Specific privacy and security policies when using our AI-supported services

1 Use and Nondisclosure. “Confidential Information” means any business, technical or financial information, materials, or other subject matter disclosed by one party (“Discloser”) to the other party (“Recipient”) that is identified as confidential at the time of disclosure or should be reasonably understood by Recipient to be confidential under the circumstances. For the avoidance of doubt, Confidential Information includes our Customer Content. Recipient agrees it will: (a) only use Discloser’s Confidential Information to exercise its rights and fulfill its obligations under this Agreement, (b) take reasonable measures to protect the Confidential Information, and (c) not disclose the Confidential Information to any third party except as expressly permitted in this Agreement.

2 Exceptions. The obligations in Section 1 do not apply to any information that (a) is or becomes generally available to the public through no fault of Recipient, (b) was in Recipient’s possession or known by it prior to receipt from Discloser, (c) was rightfully disclosed to Recipient without restriction by a third party, or (d) was independently developed without use of Discloser’s Confidential Information. Recipient may disclose Confidential Information only to its employees, contractors, and agents who have a need to know and who are bound by confidentiality obligations at least as restrictive as those of this Agreement. Recipient will be responsible for any breach of this Section 4 by its employees, contractors, and agents. Recipient may disclose Confidential Information to the extent required by law, provided that Recipient uses reasonable efforts to notify Discloser in advance.

1 Our Security Program. We will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) protect the Services and Customer Content against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access, and (c) minimize security risks, including through regular risk assessments and testing. 

2 Our Security Obligations. As part of our information security program, we will: (a) implement and enforce policies related to electronic, network, and physical monitoring and data storage, transfer, and access; (b) deploy production infrastructure behind VPNs where possible; (c) require multi-factor authentication for employees; (d) configure network security, firewalls, accounts, and resources for least-privilege access; (e) maintain a logging and incident response process; (f) maintain corrective action plans to respond to potential security threats; and (g) conduct periodic reviews of our security and the adequacy of our information security program as aligned to industry best practices and our own policies and procedures.

1 Personal Data. When we use the Services to process personal data, we provide to our Customer  (a) legally adequate privacy notices and obtain necessary consents for the processing of personal data by the Services, (b) process personal data in accordance with applicable law, and (c) if processing “personal data” or “Personal Information” as defined under applicable data protection laws, execute our Privacy Policy.

2 HIPAA. We agree not to use the Services to create, receive, maintain, transmit, or otherwise process any information that includes or constitutes “Protected Health Information”, as defined under the HIPAA Privacy Rule (45 C.F.R. Section 160.103).