General terms and conditions for Aleph Alpha’s AI-as-a-service offering
Aleph Alpha GmbH
Grenzhöfer Weg 36
11. July 2023
§ 1 Subject matter of this document
This page includes the general terms and conditions that govern Aleph Alpha’s non-binding offer of Services on its Website (“Terms & Conditions”). Customer accepts these Terms & Conditions by registering on the Website and ordering the Services online, that reference these Terms & Conditions, which then creates an offer to Aleph Alpha. If the individual accepting these Terms & Conditions is acting on behalf of a company or other legal entity, such individual represents that they have the authority to bind such entity to these Terms & Conditions, in which case the term “Customer” shall refer to such legal entity. Aleph Alpha accepts Customer’s offer by granting access to the Services as described in these Terms & Conditions. Aleph Alpha reserves the right to reject a Customer’s offer or to cancel the confirmation sent or withdraw the access granted to Customer, if the contracting requirement in Secion 2 below is not fully met by Customer.
§ 2 Important precondition for the conclusion of the Order
- Customer ordering the Services needs to be a business customer, which means a natural or legal person who, when concluding the Order, acts solely in exercise of its trade, business or profession. Meeting these requirements is a precondition for the conclusion of the Order between Customer and Aleph Alpha.
- Customer confirms that it has obtained the information available under https://docs.aleph-alpha.com/ and that, in Customer’s view, this constitutes technical documentation and intelligible instructions for use of the Services.
- If Customer uses the Services to process Personal Data, the terms of the Data Processing Addendum available below are hereby incorporated by reference into these Terms & Conditions. Upon request to firstname.lastname@example.org Customer will receive a signed version of the Data Processing Addendum if needed.
§ 3 Provision of the Services
- Aleph Alpha will provide to Customer access to the Services and a right to use as described in these Terms & Conditions. Customer agrees that Aleph Alpha shall have the right to use Affiliates and subcontractors in order to provide Customer with the Services, provided that Aleph Alpha will remain responsible for the acts and omissions of such entities as if they were its own.
- Aleph Alpha has the right, but is not obliged, to temporarily or permanently suspend or block Customer’s access to the Services if and to the extent that Customer infringes these Terms & Conditions.
- Aleph Alpha will maintain appropriate operational safeguards for the protection of the security, confidentiality and integrity of Customer Data during the Term.
- Services are provided on an “as is” basis. This means that the Services are provided without any warranties or guarantees, express or implied. Aleph Alpha does not make any representations or warranties regarding the quality, functionality, accuracy, usability, or reliability of the Services. The use of the Services is at Customer’s own operational risk. Customer is solely responsible for the selection, use, and results obtained from the Services. Customer is solely responsible for ensuring that its use of the Services complies with all Laws, including any specific national or sectoral regulatory requirements applicable to Customer.
- Services are not a knowledge base, research tool or reference work. The Output of the Services is a mathematical calculation of probabilities in the sense of the model, which is significantly based on the training data. Customer understands and accepts that, given the probabilistic nature of machine learning, use of the Services in some situations may produce erroneous results that do not accurately reflect real people, places, facts, or the desired Output. Customer therefore has the sole responsibility to evaluate the suitability of the Output on a case-by-case basis, in particular by human verification of the results of the Output. Customer furthermore understands and acknowledges that artificial intelligence and machine learning are research and technology areas that are rapidly evolving.
- It cannot be ensured that Output is unique compared to (i) the Output of other customers and (ii) already existing works. Customer must therefore ensure that a sufficient distance to already existing works is maintained when reusing the Output.
- SLA and Support
1. Aleph Alpha will provide the Services in accordance with an availability of 99 % on an annual average, measured at the output point of the Aleph Alpha or third party data center. Emergency maintenances are exempted from this availability as well as any unavailability caused by circumstances beyond Aleph Alpha’s reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, epidemic, pandemic (e.g. Covid-19), act of terror, strike or other labor problem (other than one involving Aleph Alpha’s own employees), internet service provider failure or delay, cybersecurity or denial of service attacks which are not in Aleph Alpha’s responsibility.
2. If Customer becomes aware of an outage, malfunction or degradation of the availability of the Services, Customer shall promptly inform Aleph Alpha and describe the symptoms of the issue in a detailed and reproducible manner, by sending an email to email@example.com. Customer grants Aleph Alpha an irrevocable, exclusive, sub-licensable right, unlimited in terms of content, time and place, to use, anonymise and analyse feedback of Customer regarding the Services. Aleph Alpha shall treat this feedback as Confidential Information unless it has been anonymised.
Aleph Alpha tries to analyse and rectify such faults during its normal business hours, 9:00 through 17:00 CET on working days in the State of Baden-Württemberg, Germany.
- Aleph Alpha reserves the right to modify the Services, provided that (a) such modification shall not result in a material decrease of the overall functionality of the Services, (b) such modification is necessary for Aleph Alpha to comply with changes in the Laws or a court decision, or (c) such modification is necessary in order to eliminate a software vulnerability. In addition and beyond the aforementioned cases, Aleph Alpha shall have a right to modify the Services, if it announces such material modification to Customer no later than six weeks prior to such modification taking effect. If Customer does not object to such modification within a period of two weeks from the receipt of Aleph Alpha’s notification, the change becomes part of Services. If Customer objects to such modifications Aleph Alpha shall have the right to terminate the affected Services with two weeks prior notice to Customer.
§ 4 Customer’s Rights and Use Restrictions
- Customer’s Rights to Access and Use the Services. During the Term and subject to these Terms & Conditions, Aleph Alpha grants Customer a simple, non-exclusive, non-transferable right to access and to use the Services for Customer’s and Customer’s Affiliates’ internal business purposes. Customer will comply with any Laws applying to the Output, for example any labeling obligation. Customer may provide Users with the access credentials to access and use the Services. Customer is responsible for all actions taken by Users or by anyone using the credentials to access the Services administered by Customer. As the Services are provided like a Software-as-a-Service basis, Customer will not receive any hardware or physical or digital copies of the Services or the underlying object or source code for them.
