| Parties to the Agreement | Customer (Party A) | (To be filled with company name at the time of formal execution) |
|---|---|---|
| | Provider (Party B) | Here Hear AI PTE LTD |

The Customer and Provider are individually referred to as a "Party" and collectively as the "Parties" in this AI-EAP Enterprise Subscription Service Agreement (hereinafter referred to as the "Agreement").
The Parties hereby agree to enter into this Agreement regarding the AI-EAP-related services provided by the Provider through the Here Hear.ai platform (website: https://www.here-hear.ai, hereinafter referred to as the "Platform"), to be jointly observed as follows:
Article 1: Accounts and Permissions
- The Provider shall provide the Customer with one enterprise administrator account (hereinafter referred to as the "Customer Administrator"). The Customer Administrator may view, upload, edit, access, or export information and service-related reports provided by the Customer on the Platform. The Customer Administrator may also create additional accounts for other designated personnel of the Customer (hereinafter referred to as "Customer Personnel"). Customer Personnel shall not edit, modify, or change any information or plan content provided by the Customer on the Platform, but may only view, access, or export service-related reports.
- The Customer agrees to designate the Customer Administrator as the primary point of contact for the Service, Platform operations, report notifications, incident notifications, and other matters related to this Agreement.
- The Customer shall ensure that the Customer Administrator, Customer Personnel, and its operational staff properly safeguard their account credentials and passwords. The Customer may provide accounts to its operational staff as necessary. However, the Customer is responsible for properly managing and supervising its operational staff. If the Customer (including the Customer Administrator or Customer Personnel) misuses accounts or fails to properly safeguard account credentials and passwords, resulting in any damage or loss to the Provider, the Customer shall be liable for damages.
Article 2: Service Content
- The Parties agree that during the Contract Term, the Provider shall provide system platform, data analytics functionality, and related services (hereinafter referred to as the "Service") in accordance with this Agreement.
- The Parties agree that the specific content, functionality, and specifications of the Service shall be determined by the quote (hereinafter referred to as the "Quote") and plan (hereinafter referred to as the "Enterprise Plan") displayed online on the Platform. The Service plan includes, but is not limited to, the following items (each plan and detailed service content shall be as actually announced or provided on the Platform):
- Basic Plan
The basic plan for the Service includes the following items:
- "Employee Stress Assessment Service": Provides unlimited stress assessment testing, tracking assessment, and related services to designated employees of the Customer (hereinafter referred to as "Customer Employees") on the Platform, including but not limited to providing information to Customer Employees via email.
- "AI Emotional Companion Assistant Interaction Service": Provides Customer Employees with emotional companion assistant interaction service via the "Here Hear" application developed by the Provider (hereinafter referred to as "HereHear App"). The provision of HereHear App service shall be capped at the maximum value of the tier corresponding to the employee headcount entered by the Customer on the Platform (hereinafter referred to as "Customer Headcount") (hereinafter referred to as the "HereHear App Quota").
- "De-identified Data Statistics and Reports": Based on usage data of Customer Employees for the aforementioned two services, the Provider shall provide the Customer with de-identified statistical results, tracking, cross-analysis, or reports (including but not limited to the number of Customer Personnel using the Service or stress pattern migration tracking). However, if any analysis category group covers no more than five Customer Employees, the Provider may choose not to provide statistical or analysis results for that category group.
- "HR Dashboard and Report Export": Enables the Customer Administrator and Customer Personnel to query, view, download, and export de-identified statistical results or related reports under the Enterprise Plan on the Platform.
- Additional Value-Added Services
The Customer may purchase additional value-added services based on its needs, including but not limited to ESG Sustainability Reports or health education push materials. The specific content, provision frequency, delivery method, and fees for value-added services shall be determined by the Quote and content displayed on the Platform.
- The Customer acknowledges and agrees that the Provider uses the Customer Headcount filled in and confirmed by the Customer on the Platform as the basis for calculating the Enterprise Plan tier and HereHear App Quota. If the Customer Headcount changes, the Customer shall promptly notify the Provider or update it on the Platform.
- The Provider shall provide the Customer with exclusive invitation codes (hereinafter referred to as the "Identification Code") to enable Customer Employees to activate and obtain HereHear App service. The invitation code shall serve as the identification basis for Customer Employees to join the Enterprise Plan. The Customer shall manage and distribute invitation codes to its employees and shall ensure that only its actual employees or authorized personnel know about and use the invitation codes. The Customer shall be solely responsible for all risks and liabilities arising from the use of invitation codes by third parties.
