Anthropic、PBC(“ Anthropic ”

freedragon發表於2024-03-06
克洛德應用程式程式設計介面研究公司訊息職業機會

商業服務條款

歡迎來到人類!在訪問我們的服務之前,請閱讀這些商業服務條款。

這些商業服務條款(“條款”)是 Anthropic、PBC(“ Anthropic ”)與您或您代表的組織、公司或其他實體(“客戶”)之間的協議。它們管理客戶對任何 Anthropic API 金鑰、Anthropic 控制檯或引用這些條款的任何其他 Anthropic 產品(“服務”)的使用。這些條款自客戶首次以電子方式同意這些條款版本之日和客戶首次訪問服務之日(“生效日期”)起生效,以較早者為準。

請注意:您不得代表組織、公司或其他實體簽署這些條款,除非您擁有約束該實體的法律權力。這些條款下的服務不供消費者使用。我們的消費者產品(例如 Claude.ai)受我們的消費者服務條款管轄。

A、服務

  1. 概述。根據這些條款,客戶可以使用服務,包括向服務提交內容(“提示”)並生成對其提示的響應(“輸出”以及與提示一起稱為“客戶內容”)。
  2. 測試版服務。Anthropic 可能會提供預釋出、測試版或試用版的服務(“測試版服務”)。這意味著它們不適合生產用途,並且是臨時“按原樣”提供的。Anthropic 不對客戶使用或依賴測試版服務負責。
  3. 反饋。如果客戶自行決定向 Anthropic 提供有關服務的反饋,Anthropic 可以自行承擔使用該反饋的風險,且不對客戶承擔任何義務。
  4. 客戶內容。在雙方之間,在適用法律允許的範圍內,Anthropic 同意客戶擁有所有輸出,並放棄根據這些條款獲得的對客戶內容的任何權利。Anthropic 預計不會根據這些條款獲得客戶內容的任何權利。在客戶遵守這些條款的前提下,Anthropic 特此向客戶轉讓其對輸出的權利、所有權和利益(如果有)。Anthropic 不得使用付費服務中的客戶內容來訓練模型。
  5. 資料隱私。如果客戶向服務提交個人資料或個人身份資訊(統稱為“ PII ”),則附件 A中的人類資料處理附錄適用並透過引用納入本條款。

B. 信任和安全;限制

  1. 遵守。各方將遵守適用於服務的提供(針對 Anthropic)和使用(針對客戶)的所有法律,包括任何適用的資料隱私法。
  2. 可接受的使用政策。客戶只能按照這些條款使用服務,包括可接受的使用政策(“ AUP ”),該政策透過引用納入這些條款中,並且可能由 Anthropic 進行更新。客戶必須盡合理努力確保其客戶或其他終端使用者(“使用者”)也同樣如此。客戶必須配合 Anthropic 提出的合理資訊請求,以支援遵守其 AUP,包括驗證客戶的身份和服務的使用情況。
  3. 輸出的限制;使用者須知。客戶有責任在使用或共享輸出之前評估輸出是否適合客戶的用例,包括適當的人工稽核。客戶承認並必須通知其使用者,在未獨立檢查其準確性的情況下不應依賴輸出中的事實斷言,因為它們可能是錯誤的、不完整的、誤導性的或不反映最近的事件或資訊。客戶進一步承認輸出可能包含與 Anthropic 觀點不一致的內容。
  4. 使用限制。客戶不得且不得嘗試 (a) 訪問服務來構建競爭性產品或服務,包括訓練競爭性 AI 模型,除非經 Anthropic 明確批准;(b) 逆向工程或複製服務;(c) 支援任何第三方嘗試實施本句中限制的任何行為。客戶及其使用者只能在Anthropic 目前支援的國家和地區使用服務。
  5. 安全。如果客戶相信或知道 (a) 用於訪問服務的帳戶已被盜用,或 (b) 客戶遭受可能對服務產生負面影響的拒絕服務或類似惡意攻擊,客戶將立即通知 Anthropic。

