These Terms of Service ("Terms") govern access to and use of the website located at https://suchmuchai.com/, the application available at https://app.suchmuchai.com/, and the related software, APIs, dashboards, exports, support, and documentation we make available (collectively, the "Services"), provided by UAB Such Much AI, a private limited liability company incorporated in Lithuania, company code 306405204, registered address Bukčių g. 6-38, Vilnius, LT-04127 Vilniaus m. sav., Lithuania, VAT number LT100017966319 ("Such Much AI", "we", "us", "our"). Our Services are marketed under the brand Such Much AI.

By creating an Account, placing an order, signing an Order Form, clicking to accept these Terms, or otherwise accessing or using the Services, you agree to these Terms. If you use the Services on behalf of an organization, you represent and warrant that you have authority to bind that organization, and "Customer" includes that organization.

‍1. Definitions
‍1.1 "Account" means a registered profile used to access the Services.
1.2 "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.
1.3 "Customer" means the legal entity or other organization that enters into these Terms and/or an Order Form and, where relevant, its authorized users.
1.4 "Customer Data" means any data, text, files, documents, prompts, instructions, images, inputs, and other content submitted to the Services by or on behalf of Customer, including any personal data contained therein.
1.5 "Documentation" means the user guides, Instructions for Use, product descriptions, technical documentation, API documentation, onboarding materials, and other materials describing the intended use, operation, and limitations of the Services, made available by Such Much AI.
1.6 "DPA" means the data processing terms under Article 28 GDPR governing our processing of personal data within Customer Data.
1.7 "Order Form" means an ordering document, statement of work, procurement order, subscription confirmation, or other written or electronic ordering instrument referencing these Terms and specifying commercial terms such as plan, fees, credits, term, and Professional Services.
1.8 "Output" means any content generated, returned, suggested, transformed, or exported by the Services based on Customer Data and/or user instructions.
1.9 "Policies" means our then-current policies referenced by these Terms, including acceptable use, privacy, security, support, or similar policies, made available in the Services or on our websites.
1.10 "Professional Services" means consulting or services described in an applicable Order Form or statement of work, including custom templates, integrations, onboarding, training, workflow configuration, and related implementation services.
1.11 "Services" means our cloud-based software services for AI-enabled document generation and related functionality, including websites, applications, APIs, dashboards, exports, and Documentation, made available by us from time to time.

‍2. Intended Customer Type; B2B/B2G Positioning; Consumer Rights
‍2.1 Intended customer type. The Services are designed and offered primarily for business, professional, institutional, and public-sector use (B2B/B2G). We do not actively market paid plans as consumer services.
2.2 Business-use representation. By entering into these Terms or using paid Services, you represent that you act in the course of trade, business, profession, or public administration and that you have the authority to accept these Terms on behalf of your organization.
2.3 Consumer fallback. If you are a natural person acting outside your trade, business, profession, or public function, mandatory consumer-protection rules may apply, and certain provisions of these Terms may not apply to you to the extent prohibited by law. Nothing in these Terms limits rights that cannot be limited under mandatory law.

‍3. Order of Precedence
‍If there is a conflict, the following order of precedence applies, from highest to lowest:(a) the applicable Order Form or statement of work;  (b) the DPA, for data-protection matters only;  (c) these Terms;  (d) The Policies and Documentation.
‍4. Accounts; Access; Permitted Use
‍4.1 Accounts. Customer is responsible for all activity under its Accounts and for ensuring that its users comply with these Terms. Customer must keep credentials confidential and promptly notify us of any suspected unauthorized access or misuse.
4.2 Access right. Subject to these Terms and payment of applicable fees, we grant Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable right during the Term to access and use the Services for Customer’s internal lawful business or public administration purposes.
4.3 Eligibility and technical requirements. Customer is responsible for ensuring its users, devices, browsers, integrations, and systems meet the technical requirements reasonably specified in our Documentation.
4.4 Changes to the Services. We may modify, update, enhance, or discontinue parts of the Services from time to time. We will not materially reduce core paid functionality during a current subscription term except where required by law, security, third-party dependency changes, or to address misuse or risk.

