Last Updated: June 12, 2026

Backstory Terms of Service

These Backstory Terms of Service ("Agreement") are entered into between People.ai, Inc. d/b/a Backstory ("Backstory"), a Delaware corporation located at 548 Market Street #58279, San Francisco, CA 94104-5401, and the entity or person that accepts this Agreement or enters into an Order Form referencing it ("Customer"). This Agreement is effective on the earlier of the date Customer accepts it online, enters into an Order Form or other ordering document referencing it, or first accesses or uses the Services (the "Effective Date").

By accepting this Agreement online, entering into an Order Form referencing it, or using the Services, Customer agrees to be bound by this Agreement.

For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Provision of Services.

1.1 Services and Order Forms. Backstory will make the Services available to Customer during each applicable Order Form term, subject to this Agreement, the DPA, and the applicable Order Form. Each Order Form will identify the Services purchased, quantities or usage metrics, applicable subscription term, fees, billing schedule, support package, and any other expressly stated commercial terms applicable to that Order Form. Except as expressly stated in Section 13.4, an Order Form does not amend this Agreement.

1.2 Access and Users. Subject to this Agreement, Customer may permit its authorized Users to access and use the Services solely for Customer's internal business purposes. Access may be controlled through a compatible third-party identity provider. Customer is responsible for configuring and administering its identity provider, designating administrators, and managing User access, including promptly removing access for departed or unauthorized individuals. Unless otherwise expressly stated in an applicable Order Form, subscriptions are purchased for named Users and may be reassigned only to replacement individuals who permanently succeed former Users who no longer require access to the Services. Customer will not permit more than one individual to share a single User subscription.

1.3 Customer Affiliates. Customer may permit its Affiliates and their employees and contractors working for the benefit of Customer or such Affiliates to act as Users under Customer's account, provided Customer remains responsible for their compliance with this Agreement. Alternatively, a Customer Affiliate may enter into an Order Form or Statement of Work under this Agreement, in which case references to "Customer" in this Agreement will be deemed to refer to that Customer Affiliate solely for purposes of that Order Form or Statement of Work.

1.4 Professional Services. If Backstory agrees to provide implementation, training, consulting, configuration, or other professional services, those services will be described in one or more Order Forms or Statements of Work. Except as expressly stated in an Order Form or Statement of Work, Professional Services are separate from the subscription Services and do not include custom development or deliverables that transfer ownership of Backstory intellectual property.

1.5 Support and Availability. During the applicable subscription term, Backstory will provide Support Services and use commercially reasonable efforts to meet the support and availability commitments set forth in Exhibit A.

2. Customer Responsibilities.

2.1 General Responsibilities. Customer is responsible for: (a) all access to and use of the Services and Backstory Materials by or through its Users, Customer Systems, and Access Credentials; (b) the accuracy, quality, legality, and appropriateness of Customer Data; (c) using commercially reasonable efforts to prevent unauthorized access to or use of the Services and to notify Backstory promptly of any such unauthorized access or use; and (d) using the Services in compliance with applicable Laws.

2.2 Customer Systems and Third-Party Services. Customer is responsible for its Customer Systems and for obtaining and maintaining all rights, consents, and permissions necessary for Backstory to access, receive, use, transmit, and process Customer Data and other information from Customer Systems and Third-Party Services as contemplated by this Agreement. Customer's use of any Third-Party Services is governed solely by Customer's agreement with the applicable third party.

2.3 Suspension. Backstory may suspend Customer's or any User's access to the Services if Backstory reasonably determines that: (a) Customer's or a User's use poses a security risk to the Services or to any other customer, user, or vendor; (b) Customer or a User is using the Services in violation of this Agreement, the Documentation, or applicable Law; (c) Customer's or a User's use is fraudulent, abusive, or could materially harm Backstory, the Services, or others; or (d) Customer fails to pay undisputed amounts when due and remains delinquent after the applicable notice and cure period. When reasonably practicable under the circumstances, Backstory will provide prior notice, limit any suspension to the affected Users, accounts, or functionality, and restore access promptly after the issue is resolved.

3. Security and Privacy.

3.1 Security Program. Backstory will maintain and enforce commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, acquisition, disclosure, alteration, loss, or destruction, appropriate to the nature of the Services and the sensitivity of the Customer Data processed by Backstory. Such safeguards will include, as appropriate, access controls, system and network protections, transmission and storage protections, personnel security measures, incident response procedures, and periodic testing or assessment of relevant controls. Backstory may update its security program from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Data during the applicable Order Form term.

3.2 Security Incidents. Backstory will notify Customer without undue delay after confirming a Security Incident involving Customer Data in Backstory's systems and will take reasonable steps to contain, investigate, and remediate the Security Incident. The DPA will govern Backstory's obligations with respect to any Personal Data Breach involving Personal Data.

3.3 Data Processing Addendum. To the extent Backstory processes Personal Data on Customer's behalf in connection with the Services, the DPA applies and is incorporated by reference. If there is a conflict between this Agreement and the DPA with respect to privacy, data protection, or cross-border transfer issues, the DPA controls.

4. Fees and Payment.

4.1 Fees. Customer will pay the fees set forth in each applicable Order Form or Statement of Work. Except as expressly stated in this Agreement, an Order Form, or a Statement of Work, subscriptions are non-cancellable and fees are non-refundable. Fees are payable in U.S. dollars unless the applicable Order Form expressly states otherwise.

4.2 Invoicing and Payment. Backstory will invoice Customer as set forth in the applicable Order Form or Statement of Work. Unless the applicable Order Form or Statement of Work expressly provides otherwise, subscription fees will be invoiced in advance.

4.2A Additional Users; No Mid-Term Reduction. If Customer exceeds the number of permitted Users or other purchased usage metrics set forth in an applicable Order Form, Backstory may notify Customer of the overdeployment. Within thirty (30) days after that notice, Customer will either: (a) purchase the additional capacity, Users, or usage rights effective as of the date the overdeployment began, at the pricing set forth in the applicable Order Form or, if no such pricing applies, at Backstory's then-current list price; or (b) reduce usage to the permitted level. If Customer does neither within that period, Backstory may invoice Customer for the excess usage at the applicable rate for the remainder of the then-current subscription term, and Customer will pay such invoice in accordance with this Agreement. As Backstory provides subscription-based Services, purchased User counts and other committed subscription minimums may not be reduced during the then-current subscription term unless expressly stated in the applicable Order Form.

4.3 Overdue Amounts. If Customer fails to pay an undisputed invoice when due, Backstory may, after providing written notice and a ten (10) day opportunity to cure, charge interest on overdue amounts at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by Law and may suspend the affected Services until the overdue amounts are paid in full. Customer must notify Backstory of any invoice dispute within sixty (60) days after the invoice date, or Customer waives the dispute. Backstory will not exercise its rights under this Section with respect to amounts reasonably disputed in good faith while the Parties are actively working to resolve the dispute. Customer will reimburse Backstory for reasonable costs of collection of overdue undisputed amounts, including reasonable attorneys' fees and court costs, to the extent permitted by applicable Law.