- Once a Customer Employee completes activation of the Enterprise Plan using an invitation code, the account becomes a subscription account under the Customer's Enterprise Plan (hereinafter referred to as the "Subscription Account"). Once a subscription account is activated, one quota is deducted from the HereHear App Quota, and this quota shall not be restored during the Contract Term due to deactivation, non-actual use, employee resignation, or other reasons. The Customer shall properly manage and control the use of invitation codes. If the Customer fails to properly manage invitation codes, resulting in any quota being activated, misused, or other damage, the Customer shall be solely responsible.
- For clarity, if a Customer Employee already held a registered HereHear App account prior to the effective date of this Agreement, that account may only be activated as a subscription account and join the Enterprise Plan through an invitation code if it is not a paid account.
- The Customer fully acknowledges and agrees that upon expiration or termination of the Contract Term, subscription accounts shall automatically convert to regular accounts, whose management and use shall be governed by the Provider's Terms of Service or other relevant agreements, announcements, or policies. If the Customer purchases the Enterprise Plan again from the Provider after the expiration or termination of the Contract Term, Customer Employees who previously used the Enterprise Plan shall still be required to activate subscription accounts in accordance with the exclusive provisions obtained under the new subscription service agreement.
- The Customer fully acknowledges and agrees that the Provider shall provide the Service only within the scope of de-identified statistics, analysis, and report data. The Provider shall have no obligation to provide any original assessment responses from Customer Employees, HereHear App audio files, interaction records, or other data that could identify specific individuals.
- The Customer understands and agrees that the Provider may adjust the interface, operation flow, functional presentation, or non-core ancillary functions of the Service as necessary for Platform operations, technical updates, legal compliance, or information security requirements, provided that such adjustments do not materially diminish the core service content of the Enterprise Plan.
Article 3: Personal Data and Information Security
- The Provider shall protect the data of the Customer and Customer Employees in accordance with applicable personal data protection laws and shall not use such data for purposes outside the scope of this Agreement. The Provider shall not proactively provide sensitive personal data of Customer Employees (including but not limited to audio files, individual analysis, analysis summaries, etc.) to the Customer, but shall only provide data related to the Customer and Customer Employees that is not sensitive or that is de-identified and processed in a manner that prevents tracking or identification of any individual Customer Employee.
- The Customer acknowledges and agrees that it shall not use any statistics, analysis, or report data provided by the Service to monitor, evaluate, penalize, or impose any adverse actions against individual Customer Employees, nor shall it combine such data with other data to perform personal identification or reconstruction.
- The Provider shall collect, process, use, store, delete, and otherwise handle the Customer's data and the personal data of Customer Employees in accordance with Annex 1 to this Agreement (Data Processing Agreement). If there is any inconsistency between this Agreement and Annex 1, the provisions of Annex 1 shall take precedence regarding data processing matters.
- The Customer acknowledges and agrees that the Provider's retention period for enterprise-level data generated by the Service (including but not limited to de-identified statistical data, analysis results, and reports) shall be limited to five years during the Contract Term. The Customer shall be responsible for backing up important data. The Provider shall have no obligation for permanent retention. However, this shall not apply if the Parties have otherwise agreed. Beyond that period, the Provider may delete data, de-identify it, or retain only summary information at its discretion based on system management, storage costs, or service design, and shall have no obligation to provide complete historical data. The Customer may not claim that the Provider has failed to fully perform the Service or request any form of price reduction, damages, or compensation based on such data deletion.
Article 4: Service Fees and Payment
- During the Contract Term, the Service Fees shall be determined by the amount specified in the Quote (hereinafter referred to as "Service Fees").
- The Parties agree that the Customer may choose one of the following payment options on the Platform and shall pay the Service Fees to the Provider in accordance with the amounts specified in the Quote:
- Installment Payment: Monthly installment payment of Service Fees for a total of twelve installments.
- Lump Sum Payment: One-time full payment of Service Fees with a 10% discount on the Service Fees (i.e., actual payment amount = original Service Fees price × 90%).
- The Customer shall complete payment of the Service Fees according to the payment method displayed on the Platform. The Provider shall issue and provide an electronic invoice to the Customer through the Platform in accordance with the preceding article.