‍5. Restrictions; Acceptable Use
‍5.1 Customer will not, and will not permit any third party to:
(a) reverse engineer, decompile, disassemble, or attempt to derive source code, underlying models, or non-public components of the Services, except to the extent such restriction is prohibited by mandatory law;
(b) bypass or circumvent usage limits, access restrictions, authentication measures, or security controls;
(c) use the Services to develop, train, benchmark for publication, or provide a competing product or service without our prior written consent;
(d) scrape, spider, crawl, or otherwise access the Services by automated means except as expressly permitted by us in writing or through documented APIs;
(e) introduce malware, harmful code, denial-of-service traffic, or any material that may disrupt, damage, or impair the Services or third-party systems;
(f) use the Services in violation of law, third-party rights, procurement rules, confidentiality obligations, or binding professional duties;
(g) use the Services for prohibited AI practices or unlawful manipulation, deception, discrimination, or rights-infringing content;
(h) use the Services to make fully automated decisions producing legal or similarly significant effects on natural persons without appropriate human review and without any legally required safeguards;
(i) submit special categories of personal data under Article 9 GDPR, criminal-offence data under Article 10 GDPR, classified information, or data subject to heightened professional secrecy obligations unless expressly agreed in writing and appropriate safeguards are in place;
(j) misrepresent Outputs as being reviewed, approved, or endorsed by a human expert if that is not true.
5.2 Service protection measures. We may apply technical controls, including rate limits, concurrency limits, storage limits, fair-use controls, anti-abuse measures, and fraud-prevention checks to protect the security, integrity, and stability of the Services.

‍6. AI-Specific Terms; Intended Purpose; Human Oversight
‍6.1 Nature of the Services. The Services use probabilistic machine-learning and software techniques to assist with drafting, transforming, organizing, and exporting content. Outputs may be incomplete, inaccurate, outdated, biased, or otherwise unsuitable without review.
6.2 Documented intended purpose. The standard Services are intended and offered as drafting-assistance tools within the scope described in the Documentation and Instructions for Use. They are not offered as autonomous legal, tax, procurement, medical, employment, credit, law-enforcement, biometric, or other high-risk decision systems.
6.3 Use outside intended purpose. Any use of the Services outside the documented intended purpose, including use cases that materially alter the legal, operational, or risk profile of the Services, is at Customer’s sole risk unless separately assessed and expressly agreed by us in writing.
6.4 Human oversight. Customer is solely responsible for reviewing, validating, and approving Outputs before use, publication, filing, or reliance, including compliance with procurement, administrative, regulatory, and sector-specific requirements. The Services do not provide legal advice, tax advice, procurement advice, or any other regulated professional advice.
6.5 Similarity of Outputs. Due to the nature of machine learning systems, Outputs generated for different users may occasionally be similar or identical.
6.6 References and citations. Where the Services provide references, sources, or citations, they may be incomplete, outdated, incorrect, or mismatched. Customer must independently verify all citations and legal or factual references before relying on them.

‍7. Transparency; AI Marking; Downstream Publication
‍7.1 Technical marking. To support transparency, the Services may embed machine-readable indicators, metadata, or similar technical markers in exported files or Outputs identifying them as AI-generated or AI-assisted, where technically feasible.
7.2 Marker persistence limitations. Customer acknowledges that technical markers may not survive copy-paste, OCR, extraction, format conversion, editing, re-authoring, external processing, or downstream publication workflows.
7.3 Downstream transparency responsibility. If Customer or any downstream recipient removes, disables, overwrites, or fails to preserve such technical markers, or if the marker does not persist due to downstream processing, Customer is responsible for any further disclosure, labeling, or transparency measures required by applicable law in the final publication or deployment context.

‍8. Professional Services
‍8.1 Scope. Professional Services are limited to the configuration, implementation, and support of the Services within their existing documented functional scope.
8.2 No intended-purpose change. No Professional Services deliverable is intended to change the intended purpose, legal classification, or regulatory risk classification of the Services. If Customer requests or uses Professional Services in a way that materially changes the intended purpose or creates a new regulated or high-risk use case, such use is outside the standard Services and at Customer’s sole risk unless separately assessed and agreed in writing.
8.3 Dependencies and cooperation. Customer will provide timely access, information, decisions, and cooperation reasonably required for Professional Services. Delays caused by the Customer may affect timelines, scope, and fees.
8.4 Acceptance. Unless an Order Form states otherwise, Professional Services deliverables are deemed accepted when delivered; if specific acceptance criteria are stated in an Order Form, those criteria will govern.
8.5 Third-party systems. Integrations may depend on third-party systems, APIs, credentials, licenses, or vendors. We are not responsible for third-party downtime, changes, incompatibility, access revocation, or service discontinuation unless expressly agreed otherwise.
8.6 AI literacy and training.
‍(a) Customer is solely responsible for ensuring that its staff and any persons using the Services on its behalf have an appropriate level of AI literacy and competence for their role and context of use.
(b) We support lawful deployment by providing Documentation and Instructions for Use.
(c) Any training we provide as a Professional Service supplements, but does not replace, the Customer’s own legal and operational responsibility to ensure competent human oversight.