C. 保密性

  1. 機密資訊。雙方可以共享被確定為機密、專有或類似的資訊,或者一方合理地理解為機密或專有的資訊(“機密資訊”)。客戶內容是客戶的機密資訊。
  2. 各方的義務。接收方(“接收方”)只能使用披露方(“披露方”)的機密資訊來行使其在這些條款下的權利和履行其義務。接收方只能將披露方的機密資訊分享給需要了解此類機密資訊並且必須承擔至少與這些條款中規定的保護措施同等程度的保密義務的接收方員工、代理和顧問(“代表”)。接收方將採取與接收方保護其自己的機密資訊相同的方式,並以不低於合理的謹慎程度,保護披露方的機密資訊免遭未經授權的使用、訪問或披露。接收方對其代表的所有作為和不作為負責。如果接收方懷疑或知道披露方的機密資訊被洩露,則將立即通知披露方,並同意合作以減輕進一步丟失或濫用的風險。
  3. 排除情況。如果接收方證明披露方的機密資訊 (a) 在披露方披露時已為接收方所知,(b) 由不承擔保密義務的第三方向接收方披露,則接收方對機密資訊的義務不適用,( c) 非接收方過錯而公開提供,或 (d) 由接收方獨立開發,無需使用或訪問披露方的機密資訊。接收方可以在法律、法院或行政命令要求的範圍內披露披露方的機密資訊,但除非明確禁止,否則接收方將立即通知披露方所需披露的資訊,並與披露方充分合作。
  4. 銷燬請求。接收者將根據要求立即銷燬披露者的機密資訊,但接收者自動備份系統中的副本除外,這些副本在維護時仍將受​​到這些保密義務的約束。

D、智慧財產權

除非這些條款明確規定,否則這些條款不以暗示或其他方式授予任何一方對另一方內容或智慧財產權的任何權利。

E、宣傳

未經另一方許可,任何一方均不得就客戶使用服務的情況發表公開宣告。

F. 費用

  1. 費用的支付。除非雙方另有約定,否則客戶應按照定價模型頁上指定的費率承擔其帳戶產生的費用。Anthropic 可能要求以積分形式預付服務費用或提供其他型別的積分,所有這些均須遵守 Anthropic 的補充積分條款Anthropic 可能會更新公佈的費率,更新將於 Anthropic 釋出更新後 30 天或客戶收到通知後生效,以較早者為準。
  2. 稅收。費用不包括客戶因使用服務而可能欠的任何稅費、關稅或評估費(“稅費”),除非適用的發票中另有規定。
  3. 計費。未能按時向 Anthropic 支付所有欠款可能會導致客戶暫停或終止對服務的訪問。Anthropic 保留其可能擁有的任何其他收集權利。

G. 終止和暫停

  1. 學期。這些條款從生效日期開始一直持續到終止(“期限”)。
  2. 終止。
    1. 為方便起見,各方可隨時發出通知終止這些條款,但 Anthropic 必須提前 30 天發出通知。
    2. 任何一方均可因另一方的重大違約行為而終止本條款,只需提前 30 天提供通知,詳細說明違約行為的性質,除非在該期限內得到糾正。
    3. 如果 Anthropic 有理由相信或確定 Anthropic 向客戶提供服務受到適用法律的禁止,則 Anthropic 可立即終止這些條款併發出通知。
  3. 暫停。
    1. 如果發生以下情況,Anthropic 可以暫停客戶對任何部分或全部服務的訪問: (a) Anthropic 有理由相信或確定 (i) 任何服務存在風險或受到攻擊;(ii) 客戶或任何使用者在使用服務時違反了第 B.1 條(合規性)、B.2(可接受使用政策)或 B.4(使用限制);(iii) Anthropic 向客戶提供的服務受到適用法律的禁止或會導致提供服務的成本大幅增加;(b) Anthropic 的任何供應商已暫停或終止 Anthropic 使用使客戶能夠訪問服務所需的任何第三方服務或產品(統稱為“服務暫停”)。
    2. Anthropic 將盡合理努力向客戶提供任何服務暫停的書面通知,並在導致服務暫停的事件得到解決(如果可以解決)後儘快恢復提供對服務的訪問。Anthropic 對客戶因服務暫停而可能產生的任何損害、責任、損失(包括任何資料或利潤損失)或任何其他後果不承擔任何責任。
  4. 終止的效力。終止後,客戶將無法再訪問服務。以下條款在這些條款終止或到期後仍然有效:(a) C 節(保密)、E(公開)、F(費用)、G.4(終止的影響)、H(爭議)、I(賠償)、 J.2(免責宣告)、J.3(責任限制)和 K(其他);(b) 為實現其基本目的而必須存在的任何規定或條件。