- If this Agreement is terminated early due to reasons not attributable to the Customer, the Provider shall refund the Customer's paid but unused Service Fees based on the original Service Fees price (without any discounts) on a pro-rata basis for the remaining unused Contract Term (if the usage period is less than one month, it shall be calculated as one month). The Provider may deduct reasonable service charges for processing the refund, payment processing, administration, or other necessary operations from the refund amount and shall return the remaining amount according to the Customer's original payment method or other mutually agreed method.
- If the Customer chooses installment payment of Service Fees and any installment is not completed by the payment due date, the Parties agree to handle the matter as follows:
- The Provider may notify the Customer by email or through the Platform to remit the overdue payment and shall grant a grace period of 14 days from the due date. If the Customer fails to complete payment within the grace period, the Provider may downgrade the Service to read-only mode, whereby the Customer may still log in to the Platform to query and download existing reports, but the Provider may suspend the provision of HereHear App, Stress Assessment, and related interactive functions to Customer Employees.
- If the Customer fails to complete payment within 30 days after the read-only mode is activated, the Provider may suspend the provision of the Service and notify the Customer in writing of the termination of this Agreement.
- If the Customer completes the payment of all overdue amounts before the read-only mode is activated or before the termination notice of this Agreement is issued, the Provider shall resume the provision of the Service in accordance with this Agreement within a reasonable timeframe.
Article 5: Contract Term
- Except as otherwise agreed in this Agreement, the Contract Term shall be 12 months from the date when the Customer completes the payment of Service Fees in accordance with the preceding article and the Provider's system confirms that the order is established (hereinafter referred to as the "Contract Term"). The detailed calculation and start and end dates of the Contract Term shall be determined by the Platform.
- For clarity, the "Service Fee Payment" referred to in this article means completion of full payment for lump sum payment, and completion of the first installment payment for installment payment.
Article 6: Platform Maintenance and Technical Support
- The Provider shall use commercially reasonable efforts to maintain the operation of the Platform and the Service during the Contract Term. Except as otherwise agreed in this Agreement, the Provider does not guarantee that the Platform, the Service, or the HereHear App shall never be interrupted, error-free, or completely without defects.
- The Provider may suspend the provision of all or part of the Platform or the Service for system maintenance, updates, upgrades, patches, or other necessary operations. The Provider shall notify the Customer in advance within a reasonable timeframe, except in cases of emergency repairs, information security incident handling, or other situations not attributable to the Provider.
- The Parties agree that the target monthly availability rate of the Platform during the Contract Term shall be 99.5%. The Provider shall use commercially reasonable efforts to maintain this availability rate, except in the following cases:
- Scheduled maintenance announced in advance;
- Interruptions caused by force majeure;
- Interruptions caused by failures of third-party telecommunications, network, cloud, payment processing, or other systems beyond the Provider's control;
- Interruptions caused by factors beyond the Provider's control, including those related to the Customer, Customer Employees, or their equipment, network environment, browser, operating system, third-party applications, or other factors; or
- Necessary interruptions caused by information security incidents, defensive measures, or requirements from regulatory authorities.
- If the Provider fails to meet the target monthly availability rate set forth in this article, the Customer may notify the Provider to confirm. If both Parties confirm that the failure is attributable to the Provider and does not fall within any of the exclusion clauses in the preceding paragraph, the Provider shall extend the Service usage period accordingly, and the Customer may not claim other damages or rights to terminate or rescind this Agreement based on such failure. The Parties agree that if there is a Service usage period extension under this article, the Contract Term shall also be extended accordingly.
- The Provider shall provide general technical support, troubleshooting, and customer service for the Platform and the Service in accordance with the service time, method, and procedures announced on the Platform. If the Customer discovers any Service anomalies, the Customer Administrator shall report such anomalies to the Provider through the Provider's designated method and shall cooperate in providing necessary information to facilitate problem resolution.
Article 7: Intellectual Property
- The Customer acknowledges and understands that all software, programs, and content on the Platform, including but not limited to works, images, files, information, data, website architecture, website layout, web design, and other information disclosed by the Provider to perform this Agreement, and all intellectual property rights including copyrights, patents, trademarks, and trade secrets, and all other rights, are owned by the Provider or other right holders. Except as otherwise agreed in this Agreement, the Provider has not granted or transferred any rights to the Customer.
- The Customer may not without authorization use, modify, reproduce, publicly distribute, adapt, disseminate, publish, publicly display, reverse engineer, decompile, or reverse assemble any content, software, or programs on the Platform or related intellectual property rights. If the Customer wishes to cite or reprint such software, programs, or website content, it must obtain prior written consent from the Provider or other right holders in accordance with applicable law. Any violation shall result in the Customer's liability for damages to the Provider, including but not limited to litigation costs and attorney's fees.