- Customer’s Rights to Input. Aleph Alpha will not use Input to improve the Services or further train own or third-parties’ GPT Models or other artificial intelligence technology.
- Technical System Requirements.
If technical system requirements by the Customer are necessary to enjoy the Services, Aleph Alpha shall inform Customer of such requirements in an appropriate manner, for example by including these on the Website. Customer is solely responsible for meeting the technical system requirements.
- Customer’s Responsibilities.
Customer will (a) be responsible for Customer’s Users’ compliance with these Terms & Conditions, (b) be responsible for the accuracy, quality and legality of Customer Data and Customer’s use of Customer Data with the Services, (c) keep any keys and access secrets, user names and passwords as well as other access data secret, will not pass them on to unauthorized third parties, will protect them from access by third parties by taking suitable measures in accordance with current requirements and use commercially reasonable efforts to prevent unauthorized access to or use of the Services and notify Aleph Alpha promptly of any unauthorized access or use, (d) use the Services only in accordance with these Terms & Conditions and the Laws, (e) be responsible for Customer’s internet connection to access the Services, and (f) comprehensively monitor any Input before being transferred to Aleph Alpha and to immediately stop usage of the Services and inform Aleph Alpha in the event of a violation of the provisions in these Terms & Conditions. Any use of the Services in breach of the foregoing by Customer or Customer’s Users, that in Aleph Alpha’s judgment threatens the security, integrity, or availability of the Services, may result in an immediate suspension of the Services, however Aleph Alpha will use commercially reasonable efforts under the circumstances to provide Customer with notice and an opportunity to remedy such violation or threat prior to such suspension.
- Usage Limits. The Services are subject to the usage limits specified on the Website or in the Order in terms of Input and payment credits allowing the use of tokens and similar.
- Usage Restrictions. Customer shall not (a) make any of the Services available to anyone other than Customer’s company or Users, or use any of the Services for the benefit of anyone other than Customer or Customer’s Affiliates, (b) sell, resell, license, sublicense, distribute, rent or lease any Service or include any Services in a service bureau or outsourcing offering, (c) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third party intellectual or privacy rights, (d) use the Services to generate Malicious Code, (e) interfere with or disrupt the integrity or performance of the Services, (f) attempt to gain unauthorized access to the Services or its related systems or networks, (g) permit direct or indirect access to or use of the Services in a way that circumvents a contractual usage limit, or use the Services to access, copy or use any of Aleph Alpha’s intellectual property except as permitted under these Terms & Conditions, (h) modify, copy, reproduce or create derivative works of the Services or any part, feature, function or user interface thereof, (i) frame or mirror any part of the Services, other than framing on Customer’s own intranets or otherwise for Customer’s own internal business purposes or as permitted by Aleph Alpha, (j) except to the extent permitted by the Laws, disassemble, reverse engineer, or decompile the Services or access it to (1) build a competitive product or service, (2) build a product or service using similar ideas, features, functions or graphics of the Services, (3) copy any ideas, features, functions or graphics of the Services, or (4) determine whether the Services are within the scope of any patent, or (k) use the Services in violation of the Laws, including, without limitation, Export Control Laws and Laws regulating artificial intelligence.
- Further restrictions specific to the Services. Customer shall not (i) directly or indirectly use the Services and the generation of the Output to develop or train GPT Models or comparable artificial intelligence models, (for example in the form of training based on generated embeddings); (ii) except as permitted under these Terms & Conditions, use automated or programmatic methods other than API Requests to extract data or generate Output from the Services, including scraping, web harvesting or web data extraction; (iii) represent that the Output from the Services was generated by humans when it was not; or (iv) use or exploit the Services or the rights granted under these Terms & Conditions in any manner beyond these Terms & Conditions.
- Inacceptable Use of the Services by Customer. Customer shall not use the Services for illegal purposes, in particular Customer may not use the Services
1. to defame (including but not limited to libel and slander), abuse, harass, stalk, threaten or otherwise violate the rights of others (including but not limited to their general right of privacy);
2. to process, publish, distribute, or disseminate obscene, adult-oriented, pornographic or unlawful material or information to harm minors in any way;
3. to send or upload materials containing viruses, trojans, worms, cancelbots or other harmful programs and malware;
4. to upload materials that contain software or other copyrighted, trademarked, patented, personally owned or otherwise legally protected material to the extent that Customer does not have the necessary rights, licenses or consents;
5. to interfere with or disrupt the Services or the networks or servers connected to Aleph Alpha;
6. to interfere with the use or enjoyment of the Services;
7. to promote unlawful activities;
8. to pursue unlawful purposes; or
9. to promote content that has been indexed as harmful to young persons.
- License by Customer to Aleph Alpha. Customer grants Aleph Alpha and Aleph Alpha’s Affiliates and applicable subcontractors a worldwide, limited-term license to process and use Customer Data as necessary for Aleph Alpha to provide the Services to Customer in accordance with these Terms & Conditions. Subject to the limited license granted herein, Aleph Alpha acquires no right, title, or interest from Customer under these Terms & Conditions in or to any Customer Data. In addition, Customer grants Aleph Alpha and Aleph Alpha’s Affiliates a worldwide, perpetual, irrevocable, royalty-free license to use, distribute, disclose and make available and incorporate into the Services any suggestion, enhancement request, recommendation, correction, or other feedback provided by Customer or Customer’s Users relating to the operation of the Services.
§ 5 Fees and Payment (only applicable if Fees are agreed)
- Fees. The applicable fees (“Fees”) are indicated in the Order or on the Website including the currency. Unless otherwise stated there, all Fees shall be payable in Euro. The applicable value added or sales tax is shown prior to the Order, provided that Customer selected the correct country of Customer’s location or Customer’s company’s registered address.