H、爭議

  1. 糾紛。如果發生與這些條款相關的爭議、索賠或爭議(“爭議”),雙方將首先真誠地嘗試以非正式方式解決問題。提出爭議的一方必須通知另一方(“爭議通知”),另一方將在爭議通知送達之日起 15 天內建議雙方與適當級別的管理人員會面以嘗試解決爭議的時間。如果雙方在發出爭議通知後 45 天內仍未解決爭議,任何一方均可按照 H.2 節的規定尋求透過仲裁解決爭議。
  2. 仲裁。任何爭議均將由獨任仲裁員根據司法仲裁和調解服務公司(“ JAMS ”)的綜合仲裁規則和程式在加利福尼亞州舊金山進行最終、具有約束力的仲裁來解決對透過 JAMS 仲裁程式釋出的任何裁決的判決可以由任何有管轄權的法院進行。各方同意在與這些條款有關的法律允許的最大範圍內放棄陪審團審判的權利以及加入和參與集體訴訟的權利。
  3. 公平救濟。本 H 節(爭議)並不限制任何一方尋求衡平法救濟。

一、賠償

  1. 針對客戶的索賠。Anthropic 將針對任何客戶索賠(定義見下文)為客戶及其人員、繼任者和受讓人進行辯護,並就具有有效管轄權的法院就此類客戶索賠向第三方做出的任何判決或仲裁員裁決第三方做出的任何判決向他們進行賠償任何經 Anthropic 批准的此類客戶索賠和解協議中的一方。客戶索賠”是指聲稱客戶根據這些條款或透過生成的輸出付費使用服務(包括 Anthropic 用於訓練屬於服務一部分的模型的資料)的第三方索賠、訴訟或訴訟程式此類授權使用侵犯了第三方專利、商業秘密、商標或版權。
  2. 針對 Anthropic 的索賠。客戶將保護 Anthropic 及其人員、繼任者和受讓人免受任何 Anthropic 索賠(定義見下文)的影響,並就具有有效管轄權的法院就此類 Anthropic 索賠向第三方做出的任何判決或仲裁員裁決第三方做出的任何判決向他們進行賠償根據客戶批准的此類人為索賠的任何解決方案的一方。人為索賠”是指與客戶或其使用者 (a) 提示或 (b) 違反 AUP 或 B.4 節(使用限制)使用服務相關的任何第三方索賠、訴訟或程式。人為索賠和客戶索賠均是“索賠”(如適用)。
  3. 排除情況。如果潛在指控是因受賠償方的欺詐、故意不當行為、違法或違反本協議而引起的,則任何一方的辯護或賠償義務均不適用。此外,如果客戶索賠是由於以下原因引起的,Anthropic 的辯護和賠償義務將不適用: (a) 客戶對服務或輸出進行的修改;(b) 服務或輸出與非 Anthropic 提供的技術或內容的組合;(c) 客戶提供的提示或其他資料;(d) 以客戶知道或合理應該知道的方式使用服務或輸出會侵犯或侵犯他人的權利;(e) 成果中包含的專利發明的實踐;(f) 因在貿易或商業中使用輸出而涉嫌侵犯商標權。
  4. 過程。受賠償方必須及時將相關索賠通知賠償方,併合理配合抗辯。賠償方將保留控制任何此類索賠辯護的權利,包括律師的選擇、任何訴訟或上訴的策略和過程,以及任何談判、和解或妥協,但受賠償方有權,不得無理行使,拒絕任何要求其承認不當行為或責任或使其承擔持續肯定義務的和解或妥協。如果下列任一情況嚴重損害抗辯,則賠償方的義務將被免除: (a) 受賠償方未能及時提供索賠通知;(b) 未能合理配合辯護。
  5. 唯一的補救措施。在本第 I 節(賠償)涵蓋的範圍內,賠償是各方根據本條款對任何第三方索賠的唯一補救措施。