- The provisions of this article shall not lose their effect due to the termination, rescission, or expiration of this Agreement.
Article 8: Confidentiality Obligations
- The Customer shall be under an obligation to maintain the confidentiality of the content of this Agreement and any information known or possessed by the Customer in performing this Agreement, including but not limited to technical information, equipment, financial data, pricing policies, documents related to business operations, and other information usable for sales or business operations (hereinafter collectively referred to as "Confidential Information"). Except as necessary for the execution of this Agreement and with the prior written consent of the Provider, the Customer may not disclose such information to any third party. However, this obligation shall not apply to information that is public information or information that is required to be disclosed by applicable law, administrative authorities, or judicial authorities. Before disclosing any Confidential Information in accordance with the foregoing, the Customer shall notify the Provider within one day of notification and shall cooperate with the Provider to take appropriate measures to maintain the confidentiality of such information.
- If the Customer violates the preceding provision, it shall pay the Provider a punitive damages fee calculated as three times the total Service Fees. If the Provider can prove other damages, the Customer shall also be liable for such damages.
- The confidentiality obligations set forth in this article shall be perpetually effective and shall not lose their effect due to the termination, rescission, or expiration of this Agreement.
Article 9: Representations and Warranties
- The Parties represent that if either Party is a company lawfully established under Singapore law, it has full and independent legal status and legal capacity to sign and perform this Agreement and may independently act as a party to litigation.
- The Parties represent that if either Party is a natural person, such person has full and independent legal status and legal capacity to sign and perform this Agreement and may independently act as a party to litigation.
- The Parties represent that the execution and performance of this Agreement do not violate any applicable law, court judgment, order or sanction from a relevant authority, nor do they violate any contract, agreement, statement, warranty, guarantee, undertaking, or other obligation to which either Party is legally bound.
- The Customer represents and warrants that all information it fills in and provides on the Platform (including but not limited to registration number, Customer Headcount, contact information, and other information related to the Quote or the Service) is current, true, correct, and complete. If there are any changes, the Customer shall update such information in a timely manner. If the Customer provides false, incorrect, outdated, or incomplete information, resulting in any damage to the Provider or errors in the provision, pricing, or performance of the Service, the Customer shall be liable for all related responsibilities.
- The Customer acknowledges and agrees that the analysis results, recommendations, or feedback generated by the Service are based on system algorithms and user input data and may be incomplete, inaccurate, or biased. The Provider does not warrant the accuracy or applicability of such results.
- The Customer fully acknowledges and agrees that the Provider is not engaged in the professional practice of medicine, and that the Platform and the HereHear App are merely platforms for users to express emotions and do not have diagnostic, treatment, psychotherapy, psychological counseling, medical device, or other medical-related functions. The Service should not be considered a substitute for any medical or psychological treatment and should not be used as a basis for clinical decision-making or medical diagnosis.
Article 10: Breach of Contract
- Except as otherwise provided in this Agreement, if either Party breaches any provision of this Agreement, if such breach is remediable, the non-breaching Party may request in writing that the breaching Party remedy the breach within 14 days. If the breaching Party fails to remedy the breach within the prescribed period or if the breach is not remediable, the non-breaching Party may terminate this Agreement directly. If the breach causes damage to the non-breaching Party, the non-breaching Party may also claim damages from the breaching Party.
- If the Customer provides the Provider with inaccurate or false information regarding the Customer Headcount without valid reason, resulting in incorrect calculation of Service Fees, the Customer shall pay a punitive breach penalty calculated as the difference between the accurate Customer Headcount and the actual reported headcount. The payment of such breach penalty is not a make-up or adjustment of Service Fees. The Customer may not claim make-up of quotas, extension of the usage period, or make any related requests to the Provider based on such payment, and such payment does not affect the Provider's right to claim damages for other losses.
- If this Agreement is terminated early due to reasons attributable to the Customer or due to the Customer's request for termination, the Customer shall pay the Provider a punitive breach penalty calculated on a pro-rata basis based on the Service Fees, amounting to two months of Service Fees. Such payment does not affect the Provider's right to claim damages for other losses.