‍9. Fees; Billing; Plans; Credits; Taxes
‍9.1 Fees. Customer will pay the fees stated in the applicable Order Form or plan.
9.2 Billing cadence. Fees may be billed monthly, annually, or as otherwise specified in the applicable Order Form. Unless otherwise stated, fees are billed in advance.
9.3 Credits and usage entitlements. If a plan includes credits or other usage entitlements, they may be subject to reset periods, plan limits, and fair-use controls. Unless an Order Form states otherwise, credits do not roll over.
9.4 Overages. We may charge for usage exceeding plan limits at the rates stated in the applicable Order Form or published pricing, where applicable.9.5 Payment terms. The Customer will pay undisputed invoices by the stated due date. Late amounts may accrue statutory late-payment interest or a reasonable contractual late fee to the extent permitted by law.
9.6 Suspension for non-payment. We may suspend access for overdue payment after reasonable notice.
9.7 Taxes. Fees exclude taxes unless stated otherwise. Customer is responsible for applicable taxes, including VAT, unless a reverse-charge mechanism applies and Customer provides a valid VAT identification number.
9.8 Refunds. Fees are non-refundable except where required by mandatory law or expressly stated in an applicable Order Form.
9.9 Trials and free services. We may offer free trials, pilot access, beta access, or other free Services. Such access may be modified, suspended, limited, or withdrawn at any time and is provided without warranties to the fullest extent permitted by law.

‍10. Term; Renewal; Suspension; Termination
‍10.1 Term. These Terms begin on the earlier of the date Customer first accepts them or first uses the Services and continue until terminated in accordance with these Terms.
10.2 Subscription term. Paid subscriptions continue for the term stated in the applicable Order Form and, unless otherwise stated, renew automatically for successive periods equal to the initial term.
10.3 Non-renewal. Either party may prevent renewal by giving notice before the deadline stated in the applicable Order Form or, if none is stated, at least 20 days before the next renewal date.
10.4 Suspension. We may suspend access immediately where reasonably necessary to:
(a) address security risk, abuse, fraud, or service integrity issues;
(b) comply with law or binding authority instructions;
(c) prevent material harm to us, Customer, other customers, or third parties; or
(d) address Customer’s material breach, including non-payment.
10.5 Termination for cause. Either party may terminate an applicable Order Form for material breach not cured within 30 days after written notice, unless the breach is incapable of cure, in which case termination may be immediate.
10.6 Effect of termination. Upon termination or expiry:
(a) Customer’s access rights end.
(b) outstanding fees become due to the extent permitted by law and the applicable Order Form;
(c) We will provide reasonable export access to Customer Data for 30 days after termination, subject to technical and legal constraints.
(d) We may delete Customer Data thereafter in accordance with the DPA, our retention practices, and legal obligations.
10.7 Survival. Provisions which by their nature should survive termination will survive, including those on fees accrued, confidentiality, IP, limitations of liability, indemnities, and dispute resolution.

‍11. Intellectual Property; Customer Data; Outputs
‍11.1 Our rights. We and our licensors retain all right, title, and interest in and to the Services, including software, models, workflows, templates, UI, Documentation, APIs, improvements, and all related intellectual property rights. No rights are granted except as expressly stated in these Terms.
11.2 Customer Data. As between the parties, Customer retains all rights in Customer Data. Customer grants us a limited, non-exclusive right to host, process, transmit, reproduce, display, and otherwise use Customer Data solely as necessary to provide, secure, maintain, support, and improve the operational performance of the Services for Customer, perform Professional Services, enforce these Terms, and comply with law.
11.3 Outputs. As between the parties, Customer owns Outputs to the extent ownership is recognized under applicable law. To the extent any rights in Outputs vest in Such Much AI, we assign those rights to Customer. Customer remains solely responsible for its use, publication, filing, or reliance on Outputs.
11.4 Feedback. If Customer provides suggestions, ideas, or feedback regarding the Services, we may use them without restriction or compensation.
11.5 No training without opt-in. We do not use Customer Data or Outputs to train models for other customers or general model improvement unless the Customer has explicitly opted in in writing to a specific arrangement describing the scope and safeguards.
11.6 Aggregated and de-identified data. We may generate and use aggregated, statistical, and de-identified data derived from the use of the Services to operate, secure, support, analyze, and improve the Services, provided such data does not identify Customer or disclose Customer Data.
11.7 No sale of Customer Data. We do not sell Customer Data as a separate data asset.