4.4 Taxes. Fees and other amounts payable under this Agreement are exclusive of taxes, duties, levies, or similar governmental assessments, including sales, use, value-added, or withholding taxes (collectively, "Taxes"). Customer is responsible for any and all Taxes associated with its purchases under this Agreement, other than taxes imposed on Backstory's income, property, payroll, or employees.

4.5 Resellers. If Customer purchases subscriptions through a Backstory-authorized reseller, Customer's payment obligations will be governed by Customer's agreement with that reseller. Backstory will not be responsible for any reseller-specific promises, discounts, warranties, or obligations not expressly set forth in this Agreement. If the reseller fails to remit payment to Backstory for the Services, Backstory may suspend Customer's access to the Services upon notice to Customer.

4.6 Purchase Orders and Invoicing Portals. A purchase order, vendor onboarding form, customer portal, click-through, or similar customer document will not modify this Agreement, the DPA, or any Order Form unless expressly agreed in a writing signed by authorized representatives of both Parties. If Customer requires Backstory to submit invoices or billing statements through an invoicing portal or similar billing system, Customer is responsible for any fees, costs, or expenses charged to Backstory for use of that system.

5. License, Ownership, Customer Data, and AI.

5.1 Access Rights. Subject to this Agreement, Backstory grants Customer a non-exclusive, non-transferable, non-sublicensable right during the applicable Order Form term to access and use the Services and Backstory Materials solely for Customer's internal business purposes and solely by its authorized Users.

5.2 Documentation License. Subject to this Agreement, Backstory grants Customer a non-exclusive, non-transferable, non-sublicensable license during the applicable Order Form term to use the Documentation solely in connection with Customer's permitted use of the Services.

5.3 Use Restrictions. Customer will not, and will not permit any third party to: (a) copy, modify, or create derivative works of the Services or Documentation except as expressly permitted by this Agreement; (b) rent, lease, sell, sublicense, distribute, or otherwise make the Services available to third parties on a service bureau or similar basis; (c) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code or underlying ideas, algorithms, structure, or organization of the Services, except to the limited extent such restriction is prohibited by applicable Law; (d) remove proprietary notices from the Services or Documentation; or (e) use the Services in any manner that infringes, misappropriates, or otherwise violates any person's rights or applicable Law.

5.4 Customer Data. As between the Parties, Customer owns all right, title, and interest in and to the Customer Data. Customer grants Backstory and its subprocessors a non-exclusive, worldwide, royalty-free right during the applicable term to host, copy, transmit, display, modify, and otherwise process Customer Data solely as necessary to: (a) provide, operate, secure, maintain, support, and improve the Services and Professional Services; (b) generate, use, and disclose Service Data and De-Identified Data; (c) develop, train, tune, validate, and improve machine learning and artificial intelligence capabilities used in connection with the Services; and (d) comply with applicable Law and enforce this Agreement. Notwithstanding the foregoing, Backstory will not use Customer Data, or permit Customer Data to be used: (i) to improve a third party's generative artificial intelligence model or large language model; (ii) to generate output for other customers, third parties, or individuals using Customer-specific data or confidential information; or (iii) in a manner that identifies Customer except as expressly permitted by this Agreement. For clarity, Backstory's internal use of Customer Data under this Section must remain tied to the Services, Service improvement, security, analytics, model performance, or related product development, and does not transfer ownership of Customer Data to Backstory.

5.5 Backstory Materials; Service Data; Model Artifacts. Backstory owns all right, title, and interest in and to the Services, Documentation, Backstory Materials, Service Data, De-Identified Data, model weights, parameters, embeddings, classifiers, training techniques, system prompts, workflows, and other data, analytics, and artifacts generated, developed, or derived by or for Backstory in connection with the Services, excluding Customer Data, Personal Data to the extent governed by the DPA, and AI Inputs and AI Outputs owned by Customer under Section 5.6. Nothing in this Agreement gives Customer any ownership interest in the Services or Backstory Materials.

5.6 AI Inputs and AI Outputs. To the extent the Services include AI Features, Customer may submit prompts, queries, files, records, or other input to those AI Features ("AI Inputs") and may receive generated responses, summaries, recommendations, classifications, or other output from those AI Features ("AI Outputs"). As between the Parties, and to the extent permitted by applicable Law, Customer owns its AI Inputs and AI Outputs, except to the extent any AI Output incorporates or reflects Backstory Materials, Service Data, Enrichment Data, or non-customer-specific model artifacts, all of which remain owned by Backstory. Customer is responsible for its AI Inputs and for its review and use of AI Outputs.

5.7 AI Feature Terms. Customer acknowledges that AI Features may produce inaccurate, incomplete, biased, offensive, or misleading results, including hallucinations and other errors, and that AI Outputs may require human review before use. Customer will not use AI Features: (a) in violation of applicable Law; (b) to violate the rights of others; (c) to make decisions producing legal effects or similarly significant effects concerning an individual without appropriate human review and compliance with applicable Law; (d) in a manner that could materially harm the Services or impair others' use of the Services; or (e) to assist or encourage any of the foregoing. Certain AI Features may utilize third-party AI services, including Microsoft Azure OpenAI Service, and Customer authorizes Backstory to engage such providers as subprocessors in accordance with the DPA and applicable subprocessor notices. Excessive use of AI Features may result in temporary throttling.

5.8 Enrichment Data. To the extent the Services include Enrichment Data or other Backstory-provided supplemental data that is not Customer Data, Backstory retains ownership of that Enrichment Data. During the applicable Order Form term, Customer may use Enrichment Data solely as incorporated in the Services, the Documentation, or the applicable Order Form. Any broader or post-termination rights with respect to Enrichment Data must be expressly stated in the applicable Order Form.

5.9 Feedback. Customer may provide suggestions, comments, or other feedback regarding the Services ("Feedback"). Feedback is provided voluntarily and without restriction. Customer grants Backstory a non-exclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license to use, disclose, reproduce, modify, and otherwise exploit Feedback for any purpose, without compensation or attribution to Customer.

6. Confidentiality.

6.1 Confidential Information. "Confidential Information" means information disclosed by or on behalf of a Party ("Disclosing Party") to the other Party ("Receiving Party") that is designated as confidential or that reasonably should be understood to be confidential given its nature and the circumstances of disclosure. Backstory Confidential Information includes, but is not limited to, trade secrets, proprietary technology, business and marketing plans, the Services, Documentation, Backstory Materials, security information, audits, reports, and non-public product plans.

6.2 Exclusions. Confidential Information does not include information that the Receiving Party can demonstrate: (a) is or becomes publicly available without breach of this Agreement; (b) was known to the Receiving Party without confidentiality restriction before receipt from the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) is independently developed without use of or reference to the Disclosing Party's Confidential Information, all evidenced in documentation with the burden of proof on the Receiving Party.