J. 保證和責任限制

  1. 保證。各方宣告並保證 (a) 其被授權簽署這些條款;(b) 簽訂和履行這些條款不會違反任何公司規則(如果適用)。客戶進一步宣告並保證其擁有向服務提交提示所需的所有權利和許可。
  2. 免責宣告。除這些條款中明確規定的範圍外,在法律允許的最大範圍內 (A) 服務和輸出按“原樣”和“可用”提供,不提供任何形式的保證;(B) Anthropic 對第三方產品或服務(包括第三方介面)不做任何明示或暗示的保證。Anthropic 明確否認所有默示保證,包括適銷性、非侵權性和特定用途適用性的保證,以及因法規、交易或履行過程或貿易使用而產生的任何默示保證。Anthropic 不保證並否認服務或輸出準確、完整或無錯誤,或者其使用不會中斷。輸出中提及第三方可能並不意味著他們認可 Anthropic 或以其他方式與 Anthropic 合作。
  3. 責任限制。
    1. 除第 J.3.b 節所述外,各方及其附屬公司和許可方對於因本條款 (i) 引起的或與之相關的任何損害所承擔的責任不包括後果性、偶然性、特殊性、間接性或懲戒性損害賠償,包括利潤損失、業務損失、合同損失、收入損失、商譽損失、生產損失、預期節省或資料損失以及替代商品或服務的採購成本,並且 (ii) 僅限於客戶在之前為服務實際支付的費用12個月。
    2. 第 J.3 節(責任限制)中的責任限制不適用於任何一方在第 I 節(賠償)下的義務。
    3. 本節 J.3 中的責任限制(責任限制)適用於: (A) 在適用法律允許的最大範圍內;(B) 侵權責任,包括疏忽責任;(C) 無論訴訟形式如何,無論是合同、侵權、嚴格產品責任還是其他;(D) 即使違約方已提前被告知有關損害的可能性,並且即使此類損害是可預見的;(E) 即使受害方的補救措施未能達到其基本目的。
    4. 雙方同意,他們依據本 J.3 節(責任限制)的條款簽訂了這些條款,這些條款構成了雙方談判的重要基礎。

K、雜項

  1. 通知。這些條款項下的所有通知、要求、棄權和其他通訊(均稱為“通知”)必須採用書面形式。除與仲裁要求或尋求衡平法救濟相關的通知外,根據本條款提供的任何通知均可以電子方式傳送至客戶地址或向 Anthropic 提供的其他授權地址;如果傳送至 Anthropic,則傳送至notices@anthropic.com通知僅在以下情況下有效:(i) 接收方收到後,並且 (ii) 發出通知的一方已遵守本第 K.1 節(通知)的所有要求。
  2. 電子通訊。客戶同意接收來自 Anthropic 的基於客戶對服務的使用情況以及與這些條款相關的電子通訊。除非適用法律禁止,否則電子通訊可能包括透過服務或客戶管理儀表板或在 Anthropic 網站上傳送的電子郵件。Anthropic 還可以透過文字或 SMS 提供有關客戶使用服務的電子通訊,或者根據客戶向 Anthropic 提出的其他要求。如果客戶希望停止接收此類訊息,客戶可以向 Anthropic 提出請求或回覆任何此類簡訊“停止”。
  3. 修正和修改。Anthropic 可以隨時更新這些條款,更新在 Anthropic 釋出更新後 30 天或客戶以其他方式收到通知後生效,但為響應法律或法規變更而進行的更新在釋出或通知後立即生效。更改不會追溯適用。除非以書面形式並經雙方簽署,否則對這些條款的任何其他修訂或修改均無效。未能行使或延遲行使由這些條款產生的任何權利或補救措施現在和將來都不會被解釋為放棄;任何單一或部分行使任何權利或補救措施均不會妨礙未來行使此類權利或補救措施。
  4. 指派和委託。未經另一方事先書面同意,任何一方均不得轉讓其在本條款項下的權利或委託其義務,但 Anthropic 可以在出售其全部或大部分業務的過程中轉讓其權利並委託其義務。除上述允許的情況外,任何聲稱的轉讓或委託均無效。任何允許的轉讓或委託都不會免除締約方或受讓人在這些條款下的義務。這些條款將對雙方及其各自允許的繼承人和受讓人具有約束力並符合其利益。
  5. 可分割性。如果這些條款的某項規定在任何司法管轄區無效、非法或無法執行,則此類無效、非法或不可執行既不會影響這些條款的任何其他條款或規定,也不會導致此類條款或規定在任何其他司法管轄區無效或無法執行。一旦確定任何條款或其他規定無效、非法或不可執行,雙方將真誠協商修改這些條款,以儘可能反映雙方的初衷。
  6. 解釋。這些條款將相互解釋,任何一方均不被視為起草者。提供文件和章節標題是為了方便起見,不會對其進行解釋。短語“例如”或“包括”或“或”不是限制性的。
  7. 適用法律。這些條款受加利福尼亞州法律管轄並根據加利福尼亞州法律解釋,不影響任何法律選擇條款。根據 H 節(爭議)的規定,與這些條款相關的所有訴訟、行動或訴訟程式將僅在位於加利福尼亞州舊金山的聯邦或州法院提起,並且各方不可撤銷地服從其專屬管轄權。
  8. 出口和制裁。客戶不得向個人或實體出口或向其提供對服務的訪問許可權,或向美國或其他適用國際法禁止的國家或地區出口或提供對服務的訪問。在不限制上述句子的情況下,此限制適用於 (a) 在未事先獲得適當許可證的情況下從美國出口或向該國家出口將被禁止或非法的國家,以及 (b) 受美國製裁的個人、實體或國家。
  9. 一體化。這些條款(包括 AUP、DPA、模型定價頁以及透過引用納入這些條款的其他檔案或條款)構成雙方對服務的提供和使用的完整理解。這些條款取代雙方之間有關服務的所有其他諒解或協議。如果客戶也同意我們的服務條款,則以這些條款為準。
  10. 不可抗力。任何一方均不對因超出其合理控制範圍的情況而導致的未能履行或延遲履行承擔責任。

