical measures

(i) Logical access control: Access rights are granted according to the “need-to-know” principle.

(ii) Authentication: Personal data is accessible only after successful authentication.

(iii) Password security: Passwords used for authentication consist of at least 8 characters, lower and upper case letters, numbers, and special characters. Passwords are stored encrypted only.

(iv) Encryption on the transmission path: Personal data is encrypted if transmitted over the Internet, at least to the extent sensitive data is concerned.

(v) Encryption at rest: Any Personal Data uploaded to the Service will be encrypted at rest.

(vi) Encryption of mobile devices: Mobile devices and mobile data carriers are encrypted, at least in case of sensitive data being stored on these devices.

vii) Network security: A firewall is used that separates the internal network from the Internet and – to the extent feasible – blocks incoming malicious network traffic.

(viii) Measures against malicious software: Anti-virus software is used on all PCs and laptops to the extent feasible. All incoming emails are automatically scanned for malicious software.

(ix) Management of security vulnerabilities: To the extent feasible, the automatic installation of security updates is activated on all devices. Otherwise, relevant security updates will be installed within a reasonable time.

b) Organizational measures

(i) Clear responsibilities: Internal responsibilities for data security issues are defined.

(ii) Confidentiality requirements of employees: Employees are obliged to maintain secrecy beyond the duration of their employment. Employees may only transfer personal data to third parties at the explicit instruction of a supervisor.

(iii) Training and information activities: Employees are trained on data security issues (internally or externally) and adequately informed about data security issues (such as password security).

(iv) Orderly termination of employment relationships: There is a process in place to deactivate all accounts within a reasonable time after the effectiveness of the termination of an employment relationship.

(v) Management of computer hardware: Records are kept of the distribution of end devices to specific employees (e.g., PC, laptop, mobile phone).

(vi) Input control: Control procedures are implemented to control the accuracy of personal data.

(vii) No duplicates of user accounts: Each person should have their own user account. The sharing of user accounts is prohibited.

(viii) Limited use of administrative accounts: User accounts with administrative rights are only used in exceptional cases. IT systems are normally used without administrative rights.

(ix) Selection of service providers: When selecting service providers, the data security level offered by the service provider is taken into account. Service providers that are considered a processor are only used after execution of a DPA.

(x) Secure data disposal: Paper documents containing personal data is generally shredded or handed over to an external service provider for secure destruction. Storage media are completely overwritten or physically destroyed or otherwise disposed of in a secure manner.

c) Physical measures

(i) Physical access control: Access to business premises where personal data is processed is only permitted for non-employees if accompanied by a company employee or after authorization by a company employee.

(ii) Measures against burglary: Access to business premises where personal data is processed is equipped with adequate burglary protection (e.g., with security doors).

(iii) Special protection of computer hardware: Access to premises where computer servers are located is protected by special security measures (for example, by additional locks and/or CCTV surveillance).

(iv) Key management: Keys that grant access to the premises or parts thereof are only provided to trustworthy individuals, and only to the extent and as long as these persons require a separate key.

2) Detective security measures – measures to detect an attack

a) Technical Measures

(i) Scans for malware: Scans for malware (anti-virus scans) are regularly performed to identify malicious software.

(ii) Automatic checks of log files: To the extent that security log files of several systems are collected on a centralized system, log files are automatically evaluated in order to detect possible security breaches.

(iii) Security mailing lists: An employees of the company or an external service provider is required to subscribe to relevant mailing lists for the announcement of new IT security threats (e.g., mailing lists of the manufacturers of the software used) to recognize current threat situations.

b) Organizational measures

(i) Employee security incident detection: All relevant employees are instructed on the detection and reporting of security breaches (e.g., lost computer hardware, anti-virus software alerts).

(ii) Reporting systems: There are technical procedures in place that enable employees to report anomalies and suspected security breaches of technical systems.

(iii) External persons: All employees are instructed to confront non-employees that are not accompanied by an employee should they be met on the premises in areas that are not open to visitors.