6.3 Obligations. During the Term or for as long as there is an operational Order Form, subscription, or Statement of Work, and for five (5) years thereafter, the Receiving Party will: (a) use the Disclosing Party's Confidential Information only as necessary to exercise its rights or perform its obligations under this Agreement; (b) not disclose the Confidential Information except to its and its Affiliates, employees, contractors, independent contractors, consultants, representatives, directors, officers, auditors, accountants, attorneys, investors, financing sources, or advisers who have a need to know and are bound by confidentiality obligations at least as protective as those in this Agreement; and (c) protect the Confidential Information using at least reasonable care and in no event less than the degree of care it uses to protect its own similarly sensitive information. The obligations in this Section 6.3 survive indefinitely with respect to trade secrets.

6.4 Compelled Disclosure. The Receiving Party may disclose Confidential Information to the extent required by applicable Law or valid legal process, provided that, to the extent legally permitted, the Receiving Party gives prompt notice to the Disclosing Party and reasonable cooperation, at the Disclosing Party's expense, to seek confidential treatment, a protective order, or another appropriate remedy.

7. Representations, Warranties, and Disclaimer.

7.1 Mutual Representations and Warranties. Each Party represents and warrants that: (a) it is duly organized, validly existing, and in good standing under the Laws of its jurisdiction of organization; (b) it has the power and authority to enter into this Agreement and perform its obligations; and (c) this Agreement constitutes a legal, valid, and binding obligation of that Party, enforceable against it in accordance with its terms.

7.2 Backstory Warranties. Backstory represents and warrants that, during the applicable Order Form term: (a) it will provide the Services in a professional and workmanlike manner consistent with generally accepted industry standards; (b) the Services will perform materially in accordance with the applicable Documentation under normal use; (c) it will not materially decrease the overall functionality of the Services during the applicable Order Form term; (d) Professional Services, if any, will be performed in a professional and workmanlike manner; (e) it has sufficient rights to grant the access and use rights granted under this Agreement; and (f) it has used commercially reasonable efforts to ensure that the Services do not contain Malicious Code.

7.3 Customer Warranties. Customer represents and warrants that: (a) it has all rights, permissions, and consents necessary to provide Customer Data and authorize Backstory to process Customer Data as contemplated by this Agreement; (b) Customer Data and Customer's use of the Services will not violate applicable Law, third-party rights, or Customer's own published privacy notices; and (c) Customer's use of the Services in connection with Third-Party Services will comply with the terms governing those Third-Party Services.

7.4 Exclusive Warranty Remedies. If Backstory materially breaches the warranties in Section 7.2(a), 7.2(b), or 7.2(d), Customer's exclusive remedies are, at Backstory's option, to re-perform the non-conforming Services or Professional Services, repair or replace the materially affected Services, or, if Backstory cannot do so within a commercially reasonable period, terminate the affected Order Form or Statement of Work and receive a pro rata refund of prepaid fees for the terminated, unused portion of the affected Services or Professional Services. The remedies in this Section 7.4 are Customer's sole and exclusive remedies, and Backstory's sole and exclusive liability, for breach of Section 7.2(a), 7.2(b), or 7.2(d).

7.5 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES, DOCUMENTATION, BACKSTORY MATERIALS, AI FEATURES, AI OUTPUTS, ENRICHMENT DATA, PROFESSIONAL SERVICES, AND ANY RELATED DELIVERABLES ARE PROVIDED "AS IS." BACKSTORY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. BACKSTORY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS, OR THAT THIRD-PARTY SERVICES WILL BE COMPATIBLE WITH OR AVAILABLE FOR THE SERVICES. THIRD-PARTY SERVICES ARE NOT WARRANTED BY BACKSTORY.

8. Indemnification.

8.1 Backstory Indemnity. Backstory will defend Customer from and against any third-party claim alleging that the Services or Backstory Materials, when used by Customer as expressly permitted under this Agreement, infringe or misappropriate a United States patent, copyright, trademark, or trade secret, and Backstory will indemnify Customer for resulting damages, costs, and expenses finally awarded or agreed in settlement, provided that Backstory will have no obligation to the extent the claim arises from: (a) Customer Data; (b) modifications to the Services not made by Backstory; (c) combination of the Services with products, services, data, or processes not provided or approved in a signed writing by Backstory; (d) Customer's use of the Services outside the scope of this Agreement, the Documentation, or the applicable Order Form; or (e) Customer's violation of applicable Law.

8.2 Mitigation Options. If the Services become, or in Backstory's reasonable opinion are likely to become, the subject of a claim under Section 8.1, Backstory may, at its expense and option: (a) procure for Customer the right to continue using the affected Services; (b) modify or replace the affected Services so that they become non-infringing while materially preserving functionality; or (c) terminate the affected Services and refund any prepaid fees covering the unused portion of the terminated Services.

8.3 Customer Indemnity. Customer will defend Backstory from and against any third-party claim arising from: (a) Customer Data; (b) Customer's use of the Services in violation of this Agreement, the Documentation, or applicable Law; (c) Customer's combination of the Services with products, services, data, or processes not provided or approved by Backstory, where the claim would not have arisen but for that combination; or (d) an allegation that Customer Data, AI Inputs, or materials supplied by Customer infringe, misappropriate, or otherwise violate a third party's rights. Customer will indemnify Backstory for resulting damages, costs, and expenses finally awarded or agreed in settlement.

8.4 Indemnification Procedures. The indemnified Party must: (a) promptly notify the indemnifying Party of the claim, provided that a delay in notice relieves the indemnifying Party only to the extent it is materially prejudiced by the delay; (b) grant the indemnifying Party sole control of the defense and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying Party's expense. The indemnifying Party may not settle any claim in a manner that admits fault of, or imposes non-monetary obligations on, the indemnified Party without the indemnified Party's prior written and signed consent, not to be unreasonably withheld, conditioned, or delayed.

8.5 Exclusive Remedy. THIS SECTION 8 STATES EACH PARTY'S SOLE AND EXCLUSIVE LIABILITY, AND THE OTHER PARTY'S SOLE AND EXCLUSIVE REMEDY, FOR THE THIRD-PARTY CLAIMS DESCRIBED IN THIS SECTION 8.

9. Limitation of Liability.

9.1 Excluded Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE, OR ENHANCED DAMAGES, OR FOR LOST PROFITS, LOST REVENUES, LOSS OF GOODWILL, OR DIMINUTION IN VALUE, ARISING OUT OF OR RELATING TO THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9.2 General Cap. EXCEPT AS PROVIDED IN SECTION 9.3, EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL AMOUNTS PAID OR PAYABLE BY CUSTOMER TO BACKSTORY UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

9.3 Exceptions. The exclusions and limitations in Sections 9.1 and 9.2 will not apply to: (a) either Party's obligations under Section 8; or (b) Customer's payment obligations or Customer's breach of Section 5.3. Notwithstanding the foregoing, Backstory's aggregate liability arising from a material breach of Section 3 or the DPA will not exceed two (2) times the total amounts paid or payable by Customer to Backstory under this Agreement in the twelve (12) month period preceding the event giving rise to the claim.

