Skypoint logo

SKYPOINT AI PLATFORM MASTER SERVICES AGREEMENT

This Skypoint AI Platform (AIP) Master Services Agreement (“Agreement”) is entered into by and between Skypoint Cloud Inc., a Delaware corporation (“Skypoint”), with a place of business at 500 SW 116th Ave, 4th Floor, Suite 152, Portland, OR 97225, and the entity identified as “Customer” (“Customer”). Skypoint and Customer are referred to jointly as the “parties,” and individually as a “party.”

RECITALS

WHEREAS, Customer seeks to access certain Services to meet its information technology needs; and WHEREAS, Skypoint desires to provide such Services to Customer in accordance with the terms and conditions of this Agreement;
NOW, THEREFORE, in consideration of the mutual covenants and promises herein, and for other valuable consideration, the receipt and sufficiency of which are acknowledged, the parties agree as follows:

1. SERVICES

1.1 Purpose

This Agreement governs the terms under which Skypoint will provide:
  1. Subscription Services – hosted “software as a service” enabling access to certain software applications (each, a “Platform,” along with any related documentation, programming, and user interfaces). These Subscription Services are further defined in each Order Form.
  2. Professional Services (also referred to as “Forward Deployed Engineering”), including but not limited to implementation, customization, integration, data import/export, monitoring, technical support, maintenance, training, backup/recovery, and change management. Such Professional Services relate to Customer’s use of the Subscription Services and each Platform. These services are further described in each Statement of Work or Work Order.
An Order Form and a Statement of Work or Work Order may be collectively referred to as a “Statement of Services.”

1.2 The Services; Access and Use License

During the Term, and subject to the terms of this Agreement:
  • 1. Skypoint will use commercially reasonable efforts to provide Customer with the Professional Services described herein.
  • 2. Skypoint grants Customer and its Authorized Users a worldwide, non-exclusive, non-sublicensable, nontransferable license to access and use the Platform solely for Customer’s internal business purposes.

1.3 Subscription Services

Each Order Form will specify and describe the Subscription Services (including applicable user limitations, fees, subscription term, etc.) to be delivered in accordance with the warranties stated herein. In the event of any conflict between this Agreement and an Order Form, the terms of this Agreement control.

1.4 Professional Services

Each Statement of Work will specify and describe the Professional Services (including milestones, fees, term, etc.) to be delivered in accordance with the warranties stated herein. In the event of any conflict between this Agreement and a Statement of Work, the terms of this Agreement control.

1.5 Changes to the Platform

Skypoint may modify any Platform at its discretion to (a) maintain or enhance the quality, delivery, performance, or competitiveness of its products or services, or (b) comply with applicable law. Such modifications and changes remain subject to the license granted in this Section. Skypoint will endeavor to notify Customer in advance of material changes that may disrupt the Platform.

1.6 AI Agents, Agentic Applications, and Use

The Platform includes, and may in the future include, various AI agents and agentic applications (collectively, “AI Agents”) developed by Skypoint, including but not limited to agents providing documentation assistance, automation, and clinical decision support. Performance will necessarily change as underlying models and training data evolve. Any such AI Agents are provided to assist Customer’s users (“Authorized Users”) with administrative, workflow, or clinical tasks, and are not intended to replace the independent clinical judgment or decision-making of licensed professionals. AI Outputs may be inaccurate, incomplete, or time-sensitive. Customer must independently verify all Outputs before use. Customer bears sole responsibility for determining regulatory classification (including, but not limited to, FDA, HIPAA, state privacy) that may apply to any use case.

2. PLATFORM ACCESS AND AUTHORIZED USERS

2.1 Administrative Users

During the Platform setup process, Customer will designate an administrative owner for its tenant.

2.2 Authorized Users

  • Customer may permit the number of its employees and/or independent contractors specified on an Order Form (“Customer Users”) to use the Platform on Customer’s behalf.
  • If a Platform allows, Customer may also permit a certain number of designated third parties (“Vendor Users,” and collectively with Customer Users, “Authorized Users”) to access the Platform in connection with their activities for Customer.
  • Authorized User subscriptions are assigned to specific individuals and cannot be used by more than one person but may be reassigned to new Authorized Users who replace former Authorized Users no longer needing access.