- Except in cases of intentional misconduct or gross negligence by the Provider, the Provider's total cumulative liability for damages to the Customer for any claim, damage, or liability related to this Agreement, the Service, or matters related to the Service, regardless of its legal basis, shall not exceed the total amount of Service Fees actually paid by the Customer to the Provider within the 12 months immediately preceding the occurrence of the damage. The Provider shall not be liable for any indirect damages, incidental damages, consequential damages, lost profits, loss of goodwill, data loss, or cost of substitute services.
Article 11: Termination of Agreement
- Except as otherwise agreed in this Agreement, this Agreement may be terminated by mutual consent of the Parties.
- The Provider may terminate this Agreement by written notice to the Customer if any of the following circumstances occur:
- The Customer ceases business operations, enters liquidation, or becomes bankrupt;
- The Customer fails to pay Service Fees as required in Article 4; or
- The Customer breaches this Agreement and fails to remedy the breach within the prescribed period.
- If either Party is unable to perform this Agreement due to force majeure events such as typhoons, fires, floods, earthquakes, riots, wars, strikes, export bans, or pandemic outbreaks, the affected Party shall not be liable for delays in performance, but shall perform its obligations as soon as possible after the force majeure event ceases. Except as otherwise agreed in this Agreement, if the force majeure event continues for one month without recovery to normal conditions, either Party may terminate this Agreement.
- Except as otherwise agreed in this Agreement, termination of this Agreement shall not affect the rights and obligations of the Parties that have already occurred or been established prior to termination.
- If this Agreement is terminated early, the qualification of subscription accounts that have been activated in accordance with this Agreement shall automatically terminate as of the termination date, and the Provider shall have no obligation to provide any Service to the Customer. Except as otherwise agreed in this Agreement, the Customer may not make any related requests to the Provider.
- Upon termination or expiration of this Agreement, the Provider may retain the Customer's enterprise data for 90 days in accordance with this Agreement and Annex 1 for the Customer to export. After the expiration of this period, the Provider may delete the relevant data.
Article 12: Notices
- Any request, notice, or indication of intent under this Agreement shall be in writing (including email) and shall be sent to the designated representatives of the Parties and shall become effective on the day of receipt by the designated representative:
- The Customer agrees to designate the Customer Administrator as the designated contact for this Agreement.
- The Provider's designated contact shall be in accordance with the contact method announced on the Platform.
- Either Party may change its designated representative for receipt of notices, address, and/or email address at any time, provided that it notifies the other Party in writing (including email), and such change shall become effective on the second day after the notice is received.
Article 13: Governing Law and Dispute Resolution
- This Agreement shall be interpreted and governed by the laws of Singapore.
- For any disputes arising out of this Agreement, the Parties shall attempt to resolve them through good faith negotiation. If the dispute cannot be resolved through negotiation, it shall be subject to the jurisdiction of the courts of Singapore.
Article 14: Miscellaneous Provisions
- Neither Party may assign the rights and obligations under this Agreement without the prior written consent of the other Party.
- If there are any matters not covered by this Agreement, the Parties shall resolve them through good faith negotiation.
- Except as otherwise agreed in this Agreement, any modification, addition, or deletion to this Agreement must be agreed to by both Parties and shall be in writing.
- Except as otherwise agreed, all costs and taxes legally arising from the performance of this Agreement shall be borne by the respective Parties.
- The headings used in this Agreement are for reference only and shall not be construed as binding when interpreting this Agreement.
- If any provision of this Agreement is invalid due to legal prohibition or for other reasons, it shall not affect the validity of the other provisions of this Agreement.
- The Quote and the annexes to this Agreement constitute part of this Agreement and have the same force and effect as this Agreement.
Annex 1: Data Processing Agreement (DPA)
Whereas the Provider provides the Service to the Customer through the Platform developed by the Provider, the Parties agree to use this Data Processing Agreement (hereinafter referred to as the "DPA") to govern the Provider's collection, processing, and use of the Customer's data and related personal data.
DPA Article 1: Data Processing
- Scope and Roles
- This DPA applies to the Provider's processing of the Customer's data during the provision of the Service.
- The Customer's data consists of enterprise-level data, such as enterprise account data and enterprise-level statistical analysis data, and end-user data, which is personal data provided by the Customer's employees through the Service, including employee personal data, stress assessment results, interaction records, and other data related to psychological condition.