10. Term and Termination.

10.1 Agreement Term. This Agreement begins on the Effective Date and continues until all Order Forms, subscriptions, and Statements of Work entered into under this Agreement have expired or been terminated, unless this Agreement is earlier terminated in accordance with this Section 10.

10.2 Order Form Terms; No Default Renewal. Each Order Form will specify the applicable subscription term, start date, end date, renewal election, notice period, and any pricing adjustment for a renewal term. No subscription renews automatically unless the applicable Order Form expressly states that it does. If an Order Form is silent on renewal, the subscription expires at the end of the stated term. The MSA does not create any default renewal right, default renewal notice period, or default renewal pricing uplift. Unless the applicable Order Form expressly states otherwise, any discounts, promotions, special pricing, free units, overprovisioned units, or non-standard payment terms granted for an initial term will not apply to any renewal term.

10.3 Termination for Cause. Either Party may terminate this Agreement, an Order Form, or a Statement of Work if the other Party materially breaches this Agreement, the applicable Order Form, or the applicable Statement of Work and fails to take appropriate steps to cure the breach within thirty (30) days after written notice, unless the breach is incapable of cure, in which case termination may be immediate. Backstory may terminate this Agreement or suspend the applicable Services if Customer fails to pay an undisputed amount when due and does not cure within fifteen (15) days after written notice.

10.4 Effect of Termination or Expiration. Upon expiration or termination of this Agreement or an affected Order Form: (a) Customer's rights to access and use the terminated Services and related Backstory Materials end; (b) Customer will pay all undisputed amounts accrued and payable through the effective date of termination; and (c) Backstory will return or delete Customer Data in accordance with this Agreement, the DPA, and the applicable Documentation. Expiration or termination does not relieve Customer of any obligation to pay fees accrued or due before the effective date of termination. For clarity, expiration or termination does not require Backstory to delete or cease use of Service Data, De-Identified Data, or internal model artifacts that do not identify Customer, except to the extent required by applicable Law or the DPA.

10.5 Survival. Sections 4, 5, 6, 7.5, 8, 9, 10.4, 10.5, 11, 12, and 13, together with any other provisions that by their nature should survive, will survive expiration or termination of this Agreement.

11. Beta Services and Free Services.

11.1 Beta Services. If Backstory makes Beta Services available to Customer, including Beta Services identified in an Order Form, those Beta Services are provided for evaluation purposes only and may be modified, suspended, or discontinued at any time. Beta Services are provided "AS IS," without warranties, service levels, support commitments, maintenance commitments, or indemnification obligations, and Customer uses Beta Services at its own risk. Unless expressly stated in an applicable Order Form, Beta Services are not for production use.

11.2 Free Services. Backstory may make certain Services available free of charge. Free Services are provided "AS IS," without warranties, support commitments, indemnification obligations, service levels, or liability, except to the extent such exclusion is prohibited by applicable Law. Backstory may modify or discontinue Free Services at any time without liability. Customer remains fully responsible for its use of Free Services and for compliance with this Agreement.

12. Definitions.

12.1 "Access Credentials" means any username, password, key, token, certificate, authentication credential, or other access-control mechanism used to access the Services.

12.2 "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where "control" means ownership or control of more than fifty percent (50%) of the voting interests of the applicable entity.

12.3 "AI Features" means artificial intelligence or machine learning functionality made available as part of the Services, including generative AI features.

12.4 "AI Inputs" and "AI Outputs" have the meanings given in Section 5.6.

12.5 "Beta Services" means Services, features, functionality, or components that are not generally available to customers or are provided for evaluation, testing, feedback, pilot, preview, or limited-release purposes.

12.6 "Confidential Information" has the meaning given in Section 6.1.

12.7 "Customer Data" means all information, data, content, records, files, materials, and other content submitted to, ingested by, transmitted through, or otherwise made available to Backstory by or on behalf of Customer in connection with the Services, excluding Service Data, Enrichment Data, and De-Identified Data.

12.8 "Customer Systems" means Customer's information technology systems, networks, devices, databases, software, identity providers, and other systems or services used by Customer in connection with the Services.

12.9 "De-Identified Data" means data derived from Customer Data that does not identify Customer, any User, or any natural person and cannot reasonably be used to do so.

12.10 "Documentation" means Backstory's standard user and technical documentation for the Services made available to Customer.

12.11 "DPA" means the Data Processing Addendum entered into by the Parties, as amended from time to time.

12.12 "Enrichment Data" means data or information generated or supplied by Backstory as part of the Services to enhance, revise, augment, score, classify, summarize, or otherwise enrich Customer Data or related records.

12.13 "Free Services" means Services made available by Backstory free of charge.

12.14 "Laws" means all applicable laws, statutes, ordinances, regulations, rules, and orders.

12.15 "Malicious Code" means any virus, worm, Trojan horse, logic bomb, spyware, ransomware, or other malicious code designed to disrupt, disable, damage, exfiltrate, or otherwise impair systems or data.

12.16 "Order Form" means an ordering document, quote, order form, or similar written document executed by the Parties or otherwise accepted by Backstory that references this Agreement and identifies any of the Services, subscriptions, fees, and commercial terms purchased by Customer.

12.17 "Backstory Materials" means the Services, Documentation, Backstory websites, user interfaces, software, APIs, workflows, templates, reports, analytics, models, processes, know-how, and other technology or materials provided or used by Backstory in connection with the Services, excluding Customer Data and AI Outputs owned by Customer under Section 5.6.

12.18 "Personal Data" has the meaning given in the DPA.

12.19 "Professional Services" means consulting, implementation, configuration, training, or similar services described in a Statement of Work.

12.20 "Security Incident" means unauthorized access to, or unauthorized acquisition, use, disclosure, alteration, loss, or destruction of, Customer Data in Backstory's possession or control. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Data, such as pings, port scans, denial-of-service attempts, or other network attacks that do not result in unauthorized access.

12.21 "Service Data" means data regarding the configuration, performance, integrity, availability, usage, telemetry, and operation of the Services.

12.22 "Services" means Backstory's cloud-based products, applications, platforms, and related hosted services identified in an Order Form, and any associated AI Features, but excluding Professional Services.

12.23 "Statement of Work" means a written statement of work executed by the Parties that describes Professional Services purchased under this Agreement.

12.24 "Support Services" means the support services described in Exhibit A or otherwise expressly identified in an applicable Order Form.

12.25 "Third-Party Services" means third-party products, platforms, databases, communication services, and applications that interface with or interoperate with the Services.

12.26 "User" means an individual authorized by Customer to access or use the Services on Customer's behalf.

13. General Terms.

13.1 Force Majeure. Neither Party will be liable for delay or failure to perform its obligations under this Agreement (other than payment obligations) to the extent caused by circumstances beyond its reasonable control, including natural disasters, war, terrorism, riots, labor disputes not involving that Party's own employees, governmental action, failures of utilities, or failures of third-party hosting or telecommunications providers.