2.3 Authorized User Conditions

Each Authorized User must agree to abide by this Agreement as a condition of accessing the Platform. Customer is responsible for ensuring compliance by all Authorized Users and must promptly notify Skypoint of any known or suspected breach by an Authorized User. Customer is liable for any breaches of this Agreement by its Authorized Users.

2.4 Account Responsibility

Customer is responsible for (i) ensuring both it and its Authorized Users use the Subscription Services and Platform in compliance with this Agreement, and (ii) securing its Skypoint account credentials and files. Skypoint will, however, require each Authorized User to set up Single Sign-On and Multi-Factor Authentication before using the Platform.

3. ADDITIONAL RESTRICTIONS AND RESPONSIBILITIES

3.1 Software Restrictions

Customer shall not (nor allow or encourage any third party to):
  1. Reverse engineer, decompile, or otherwise discover or derive source code, object code, or underlying structure, ideas, or algorithms related to the Platform or any related software (“Software”).
  2. Modify, translate, or create derivative works based on the Platform or Software.
  3. Use the Platform or Software for timesharing or service bureau purposes.
  4. Remove or obscure any proprietary notices.
  5. Use the Software or Platform to develop or sell a product that competes with the Software or Platform.
For clarity, Software and the Services constitute Skypoint’s Confidential Information, and are subject to Section 5 below.

3.2 Customer Compliance

Customer and its Authorized Users must use the Platform, Software, and Services in full compliance with this Agreement and all applicable laws, including those pertaining to privacy and security of protected or confidential information. Skypoint may suspend Customer’s account if Customer violates this Agreement, provided Skypoint uses commercially reasonable efforts to notify Customer and allow time to cure prior to suspension. Skypoint reserves the right to monitor Customer’s use of the Platform without being obligated to do so.

3.3 Cooperation

Customer agrees to cooperate and assist as reasonably requested by Skypoint so Skypoint can fulfill its obligations under this Agreement, including giving Skypoint reasonable access to Customer’s premises and IT infrastructure as needed.

3.4 Training and Education

Customer will use commercially reasonable efforts to ensure its Authorized Users are adequately trained to use the Platform and will ensure each Platform is used in compliance with this Agreement.

3.5 Customer Systems

Customer is responsible for maintaining the functionality and security of all equipment and ancillary services it owns or licenses (e.g., hardware, servers, operating systems, networking) that connect to or facilitate Customer’s use of the Platform.

3.6 Export Restrictions

Customer shall not remove or export any Software or Platform-related materials in violation of U.S. or foreign law.

3.7 DFARS

The Software, Platform, Services, and any related documentation are “commercial computer software” and “commercial computer software documentation” as defined by the Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR). Any use, modification, or disclosure by the U.S. Government is governed solely by the terms of this Agreement.

3.8 Clinical Decision Support and Human Oversight

(a) Customer acknowledges and agrees that all AI Agents, including those that provide clinical decision support or documentation suggestions, are intended solely as tools to assist qualified healthcare professionals.

 (b) The Platform and AI Agents do not independently diagnose, treat, or make final clinical decisions. All clinical content, recommendations, and outputs are for informational purposes only and require review, validation, and final approval by a licensed healthcare provider.

(c) Authorized Users are responsible for reviewing and verifying the accuracy of any AI-generated content before including it in any clinical documentation, order, or workflow.

(d) Skypoint provides prominent warnings and user interface notifications requiring end users to review, edit, and attest to the accuracy of any documentation or recommendation generated by the Platform or AI Agents.

(e) Customer shall implement written policies, audit logging, and periodic human review to ensure safe and compliant use of AI Agents.

(f) Customer shall not use AI Agents for life-critical or legally determinative decisions without Skypoint’s prior written consent.

Violations of this Section 3.8 are subject to the indemnity in Section 10.3 and the liability cap in Section 11.

4. SUPPORT SERVICES

Skypoint will provide support in accordance with the Service Level Agreement (the “SLA”) incorporated herein by reference.

5. CONFIDENTIALITY

5.1 Confidential Information

Each party, as a Receiving Party, may gain access to the other party’s (the Disclosing Party’s) business, technical, or financial information that is confidential (“Confidential Information”). Skypoint’s Confidential Information includes non-public information about the Platform and Software, while Customer’s Confidential Information includes non-public data that Customer provides or that is stored via the Platform (“Customer Data”). The terms and conditions of this Agreement, including pricing, are Skypoint’s Confidential Information.