- Payment. Customer agrees to pay the Fees in advance at Aleph Alpha’s choice a) at the time of Customer’s Order by purchasing credits for the use of tokes or similar, or b) no later than fourteen (14) days from the date of an invoice which will be sent electronically to the email address provided by Customer. If Customer is purchasing by credit card, then Customer a) authorizes Aleph Alpha or Aleph Alpha’s payment service provider to charge Customer’s credit card for all amounts due; and b) agrees to provide updated credit card information to Aleph Alpha as needed to pay the Fees or other amounts owed. Customer is responsible a) for providing complete and accurate billing and contact information to Aleph Alpha, and b) for notifying Aleph Alpha of any changes to such information. Unless otherwise stated on the Order, Customer agrees to pay by bank transfer to Aleph Alpha’s bank account stated on the invoice.
- Taxes. Aleph Alpha will invoice and charge Customer the applicable value added tax together with the Fees. Customer is responsible for paying all Taxes associated with its Order. If Aleph Alpha has the legal obligation to pay or collect Taxes for which Customer is responsible under this Section, Aleph Alpha will invoice Customer and Customer will pay that amount unless Customer provides Aleph Alpha with a valid tax exemption certificate authorized by the appropriate taxing authority. If Customer is required to withhold or deduct any Taxes from the Fees or expenses, then Customer agrees to increase the amount payable to Aleph Alpha by the amount of such Taxes so that Aleph Alpha receives the full amount of all Fees. All Fees, expenses and other amounts paid under these Terms & Conditions are non-refundable unless otherwise agreed in the Terms & Conditions.
- Overdue Charges. Any undisputed Fees that are not paid within the aforementioned payment terms are subject to late payment fees including the applicable legal interest rate for late payment and any reasonable collection cost.
- Suspension of Services. If Customer doesn’t pay undisputed Fees to Aleph Alpha within the agreed payment term, Aleph Alpha may, without limiting its other rights and remedies, suspend the Services until such amounts are paid in full, provided that, except for payments by credit card, Aleph Alpha will give Customer at least 10 days’ prior notice that Customer’s payment is overdue before suspending the Services to Customer.
§ 6 Confidential Information
- Both Parties may exchange Confidential Information during the Term. The Receiving Party (a) will not disclose Confidential Information of the Disclosing Party to any third party unless the Disclosing Party approves the disclosure in writing or the disclosure is otherwise permitted under this Section; (b) will use the same degree of care to protect Confidential Information of the Disclosing Party as it uses to protect its own Confidential Information of similar nature, but in no event less than reasonable care; and (c) may disclose Confidential Information of the Disclosing Party only to its employees, Affiliates and contractors with a need to know, and to its accountants, auditors and legal counsel, in each case, who are under a written obligation or other professional obligation to keep such information confidential using standards of confidentiality no less restrictive than those required by this Section. This obligation shall continue for a period of three years after the termination of these Terms & Conditions. Upon written request of the Disclosing Party, the Receiving Party will promptly return or destroy all Confidential Information, except for Confidential Information stored in routine back-up media not accessible during the ordinary course of business.
- Information is in any case not considered Confidential Information, if (a) the information is or becomes publicly available other than as a result of the Receiving Party’s breach of this Agreement; (b) the Receiving Party, at the time of disclosure, knows or possesses the information without obligation of confidentiality or thereafter obtains the information from a third party not under an obligation of confidentiality; (c) the Receiving Party independently develops the information without use of the Disclosing Party’s Confidential Information; or (d) the information is generally known, is or later becomes publicly available without breach of these Terms & Conditions or is easily developed by someone with ordinary skills in the business of the Receiving Party without use of the Confidential Information.
- The Receiving Party may disclose Confidential Information if it is required to do so by Laws or court order but, where legally permissible and feasible, will provide advance notice to the Disclosing Party to enable the Disclosing Party to seek a protective order or other similar protection.
§ 7 Mutual Indemnification for Third Party Claims
- Indemnification by Aleph Alpha. a) Aleph Alpha will defend Customer against any claim, suit or proceeding made or brought against Customer by a third party alleging that the Services infringe such third party’s valid EU patent, copyright or trademark (a “Claim Against Customer”), provided that Customer: (i) promptly gives Aleph Alpha written notice of the Claim Against Customer, (ii) gives Aleph Alpha sole control of the defense and settlement of the Claim Against Customer, and (iii) gives Aleph Alpha all reasonable assistance, at Aleph Alpha’s expense. b) If Aleph Alpha receives information about an infringement or misappropriation claim related to the Services, Aleph Alpha may in its sole discretion and at no cost to Customer (i) modify the Services so that they are no longer claimed to infringe or misappropriate, (ii) obtain a license for Customer’s continued use of the Services in accordance with these Terms & Conditions, or (iii) if the aforementioned options (i) and (ii) are not commercially reasonably available, terminate the Services upon 30 days’ written notice and refund Customer any prepaid fees covering the remainder of the Term of the terminated Services. c) The above defense and indemnification obligations do not apply if (i) the allegation does not specifically state that the Services are the basis of the Claim Against Customer; (ii) a Claim Against Customer arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Aleph Alpha, if the Services or use thereof would not infringe without such combination; (iii) a Claim Against Customer arises from Services which Customer receive for free with no charge; or (iv) a Claim Against Customer arises from Customer Data, a third party application or Customer’s breach of these Terms & Conditions or other provisions agreed between Customer and Aleph Alpha.
- Indemnification by Customer. a) Customer will defend Aleph Alpha against any claim, suit or proceeding made or brought against Aleph Alpha by a third party arising from (i) Customer’s use of the Services in an unlawful manner or in violation of these Terms & Conditions or other provisions agreed between Customer and Aleph Alpha, (ii) any Customer Data or Customer’s use of Customer Data with the Services, or (iii) a third party application provided by Customer (each a “Claim Against Aleph Alpha”). Customer will indemnify Aleph Alpha from any damages, attorney fees and costs finally awarded against Aleph Alpha as a result of such Claim Against Aleph alpha, or for any amounts paid by Aleph Alpha under a settlement of such Claim Against Aleph Alpha approved by Customer in writing, provided that Aleph Alpha: (I) promptly gives Customer written notice of the Claim Against Aleph Alpha, (II) gives Customer sole control of the defense and settlement of the Claim Against Aleph Alpha, and (III) gives Customer all reasonable assistance, at Customer’s expense. The above defense and indemnification obligations do not apply if a Claim Against Aleph Alpha arises from Aleph Alpha’s breach of these Terms & Conditions or other provisions agreed between Customer and Aleph Alpha.