13.2 Independent Contractors. The Parties are independent contractors. Nothing in this Agreement creates a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.

13.3 Publicity. Each Party may identify the other Party by name and logo in factual customer or vendor lists, subject to the other Party's trademark usage guidelines and any reasonable written brand-use restrictions provided in advance. Any case study, reference call, webinar, testimonial, press release, quote, or other promotional activity beyond factual name-and-logo identification must be expressly elected in the applicable Order Form, and Customer will participate only to the scope expressly described there.

13.4 Order of Precedence; Entire Agreement. This Agreement, together with each applicable Order Form, Statement of Work, Exhibits thereto, and the DPA, constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior or contemporaneous agreements or understandings relating to that subject matter. In the event of a conflict: (a) the DPA controls for privacy, data protection, security-incident response, and cross-border transfer issues; (b) a Statement of Work or product-specific addendum controls only for the specific Professional Services or product-specific subject matter it expressly addresses; (c) this Agreement controls generally; and (d) an Order Form controls only with respect to expressly stated commercial terms for the applicable purchase, such as the Services purchased, quantities, usage metrics, fees, billing schedule, subscriptions, subscription term dates, renewal election, support package selection, and publicity election. No Order Form, purchase order, vendor onboarding form, click-through, or customer portal term will amend this Agreement or the DPA unless expressly stated in a writing signed by authorized representatives of both Parties.

13.5 Notices. Notices under this Agreement must be in writing and will be deemed given when received if delivered personally, sent by nationally recognized overnight courier, or sent by certified or registered mail, return receipt requested, to the address specified in the applicable Order Form or such other address designated by written notice. Email notice is also required. Operational communications may be sent by email or through the Services.

13.6 Amendments; Waivers. No amendment or modification of this Agreement is effective unless in writing and signed by authorized representatives of both Parties. No waiver of any provision of this Agreement will be effective unless in writing and signed by the Party granting the waiver. A waiver of one breach is not a waiver of any other breach.

13.7 Severability. If any provision of this Agreement is held unenforceable, that provision will be enforced to the maximum extent permitted by Law and the remaining provisions will remain in full force and effect.

13.8 Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except that either Party may assign this Agreement without consent to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of substantially all of its assets relating to this Agreement, provided the assignee agrees in writing to be bound by this Agreement. Any attempted assignment in violation of this Section is void.

13.9 Governing Law and Venue. This Agreement is governed by the Laws of the State of California, excluding its conflict of laws rules. The state and federal courts located in San Francisco County, California will have exclusive jurisdiction over any dispute arising out of or relating to this Agreement, and each Party irrevocably consents to that jurisdiction and venue.

13.10 No Third-Party Beneficiaries. This Agreement is for the sole benefit of the Parties and their permitted successors and assigns. Except as expressly stated otherwise, nothing in this Agreement confers any legal or equitable right or remedy on any other person or entity.

13.11 Equitable Relief. Each Party acknowledges that a breach of Section 6, and in the case of Customer a breach of Section 5.3, may cause irreparable harm for which monetary damages may be an inadequate remedy. Accordingly, the non-breaching Party may seek equitable relief, including injunctive relief and specific performance, in addition to any other remedies available at law or in equity.

13.12 Insurance. Backstory will maintain insurance coverage in such types and amounts as it customarily maintains for similarly situated businesses in its industry. Upon Customer's written request, Backstory will provide a current certificate of insurance evidencing such coverage. Any certificate of insurance is provided for informational purposes only and does not amend, extend, or alter the coverage afforded by Backstory's insurance policies or create any rights in favor of Customer. Backstory will not be required to name Customer or any third party as an additional insured, loss payee, or otherwise amend any insurance policy unless the Parties expressly agree otherwise in a written amendment signed by authorized representatives of both Parties.

Exhibit A - Support and Service Level Exhibit

1. Definitions.

1.1 "Business Day" means any day other than Saturday, Sunday, or a day on which commercial banks in San Francisco, California are authorized or required by Law to close.

1.2 "Business Hours" means 8:00 a.m. to 6:00 p.m. Pacific Time on Business Days.

1.3 "Error" means a reproducible failure of the Services to operate in all material respects in accordance with the Documentation.

1.4 "Support Hours" means 8:00 a.m. to 6:00 p.m. Pacific Time on Business Days.

2. Training

Unless training services are expressly included in an applicable Order Form or Statement of Work, Backstory is not obligated to provide formal end-user training. Customer is responsible for training its Users and administrators on Customer's internal processes and permitted use of the Services.

3. Maintenance and Updates.

3.1 SaaS Updates. Backstory may provide updates, fixes, enhancements, new releases, and other improvements to the Services that Backstory generally makes available to similarly situated customers without additional charge, provided such items are not separately marketed or sold as paid products, add-ons, or premium features.

3.2 Package Services. If Customer uses package-based services or app marketplace components, Backstory may update those components from time to time. Where practicable, Backstory will provide reasonable advance notice before pushing updates to Customer's environment.

4. Support Services.

4.1 Support Availability. During the applicable Order Form term, Backstory will provide Support Services for the then-current version of the Services during Support Hours.

4.2 Support Requests. Customer may submit support requests by email, webchat, or other support channels designated by Backstory. Customer will include a reasonable description of the reported issue and any supporting information reasonably requested by Backstory.

4.3 Customer Contacts. Customer will designate one or more administrators to act as primary liaisons with Backstory for support matters.

4.4 Response Times. Backstory will respond to support requests within the target response times below, measured from receipt during Support Hours or, if received outside Support Hours, from the beginning of the next Support Hours. Resolution targets are goals and not guarantees.

Severity	Definition	Response Time	Resolution Target
1	Business Critical Failure: disables a critical function of the Services or puts data integrity at risk, and no reasonable workaround is available.	2 hours	Work begins promptly after response; status updates every 2 Support Hours until restored.
2	Significant Business Impact: materially impairs a material function of the Services or materially limits administrator access.	4 hours	Work begins promptly after response; status updates every 8 Support Hours until resolved or stabilized.
3	Minor Service Error: affects a limited function or a small number of users and a workaround is available.	8 hours	Work begins promptly after response; status updates every 3 Business Days until resolved or deferred to a release.
4	Low Impact / General Assistance: minor issues, usability questions, design issues, or routine service requests.	24 hours	Resolved, if at all, in the ordinary course or a future release; status updates every 5 Business Days as appropriate.

5. Availability.

5.1 Availability Requirement. Subject to the exceptions below, Backstory will use commercially reasonable efforts to make the Services available at least 99.5% of the time in each calendar month during the applicable subscription term. "Available" means that the Services are materially operable for access and use over the internet in material conformity with the Documentation.