5.2 Exceptions

Confidential Information does not include information that the Receiving Party can document:
  • 1. Is or becomes publicly available without breach of any obligation hereunder.
  • 2. Was already lawfully known to the Receiving Party without restriction.
  • 3. Was disclosed to the Receiving Party without confidentiality obligations by a third party with the lawful right to do so.
  • 4. Was independently developed without using or referencing the Disclosing Party’s Confidential Information.

5.3 Non-Use and Non-Disclosure

The Receiving Party agrees to:
  • 1. Exercise the same degree of care to protect the Disclosing Party’s Confidential Information as it uses for its own similar information, and not less than a reasonable degree of care.
  • 2. Keep such Confidential Information confidential and not use, sell, reproduce, transfer, or disclose it to any third party except (i) to employees, legal or financial advisors, or contractors who have a need to know and are bound by confidentiality obligations at least as stringent as those herein, or (ii) as otherwise authorized by this Agreement.
  • 3. Not use the Disclosing Party’s Confidential Information for any purpose other than to perform this Agreement or as otherwise permitted under this Agreement.

5.4 Compelled Disclosure

If the Receiving Party is required by law or court order to disclose Confidential Information, it must give prompt written notice (unless legally prohibited) and use reasonable efforts to secure confidential treatment of such information.

5.5 Protection of Customer Data

Both parties will comply with the Data Processing Addendum (the “DPA”) attached as Exhibit A, which is incorporated by reference.

5.6 Remedies

The Receiving Party acknowledges that a breach of confidentiality may cause irreparable harm to the Disclosing Party not fully compensable by monetary damages. Accordingly, the Disclosing Party is entitled to seek injunctive relief, without posting bond or proving actual damages, in addition to any other available remedies.

5.7 AI Liability and Future Agents

This Agreement applies to all current and future AI Agents and agentic applications made available by Skypoint through the Platform, including agents developed or deployed after the Effective Date. Skypoint may update or enhance AI Agents at its sole discretion, provided such enhancements remain subject to the user responsibilities, disclaimers, and limitations of liability set forth herein. Skypoint may modify, suspend, or decommission any AI Agent at any time without liability. All future AI Agents remain subject to the liability cap and disclaimers in Section 9 and Section 11, regardless of when released.

5.8 Third-Party Components.

The Platform and AI Agents may incorporate or interoperate with third-party software, models, or content. SKYPOINT DISCLAIMS ALL LIABILITY FOR, AND MAKES NO WARRANTIES WITH RESPECT TO, SUCH THIRD-PARTY COMPONENTS

6. PROPRIETARY RIGHTS

6.1 Ownership

Customer Data. Customer retains all rights, title, and interest in its Customer Data.

Skypoint Intellectual Property (IP). Skypoint owns and retains all rights, title, and interest in and to:

  • 1. The Platform, Software, and Services, including all improvements or modifications.
  • 2. Any technology developed in connection with providing the Services; and
  • 3. All intellectual property rights in or related to any of the foregoing (collectively, “Services IP”).

If Customer acquires any right, title, or interest in the Services IP, Customer assigns all such rights to Skypoint.

6.2 Customer Data License

Customer grants Skypoint a non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free license to use Customer Data solely to provide the Services to Customer. Skypoint may create and use Aggregated Data that does not identify Customer or any individual, for any lawful purpose. Aggregated Data remains Skypoint’s exclusive property. Although the Platform may perform some data backup functions, Customer should maintain its own backups. Upon the expiration or termination of this Agreement, Customer will no longer have access to Customer Data via Skypoint or the Platform.

6.3 No Other Rights

No rights or licenses are granted under this Agreement other than those expressly stated.

7. FEES & PAYMENT

7.1 Fees

Customer will pay Skypoint the fees set forth in each applicable Statement of Services (“Fees”) in accordance with the payment terms therein. Fees may include charges for usage in excess of any specified capacity.

7.2 Renewal Fees

Sixty (60) days prior to the end of a current subscription term, Skypoint will provide Customer with a renewal notice specifying the renewal term and associated fees. If Customer confirms the renewal, Skypoint will issue an Order Form for signature. Upon execution, Skypoint will invoice Customer for the renewal fee, payable within thirty (30) days. Unless otherwise specified in an Order Form, each “Renewal Fee” equals the Service Fee or the previous Renewal Fee, possibly prorated or adjusted as mutually agreed and described on the Order Form.