附件 A:人擇資料處理附錄

本資料處理附錄(“ DPA ”)適用於 Anthropic PBC,一家公益公司(“ Anthropic ”)及其與向客戶提供 Anthropic 服務相關的個人資料處理(定義見參考本 DPA 的合同) Anthropic 已同意提供服務)。除非協議中另有明確規定,本 DPA 在協議的整個期限內有效並持續有效。Anthropic 和客戶在此可各自稱為“一方”或統稱為“雙方”。

1. 定義

  • 客戶關聯公司”是指作為本協議受益人的客戶關聯公司。
  • 適用的資料保護法”是指與個人資料的隱私、機密性或安全性相關的所有適用的法律、規則、法規和政府要求,這些法律、規則、法規和政府要求可能會不時修訂或以其他方式更新。
  • 控制者”具有以下含義(如適用): (a) 適用資料保護法賦予“控制者”的含義;(b) 適用資料保護法賦予“業務”的含義。
  • 涵蓋資料”是指客戶或客戶關聯公司共享的與提供服務相關的個人資料。“資料主體”是指其個人資料屬於涵蓋資料一部分的自然人。
  • 資料主體請求”是指資料主體根據適用資料保護法行使其權利的請求。“GDPR”是指法規 (EU) 2016/679。
  • 個人資料”是指以下任何資料或資訊: (a) 與已識別或可識別的自然人關聯或可合理關聯;(b) 是“個人資料”、“個人資訊”、“個人身份資訊”或適用資料保護法下類似定義的資料或資訊。
  • 處理”是指對個人資料或個人資料集執行的任何操作或一組操作,無論是否透過自動方式。“程序”、“程序”和“已處理”將被相應地解釋。
  • 處理者”具有以下含義(如適用): (a) 適用資料保護法賦予“處理者”的含義;(b) 適用資料保護法賦予“服務提供商”的含義。
  • 安全事件”是指導致涵蓋資料意外或非法破壞、丟失、更改、未經授權披露或未經授權訪問(包括未經授權內部訪問)的安全漏洞。
  • "Services" means the services to be provided by Anthropic pursuant to the Agreement.
  • "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor)and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
  • "Sub-processor" means an entity appointed by Anthropic, as a Processor, toProcess Covered Data on its behalf.
  • “UK GDPR” has the meaning given under the Data Protection Act 2018 (UK).