- Within the scope of the Provider's provision of enterprise-level data processing, statistical analysis, and report services to the Customer in accordance with this Agreement and the Service, the Parties agree that the Customer is the Data Controller and the Provider is the Data Processor. The Provider shall process such data in accordance with the Customer's instructions and this Agreement/DPA. However, for personal data provided or generated by Customer Employees in the HereHear App or other individual-facing services, such data shall be processed in accordance with the Terms of Service, Privacy Policy, and other relevant rules between the Provider and the Customer Employees, and the Customer shall not necessarily be the sole Data Controller.
- Customer Control and Assistance
- The Customer may use the management functions and control mechanisms provided by the Service (hereinafter referred to as "Service Control Mechanisms") to assist in fulfilling its obligations under applicable data protection laws, including responding to queries, access requests, correction requests, and deletion requests from data subjects.
- In light of the nature of data processing, the Customer agrees that the Provider generally cannot proactively identify errors in the Customer's data. However, if the Provider discovers any such errors, it shall notify the Customer within a reasonable period and shall assist the Customer in correcting or deleting such data through the Service Control Mechanisms.
- The Customer shall ensure that its collection, use, and disclosure of employee personal data comply with applicable data protection laws and shall be responsible for obtaining necessary notifications and consents.
- Data Processing Content
- The subject of data processing under this DPA is the Customer's data. In relation to the Provider and the Customer, the data processing period shall be determined by the Customer's use of the Service and shall be bound by the provisions of this Agreement.
- The purpose of data processing is to provide the Service to the Customer, such as corporate employee mental health management, stress analysis, and related data statistics functions.
- The nature of data processing includes, but is not limited to, collection, recording, storage, analysis, statistics, and other processing actions necessary for the provision of the Service.
- Except as otherwise agreed by the Parties, the Provider may only use de-identified statistical data that cannot be used to identify any specific individual or specific enterprise for the maintenance, improvement, analysis, and optimization of the Service. The Provider may not use data that can identify the Customer or Customer Employees to train general models or to improve services provided to other third-party customers.
- Data subjects may include the Customer's employees and other end users.
- Legal Compliance
The Parties shall comply with applicable data protection laws during the performance of this DPA and the provision of the Service.
DPA Article 2: Customer Instructions
- The Parties agree that this DPA and this Agreement (including operations and settings issued by the Customer through the Service's configuration interface, management backend, or other system functions) constitute the Customer's written instructions for the Provider's processing of the Customer's data.
- Within the scope of data processing, the Provider shall process the Customer's data only in accordance with such instructions.
- If the Customer requests the Provider to perform processing beyond or outside the scope of the aforementioned instructions, the Parties shall agree on such in writing in advance. The reasonable costs arising from such processing may be separately agreed to be borne by the Customer.
- In light of the nature of data processing, the Customer agrees that the Provider generally cannot determine whether the Customer's instructions violate applicable data protection laws. However, if the Provider believes that such instructions may violate applicable laws, it shall notify the Customer immediately, and the Customer may withdraw or modify such instructions.
DPA Article 3: Confidentiality of Customer Data
- The Provider may not access, use, or disclose the Customer's data to any third party unless such access, use, or disclosure is necessary to provide or maintain the Service, or is required by law, legitimate orders from regulatory authorities, or judicial authorities (such as subpoenas or court orders).
- If a government agency requests the Provider to provide the Customer's data, the Provider shall, to the extent reasonably feasible, prioritize directing the government agency to apply directly to the Customer. To facilitate such processes, the Provider may provide the Customer's basic contact information to the government agency to enable direct contact with the Customer.
- If the Provider is legally required to disclose the Customer's data to a government agency, except where prohibited by law, the Provider shall, to the extent reasonable, notify the Customer in advance so that the Customer may take protective measures or pursue other appropriate legal remedies as circumstances warrant.
DPA Article 4: Personnel Confidentiality Obligations
- The Provider shall take appropriate measures to restrict its personnel's access to and processing of the Customer's data only to the extent necessary for the provision of the Service.
- The Provider shall also ensure that its personnel are under confidentiality obligations with respect to the Customer's data and shall, through contracts, internal policies, or other appropriate measures, ensure that its personnel comply with applicable data protection laws and information security requirements.
DPA Article 5: Security Measures for Data Processing
- Provider's Obligations
The Provider shall, based on the nature of the data and processing risks, implement appropriate technical and organizational security measures to ensure the confidentiality, integrity, and availability of the Customer's data, and to prevent unauthorized access, use, disclosure, modification, or destruction.