7.3 Reimbursable Expenses

If applicable, Customer will reimburse Skypoint for any reasonable, pre-approved out-of-pocket expenses incurred by Skypoint while performing Professional Services.

7.4 Payment

Skypoint will invoice Customer for Fees. Undisputed invoice amounts are due within thirty (30) days of invoice receipt (unless otherwise stated in the Order Form). Late payments on undisputed amounts accrue interest at 1.5% per month or the highest rate permitted by law, whichever is lower. Skypoint may suspend Services for unpaid, undisputed invoices not cured within ten (10) days of providing notice.

7.5 Payment Disputes

If Customer believes it has been incorrectly billed, it must contact Skypoint within thirty (30) days of the first billing statement that includes the error. Customer should contact Skypoint’s customer support or its account manager for resolution.

7.6 Taxes

Customer is responsible for all taxes associated with Skypoint’s provision of Services, except for Skypoint’s income or capital taxes.

7.7 No Deductions or Setoffs

All payments owed to Skypoint under this Agreement must be made in full, without any setoff or deduction unless require by applicable law.

8. TERM AND TERMINATION

8.1 Term

This Agreement remains in effect as long as any Statement of Services is active, unless terminated earlier in accordance with this Agreement (“Term”). Each Statement of Services begins on its “Services Effective Date” and continues for the stated “Service Term.”
  • Each Order Form will renew upon mutual agreement (reached no later than thirty (30) days prior to expiration of the then-current term) for an additional (i) one (1) year if the original term is one (1) year or longer, or (ii) a term equal to the original Service Term if it was shorter than one (1) year (each a “Renewal Term”).

8.2 Termination

  • Skypoint may terminate this Agreement upon written notice if there are no active Statements of Services.
  • Either party may terminate this Agreement if the other party fails to pay any undisputed amount when due and does not cure such failure within ten (10) days, or otherwise materially breaches this Agreement and fails to cure within thirty (30) days after written notice.

8.3 Effect of Termination

Upon termination of the Agreement, all Statements of Services end, and Customer must immediately stop using and accessing the Subscription Services. Skypoint ceases providing Professional Services. If Skypoint terminates for Customer’s non-payment or material breach, all Fees for Services rendered through the termination date become immediately due.

8.4 Survival

Sections 3.1, 5, 6, 7 (to the extent any fees remain unpaid), 8.4, and 10–18 survive termination or expiration, while all other rights and obligations cease.

9. WARRANTY AND DISCLAIMER

9.1 Warranties

  • Skypoint warrants it will provide the Professional Services in a professional and workmanlike manner.
  • Each party represents it has the legal authority to enter this Agreement.
  • Customer warrants it owns or has the necessary rights and consents to use and provide all Customer Data used through the Services.
  •  

9.2 Specially Protected Data

Unless agreed upon in writing, Customer will not provide Skypoint with any data subject to heightened legal protections (e.g., Social Security numbers, credit or debit card numbers, protected health information, or similar). Customer agrees not to include such data in Customer Data unless specifically addressed in writing, including compliance requirements under HIPAA, HITECH, FCRA, GLBA, COPPA, etc.

9.3 Compliance with Data Privacy and Security Laws

If Customer Data or use of the Platform involves Specially Protected Data and is thus subject to relevant data privacy laws, the parties will execute any required Data Privacy and Security Addendum. Skypoint makes no representations or warranties of compliance with such data privacy laws in the absence of a separate, written addendum.

9.4 Disclaimer

EXCEPT AS EXPRESSLY STATED HEREIN OR IN A STATEMENT OF SERVICES, SKYPOINT DOES NOT WARRANT THAT ACCESS TO OR USE OF THE PLATFORMS, SOFTWARE, OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, NOR DOES IT WARRANT ANY SPECIFIC RESULTS FROM THEIR USE. SKYPOINT MAKES NO WARRANTY REGARDING SERVICES PROVIDED BY THIRD-PARTY TECHNOLOGY PROVIDERS. EXCEPT AS SET FORTH HEREIN, THE PLATFORM, SOFTWARE, AND SERVICES ARE PROVIDED “AS IS.” TO THE FULLEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, EACH PARTY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

9.4 AI Disclaimer

THE PLATFORM AND ALL AI AGENTS ARE PROVIDED “AS IS,” “AS AVAILABLE,” AND WITHOUT WARRANTY OF ANY KIND. SKYPOINT DISCLAIMS ALL WARRANTIES—EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE—INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ACCURACY OR RELIABILITY OF OUTPUTS. THE PLATFORM IS NOT A MEDICAL DEVICE AND HAS NOT BEEN CLEARED OR APPROVED BY THE U.S. FDA OR ANY OTHER REGULATOR.