‍12. Data Protection; DPA; Security
‍12.1 Roles. For personal data contained in Customer Data, Customer acts as controller, and Such Much AI acts as processor unless otherwise agreed in writing. For account administration, billing, website administration, and similar service-provider data processed for our own purposes, Such Much AI acts as a controller as described in our Privacy Policy.
12.2 DPA incorporation. The DPA in Annex 1 is incorporated into and forms part of these Terms.
12.3 Hosting. Customer Data is hosted by default in the European Economic Area unless otherwise agreed in writing.
12.4 Security measures. We implement commercially reasonable technical and organizational measures designed to protect the confidentiality, integrity, and availability of Customer Data and the Services.
12.5 Subprocessors. We may use subprocessors to support the Services. We will maintain a current subprocessor list available upon request or through our website and will provide notice of material subprocessor changes where required by the DPA.
12.6 Incident reporting and cooperation.
‍(a) We will notify Customer without undue delay after becoming aware of a security incident affecting Customer Data or materially affecting the confidentiality, integrity, or availability of the Services used by Customer.
(b) Where the available facts reasonably indicate that such an incident may be relevant to Customer’s statutory incident-reporting obligations, we will provide available initial information in time to support those obligations, including 24-hour early-warning timelines where applicable.
(c) If the incident involves a personal data breach affecting Customer Data, we will provide information reasonably necessary for Customer to meet its GDPR notification and documentation obligations.
(d) Customer remains responsible for its own statutory notifications to supervisory authorities, CSIRTs, the National Cyber Security Centre, or other regulators, as applicable.

‍13. Confidentiality
‍13.1 Each party may receive Confidential Information from the other party.
13.2 Confidential Information means non-public information disclosed by one party to the other that is marked confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including Customer Data, product roadmaps, security information, pricing, and business information.
13.3 The receiving party will:
(a) Use Confidential Information only to perform or exercise rights under these Terms;
(b) protect it with at least reasonable care; and
(c) disclose it only to personnel, Affiliates, contractors, or advisers who need to know it and are bound by confidentiality obligations.
13.4 Confidentiality obligations do not apply to information that:
(a) is or becomes public without breach;
(b) was lawfully known without restriction;
(c) is lawfully received from a third party without restriction; or
(d) is independently developed without the use of the disclosing party’s Confidential Information.
13.5 A party may disclose Confidential Information where required by law, regulation, court order, or competent authority, provided it gives prior notice where legally permitted.
13.6 Confidentiality obligations survive for five years after termination, except trade secrets, which remain protected for as long as they remain trade secrets under applicable law.

‍14. Warranties; Disclaimers
‍14.1 Authority. Each party warrants that it has the authority to enter into these Terms.
14.2 Service standard. We warrant that the Services will be provided in substantial conformity with the applicable Documentation under normal use, subject to the limitations stated in these Terms.
14.3 Service availability. Unless expressly stated in an Order Form, we do not guarantee uninterrupted or error-free operation of the Services. Maintenance, updates, security measures, and third-party dependencies may cause temporary interruptions.
14.4 Outputs disclaimer. Outputs are assistive drafts only. Customer is solely responsible for reviewing, validating, approving, and deciding whether to use any Output.
14.5 General disclaimer. Except as expressly stated in these Terms or an applicable Order Form, the Services, Outputs, beta features, trials, and Professional Services are provided "as is" and "as available," and to the maximum extent permitted by law, we disclaim all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement.
14.6 No professional advice. The Services and Outputs do not constitute legal, tax, procurement, accounting, employment, medical, or other regulated professional advice.
14.7 Beta and preview features. We may designate certain features as beta, preview, pilot, or experimental. Such features may be modified or discontinued at any time and may be subject to additional limitations.