5.2 Exceptions. Availability calculations exclude downtime or degradation caused by: (a) Customer's or its Users' misuse of the Services; (b) failures of Customer Systems, internet connectivity, or Third-Party Services; (c) general internet or network issues outside Backstory's reasonable control; (d) Customer's failure to meet minimum technical requirements; (e) Scheduled Downtime; (f) emergency downtime required to mitigate or remediate a real and immediate threat to the Services; or (g) a force majeure event.

5.3 Scheduled Downtime. Backstory will use commercially reasonable efforts to schedule routine maintenance outside 9:00 a.m. to 5:00 p.m. Pacific Time and to provide reasonable advance notice of scheduled downtime when practicable.

Data Processing Addendum

This Data Processing Addendum ("Addendum") supplements the Terms of Service ("Agreement") entered into between People.ai, Inc. d/b/a Backstory ("Backstory" or "Company") and the entity or person that accepts the Agreement or enters into an Order Form referencing it ("Customer"). This Addendum is effective on the earlier of the date Customer accepts it and the Agreement online, enters into an Order Form or other ordering document referencing it, or first accesses or uses the Services (the "Effective Date"), to the extent required under applicable Data Protection Laws. This Addendum incorporates the terms of the Agreement, and capitalized terms not defined in this Addendum have the meanings set forth in the Agreement.

Definitions

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.

"Authorized Sub-Processor" means any third party engaged by Backstory to Process Personal Data on behalf of Customer in connection with the Services.

"Customer Account Data" means Personal Data that relates to Customer's relationship with Backstory, including the names or contact details of individuals authorized by Customer to access Customer's account and billing information associated with Customer's account.

"Customer Usage Data" means Service usage data collected and Processed by Backstory in connection with the provision, security, support, optimization, and maintenance of the Services, including activity logs, telemetry, performance metrics, and data used to identify, investigate, or prevent misuse of the Services.

"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the UK GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003; (c) the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinances; and (d) any laws implementing, replacing, amending, or supplementing the foregoing.

"EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, updated, or replaced from time to time.

"Personal Data" and the terms "Controller," "Processor," "Process," "Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" have the meanings given to them under applicable Data Protection Laws.

"Restricted Transfer" means a transfer of Personal Data that requires an approved transfer mechanism under applicable Data Protection Laws because the transfer is made to a country or recipient that is not covered by an applicable adequacy decision or another valid transfer mechanism.

"Services" has the meaning set forth in the Agreement.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, as amended, updated, or replaced from time to time.

Scope and Roles of the Parties

Customer may act as either a Controller or a Processor with respect to Personal Data Processed under the Agreement. Except as expressly set forth in Section 11 of this Addendum, Backstory will Process Personal Data only as a Processor or Sub-Processor, as applicable, on behalf of Customer.

Customer is responsible for complying with Data Protection Laws in connection with its use of the Services, including establishing an appropriate legal basis for Processing, providing required notices, and responding to Data Subject requests. If Customer acts as a Processor, Customer represents that its relevant Controller has authorized Customer's appointment of Backstory as a sub-processor and the Processing described in the Agreement and this Addendum.

The subject matter, duration, nature, and purpose of the Processing, as well as the categories of Data Subjects and categories of Personal Data, are described in Exhibit A.

Processing Instructions

Backstory will Process Personal Data only on Customer's documented instructions as set forth in the Agreement, this Addendum, any applicable Order Form or Statement of Work, and Customer's configuration and use of the Services, unless otherwise required by applicable law.

Customer instructs Backstory to Process Personal Data as necessary to provide, host, secure, support, maintain, improve, and modify the Services and to perform Backstory's obligations under the Agreement and this Addendum, in each case as described in the Agreement and Exhibit A and consistent with applicable Data Protection Laws.

If applicable law requires Backstory to Process Personal Data other than on Customer's instructions, Backstory will inform Customer before such Processing unless applicable law prohibits that notice on important grounds of public interest.

Backstory will promptly inform Customer if, in Backstory's opinion, an instruction infringes applicable Data Protection Laws.

Confidentiality

Backstory will ensure that any person it authorizes to Process Personal Data is subject to an appropriate obligation of confidentiality.

Backstory may disclose Personal Data to its Affiliates, Authorized Sub-Processors, auditors, advisers, and other third parties to the extent reasonably necessary to perform its obligations under the Agreement or this Addendum, provided those recipients are subject to appropriate confidentiality and data protection obligations.

Authorized Sub-Processors

Customer provides general written authorization for Backstory to engage Authorized Sub-Processors as necessary to provide the Services.

Backstory will maintain a current list of its Authorized Sub-Processors at https://www.backstory.ai/product/sub-processors (the "Sub-Processor URL"). Backstory will provide at least thirty (30) days' notice before authorizing a new Authorized Sub-Processor to Process Personal Data by updating the Sub-Processor URL.

Customer may object to a new Authorized Sub-Processor by providing written notice to Backstory within ten (10) business days after the applicable update to the Sub-Processor URL, provided the objection is based on reasonable grounds relating to data protection. The parties will work in good faith to address the objection. If Backstory cannot provide a commercially reasonable alternative, Customer may exercise its rights under the Agreement with respect to the affected Services.

Backstory will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations materially comparable to those imposed on Backstory under this Addendum. Backstory will remain responsible for the performance of its Authorized Sub-Processors to the extent required by applicable Data Protection Laws.

To the extent required under the EU SCCs or other applicable transfer mechanism, Backstory will make available copies of relevant sub-processing terms upon Customer's written request, subject to reasonable redactions for confidential or commercially sensitive information.

Security of Personal Data

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to the rights and freedoms of natural persons, Backstory will maintain appropriate technical and organizational measures designed to protect Personal Data.

Exhibit C describes the technical and organizational measures implemented by Backstory. Backstory may update those measures from time to time, provided that any such update does not materially diminish the overall security of the Services.

Transfers of Personal Data

Customer acknowledges that Backstory may transfer Personal Data to countries outside the jurisdiction in which the Personal Data was collected, including the United States, as necessary to provide the Services. To the extent a transfer is covered by an adequacy decision or another valid transfer mechanism under applicable Data Protection Laws, the parties may rely on that mechanism and the transfer provisions below will apply only to the extent still required.

For Restricted Transfers subject to the GDPR, the EU SCCs are incorporated by reference into this Addendum and completed as follows: (a) Module One (Controller to Controller) applies when Backstory Processes Personal Data as a Controller pursuant to Section 11; (b) Module Two (Controller to Processor) applies when Customer is a Controller and Backstory Processes Personal Data as a Processor; and (c) Module Three (Processor to Processor) applies when Customer is a Processor and Backstory Processes Personal Data as a Sub-Processor. For each applicable module: Clause 9, Option 2 (general written authorization) applies, and the notice period for changes to sub-processors will be as set forth in the Authorized Sub-Processors section of this Addendum; Clause 11, optional language, does not apply; all square brackets in Clause 13 are removed; Clause 17, Option 1, will be governed by Irish law; Clause 18(b) will be resolved before the courts of the Republic of Ireland; Exhibit B to this Addendum contains the information required by Annex I and Annex III of the EU SCCs; Exhibit C contains the information required by Annex II of the EU SCCs; and, by entering into this Addendum, the parties are deemed to have signed the EU SCCs, including their Annexes.