10. INDEMNITY

10.1 Indemnification by Skypoint

Skypoint will defend Customer and its affiliates (and their directors, officers, agents, and employees) from any third-party claims alleging that (a) the Services or their authorized use infringe another party’s intellectual property rights, or (b) Skypoint has breached this Agreement. Skypoint will indemnify Customer for any related damages, losses, or costs (including reasonable attorney fees) awarded in connection with or paid in settlement of such a claim. This indemnity does not apply if the alleged infringement arises from:
  • 1. Components not provided by Skypoint.
  • 2. Customer specifications.
  • 3. Modifications by Customer after delivery by Skypoint.
  • 4. Combination with other products not furnished by Skypoint.
  • 5. Customer continuing allegedly infringing activity after being provided modifications or corrections that would have avoided the infringement.
  • 6. Use of Services not in strict compliance with this Agreement.
If a court of competent jurisdiction holds the Platform to be infringing, or if Skypoint reasonably believes it to be infringing, Skypoint may: (a) modify or replace the Platform with a non-infringing version of similar or improved functionality, (b) obtain a license for Customer to continue using the Platform, or (c) terminate this Agreement and refund Customer any prepaid fees for the remaining subscription period. The remedies under this Section 10.1 are Customer’s exclusive remedies for infringement claims.

10.2 Clinical Responsibility; Indemnification

(a) Customer acknowledges that it and its Authorized Users are solely responsible for

(i) reviewing, validating, and approving all AI-generated outputs prior to use;

(ii) ensuring that every use of the Platform or an AI Agent complies with applicable laws, regulations, and professional-practice standards; and

(iii) implementing and maintaining written policies, audit logging, and appropriate human oversight commensurate with the intended use.

(b) To the fullest extent permitted by law, Customer shall defend, indemnify, and hold harmless Skypoint, its Affiliates, and their respective officers, directors, employees, agents, and licensors (collectively, “Skypoint Indemnitees”) from and against any and all claims, demands, actions, investigations, liabilities, damages, judgments, settlements, penalties, fines, losses, costs, and expenses (including reasonable attorneys’ fees and costs of investigation) arising out of or related to:

(i) Customer’s or any Authorized User’s use or misuse of the Platform, an AI Agent, or any AI-generated output;

(ii) any failure to provide the human review or oversight required under this Agreement;

(iii) Customer Data, prompts, or instructions supplied to the Platform or an AI Agent;

(iv) Customer’s or any Authorized User’s violation of law or regulation, including without limitation privacy, security, export-control, intellectual-property, or healthcare laws; or

(v) allegations that an AI-generated output infringes, misappropriates, or otherwise violates a third-party right where such allegation results from Customer’s prompts, data, or use case.

(c) Customer’s obligations under this Section 10.3 survive any expiration or termination of this Agreement and are not subject to any limitation or exclusion of liability set forth in Section 11.

11. LIMITATION OF LIABILITY

EXCEPT IN CONNECTION WITH EITHER PARTY’S INDEMNIFICATION OBLIGATIONS OR A BREACH OF SECTION 5 (“CONFIDENTIALITY”):
  • 1. NEITHER PARTY’S AGGREGATE LIABILITY UNDER THIS AGREEMENT, WHETHER IN CONTRACT, TORT, OR OTHERWISE, WILL EXCEED THE TOTAL FEES PAID OR OWED BY CUSTOMER DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
  • 2. NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUE, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
FOR CLAIMS REGARDING EITHER PARTY’S INDEMNIFICATION OBLIGATIONS OR BREACH OF CONFIDENTIALITY, THE MAXIMUM AGGREGATE LIABILITY WILL NOT EXCEED THE TOTAL FEES PAID OR OWED BY CUSTOMER DURING THE THIRTY-SIX (36) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. THESE LIMITATIONS APPLY TO THE MAXIMUM EXTENT PERMITTED BY LAW.