(iv) Audits: Audits and/or spot checks are performed regularly to identify potential weaknesses that could threaten the security of personal data.

(v) Checking of log files: Log files, if kept, are checked at regular intervals (e.g., with regard to unsuccessful authentication attempts).

c) Physical measures

(i) Fire alarms: To the extent appropriate with regard to the size and nature of the business facilities, fire alarms that are automatically triggered by smoke are installed.

(ii) Reactive security measures – response to an attack

d) Technical Measures

(i) Data backup: Data backups are created regularly and stored securely.

(ii) Data recovery concept: A concept for the rapid restoration of data backups has been developed in order to allow for the timely restoration of regular operation after a security breach.

(iii) Automatic removal of malware: The anti-virus software used automatically removes malware.

e) Organizational measures

(i) Reporting obligation for employees: All employees are instructed to immediately report security breaches.

(ii) Communication with external service providers: All service providers are provided with contact details to report security breaches.

(iii) Incident response process: A process has been defined to ensure adequate and timely response to security incidents. All employees have been instructed to follow that process.

f) Physical measures

(i) Fire extinguishers: There is a suitable number of fire extinguishers at the premises where personal data is processed. Employees have been made aware of the location of these fire extinguishers.

(ii) Fire alarm: In case that there is a fire detector that does not have an automatic connection to the fire department, an appropriate process ensures that the fire department can be contacted manually.

3) Deterrent security measures – measures to reduce attacker motivation

a) Technical Measures

(i) Automatic alerts: Users receive automatic alerts on risk-prone IT use (such as through the web browser if an encrypted web site does not use correct SSL / TLS certificates).

b) Organizational measures

(i) Sanctions in the case of attacks by own employees: All employees are or have been made aware that attacks on company-owned IT systems are not tolerated and that such attacks may result in serious consequences under employment law, including dismissal.

(ii) Logging of access: Any access to IT systems holding personal data is logged.

Exhibit 2: List of Sub-Processors

NameAddressContractual Terms
Amazon Web Services EMEA SARL38 Avenue John F. Kennedy, L-1855, Luxembourghttps://aws.amazon.com/agreement
Auth0®, Inc.10800 NE 8th Street, Suite 600, Bellevue, WA 98004, United Stateshttps://auth0.com/docs/compliance
Cloudflare, Inc.101 Townsend St, San Francisco, CA 94107, United Stateshttps://www.cloudflare.com/gdpr/introduction
Google Ireland LimitedGordon House, Barrow Street, Dublin 4, Irelandhttps://cloud.google.com/terms
HotJar LtdHotjar Ltd. Dragonara Business Centre. 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141https://hotjar.eu1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCD2mDe9uD-eIJ_NMJ6uyc7WXcZ7Ck3KLJRpHO4IuDfWAOtPeZXiFCOXpG4oF174H0*
Heap Inc.225 Bush St #200, San Francisco, CA 94104, USAhttps://assets.ctfassets.net/jicu8fwm4fvs/6AWQISW2unz8gv0mqnhGXj/2f230d661cb669f14c71e747c049d566/DPA-contracts_heapanalytics.com.pdf
Google LLC1600 Amphitheatre Parkway, Mountain View, California 94043, United Stateshttps://developers.google.com/terms
Mailgun Technologies, Inc.535 Mission St. – 14th Floor, San Francisco, CA 94105, United Stateshttps://www.mailgun.com/gdpr
Recurly, Inc.400 Alabama St., Suite 202, San Francisco, CA 94110, United Stateshttps://info.recurly.com/hubfs/legal/Recurly-EU-Personal-Data-Processing-Agreement.pdf
Stripe Payments Europe, Ltd.https://stripe.com/dpa/legal
Zendesk, Inc.1019 Market Street, San Francisco, CA 94103, United Stateshttps://www.zendesk.com/company/privacy-and-data-protection

Last Modified: 25 October 2022