For Restricted Transfers subject to the UK GDPR, the UK Addendum is incorporated by reference into and forms part of this Addendum. The UK Addendum is deemed completed as follows: Table 1 (Parties) is completed with the information set forth in Exhibit B; the Start Date is the effective date of this Addendum or, if later, the effective date of the Agreement; Table 2 is completed by selecting the relevant EU SCCs as incorporated by this Addendum; Table 3 is completed with the information in Exhibit B and Exhibit C; and Table 4 provides that either party may end the UK Addendum in accordance with Section 19 of the UK Addendum.

For Restricted Transfers subject to Swiss data protection law, the EU SCCs will apply with the following modifications, to the extent required: references in the EU SCCs to the GDPR will be interpreted to include the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinances; the Federal Data Protection and Information Commissioner will be the competent authority where the Restricted Transfer is governed by Swiss data protection law; and references to "Member State" in the EU SCCs will not be interpreted in a manner that prevents Data Subjects in Switzerland from exercising their rights or bringing claims in Switzerland in accordance with the EU SCCs.

If Backstory receives a binding request from a public authority for disclosure of Personal Data, Backstory will, to the extent legally permitted, notify Customer, challenge or narrow the request where reasonably appropriate, and disclose only the minimum amount of Personal Data required.

Rights of Data Subjects

If Backstory receives a request from a Data Subject relating to Personal Data Processed on Customer's behalf, Backstory will, to the extent legally permitted, notify Customer and direct the Data Subject to Customer. Taking into account the nature of the Processing, Backstory will provide reasonable assistance to Customer in responding to Data Subject requests, to the extent Customer cannot reasonably address the request through the Services.

Taking into account the nature of the Processing and the information available to Backstory, Backstory will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with Supervisory Authorities, records of Processing, and other obligations under Data Protection Laws that are applicable to Customer as Controller or Processor. To the extent legally permitted, Customer will reimburse Backstory for reasonable documented costs incurred for assistance that is materially beyond the standard functionality of the Services or Backstory's ordinary obligations under applicable Data Protection Laws.

Actions and Access Requests; Audits

Upon Customer's written request and subject to reasonable confidentiality restrictions, Backstory will make available information reasonably necessary to demonstrate compliance with this Addendum, including relevant audit reports or certifications. If those materials are insufficient under applicable Data Protection Laws, Backstory will permit an audit or inspection by Customer or Customer's independent third-party auditor, provided that the audit: (a) is conducted on reasonable advance written notice; (b) occurs no more than once in any twelve (12) month period unless required by a competent Supervisory Authority or following a confirmed Personal Data Breach; (c) is conducted during normal business hours in a manner that minimizes disruption to Backstory's operations; and (d) is limited to systems, facilities, and records relevant to Customer's Personal Data. Customer will bear its own costs and reimburse Backstory for reasonable costs directly incurred in connection with any audit not satisfied by documentation already provided.

Personal Data Breach

Backstory will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data Processed on Customer's behalf.

Backstory will take reasonable steps to contain, investigate, mitigate, and remediate the effects of a Personal Data Breach, to the extent the remediation is within Backstory's reasonable control.

Taking into account the nature of the Processing and the information available to Backstory, Backstory will provide Customer with reasonable cooperation and information necessary for Customer to comply with applicable breach notification obligations.

Backstory's notification or response under this section is not an acknowledgment of fault or liability.

Return and Deletion

Upon expiration or termination of the Services, Backstory will, at Customer's choice and subject to the Agreement, delete or return Personal Data, unless applicable law requires continued retention. Backstory may retain Personal Data in routine backup systems until deletion occurs in the ordinary course, provided such retained data remains protected in accordance with this Addendum and is not otherwise actively Processed except as required by law.

If return or deletion is impracticable or prohibited by applicable law, Backstory will continue to protect the retained Personal Data in accordance with this Addendum and will limit any further Processing to what is required by applicable law. Information that has been de-identified or aggregated such that it no longer constitutes Personal Data may be retained and used in accordance with the Agreement and applicable law.

Backstory will provide a certification of deletion upon Customer's written request to the extent required by applicable Data Protection Laws or an applicable transfer mechanism.

Company's Role as a Controller

The parties acknowledge and agree that, with respect to Customer Account Data and Customer Usage Data, Backstory is an independent Controller and not a joint Controller with Customer.

Backstory may Process Customer Account Data and Customer Usage Data as a Controller: (i) to manage the parties' relationship; (ii) for billing, accounting, audit, tax, and compliance purposes; (iii) to monitor, investigate, prevent, and detect fraud, security incidents, misuse of the Services, and other harmful or unlawful activity; (iv) for identity verification and access management; (v) to provide, optimize, secure, and maintain the Services; and (vi) as otherwise permitted by applicable Data Protection Laws.

Backstory will Process Customer Account Data and Customer Usage Data in accordance with its privacy policy available at https://www.backstory.ai/privacy.

Priority; Liability; and Supersession

If there is a conflict between this Addendum and the Agreement, this Addendum will control with respect to the Processing of Personal Data, privacy, data protection, and information security matters. If there is a conflict between this Addendum and the EU SCCs or the UK Addendum, the EU SCCs or the UK Addendum, as applicable, will control solely to the extent required for the relevant Restricted Transfer.

Any claims brought in connection with this Addendum will be subject to the exclusions, limitations, and allocation of risk set forth in the Agreement, except to the extent prohibited by applicable Data Protection Laws or the EU SCCs or UK Addendum.

As of its effective date, this Addendum supersedes any prior data processing addendum, data transfer addendum, or standard contractual clauses amendment between the parties under the Agreement, solely with respect to the subject matter of this Addendum.

‍

Exhibit A

Details of Processing

Field	Details
Nature and Purpose of Processing	Backstory will Process Personal Data as necessary to provide, host, support, secure, maintain, improve, and modify the Services under the Agreement, including related analytics, troubleshooting, service improvement, and feature development activities expressly permitted by the Agreement, and in accordance with Customer's documented instructions set forth in the Agreement and this Addendum.
Duration of Processing	Backstory will Process Personal Data for the duration of the Agreement and any applicable Order Form, and thereafter only for so long as necessary to return or delete the Personal Data in accordance with the Return and Deletion section of this Addendum or as otherwise required by applicable law.
Categories of Data Subjects	Data Subjects may include Customer's prospects, customers, business partners, vendors, employees, contractors, representatives, and Customer's end users, in each case to the extent their Personal Data is included in Customer Data.
Categories of Personal Data	Categories of Personal Data may include identification and contact data; professional and employment information; communications, meeting, and activity data; CRM and account record data; device and usage data; and any other Personal Data included in Customer Data.
Sensitive Data or Special Categories of Data	None are intentionally required for the ordinary use of the Services. Customer will not provide special categories of Personal Data unless expressly agreed in writing and only to the extent permitted by applicable Data Protection Laws.