12. GOVERNING LAW AND DISPUTE RESOLUTION

This Agreement is governed by the laws of the State of Oregon, without regard to conflict-of-laws rules. The Uniform Computer Information Transactions Act and the United Nations Convention on Contracts for the International Sale of Goods do not apply. Any dispute arising out of or relating to this Agreement will be resolved exclusively by binding arbitration under the Commercial Arbitration Rules of the American Arbitration Association (“AAA”), with one arbitrator knowledgeable in government contracting and “software as a service” arrangements. The arbitration will be in Portland, Oregon. Unless otherwise agreed, each party will bear its own costs and attorney fees and share equally in arbitrator and AAA fees. The arbitrator’s decision is final and may be enforced in any court of competent jurisdiction.

13. SECURITY

Skypoint is HITRUST r2 and SOC 2 Type 2 certified; however, security certifications are subject to change without notice. The Platform may be hosted or maintained using Microsoft Azure, Google Cloud Platform, Databricks, or other third-party cloud service providers. Skypoint adheres to the security measures offered by these providers and cannot implement additional or alternative security controls beyond those they provide.

14. PUBLICITY

Customer agrees that Skypoint may identify Customer as a user of the Services and use Customer’s logo in Skypoint’s promotional materials, subject to Customer’s prior written approval for each such use. Each party may disclose the existence and key terms of this Agreement in connection with financings, mergers, reorganizations, or similar transactions.

15. NOTICES

All notices under or regarding this Agreement shall be in writing and addressed to the parties’ respective addresses as provided on an Order Form. Notices are deemed received on the date actually received. Either party may update its notice address by providing written notice to the other in accordance with this Section.

16. FORCE MAJEURE

Neither party is liable for delays or failures in performance resulting from acts beyond its reasonable control, including acts of God, war, terrorism, riots, fires, floods, power outages, strikes, or changes in law. The affected party will promptly notify the other party, giving full details, and use commercially reasonable efforts to mitigate the impact.

17. ASSIGNMENT

Neither party may assign this Agreement without the other’s prior written consent, except that no consent is required for an assignment to an affiliate or in connection with a merger, reorganization, consolidation, or sale of assets. Skypoint may sublicense its obligations with Customer’s prior written consent. Use of third-party technology or hosting providers does not constitute a sublicense under this Agreement.

18. GENERAL PROVISIONS

If any provision of this Agreement is deemed unenforceable, it shall be limited to the extent necessary for the Agreement to remain otherwise in full force. This Agreement, together with any Statement of Services and exhibits, is the complete and exclusive statement of the parties’ understanding, superseding all prior agreements and communications regarding its subject matter. All amendments or waivers must be in writing and signed by both parties. No partnership, agency, or joint venture is created by this Agreement, and neither party has authority to bind the other. Section headings are for reference only and do not affect interpretation. Terms such as “herein,” “hereof,” “hereto,” and “include” (and its variations) are construed without limitation.

EXHIBIT A

DATA PROCESSING ADDENDUM (“DPA”)

This DPA is incorporated into the Master SaaS and Services Agreement (“Master Agreement”) between CUSTOMER (“Customer”) and Skypoint Cloud Inc. (“Vendor”).

1. Definitions

Capitalized terms in this DPA that are not defined herein have the meanings ascribed in the Master Agreement. The following terms have the meanings set forth below:
  1. CCPA: California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.
  2. Data Protection Law: Any privacy, data protection, and security laws or regulations applicable to Personal Data processed under the Master Agreement (e.g., GDPR, CCPA).
  3. GDPR: Regulation (EU) 2016/679 on data protection and privacy.
  4. Personal Data: Any data deemed “personal data” or “personal information” under Data Protection Law that Vendor processes in connection with the Services.
  5. Security Breach: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  6. Services: The services provided under the Master Agreement.
References to “process” and “processor” follow the GDPR’s definitions; references to “sell” and “service provider” follow the CCPA’s definitions.

2. Data Processing and Protection

2.1 Vendor Responsibilities

  • Vendor will process Personal Data only in accordance with Customer’s documented instructions, including with respect to international transfers if applicable.
  • Vendor will comply with all applicable Data Protection Laws and will not use Personal Data for purposes beyond providing the Services under the Master Agreement.
  • Vendor will not sell Personal Data, nor retain, use, or disclose Personal Data outside of its direct business relationship with Customer. Vendor may process Personal Data to enhance or improve Vendor’s services, so long as it does not create individual profiles for use by any entity other than Customer.

2.2 Confidentiality

Vendor will treat all Personal Data as Customer’s Confidential Information and ensure employees and others processing the data are subject to written confidentiality obligations.