- Exclusive Remedy. This Section states the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against the other Party for any third party claim described in this Section.
§ 8 Limitation of Liability
- Unlimited Liability. The Parties will be mutually liable for damages without limitation:
1. resulting from intentional or gross negligence misconduct of the Parties, its legal representatives or vicarious agents,
2. resulting from a breach of a guarantee taken over by the respective Party,
3. resulting from a defect that is maliciously concealed,
4. resulting from an injury to life, body or health, and
5. according to the German Product Liability Act.
- Without prejudice to the above Unlimited Liability, the following applies:
1. Liability for Breach of Cardinal Duties. If cardinal duties are infringed due to slight negligence and if, as a consequence, the achievement of the objective of these Terms & Conditions is endangered, or in the case of a slightly negligent failure to comply with duties, the very discharge of which is an essential prerequisite for the proper performance of these Terms & Conditions, the Parties’ liability shall be limited to foreseeable damage typical for the contract. In all other respects, any liability for damage caused by slight negligence shall be excluded. The Parties agree that any damages or costs due to loss of profits, Customer Data, use or goodwill will be considered as damages that are not foreseeable within the meaning of this Section.
2. Liability Cap. Unless the Parties are liable in accordance with Section 8.1. above, in no event will the aggregate liability of each Party together with all of its Affiliates arising out of or in any way connected to these Terms & Conditions exceed the total amount of Fees paid by Customer under these Terms & Conditions in the twelve (12) months immediately preceding the first claim to arise under the Agreement (“Liability Cap”). The Liability Cap will not limit Customer’s payment obligations under Section 5 above.
3. Scope of the Liability. Except for liability in accordance with Section 8.1., the above limitations of liability will apply to all claims for damages, irrespective of the legal basis, including claims for tort damages. The above limitations of liability also apply in the case of claims for a Party’s damages against the respective other Party’s employees, vicarious agents or legal representatives.
4. Aleph Alpha’s Liability for free Services. If Customer receives the Services for free without any Fees payable to Aleph Alpha, Aleph Alpha’s liability for slight negligence is excluded and Section 8.2.1. is therefore not applicable. In addition, the Liability Cap stated in Section 8.2.2. shall amount to one thousand (1.000,00) Euro.
- Statute of Limitations. Claims for damages and indemnification on part of the Customer arising out of or in connection with these Terms & Conditions shall become time-barred within one year after the beginning of the regular limitation period.
§ 9 Term and Termination
- Term. These Terms & Conditions commence on the date on which Customer gets access to the Services online on the Website, where these Terms & Conditions are referenced. These Terms & Conditions remain effective either for the period of time stated on the Website or Order, or in case of absence of such information for an indefinite period of time unless terminated by either Party with a one (1) month prior notice to the other Party.
- Termination by Customer or Aleph Alpha. Each Party may terminate the Services at any time by sending a one (1) month prior notice to the other Party. In addition, each Party may terminate the Services immediately for cause, upon written notice: (i) if the other Party breaches any material provision of these Terms & Conditions and fails to cure such breach within a reasonable period of time (if such time limit is not dispensable based on the Laws) after written notice thereof by the non-breaching Party; or (ii) if the other Party terminates or suspends its business, becomes subject to any bankruptcy or insolvency proceeding that is not dismissed within sixty (60) days, or becomes insolvent or subject to direct control by a trustee, receiver, or similar authority.
- Effect of Termination or Expiration. Upon termination or expiration of these Terms & Conditions all of Customer’s rights documented in these Terms & Conditions and the provisioning of the Services by Aleph Alpha will terminate. However, Section 6 above covering confidentiality remains unaffected.
§ 10 General Terms
- Governing Law and Venue. These Terms & Conditions and any claim, controversy or dispute arising out of or related to these Terms & Conditions shall be governed by and construed in accordance with the laws of Germany without giving effect to any conflicts of law provision. The courts of Heidelberg, Germany (Regional Court, Landgericht) shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms & Conditions (including any non-contractual disputes or claims). To the extent permissible, the United Nations Convention on Contracts for the International Sale of Goods will not apply.
- Anti-Corruption. Both Parties shall comply with the applicable anti-corruption regulations.
- Export. The Services may not be used by a Customer or any Users based in any U.S. or EU embargoed country. Customer and Aleph Alpha each represent that it is not on any U.S. or EU embargoed or denied-party list and will inform the other Party if it gets on such list, which will result in an immediate termination right for the other Party. Furthermore, both parties shall comply with the Export Control Laws. Aleph Alpha is not obliged to perform any obligation under these Terms & Conditions to the extent that the performance of such obligation would breach Export Control Laws or expose Aleph Alpha to any risk of enforcement action, punitive or restrictive measures, or other adverse action under Export Control Laws.
- Notices. All notices, consents, waivers and other communications required or permitted by these Terms & Conditions must be in English or German, in writing via mail or electronically via email.
- Relationship of the Parties. The Parties are independent contractors, and at no time will either Party be deemed to be the agent or employee of the other Party. No joint venture, partnership, agency, or other relationship will be created or implied between the Parties as a result of these Terms & Conditions. Except as expressly set forth in these Terms & Conditions, each Party will bear full and sole responsibility for its own expenses and costs of operation. Furthermore, neither Party will have the authority to, and will not purport to, enter into any contract on behalf of the other Party, or commit it to any obligation.
- Third Party Beneficiaries. There are no third party beneficiaries under these Terms & Conditions.
- Waiver. No failure or delay by either Party in exercising any right under these Terms & Conditions will constitute a waiver of that right.
