Terms and Conditions

These terms and conditions apply to all offers, quotations, agreements and deliveries by CivAI, unless the parties have explicitly agreed otherwise in writing.

If the customer uses general terms and conditions, including public sector procurement terms, these only apply if CivAI has explicitly accepted them in writing.

In the event of a conflict between documents, the following order of precedence applies, with the higher-listed document prevailing over the lower-listed document:

• the agreement or order confirmation including special terms
• the Data Processing Agreement insofar as it concerns the processing of personal data
• any agreed SLA or support and security annex
• public sector procurement terms accepted in writing insofar as expressly agreed
• these terms and conditions

Deviations and supplementary arrangements are only binding if they are recorded in writing.

Quotations are non-binding and valid for the period stated in the quotation, or 30 days if no period is stated.

An agreement is formed upon written confirmation by CivAI, signature by the parties, or the actual commencement of the services at the customer's request.

Changes in scope, number of users, integrations, security requirements or delivery model are recorded in writing. CivAI may apply additional costs and an adjusted schedule for these.

CivAI grants the customer a non-exclusive, non-transferable right to use the services for the customer's internal purposes for the duration of the agreement.

The customer is responsible for managing accounts, roles and authorisations within its own organisation. The customer ensures appropriate security of access credentials and uses MFA or SSO where available.

It is not permitted to use the services for:

• unlawful, discriminatory or misleading purposes
• uploading or distributing malware, harmful content or carrying out attacks on systems
• processing special categories of personal data, criminal data or BSN (Dutch citizen service number) without explicit written agreement and appropriate safeguards
• automated decision-making with legal or similarly significant effects without human review
• reverse engineering, circumventing security measures or copying functionality in violation of the law

In case of serious or repeated misuse, CivAI may restrict or suspend access. Where the customer is a public sector customer, CivAI takes reasonable continuity and exit arrangements into account.

For project-based delivery such as custom integrations, migrations or configurations, the acceptance arrangements set out in the quotation or project annex apply. Failing that, an acceptance period of 10 working days after delivery applies. Within this period, the customer notifies in writing which defects prevent acceptance. If timely rejection does not occur, the deliverable is deemed accepted.

CivAI strives for high availability of the SaaS services. Specific availability percentages, response times, escalation and any service credits are recorded in an SLA where agreed.

Scheduled maintenance is announced in advance where possible. Emergency maintenance or security patches may be carried out without prior notice if necessary for security and stability.

Support is provided through agreed channels and on the basis of the agreed support hours.

CivAI takes appropriate technical and organisational measures in accordance with Article 32 of the AVG (GDPR) and the state of the art. CivAI organises its security on a risk-driven basis and aligns where appropriate with common standards such as ISO 27001 and relevant government frameworks such as BIO 2.0.

On request, CivAI may provide a security pack with a description of measures, processes, audit reports or summaries of independent assessments insofar as available.

Where the customer reasonably requires this and insofar as legally permitted, CivAI ensures that staff with structural access to production environments or customer data can submit a Certificate of Good Conduct (VOG).

The parties comply with applicable anti-bribery and anti-corruption legislation. CivAI may issue reasonable integrity statements in tender procedures.

Insofar as CivAI processes personal data on behalf of the customer, CivAI acts as processor and the customer as controller. The parties cause a Data Processing Agreement to apply to that processing.

CivAI does not use customer content for training public or generic AI models, unless the parties expressly agree otherwise in writing.

CivAI maintains an up-to-date list of sub-processors and notifies changes in accordance with the Data Processing Agreement.

If the customer falls under the Dutch Open Government Act (Woo) or comparable rules, the customer may be required to make information public.

The customer informs CivAI in good time, where possible, of any intended disclosure that affects CivAI. Within a reasonable period, CivAI may indicate, with reasons, which information it considers to constitute company or manufacturing data or confidential security information.

The customer is responsible for archiving and compliance with archiving legislation. CivAI facilitates the export of data and relevant log files in common formats in accordance with the agreement and any exit arrangements.

All intellectual property rights in the software, models, documentation and methods developed by CivAI rest with CivAI or its licensors.

The customer retains ownership of the content provided by or on behalf of the customer.

Output that is generated based on the customer's content is considered the customer's content. The customer is responsible for the use of output and for compliance with third-party rights in both input and output.

The customer ensures appropriate human review before output is used for communication, decision-making or actions that may affect data subjects.

CivAI will comply with the obligations under the AI Act applicable to CivAI insofar as and from the moment those obligations apply. On request, CivAI shall reasonably make available to the customer information needed for the customer's compliance, insofar as that information is within CivAI's control.

The customer remains responsible for the intended use of the services, internal governance, user instructions, transparency towards data subjects where required, and taking appropriate measures where the use of the services may qualify as high-risk under the AI Act.

If the customer uses the services in a context that may qualify as high-risk under the AI Act, the parties make additional written arrangements. Where appropriate, alignment may be sought with the AI module of the model agreement ARBIT 2022 or a comparable framework.

The parties shall keep confidential information confidential and use it solely for the performance of the agreement. This obligation remains in force for as long as the information has a confidential nature.

Rates, invoicing moments and any pricing models follow from the agreement.

The payment term is 30 days unless otherwise agreed.

CivAI may apply annual indexation based on the consumer price index of the Dutch CBS (Statistics Netherlands) or a comparable index, with 30 days' notice.

CivAI is not liable for indirect damages such as consequential damages, lost profits or reputational damage.

CivAI's total liability for direct damages is limited to twice the amount that the customer paid to CivAI in the 12 months prior to the event causing the damage, excluding VAT. If the customer has been a customer for less than 12 months, liability is limited to the amount paid during that period.

The limitations of liability do not apply in the case of intent or wilful recklessness on the part of CivAI, nor for liability that cannot be excluded by law, such as death or personal injury.

CivAI maintains appropriate business liability insurance and, where relevant, professional liability insurance. Upon request, CivAI provides proof of insurance.

Neither party is required to perform if it is prevented from doing so by force majeure. Force majeure includes failures at suppliers, network outages, cyber incidents, government measures, pandemics, war or terrorism.

The term and termination options follow from the agreement.

In the event of an attributable failure on the part of the customer, CivAI may suspend the services after prior notice of default, unless urgency prevents this.

After termination, CivAI facilitates data export and deletes customer data in accordance with the agreement and the Data Processing Agreement.

On request, CivAI cooperates with reasonable exit or migration support at agreed rates. Where applicable, the parties align with regulations on data portability and switching of cloud services.

CivAI may change these terms in the event of changed legislation, product development or security reasons. Changes are announced at least 30 days in advance. If a change is materially disadvantageous to the customer, the customer may terminate the agreement as of the effective date of the change.

Dutch law applies to the agreement. Disputes are submitted to the competent court in The Hague, unless the parties agree in writing to mediation or arbitration.