2.3 Security

Vendor will protect Personal Data as required by Data Protection Law and in accordance with Attachment 2 (Data Security Attachment).

2.4 Return or Disposal

Upon Customer’s request, or upon termination of the Master Agreement (unless required by law to retain), Vendor will return or securely delete Personal Data, including any existing copies.

3. Assistance

3.1 Data Subject Rights

Vendor will promptly inform Customer of any individual’s request to exercise data rights. Vendor will assist Customer, where possible, in responding to such requests.

3.2 Security Assistance

Vendor will cooperate with Customer to ensure Vendor’s compliance with required security measures, including audits under Section 4.

3.3 Data Protection Impact Assessments

Vendor will reasonably assist Customer in fulfilling obligations under GDPR Articles 35 and 36.

3.4 Security Breach Notification

  • Vendor will maintain and document an incident management procedure.
  • Vendor will notify Customer promptly upon becoming aware of a Security Breach.
  • Vendor will provide reasonable assistance to help Customer meet any regulator or data subject notification obligations under Data Protection Law.

4. Audits

Vendor will obtain and share results of an independent security review (e.g., SOC2 Type II or ISO 27001) at least annually. Vendor will also provide information needed to demonstrate compliance with this DPA and cooperate with audits conducted by Customer or its designated auditor (reasonably acceptable to Vendor) in accordance with the conditions stated.

5. Subprocessors

Customer authorizes Vendor to use subcontractors to process Personal Data. Vendor will ensure all Subprocessors are under data protection obligations at least as protective as this DPA. Vendor will remain liable for Subprocessors’ performance.

6. Data Transfers

If Personal Data originating in the EEA, UK, or Switzerland is transferred outside those areas, the parties will use the EU Standard Contractual Clauses or another lawful transfer mechanism. If there is a conflict between this DPA or the Master Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses control.

7. Vendor Indemnification

Vendor will defend, indemnify, and hold harmless Customer and its affiliates for any third-party claims or investigations (and associated damages, fines, fees, etc.) arising from Vendor’s breach of this DPA or Vendor’s negligence or willful misconduct with respect to Personal Data.

8. Miscellaneous

If there is any conflict between this DPA and the Master Agreement, this DPA prevails. Except as specifically modified, all terms of the Master Agreement remain in effect.

ATTACHMENT 1 – Scope of Processing

  • Subject Matter and Duration: Vendor processes Personal Data under the Master Agreement until termination, unless otherwise agreed in writing.
  • Nature and Purpose: Extract, Load, Transform, and Store Data in Customer-managed Azure Subscription Storage Resources.
  • Types of Personal Data: Personally Identifiable Information, Transactional Data, Behavioral Data.
  • Categories of Data Subjects: Not Applicable.
  • Special Categories of Data: None.

ATTACHMENT 2 – Data Security Attachment

  1. Program. Vendor will implement a written information security program with administrative, technical, and organizational safeguards.
  2. Access Controls. Vendor will follow the principle of least privilege, restrict and monitor access to Personal Data, and maintain account controls.
  3. Account Management. Vendor will manage creation, usage, and deletion of credentials securely.
  4. Information Security Management System (ISMS). Vendor will develop and maintain an ISMS addressing risk management, policy, asset management, access control, incident management, and business continuity.
  5. Security Architecture. Vendor will implement firewalls, intrusion detection, secure wireless configurations, secure time synchronization, and block unauthorized mobile code.
  6. Information Security Policy. Vendor will maintain a formal policy covering risk assessment, compliance, security standards, and responsibilities.
  7. Operations Management. Vendor will define and monitor network and infrastructure service levels, capacity planning, and quality assurance.
  8. Risk Management. Vendor will conduct regular risk assessments and update policies as needed.
  9. Vulnerability Management. Vendor will scan for vulnerabilities, log findings, prioritize remediation, and use patch management.
  10. Security Segmentation. Vendor will use firewalls, proxies, and intrusion detection to monitor and restrict data flows.
  11. Human Resources Security. Vendor will (subject to local laws) background-check employees, train them in security, and govern secure conduct.
  12. Data Governance. Vendor will maintain data retention, perform backups, and ensure secure disposal of media.
  13. Data Loss Prevention. Vendor will use industry-standard data loss prevention tools to protect data in transit, at rest, and in use.
  14. Technical Security. Vendor will encrypt Personal Data in storage and transit, protect encryption keys, deploy antivirus and patching measures, and restrict privileged access.
  15. Pseudonymization. Where feasible, Vendor will use pseudonymization to protect Personal Data.
  16. Secure Software Development and Maintenance. Vendor will develop or acquire software using secure practices (e.g., OWASP Top 10, code analysis, separation of production and development).
  17. Business Continuity Management. Vendor will implement disaster recovery and business continuity plans and test them regularly.
  18. PCI Compliance (if applicable). Vendor will comply with PCI DSS and relevant card brand rules, undergo required audits, and provide compliance reports.
  19. Physical Safeguards. Vendor will maintain secure physical access controls (e.g., 24/7 monitoring, trained security).
  20. Administrative Safeguards. Vendor will enforce appropriate security policies, provide security training, and apply consistent internal governance.
  21. Monitoring. Vendor will maintain audit logs of privileged access, review logs regularly, and restrict access to logging systems.