- Severability. If any provision of these Terms & Conditions is held by a court of competent jurisdiction to be invalid or unenforceable, the provisions will be deemed null and void, and the remaining provisions of these Terms & Conditions will remain in effect.
- Assignment. Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other Party’s prior written consent (not to be unreasonably withheld); provided, however, either Party may assign its rights or obligations hereunder in its entirety, without the other Party’s consent to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets.
- Entire Agreement and Order of Precedence. These Terms & Conditions will constitute the exclusive terms and conditions with respect to the subject matter of the agreement between the Parties with regard to the Services, unless otherwise agreed. Customer acknowledges that in entering into these Terms & Conditions, Customer has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of Aleph Alpha in relation to the subject-matter of these Terms & Conditions at any time before its signature, other than those which are set out in these Terms & Conditions. The Parties agree that these Terms & Conditions may be agreed to online on the Website or executed by electronic signature. The Parties agree that any terms presented by Customer conflicting with these Terms & Conditions, for example Customer’s general procurement terms or similar, shall have no effect.
- Publicity. Aleph Alpha may reference Customer’s relationship with Aleph Alpha in the normal course of business, including but not limited to during earnings calls, conversations with investors, discussions with analysts, meetings with the press, customer briefings, general marketing activities and in regulatory filings.
§ 11 Definitions
“Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party, where “control” is the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
“Aleph Alpha” means Aleph Alpha GmbH, Grenzhöfer Weg 36, 69123 Heidelberg, Germany or the Aleph Alpha legal entity mentioned in the Order.
“API” means an application programming interface.
“API Request” means Customer’s access and use of the Services via the Aleph Alpha API as access between HTTP endpoints as specified on the Website.
“Claim Against Aleph Alpha” shall have the meaning as described in Section 7.2.
“Claim Against Customer” shall have the meaning as described in Section 7.1.
“Confidential Information” means any and all information disclosed by the Disclosing Party to the Receiving Party during the term in a manner clearly indicating its confidential nature or which, in the absence of such indication, would under the circumstances appear to a reasonable person to be confidential or proprietary. Such information shall include but not be limited to information relating to operations, plans, strategies, concepts, proposals, pricing, intentions, know-how, trade secrets, market information, copyright and other intellectual property rights (whether registered or not), software, market opportunities, strategies, details of customers and potential customers, details of competitors and potential competitors, business and/or financial affairs including any such information relating to, disclosed or provided by an employee or contractor of the parties as information, as well as information that forms a business secret based on Laws, such as the EU Trade Secrets Directive, (EU) 2016/943.
“Customer” means the Party using the Services for the benefit of its business.
“Customer Data” means electronic data and information submitted by Customer and Customer’s Users to the Services, excluding content from Aleph Alpha and third party applications.
“Data Processing Addendum” means the document available below that is hereby incorporated by reference into these Terms & Conditions.
“Disclosing Party” means Customer or Aleph Alpha disclosing Confidential Information to the other Party under these Terms & Conditions.
“Export Control Laws” means export and import control regulations and sanctions laws, including but not limited to the laws and regulations of the Federal Republic of Germany, the European Union, the United Kingdom and the United States of America, to the extent applicable to the provision and use of the Services
“Fees” means the fees for the Services, if any, as stated on the Website or Order. Aleph Alpha is entitled to increase the fees for the Services from time to time.
“GPT Models” mean General Pre-trained Transformer Models based on artificial intelligence technology.
“Input” means any data submitted by Customer within the use of the Services (e.g. as a prompt).
“Laws” means any applicable law, rule, decision, order, regulation, judgment, and requirement of any government authority having jurisdiction over the parties or Services.
“Liability Cap” shall have the meaning as described in Section 8.3.
“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and trojan horses.
“Order” means Customer’s online purchase, order confirmation by Aleph Alpha or other ordering document for the Services to be provided hereunder that is agreed between Customer and Aleph Alpha.
“Output” means the data transferred by the Services to Customer based on Customer’s Input.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Receiving Party” means Customer or Aleph Alpha receiving Confidential Information from the other Party under these Terms & Conditions.
“Services” means the artificial intelligence as a service offering by Aleph Alpha hosted by Aleph Alpha or third parties, by using a large language model, that is accessible as a web-based service on the Website via the internet and as further described in any service description available on the Website.
“Taxes” means any form of taxation of whatever nature and by whatever authority imposed, for example value added tax, sales tax or withholding tax, exclusive of any Taxes based on the net income of the receiving Party.
“Term” means the term stated on Customer’s Order.
“Terms & Conditions” means these general terms and conditions forming the agreement between Customer and Aleph Alpha.
“Users” means a natural person who is authorized by Customer in compliance with these Terms & Conditions to access the Services either on the Website or via API Requests, for example Customer’s or Customer’s Affiliate’s employees, consultants, subcontractors, agents, and business partners who are directly involved in the utilization of the Services.
“Website” means https://www.aleph-alpha.com and its subpages.
Data Processing Addendum
Agreement on commissioned processing pursuant to Art. 28 paragraph 3 DS-GVO between Customer and Aleph Alpha (“Data Processing Addendum”, or “DPA”)
§ 1 Scope of application
This DPA shall apply to all processing operations pursuant to Art. 4 No. 2 of the GDPR in which the Aleph Alpha processes personal data within the meaning of Art. 4 No. 1 of the GDPR. In the following, the term data is used synonymously for personal data. Customer is the data controller pursuant to Art. 4 No. 7 DS-GVO, and Aleph Alpha the data processor pursuant to Art. 4 No. 8. The data that Customer may enter into Aleph Alpha’s systems is governed by the General Terms and Conditions for Aleph Alpha’s AI as a Service offering, as amended from time to time (hereinafter the “Main Agreement”).
§ 2 Subject and duration of the order
- The subject of the Data Processing Addendum is the provision of language models and API services by Aleph Alpha and the use thereof by Customer.
- The term of this DPA corresponds to the term of the Main Agreement.
- The DPA shall apply, without prejudice to the preceding paragraph, for as long as Aleph Alpha processes personal data of the Customer (including backups).