Exhibit B

The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK Addendum.

Data exporter(s):

Field	Details
Customer Name and Address	As it appears on the Services ordering document
Customer Contact	As it appears on the Services ordering document
Activities relevant to the data transferred under these Clauses	Receipt of the Services pursuant to the Agreement
Role	Controller and/or Processor, as applicable

Data importer(s):

Field	Details
Name	People.ai, Inc. d/b/a Backstory
Address	548 Market Street # 58279, San Francisco, CA, 94104-5401
Contact person's name, position and contact details	Backstory Privacy Team, privacy@backstory.ai
Activities relevant to the data transferred under these Clauses	Provision of the Services pursuant to the Agreement
Role	Processor and/or Sub-Processor; Controller where the Company's Role as a Controller section applies

Description of the Transfer:

Field	Details
Data Subjects	Data Subjects may include Customer's prospects, customers, business partners, vendors, employees, contractors, representatives, and Customer's end users, in each case to the extent their Personal Data is included in Customer Data.
Categories of Personal Data	Categories of Personal Data may include identification and contact data; professional and employment information; communications, meeting, and activity data; CRM and account record data; device and usage data; and any other Personal Data included in Customer Data.
Special Category Personal Data (if applicable)	None are intentionally required for the ordinary use of the Services. If Customer provides special category data, the parties will address it in writing and Process it only as permitted by applicable law.
Nature of the Processing	Provision, hosting, support, security, maintenance, improvement, and modification of the Services in accordance with the Agreement and this Addendum.
Purposes of Processing	Processing on behalf of Customer to provide the Services, perform Backstory's obligations under the Agreement and this Addendum, and support any Processing initiated by Users in their use of the Services.
Duration of Processing and Retention (or the criteria to determine such period)	For the term of the Agreement and any applicable Order Form, and thereafter for so long as necessary to return or delete the Personal Data in accordance with this Addendum or as otherwise required by applicable law.
Frequency of the transfer	Continuously during the term of the Agreement, as initiated by Customer's use of the Services.
Recipients of Personal Data transferred to the Data Importer	Backstory's current Authorized Sub-Processors, together with their processing activities and locations, are maintained at https://www.backstory.ai/product/sub-processors and are incorporated into this Exhibit B by reference.

Competent Supervisory Authority

The competent Supervisory Authority will be determined in accordance with Clause 13 of the EU SCCs.

List of Authorized Sub-Processors:

Entity Name	Sub-processing Activities	Entity Country
Amazon Web Services, Inc.	Cloud service provider	United States
APIHub, Inc. dba Clearbit	Processing operational customer data	United States
Databricks	Operations	United States
Microsoft Corporation	Azure generative AI Services	United States
Twillio, Inc. (Segment)	Processing operational customer data	United States
Functional Software, Inc. d/b/a Sentry	Processing operational customer data	United States
Snowflake, Inc.	Data analysis	United States
Sumo Logic, Inc.	Operations	United States
Amplitude, Inc.	Processing operational customer data	United States
Peaberry Software Inc. dba Customer.io	Processing operational customer data	United States
Intercom, Inc.	Processing operational customer data	United States
Crowdstrike, Inc.	Operations	United States
Salesforce, Inc.	Processing operational customer data	United States

Exhibit C - Description of the Technical and Organisational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Appendix 2 of the UK Addendum.

Technical and Organizational Security Measure	Details
Measures of pseudonymisation and encryption of personal data	All Personal Data in transit between the Services and Customer interfaces is encrypted using TLS 1.2 or higher. Backstory encrypts Personal Data at rest using at least AES-256-bit key length encryption.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	The Services are deployed on a distributed and scalable third-party hosting provider (for example, AWS). Service availability and status updates, including historical information, are made available at https://status.people.ai/. Backstory maintains business continuity and disaster recovery programs that are regularly reviewed and tested.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Backstory backs up system configurations at least daily so that updates can be rolled back to a previously stable state. In the event restoration from backups is required, Backstory restores systems to the last known stable version and re-ingests Customer Data from Customer's third-party systems where applicable.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	Backstory maintains an information security program aligned to recognized industry frameworks, including NIST and ISO. Backstory engages external auditors at least annually for certifications and assessments, including SOC 2 Type II and ISO 27001-related audits, conducts internal security assessments at least annually, and performs annual independent penetration testing of the production environment.
Measures for user identification and authorization	Backstory maintains centralized authentication and authorization services supporting single sign-on (SSO) and multi-factor authentication (MFA). Access is granted based on role and least privilege, and access entitlements are reviewed regularly.
Measures for the protection of data during transmission	Network connections across public networks are encrypted using TLS 1.2 or higher.
Measures for the protection of data during storage	Backstory uses AES-256-bit encryption or greater for data at rest. Access to data stores is role-based, limited to approved use cases, and reviewed regularly.
Measures for ensuring physical security of locations at which personal data are processed	Backstory relies on the physical security protections provided by its third-party hosting providers. Information regarding AWS physical security practices is generally available at https://aws.amazon.com/security.
Measures for ensuring events logging	Backstory maintains logging and monitoring in the production environment, including logging of user actions where appropriate. Logs are centralized, access is role-based, and alerts for unexpected or unusual behavior are routed to the information security team for review and investigation.
Measures for ensuring system configuration, including default configuration	Backstory establishes baseline configurations for systems and services within the production environment. These configurations are required for new systems and are reviewed and updated as needed to meet security requirements.
Measures for internal IT and IT security governance and management	Backstory's information security management program is reviewed through regular governance processes, including review of security metrics, access entitlement reviews, threat intelligence, incidents, vulnerabilities, risks, and remediation activities.
Measures for certification/assurance of processes and products	Backstory maintains certifications and assessments for its information security program, including SOC 2 Type II, ISO 27001, ISO 27701, ISO 27017, and CSA STAR, and completes additional security assessments, such as penetration testing, on a recurring basis.
Measures for ensuring data minimisation	Backstory incorporates data minimization into its design and review processes. New uses of data are reviewed against data minimization requirements before release.
Measures for ensuring data quality	Backstory Processes Customer Data supplied by Customer. Customer is responsible for the accuracy of Customer Data provided to Backstory, and Backstory maintains controls intended to support integrity and consistency of data within the Services.
Measures for ensuring limited data retention	Backstory retains Personal Data in accordance with the Agreement, this Addendum, applicable law, and Backstory's documented retention and deletion practices.
Measures for ensuring accountability	Backstory requires employees to sign confidentiality obligations, acknowledge applicable security policies, and complete security awareness training at least annually and upon material policy changes.
Measures for allowing data portability and ensuring erasure	Backstory supports export, return, and deletion of Customer Data in accordance with the Agreement and this Addendum and implements procedures intended to ensure deletion when required.