ATTACHMENT 3 – Service Level Agreement (SLA)

This SLA is part of the Master Agreement between Skypoint and Customer.
  1. Definitions
  • Monthly Uptime Percentage”: Percentage of time within a calendar month that the Services are “Available,” meaning operable via APIs or user interface.
  • Monthly Subscription Amount”: The subscription cost allocated monthly (excluding implementation or Additional Usage Fees).
  • Service Credit”: A credit against future invoices owed to Skypoint.
  • Delivery Network”: Content delivery network services that serve Libraries to Digital Properties.
  • Incident”: P1, P2, or P3 problem with the Service.
  • P1: Critical defect causing widespread outages, with no resolution by rolling back to a prior version.
  • P2: Material defect in which the Service is functioning, but a major component is unavailable with no workaround.
  • P3: Minor defect; the Service is functioning but with some non-critical error or bug.
  • Response Time”: The time from Skypoint’s awareness or notification by Customer of an Incident to when Skypoint acknowledges and assigns resources to resolve.
  • Resolution Time”: The time from the Response Time to the restoration of normal service.

2. Service Uptime Commitment

Skypoint will use commercially reasonable efforts to maintain a Monthly Uptime Percentage of at least 98%. If Skypoint does not meet this commitment, Customer may be entitled to a Service Credit.

3. Service Credits

Calculated as a percentage of the Monthly Subscription Amount for the affected Service:
  • <99% and ≥98.9% Uptime: 10% credit
  • <98.9% and ≥97.5% Uptime: 15% credit
  • <97.5% Uptime: 20% credit

4. Credit Request Procedure

Customer must email Skypoint at support@skypoint.ai or ticket using Help + Support in Skypoint Studio or Agent Experiences with a list of unavailability incidents, dates, and times, within ten (10) business days after the month of the alleged downtime. Skypoint must verify these incidents to award a Service Credit.

5. SLA Exclusions

The Service Commitment excludes unavailability caused by:
  • Circumstances beyond Skypoint’s control (e.g., 3rd party provider outage, Force Majeure, general internet issues).
  • Customer actions or inactions.
  • Customer’s or third-party equipment or software not under Skypoint’s direct control.
  • Suspension or termination due to Customer’s breach.
  • Scheduled downtime for maintenance and upgrades.

6. Chronic Outage Termination Right

If Uptime is below 90% for two consecutive months or any four months in a rolling 12-month period, Customer may terminate the affected Service Order and receive a refund of any prepaid amounts for the unused term.

7. Technical Response and Resolution Objectives

Severity

Description

Response Time

Resolution Time

P1

Critical defect (Service not functioning)

4 business hours

8 business hours

P2

Material defect (major function impaired)

8 business hours

5 business days

P3

Minor defect (non-critical bug/error)

1 business day

30 business days

 

8. Skypoint may downgrade severity if a workaround is found or if the issue is no longer reproducible.

9. A Root Cause Analysis (RCA) for P1 incidents is conducted within 48 hours of detection, and results are available within five (5) days of resolution.

10. Chat, Email, and Telephone Support

Support is available Monday through Friday, 8:00 AM to 5:00 PM PST (excluding holidays) via chat, email, or phone.

11. Skypoint Team

  • During initial deployment, Skypoint assigns a Forward Deployed Engineer.
  • After deployment, the Forward Deployed Engineer remains the primary liaison for both strategic and tactical issues.
  • Quarterly, the Forward Deployed Engineer will meet with Customer to discuss performance and improvements.