- Customer may terminate the Main Agreement in whole or in part without notice period if Aleph Alpha fails to comply with its obligations under this DPA, violates provisions of the GDPR or other applicable data protection regulations intentionally or with gross negligence, or is unable or unwilling to carry out an instruction of the Customer, or if Aleph Alpha opposes the control rights of the Customer in a manner contrary to the DPA. In particular, non-compliance with the obligations agreed in this DPA and derived from Art. 28 DS-GVO constitutes a material breach.
§ 3 Concretization of the content of the DPA
- The nature and purpose of the intended processing of personal data are set forth in the Main Agreement.
- The subject of processing by Aleph Alpha are the following categories of data subjects with the associated types of personal data: Checking of texts and generation of text variants based on entered data of customers, employees, interested parties and other data subjects on the part of the Customer. The specific categories of data subjects and categories of personal data depend exclusively on the intended use of the language models and API services by Aleph Alpha. In the case of use of the language models and API services by employees of the Customer, their business e-mail address and IP address are processed to enable access and administration.
- The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the DPA in the European Economic Area. Any relocation to a third country requires the prior and documented instruction by the Customer and may only happen if the special requirements of Art. 44 et seq. in Chapter V of the GDPR are met (e.g. adequacy decision, appropriate safeguards such as standard data protection clauses or Binding Corporate Rules).
§ 4 Responsibility and authority to issue instructions
- Aleph Alpha may collect, process or use data exclusively within the scope of the Main Agreement and in accordance with the documented instructions of Customer, unless it is obliged to process data under the law of the Member State or under Union law. Customer shall confirm verbal instructions without delay (at least in text form). The initial instructions of the Customer shall be determined by this DPA.
- Customer shall be entitled to issue instructions at any time. This includes instructions with regard to the release, correction, deletion and blocking of data. Aleph Alpha shall inform Customer immediately if it is of the opinion that an instruction violates data protection regulations. Aleph Alpha shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the person responsible at the Customer. Aleph Alpha may refuse to carry out an instruction that is obviously unlawful. All instructions issued shall be documented by both, the Customer and Aleph Alpha and shall be kept for the duration of their validity and subsequently for three further calendar years.
- Changes to the object of processing with process changes shall be jointly agreed and documented in writing. Aleph Alpha may only provide information to third parties or a data subject with the prior written consent of the Customer. If a data subject contacts Aleph Alpha directly for information, Aleph Alpha shall forward this request to the Customer without delay.
- Aleph Alpha shall not use the data for any other purposes and shall in particular not be entitled to pass data on to third parties. Copies and duplicates shall not be made without the knowledge of the Customer. Aleph Alpha may not correct, delete or restrict the processing of the data processed under the order on its own authority, but only in accordance with documented instructions from the Customer. Insofar as a data subject contacts Aleph Alpha directly in this regard or with regard to further rights pursuant to Chapter 3 of the GDPR, Aleph Alpha shall forward this request to the Customer without delay.
- To the extent covered by the scope of services, the rights of data subjects to information, correction, restriction of processing, deletion and data portability shall be ensured directly by Aleph Alpha in accordance with documented instructions from the Customer.
- Aleph Alpha shall provide the Customer, at the Customer’s request, with information for inclusion in the processing directory to be maintained by Customer pursuant to Article 30 of the GDPR.
- Insofar as the data is processed in private residences (teleworking or working from home by employees of Aleph Alpha), the measures pursuant to Article 32 of the GDPR must also be ensured in this case.
§ 5 Further obligations of Aleph Alpha
- In addition to the contractual provisions of this DPA and those of the Main Agreement, Aleph Alpha shall be subject to the following further obligations.
- Aleph Alpha shall ensure that the employees involved in the processing of the Customer’s personal data maintain the confidentiality of the data in accordance with Articles 28 paragraph 3, 29, 32 DS-GVO and that they are correspondingly obligated to maintain data secrecy and have previously been familiarized with the data protection provisions relevant to them. This also includes the instruction about the instruction and purpose limitation existing in this order processing relationship.
- Aleph Alpha shall ensure an adequate level of protection through technical and organizational measures, that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a possible breach of rights due to security breaches and allow for immediate detection of relevant breach events.
- If Aleph Alpha is obliged to appoint a data protection officer in accordance with the applicable regulations, it shall provide the Customer with the contact details of the data protection officer for the purpose of direct contact.
- Aleph Alpha shall inform the Customer without undue delay of inspections and measures by the supervisory authorities or, if a supervisory authority is investigating Aleph Alpha for violations of data protection provisions, insofar as they are or could be related to this commissioned processing.
- Insofar as the Customer is exposed to an inspection by the supervisory authority, administrative offense or criminal proceedings, the liability claim of a data subject or a third party, another claim or a request for information in connection with the data processing by Aleph Alpha, Aleph Alpha shall support the Customer to the best of its ability.
- Aleph Alpha shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
- Aleph Alpha shall immediately report any breaches of the protection of personal data to the Customer in such a way that the Customer can fulfill its legal obligations, in particular pursuant to Art. 33, 34 of the GDPR. He shall prepare documentation on the entire process, which he shall make available to the Customer for further measures.
- Aleph Alpha shall be obligated to support the Customer within the scope of its duty to inform the data subjects and to provide the Customer with all relevant information without undue delay in this context.
- Insofar as the Customer is obliged to carry out a data protection impact assessment, Aleph Alpha shall support it, taking into account the type of processing and the information available to it. The same shall apply to any existing obligation to consult the competent data protection supervisory authority.
- This DPA does not release Aleph Alpha from compliance with other requirements of the GDPR.
§ 6 Technical-organizational measures and their control
- Aleph Alpha shall take all necessary technical-organizational measures in its area of responsibility pursuant to Art. 32 GDPR to protect personal data and shall provide the Customer with the documentation for review, see Annex “Technical-organizational measures“. If accepted by the Customer, the documented measures shall become the basis of the DPA. If the review or an audit by the Customer reveals a need for adaptation, this shall be implemented by mutual agreement.