‍15. Indemnities
‍15.1 Our IP indemnity. We will defend Customer against third-party claims alleging that the unmodified Services, as provided by us and used in accordance with these Terms, directly infringe a third party’s copyright, trademark, or EU/EEA patent right, and will pay finally awarded damages and reasonable settlement amounts approved by us, provided Customer:
(a) promptly notifies us;
(b) allows us sole control of the defense and settlement; and
(c) reasonably cooperates.
15.2 Our exclusions. We have no obligation under Section 15.1 to the extent a claim arises from:
(a) Customer Data;
(b) Outputs;
(c) use of the Services outside the Documentation or intended purpose;
(d) modification by Customer or a third party;
(e) combination with products, services, or data not provided by us; or
(f) use of a non-current version, where the claim would have been avoided by using the current version.
15.3 Our remedies. If an infringement claim is made or appears likely, we may, at our option:
(a) Modify the affected Services to be non-infringing;
(b) obtain the right for the Customer to continue using them;
(c) replace the affected component; or
(d) terminate the affected Services and refund prepaid, unused fees for the terminated portion.
15.4 Customer indemnity. Customer will defend and indemnify Such Much AI against third-party claims arising from:
(a) Customer Data;
(b) Customer’s unlawful, misleading, or rights-infringing use of the Services or Outputs;
(c) Customer’s publication, filing, or operational use of Outputs without appropriate review; or
(d) Customer’s breach of these Terms or third-party rights.

‍16. Limitation of Liability
‍16.1 Non-excludable liability. Nothing in these Terms excludes or limits liability that cannot be excluded or limited under mandatory law, including liability for fraud, intentional misconduct, or death or personal injury caused by negligence where applicable.
16.2 Cap. To the maximum extent permitted by law, our total aggregate liability arising out of or relating to the Services, the Order Form, Professional Services, or these Terms will not exceed the total fees paid or payable by Customer under the applicable Order Form in the 12 months preceding the event giving rise to the claim.
16.3 Excluded damages. To the maximum extent permitted by law, neither party will be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, or for lost profits, lost revenue, lost business, loss of goodwill, or business interruption.
16.4 Output-related allocation. Without limiting Section 16.2, we are not liable for Customer’s or any third party’s decisions, filings, publications, procurement actions, legal positions, or operational actions taken based on Outputs, except to the extent directly caused by our breach of an express contractual obligation.
16.5 Data-protection liability. This Section does not limit liabilities to the extent such limitation is prohibited by GDPR or other mandatory data-protection law.

‍17. Export Controls; Sanctions
‍Customer will comply with applicable export-control and sanctions laws. We may suspend or terminate access to the extent required to comply with the law.

‍18. Public Sector; Procurement; Mandatory Law Adjustments
‍18.1 If Customer is a public authority, contracting authority, state-owned entity, municipal entity, or other public-sector body subject to mandatory public-law or procurement requirements, these Terms apply only to the extent consistent with such mandatory rules.
18.2 Any provision conflicting with non-waivable public-law, procurement, or regulatory requirements will be deemed modified only to the minimum extent necessary, and the remainder of these Terms will remain in force.

‍19. Changes to the Terms
‍19.1 We may update these Terms from time to time.
19.2 For material changes, we will provide notice through the Services, by email, or both, and specify the effective date of the update.
19.3 Changes will not retroactively modify an active Order Form during its current committed term unless required by law, security needs, or operational necessity, or unless agreed in writing.
19.4 Continued use of the Services after the effective date constitutes acceptance of the updated Terms to the extent legally permitted.

‍20. Governing Law; Dispute Resolution
‍20.1 These Terms are governed by the laws of the Republic of Lithuania, excluding conflict-of-laws rules that would require another jurisdiction’s law.
20.2 For B2B/B2G Customers, the courts of Vilnius, Lithuania, have exclusive jurisdiction over disputes arising out of or relating to these Terms, except where mandatory law requires otherwise.
20.3 Before filing a claim, the parties will attempt in good faith to resolve the dispute through negotiations for 30 days, except for claims seeking urgent injunctive or interim relief.
20.4 If Customer is a consumer, mandatory jurisdiction and consumer-protection rules apply.

‍21. Notices
‍21.1 Operational notices. We may send operational notices to the email address associated with the Customer’s Account.
21.2 Formal legal notices to Such Much AI. Formal legal notices must be sent by registered mail or recognized courier to:
‍UAB Such Much AI
‍Bukčių g. 6-38
Vilnius, LT-04127
Lithuania
A copy may also be sent to info@suchmuchai.com, but email alone does not constitute a formal legal notice unless we expressly agree otherwise in writing.
21.3 Formal legal notices to Customer. Customer must provide a current postal and email address in the Account or Order Form. Formal legal notices to Customer may be sent to that address.