2. GENERAL

  1. This DPA is incorporated into and forms an integral part of the Agreement. If there is any conflict between this DPA and the Agreement relating to the Processing of Covered Data, this DPA shall govern. Customer acknowledges and agrees that Anthropic may amend this DPA from time to time on reasonable notice to Customer where such changes are required because of changes in Applicable Data Protection Laws.
  2. Clauses 3 to 9 of this DPA apply to the extent Anthropic acts as a Processor on behalf of Customer with respect to the Covered Data.

3. DETAILS OF DATA PROCESSING

  1. The details of the Processing of Covered Data (such as subject matter, duration, nature, and purpose of the Processing, categories of Personal Data and DataSubjects) are described in the Agreement and in Part B of Schedule 1 to this DPA.
  2. Anthropic will only Process Covered Data in accordance with Applicable DataProtection Laws and on the documented instructions of Customer (including as set out in the Agreement and this DPA), unless required to do otherwise by applicable law to which Anthropic is subject, in which case Anthropic will, unless prohibited by applicable law, inform Customer of such legal requirement before Processing. Without limiting the foregoing, Anthropic is prohibited from:
    1. selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
    2. sharing Covered Data with any third party for cross-context behavioural advertising;
    3. retaining, using, or disclosing Covered Data outside of the direct business relationship and for any purpose other than for the business purposes specified in Part B of Schedule 1 or as otherwise permitted by Applicable Data Protection Laws; and
    4. except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Anthropic receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
  3. To the extent that any of the instructions provided by Customer to Anthropic in accordance with clause 3.b require Processing of Covered Data in a manner that falls outside the scope of the Services, Anthropic may:
    1. notify Customer that such instructions fall outside the scope of Services under theAgreement and not carry out such instructions, or at Anthropic’s election, make the performance of any such instructions subject to the payment by Customer of any costs and expenses incurred by Customer or such additional charges asCustomer may reasonably determine; or
    2. immediately terminate the Agreement and the Services.
  4. Anthropic will promptly inform Customer if, in its opinion, an instruction from Customer relating to the Processing of Covered Data infringes Applicable Data Protection Law.
  5. Customer hereby authorises and instructs Anthropic to Process Covered Data anywhere that Anthropic or its Sub-processors maintain facilities.
  6. Anthropic will, at the request of Customer, provide assistance that is reasonable necessary for Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws.
  7. Customer will have the right to take reasonable and appropriate steps to ensure thatAnthropic uses Covered Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws.
  8. Anthropic will ensure that each person authorised to process Covered Data is subject to a duty of confidentiality.
  9. Customer acknowledges that Anthropic’s Services are not designed, intended, or provided for the purpose of making predictions regarding any Data Subject, determining creditworthiness, or any other manner of automated decision-making regarding Data Subject(s) to which the Covered Data relates.
  10. Anthropic may charge Customer, and Customer will reimburse Anthropic, for any assistance provided by Anthropic to Customer in relation to this DPA, including with respect to any TIAs or consultation with any supervisory authority of Customer.

4. SUB-PROCESSORS

  1. Customer grants Anthropic the general authorisation to engage the Sub-processors listed in Schedule 5, and any additional Sub-processors in accordance with clause 4.c.
  2. Anthropic will: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are substantively no less protective of Covered Data than Anthropic’s obligations under this DPA; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
  3. In the event that Anthropic wishes to appoint an additional Sub-processor: (a) Anthropic will provide Customer reasonable notice; and (b) Customer may, on the basis of reasonable data privacy and data security concerns, object to Anthropic’s use of such Sub-processor by providing Anthropic with written notice of the objection within ten (10) days of the date of such notice, otherwise the additional Sub-processor shall be deemed approved. In the event Customer objects to Anthropic’s use of a newSub-processor, Customer and Anthropic will work together in good faith to find a mutually acceptable resolution to address any objections raised by Customer.

5. DATA SUBJECT RIGHTS REQUESTS

  1. Anthropic will forward to Customer promptly any Data Subject Request received byAnthropic relating to the Covered Data and may advise the Data Subject to submit their request directly to Customer.
  2. Anthropic will, taking into account the nature of the Processing of Covered Data, provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

6. SECURITY

  1. Accounting for the state of the art, costs of implementation and the nature, scope and context and purposes of the relevant Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Anthropic will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for theCovered Data appropriate to the risk of the relevant Processing.
  2. The Parties agree that the measures set out in Schedule 2 provide an appropriate level of security for the Covered Data, accounting for the risks presented by theProcessing outlined in the Agreement and this DPA.