- Technical and organizational measures are subject to technical progress. In this respect, Aleph Alpha shall be permitted to implement alternative adequate measures in the future. In doing so, the security level of the measures specified in the Annex “Technical-organizational measures” must not be undercut. Significant changes shall be documented.
- Upon request, Aleph Alpha shall provide the Customer with the information required to comply with its obligation to control the order processing and shall make the relevant evidence available. Due to the Customer’s control obligation before the start of the data processing and during the term of the order processing, Aleph Alpha shall ensure that the Customer can assure the compliance with the technical and organizational measures taken. For this purpose, Aleph Alpha shall provide the Customer with evidence of the implementation of the technical and organizational measures upon request.
- Evidence of the implementation of the technical-organizational measures for compliance with the specific requirements of data protection in general as well as those relating to the Order may be provided by compliance with approved codes of conduct pursuant to Art. 40 GDPR; certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR; current test certificates, reports or report extracts from independent bodies (e.g. auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors); suitable certification by IT security or data protection audit (e.g. according to “BSI-Grundschutz” or ISO 27001).
- Customer shall have the right to carry out inspections in consultation with Aleph Alpha or to have them carried out by inspectors to be named in individual cases. Customer shall have the right to satisfy itself of Aleph Alpha’s compliance with this DPA in its business operations during normal business hours by means of spot checks, which must generally be notified in advance.
- Customer may inspect the adequacy of the measures for compliance with the technical and organizational requirements pursuant to the GDPR at Aleph Alpha’s premises at any time during normal business hours without disrupting the business operations. As a rule, however, the Customer will take Aleph Alpha’s operating procedures into account and announce inspections well in advance.
§ 7 Deletion and return of data
- Copies or duplicates of the data shall not be made without the knowledge of the Customer. Excluded from this are security copies, insofar as they are necessary to ensure proper data processing, as well as data required with regard to compliance with statutory retention obligations.
- Data carriers and data records provided shall remain the property of the Customer. If the property or the personal data of the Customer to be processed at Aleph Alpha should be endangered by measures of third parties (such as by seizure or attachment), by insolvency or composition proceedings or by other events, Aleph Alpha shall notify the Customer without undue delay. A right of retention is excluded.
- After completion of the contractually agreed work or earlier upon request by the Customer, but at the latest upon termination of the Main Agreement, Aleph Alpha shall hand over to the Customer or, after prior consent, destroy in accordance with data protection law, all documents, processing and utilization results created and data files related to the data processing relationship that have come into its possession. The same shall apply to test and scrap material. The protocol of the deletion shall be submitted upon request.
§ 8 Subcontractor
- Orders may only be placed with subcontractors as sub-processors by Aleph Alpha with the prior express written consent of the Customer. Services which Aleph Alpha uses from third parties as an ancillary service to support the execution of the data processing, for example telecommunications services and maintenance, shall not be deemed to be services provided by subcontractors within the meaning of this provision (on the other hand, maintenance and testing services for IT systems which are related to a service provided by Aleph Alpha under this DPA shall not be deemed to be an ancillary service but shall be deemed to be an order placed with a subcontractor). However, Aleph Alpha shall be obligated to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Customer’s data, even in the case of externally contracted ancillary services.
- If subcontractors are engaged as sub-processors by Aleph Alpha, Aleph Alpha shall ensure that its contractual agreements with the subcontractor are designed in such a way that the level of data protection at least corresponds to the agreement between the Customer and Aleph Alpha and that all statutory and contractual obligations are observed and the responsibilities are clearly delineated. The contract with the subcontractor must be in writing, which may also be in an electronic format (Art. 28 paragraph 4 and 9 GDPR).
- In the contractual agreement with the subcontractor as sub-processor, the Customer shall be granted control and inspection rights in accordance with this DPA. Likewise, the Customer shall be entitled, upon written request, to receive information from Aleph Alpha about the essential content of the DPA and the implementation of the subcontractor’s obligations relevant to data protection.
- Aleph Alpha shall be liable to the Customer for the subcontractor’s compliance as sub-processor with the data protection obligations contractually imposed on it by Aleph Alpha in accordance with this DPA.
- The transfer of personal data of the Customer by Aleph Alpha to the subcontractor as sub-processor and the subcontractor’s first activity shall be permitted only after all requirements for subcontracting have been met. Compliance with and implementation of the technical-organizational measures at the subcontractor shall be monitored by Aleph Alpha, taking into account the risk at the subcontractor, prior to the processing of personal data and then on a regular basis. Aleph Alpha shall make the control results available to the Customer upon request. Aleph Alpha shall also ensure that the Customer can exercise its rights under this DPA (in particular its control rights) also directly against the subcontractor.
- If the subcontractor as sub-processor provides the agreed service outside the EU/EEA, Aleph Alpha shall ensure that it is admissible under data protection law by taking appropriate measures. The same shall apply if service providers within the meaning of para. 1 sentence 2 are to be used.
- All contractual provisions in the contractual chain shall also be imposed on the further subcontractor as sub-sub-processor.
§ 9 Fringe benefits
Sections 1 to 8 shall apply accordingly if the testing or maintenance of automated processes or of data processing systems is carried out by other bodies on a commissioned basis and access to personal data of this commissioned processing cannot be excluded.
§ 10 Liability
- Customer and Aleph Alpha shall be liable vis-à-vis data subjects in accordance with the provision set out in Article 82 of the GDPR. Aleph Alpha shall coordinate any fulfillment of liability claims with Customer.
- Aleph Alpha shall indemnify Customer against all claims asserted by data subjects against Customer due to the breach of an obligation imposed on Aleph Alpha by the GDPR or the failure to comply with or breach of an instruction issued by Customer in this DPA or a separate instruction.
- The Parties shall each indemnify themselves against liability if and to the extent that a Party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. In all other respects, Art. 82 paragraph 5 of the GDPR shall apply.