‍22. Miscellaneous
‍22.1 Assignment. Customer may not assign these Terms without our prior written consent, except to an Affiliate or in connection with a merger, reorganization, or sale of substantially all assets, provided the assignee agrees in writing to be bound. We may assign these Terms to an Affiliate or successor.
22.2 Severability. If any provision is held invalid or unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will remain in effect.
22.3 No waiver. Failure to enforce any provision is not a waiver.
22.4 Entire agreement. These Terms, the applicable Order Form, the DPA, and incorporated Policies constitute the entire agreement between the parties regarding the Services and supersede prior discussions on that subject.
22.5 Language. The English version governs unless mandatory law requires otherwise.
22.6 Electronic contracting. The parties agree that these Terms, Order Forms, acceptances, notices, and related records may be formed, signed, stored, and evidenced electronically.
22.7 Contact information. Questions about these Terms may be sent to info@suchmuchai.com

‍Annex 1 — Data Processing Terms (Article 28 GDPR)
‍This Annex applies where Such Much AI processes personal data contained in Customer Data on behalf of Customer.
‍
‍1. Roles
‍For personal data in Customer Data, Customer is the controller and Such Much AI is the processor, unless the parties expressly agree otherwise in writing.
‍
‍2. Subject matter and duration
‍The subject matter of the processing is the provision of the Services and any Professional Services. Processing continues for the duration of the applicable Services term and any limited post-termination export and deletion period described in the Terms, unless law requires longer retention.
‍
‍3. Nature and purpose of processing
‍Processing may include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, export, alignment, restriction, deletion, and other operations necessary to:(a) provide and secure the Services;  (b) generate, transform, and export Outputs based on the Customer’s instructions;  (c) provide support and Professional Services;  (d) detect, prevent, and address abuse, fraud, and security incidents; and  (e) comply with applicable law.
‍
‍4. Categories of data and data subjects
‍The categories of personal data and data subjects are determined by Customer and may include names, contact details, employment details, procurement-related data, communications, document contents, user account data, and other personal data that Customer submits, excluding special categories and criminal-offence data unless expressly agreed in writing.
‍
‍5. Documented instructions
‍We will process personal data only on Customer’s documented instructions, including those reflected in the Terms, the applicable Order Form, Customer’s use of the Services, and documented support requests, unless required to do otherwise by Union or Member State law.
‍
‍6. Confidentiality
‍We will ensure that personnel authorized to process personal data are subject to confidentiality obligations.
‍
‍7. Security
‍We will implement appropriate technical and organizational measures designed to protect personal data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.
‍
‍8. Subprocessors
‍8.1 Customer grants general authorization for the engagement of subprocessors.
8.2 We will impose data-protection obligations on subprocessors that are materially consistent with this Annex.
8.3 We remain responsible for the performance of our subprocessors’ obligations to the extent required by law.
8.4 We will notify Customer of material subprocessor changes and allow Customer to object on reasonable data-protection grounds within a reasonable period. If we cannot reasonably accommodate such objection, Customer may terminate the affected Services.

‍9. Assistance to Customer
‍Taking into account the nature of the processing and the information available to us, we will reasonably assist Customer with:
(a) responding to data-subject requests;
(b) security obligations;
(c) personal-data-breach notifications;
(d) data-protection impact assessments; and
(e) consultations with supervisory authorities, where required and feasible.
‍
‍10. Personal data breaches
‍We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and provide information reasonably available to us to help Customer meet its legal obligations.

‍11. Audits and information
‍11.1 We will make available information reasonably necessary to demonstrate compliance with this Annex.
11.2 Customer may request an audit no more than once per year, except where required by law or following a reasonably substantiated security incident.
11.3 Audits must be subject to reasonable notice, confidentiality, proportionality, security restrictions, and minimal disruption to our business and other customers.
11.4 We may satisfy audit obligations through recent third-party certifications, summaries, questionnaires, or equivalent evidence where appropriate.

‍12. International transfers
‍Customer Data is hosted by default in the EEA. If we transfer personal data outside the EEA, we will implement a lawful transfer mechanism and appropriate safeguards as required by applicable law.

‍13. Return and deletion
‍Upon termination, we will make Customer Data available for export for 30 days unless otherwise agreed. After that period, we will delete or render inaccessible the personal data, unless retention is required by law or reasonably necessary for security, backup rotation, dispute preservation, or legal claims handling, in which case we will continue to protect it in accordance with this Annex.

‍14. Special categories and restricted data
‍Customer must not submit special categories of personal data, criminal-offence data, or similarly restricted data unless expressly agreed in writing and subject to appropriate safeguards.

‍15. Contact
‍Customer may contact us regarding this Annex at info@suchmuchai.com