7. AUDITS AND RECORDS

  1. Upon request, Anthropic will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
  2. To the extent required by Applicable Data Protection Legislation, Anthropic will permitCustomer (or a suitably qualified, independent third-party auditor which is not a competitor of Anthropic) to audit Anthropic’s compliance with this DPA no more than once per calendar year on at least thirty (30) days’ written notice to Anthropic (an “Audit”), provided that Customer (or Customer’s third-party auditor, as applicable):
    1. may only conduct an Audit during Anthropic’s normal business hours;
    2. will conduct the Audit in a manner that does not disrupt Anthropic’s business;
    3. enters into a confidentiality agreement reasonably acceptable to Anthropic prior to conducting the Audit;
    4. pays any reasonably incurred costs and expenses incurred by Anthropic in the event of an Audit;
    5. ensures that its personnel comply with any policies and procedures notified byAnthropic to Customer when attending Anthropic’s premises;
    6. submits, as part of the written notice provided by Customer to Anthropic, a detailed proposed audit plan which is agreed by Anthropic (an “Audit Plan”); and
    7. conducts the Audit in compliance with the final agreed Audit Plan.
  3. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of the DPA. Nothing in this clause 7 will require Anthropic to breach any duties of confidentiality it owes to third parties.

8. SECURITY INCIDENTS

  1. Anthropic will notify Customer in writing without undue delay after becoming aware of any Security Incident. Anthropic will, to the extent reasonably necessary, cooperate with Customer’s investigation of the Security Incident. Anthropic’s notification of, or response to, a Security Incident will not be construed as an acknowledgement byAnthropic of any fault or liability with respect to the Security Incident.

9. DELETION AND RETURN

  1. Anthropic will, in any event, within thirty (30) days of the date of termination or expiry of the Agreement (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Anthropic or any Sub-processors.

10. STANDARD CONTRACTUAL CLAUSES

The Parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the Standard Contractual Clauses Module 1 (Controller to Controller),Module Two (Controller to Processor) and/or Module Three (Processor to Processor),each as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the Parties.

  1. To the extent required by Applicable Data Protection Laws, the jurisdiction-specific addenda to the Standard Contractual Clauses set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the Parties.
  2. To the extent that there is any conflict between the terms of this DPA and the terms of the Standard Contractual Clauses, the Standard Contractual Clauses shall govern.
  3. Anthropic will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Covered Data. Anthropic will, upon Customer’s request and at Customer’s cost, provide information toCustomer which is reasonably necessary for Customer to complete a transfer impact assessment ("TIA") to the extent required under Applicable Data Protection Laws.

SCHEDULE 1 - DETAILS OF PROCESSING AND TRANSFERS

PART A – List of Parties

The Parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of Applicable Data Protection Laws, additional information regarding the data exporter and data importer is set out below.

  1. Data Exporter
    The data exporter is: Customer and/or Customer Affiliates exporting Covered Data to which the GDPR applies.The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Anthropic upon request.
  2. Data Importer
    The data importer is: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, United States. The data importer’s contact person and contact details are included in theAgreement or will be disclosed to Customer upon request.

PART B – Description of Processing

  1. Categories of Data Subjects - Determined by Customer (in accordance with the Agreement).
  2. Categories of Personal Data - Determined by the Customer (in accordance with the Agreement).
  3. Special categories of Personal Data (if applicable) - None.
  4. Duration and Frequency of the Processing - The Processing is performed on a continuous basis for the duration of the Agreement and is determined by Customer’s configuration of the Services.
  5. Subject matter and nature of the Processing - Performing the Services on behalf ofAnthropic which involves Processing (including collection, storage, organisation and structuring) of Personal Data as part of a natural language-based, machine-learning tool, as further described in the Agreement; undertaking activities to verify or maintain the quality of the Services; debugging to identify and repair errors that impair existing intended functionality; helping to ensure security and integrity of the Services.
  6. Purpose(s) of the data transfer and further Processing - To provide the Services to Customer pursuant to the Agreement and as may be further agreed upon by Customer and Anthropic.
  7. Storage Limitation - The duration is the term of the Agreement.
  8. Sub-processor (if applicable) - To provide Processing system capability toAnthropic (as described in Schedule 4) to provide the Services described in theAgreement.