- Customer's Obligations
- The Customer shall, based on its own needs and risk assessment, take appropriate technical and organizational measures to protect its data in the Service.
- Such measures may include, but are not limited to: de-identification or encryption of data, establishment of appropriate backup and recovery mechanisms, and periodic review and assessment of the effectiveness of security measures implemented.
DPA Article 6: Rules Regarding Sub-Processors
- Use of Sub-Processors
- The Customer agrees that the Provider may, to the extent necessary for the provision of the Service, engage third parties (hereinafter referred to as "Sub-Processors") to process the Customer's data on its behalf.
- The Provider shall ensure that Sub-Processors are selected based on their appropriate data protection and information security capabilities, and may disclose information about the main Sub-Processors it uses in documents related to the Service or on the Platform.
- If the Provider adds or replaces a Sub-Processor that significantly affects the processing of the Customer's data, it shall notify the Customer within a reasonable period through website announcements, system notices, or similar means. If the Customer raises a specific and reasonable written objection to the new Sub-Processor based on the requirements of applicable data protection laws, the Parties shall negotiate in good faith to find a feasible alternative solution.
- Obligations of Sub-Processors
- When engaging Sub-Processors to process the Customer's data, the Provider shall ensure:
- Sub-Processors may only access or process the Customer's data to the extent necessary for the provision of the Service and may not use such data for any other purpose;
- The Provider and Sub-Processors shall agree in writing on their data protection and confidentiality obligations, and the level of protection shall not be lower than that provided in this DPA; and
- The Provider shall remain responsible for the actions of Sub-Processors and shall ensure their compliance with the obligations under this DPA.
DPA Article 7: Handling of Data Subject Rights
- Customer Data Requests
- With respect to the processing of the Customer's data, the Provider shall, based on the Customer's instructions and through the functions and management mechanisms provided by the Service, assist the Customer in fulfilling its obligations to respond to data subject rights requests under applicable data protection laws, including access, inspection, correction, deletion, and data portability.
- If a data subject submits a request directly to the Provider regarding the Customer's data, the Provider shall, upon identifying that the request falls within the Customer's scope of responsibility, notify the Customer within a reasonable period to handle the request. The Customer agrees that the Provider may respond to the data subject merely by stating that the request has been forwarded to the Customer for handling.
- Scope of Assistance
- The Parties agree that the functions and notification mechanisms provided by the Provider under this article constitute the scope of assistance the Provider is required to provide under this DPA for data subject rights requests.
- If the Customer instructs the Provider to provide sensitive personal data of end users under this article, the Provider may refuse to provide such data in accordance with applicable data protection laws.
DPA Article 8: Information Security Incident Handling
- Information Security Incident Notification
- If an information security incident involving the Customer's data occurs (such as unauthorized access, disclosure, loss, damage, or modification of the Customer's data due to a security breach, hereinafter referred to as an "Information Security Incident"), the Provider shall notify the Customer as soon as possible upon becoming aware of the incident and shall take appropriate measures to handle the Information Security Incident, including reducing or mitigating any potential adverse effects.
- The Provider may notify the Customer Administrator of the Information Security Incident by email or other reasonable means. The Customer shall ensure that the contact information it provides is accurate and accessible.
- Assistance Obligations
- The Provider shall, to the extent reasonable, provide relevant information it possesses and may disclose to assist the Customer in assessing the impact of the Information Security Incident and to fulfill its obligations to notify or report to regulatory authorities or data subjects in accordance with applicable laws.
- The Customer agrees that it is in the best position to determine the actual impact of the Information Security Incident and the remedial measures to be taken thereafter.
- Situations Not Constituting Information Security Incidents
- The following situations, if they do not result in unauthorized access, disclosure, or other substantial impact on the Customer's data, shall not be considered Information Security Incidents as referred to in this article:
- System scans, tests, or other unsuccessful attack attempts;
- Unsuccessful login attempts, denial-of-service attacks, or similar activities;
- Other events that do not result in data leakage or damage to the Customer's data.
- Allocation of Notification Obligations
If the Provider notifies the Customer of an Information Security Incident under this article, or if the Customer becomes aware of an Information Security Incident affecting its data, the Customer shall determine whether to notify regulatory authorities or data subjects in accordance with applicable laws and shall be responsible for taking necessary remedial measures.
DPA Article 9: Audits and Information Disclosure
- Security Certifications and Information Provision
- The Provider may, as appropriate, obtain or maintain relevant information security or data protection certifications or reports (such as ISO or other equivalent standards).