- Unless otherwise provided above, the liability under this DPA shall be the same as under the Main Agreement.
§ 11 Final provisions
- Should individual provisions of this DPA be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the other provisions.
- Amendments and supplements to this DPA and its Annexes – including any warranties of Aleph Alpha – shall require a written agreement and the express indication that it is an amendment or supplement to these Terms and Conditions. This shall also apply to any waiver of this formal requirement.
- Applicable law and place of jurisdiction shall be determined by the Main Agreement.
- The Annex “Technical and Organizational Measures” is an integral part of this DPA.
Annex “Technical-organizational measures” to the DPA
Section 6 of the DPA refers to this Annex for the specification of the technical-organizational data protection measures.
§ 1 Technical and organizational security measures
The parties of the DPA are legally obligated to define the technical and organizational security measures within the scope of the commissioned processing.
§ 2 Internal organization of Aleph Alpha
Aleph Alpha shall design its internal organization in such a way that it meets the special requirements of data protection. In particular, measures shall be taken that are appropriate depending on the type of personal data or data categories to be protected.
§ 3 Specification of individual measures
In detail, the following measures are determined (Art. 32 GDPR):
- Access control. Unauthorized persons must be denied access to data processing systems with which personal data are processed or used: Aleph Alpha’s subcontractor’s premises and thus also the office of Aleph Alpha are VS-NfD secured and equipped with access control systems, separation systems, magnetic cards, gatekeepers, monitoring devices, door locks and other security systems.
Aleph Alpha’s subcontractor’s data center in Bayreuth, Germany, is located on a site with only one access road. This road is monitored 24/7 with cameras and alarm systems. The other sides of the property are secured with fences and additional cameras. There are only two access points to the data center itself. One via the delivery door at a height of 5.5 meters. This door has no fixed access (ladder or similar). In addition, this door is guarded 24/7 with two cameras. The recording of the data runs for several months and can be accessed at any time.
The second access via the main entrance is secured by 3 doors in a row, each secured by an individual system. Digital locks with 512-bit encryption as well as chip cards and hand vein scanners are used. The data center is fully video monitored in all areas. In addition, motion detectors are used to trigger an alarm for the responsible employees. Access is only permitted in the Aleph Alpha’s subcontractor’s company to authorized personnel.
- Access control. Data processing systems must be prevented from being used by unauthorized persons:Access to productive systems shall be restricted to a limited group of users. User management follows an orderly on- and off-boarding process in compliance with a (minimum) four-eyes principle. User authentication follows the current password policy.
- Access control. It must be ensured that those authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage: The data is stored and processed on Aleph Alpha’s subcontractor’s own servers. An authorization concept ensures access to personal data in line with requirements. Access is granted according to the least-privilege principle and in compliance with a “segregation of duties” principle. Access levels are reviewed at regular intervals to ensure compliance with the above principles.
- Separation control. It must be ensured that data collected for different purposes can be processed separately: Strictly separate production and test systems are used, each with its own user administration.
- Anonymization/pseudonymization. Ensure that personal data is processed in a manner that minimizes risk: Data is encrypted during transmission using state-of-the-art methods. No prompts and no texts of tasks sent to the API are stored permanently, unless the Customer has enabled this. No information about the API request input data is recorded in logs. Only meta-data is stored, never the content of the API request. The user-related information (e.g. e-mail address) is always kept and processed only on exactly those systems where it is necessary.
- Disclosure control. Ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to check and determine to which entities personal data is intended to be transmitted by means of data transmission facilities: communication shall take place only via secure connections. Use of “LetsEncrypt” as an issuing authority for SSL security certificates. Self-signed certificates are not used.
- Input control. It must be ensured that it can be subsequently checked and determined whether and by whom personal data have been entered into data processing systems, changed or removed: Through the use of special software, accesses to the systems processing Customer data are logged and recorded within the scope of the technical possibilities. In this way, it is also possible to check retrospectively which user has made which entries into the system. Customer data, however, is only recorded upon explicit request.
- Availability control. It must be ensured that personal data is protected against accidental destruction or loss: Where data is subject to an agreed storage requirement, regular backups are taken for all relevant systems. These are distributed across multiple storage locations to ensure loss.
- Rapid recoverability. It must be ensured that the availability of personal data and access to them is quickly restored in the event of a physical or technical incident: The backups from item 8 are quickly recoverable for further processing.
- Order control. It must be ensured that personal data processed under the order can only be processed in accordance with the instructions of the Customer: We shall only provide the hardware in accordance with the Customer’s wishes. The use of and access to it will be set up as requested by the Customer. System communications on processing hardware take place on dedicated systems in physically or logically separate network environments.
- Data protection management. It must be ensured that data protection management guarantees the verification: Aleph Alpha is currently establishing data protection management in accordance with ISO 27001 with the support of TÜV NORD.
- Incident response management. The process manual regulates the monitoring, incident management, problem management, service request fulfillment and security incident handling processes. All employees are trained to mark data protection-relevant events in the ticket system accordingly. Automatic mechanisms stored accordingly notify the relevant managers and/or the data protection officer. These specially trained roles decide whether and how other parties are informed. The manual is part of the ISMS & Data Protection Management of Aleph Alpha and Alpha Layer. The certification according to 27001 currently being prepared with TÜV NORD.
Annex “List of subcontractors” to the DPA
- Company: Alpha Layer GTS GmbH, Röntgenstr. 14, 95478 Kemnath, Germany.
Type of data processing: Alpha Layer GTS GmbH is a wholly owned subsidiary of Aleph Alpha GmbH and operates the IT and data center infrastructure of Aleph Alpha. The entire IT infrastructure of Aleph Alpha and Alpha Layer is located in Germany.
- Company: Stripe Payments Europe Limited, The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland.
Type of data processing: Stripe Payments Europe Limited is only used to process payments and in the context of invoicing the Customer. As the parent company Stripe Inc. is based in the USA, we also ensure the guarantees required by data protection law, including standard contractual clauses and (once available) a corresponding adequacy decision.