- Upon reasonable request by the Customer and provided that both Parties have signed confidentiality obligations, the Provider may provide documentation describing information security and data protection measures related to the Service to enable the Customer to reasonably confirm the Provider's compliance with the obligations under this DPA.
- Audit Mechanisms
- The Provider may periodically review and assess the effectiveness of its information security measures through internal means or by engaging third parties.
- Such review may be conducted in accordance with appropriate information security standards or operational procedures and may result in the production of relevant reports or records.
- Provision of Audit Data
- Upon written request by the Customer and provided that both Parties have signed confidentiality obligations, the Provider may, to the extent reasonable, provide the relevant reports or data described in the preceding article to enable the Customer to reasonably confirm whether the Provider is complying with this DPA.
- Such data is confidential information of the Provider, and the Customer shall protect it in accordance with relevant confidentiality obligations.
- Compliance Assistance
The Provider shall, to the extent reasonable and based on the information it possesses, assist the Customer in fulfilling its obligations under applicable data protection laws, such as conducting data protection impact assessments or prior consultations with regulatory authorities.
DPA Article 10: Customer Verification
- If the Customer needs to verify the Provider's data processing activities in accordance with applicable data protection laws or relevant regulations, the Parties agree that such verification shall be based on the relevant documents, reports, or explanations provided by the Provider under this article.
- If the Customer has any remaining questions about the aforementioned data, it may submit written inquiries or requests for supplemental explanations to the Provider, and the Provider shall cooperate to a reasonable extent.
- Except as otherwise agreed in writing by the Parties, the Customer may not request on-site verification, audits, or similar inspections of the Provider's systems, equipment, or operational facilities.
DPA Article 11: Cross-Border Transfer of Customer Data
- Data Processing Location
- The Provider may, to the extent necessary for the provision of the Service, process the Customer's data in its systems or the data centers of third-party services it uses.
- If the Customer has specific requirements regarding the data processing location, such requirements should be separately agreed upon in this Agreement. Except for such agreements, the Customer agrees that the Provider may adjust the data processing location to a reasonable extent based on the operational needs of the Service.
- Cross-Border Transfer
- The Customer agrees that the Provider may, to the extent necessary for the provision of the Service, transfer the Customer's data to other countries or regions where it or its Sub-Processors are located for processing.
- The Provider shall ensure that such cross-border transfers comply with the requirements of applicable data protection laws and shall implement appropriate protective measures to ensure the security of the Customer's data during the cross-border transfer process.
- Protection Mechanisms
- The protective measures referred to in the preceding paragraph may include, but are not limited to:
- Contractual agreements with Sub-Processors;
- Engagement of service providers with appropriate data protection standards; or
- Other data transfer mechanisms that comply with applicable legal requirements.
DPA Article 12: Effective Date of DPA
This DPA shall become effective as of the effective date of this Agreement and shall terminate together with this Agreement upon its termination or expiration.
DPA Article 13: Return and Deletion of Customer Data
- Within the scope of functions provided by this Agreement and the Service, the Customer may request the return, export, or deletion of its enterprise-level data. However, for personal data of Customer Employees, such matters shall be handled in accordance with the functional design of the Service, relevant Terms of Service, and applicable laws.
- After the termination or expiration of this Agreement, the Provider may retain the Customer's data for a period of ninety days for the Customer to download or export. After the expiration of this period, the Provider shall delete the relevant Customer data, except where otherwise provided by law or as otherwise agreed by the Parties.
- The Customer shall complete the backup or export of such data within the aforementioned period and shall be responsible for its subsequent retention. If the Customer fails to process such data within the prescribed period, the Provider shall have no obligation to retain or provide such data.
DPA Article 14: Notification Obligations
- If the Customer's data is seized, impounded, or otherwise disposed of by a third party during the Provider's processing due to bankruptcy, liquidation, or other similar proceedings, the Provider shall notify the Customer within a reasonable period.
- The Provider shall also, to the extent reasonable, explain to the relevant third parties that such Customer data is data controlled and disposable by the Customer, to assist in protecting the Customer's interests.
DPA Article 15: Miscellaneous
- This DPA is part of this Agreement. Except as otherwise provided in this DPA, all provisions of this Agreement shall continue to be effective.
- If this DPA conflicts with the provisions of this Agreement, the provisions of this DPA shall take precedence. However, special provisions in this Agreement regarding the Service may take precedence over this DPA within their applicable scope.