PART C – Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

Anthropic has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, accounting for the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Anthropic’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Anthropic’s organization, monitoring and maintaining compliance with Anthropic’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
    1. being transmitted by Anthropic over public networks (i.e., the Internet) or when transmitted wirelessly; or
    2. at rest or stored on portable or removable media (i.e., laptop computers,CD/DVD, USB drives, back-up tapes).
  4. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Anthropic’s passwords that are assigned to its employees; controls include appropriate password security requirements, and specific time and use limitations for passwords.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
  7. Physical and environmental security of data center, server room facilities and other areas containing Covered Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of
    Anthropic facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Anthropic’s possession.
  9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Anthropic’s technology and information assets.
  10. Incident / problem management procedures designed to allow Anthropic to investigate, respond to, mitigate, and notify of events related to Anthropic’s technology and information assets.
  11. Network security controls that provide for the use of firewall systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  12. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  13. Business resiliency/continuity plan and procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

SCHEDULE 3 - INTERNATIONAL TRANSFERS

EU SCCS

Elections for the purposes of Module 1, Module Two and Module Three of the Standard ContractualClauses:

  1. Clause 7 (Docking clause) – does not apply.
  2. Clause 11 (Redress) – optional wording does not apply.
  3. Clause 17 (Governing Law) – Option 1 will apply and the governing law will be the law of the Republic of Ireland.
  4. Clause 18 (Choice of forum and jurisdiction) – the applicable choice of forum and jurisdiction will be the Republic of Ireland.
  5. For the purpose of Annex I of the Standard Contractual Clauses, Part A of Schedule 1contains the specifications regarding the parties, Part B of Schedule 1 contains the description of transfer for Module Two and Module Three, and Part B of Schedule 1 contains the description of transfer for Module 1 except that the purpose, nature and subject matter of the processing shall be as set out in clause 2.3, and Part C of Schedule1 contains the competent supervisory authority.
  6. For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.

Additional elections for the purposes of Module Two and Module Three of the Standard ContractualClauses:

  1. Clause 9 (Use of sub-processors) – Option 2 (General written authorization) will apply, and the time period is as specified in clause 4.c of the DPA.
  2. For the purpose Annex III of the Standard Contractual Clauses, the list of Sub-processors are set out in Schedule 4 or as otherwise determined by clause 4.c of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Anthropic upon request.

UK ADDENDUM

This UK Addendum will apply to any Processing of Covered Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.

  1. With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Customer (as data exporter) to Anthropic (as data importer):
    1. to the extent necessary under Applicable Data Protection Law, the ApprovedAddendum as further specified in this UK Addendum of this Schedule 3 will be incorporated into and form part of this DPA;
    2. for the purposes of Table 1 of Part 1 of the Approved Addendum, the parties’ details are as set out in Part A of Schedule 1;
    3. for the purposes of Table 2 of Part 1 of the Approved Addendum, the version of the Approved EU SCCs as set out in the EU SCCs of this Schedule 3 including the Appendix Information are the selected SCCs; and
    4. for the purposes of Table 4 of Part 1 of the Approved Addendum, Anthropic (as data importer) may end the Approved Addendum.

SWISS ADDENDUM

This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

  1. Interpretation of this Addendum
    1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
      1. This Addendum: This Addendum to the Clauses
      2. Clauses: The Standard Contractual Clauses as further specified in this Schedule
      3. Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
    2. This Addendum will be read and interpreted in the light of the provisions of SwissData Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
    3. This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
    4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
  2. Hierarchy
    In the event of a conflict or inconsistency between this Addendum and the provisions of theClauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
  3. Incorporation of the Clauses
    1. In relation to any Processing of Personal Data subject to Swiss Data ProtectionLaws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:
      1. for transfers made by the data exporter to the data importer, to the extent thatSwiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that transfer; and
      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
    2. To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by clause 3.1 of this Swiss Addendum, include (without limitation):
      1. References to the "Clauses" or the "SCCs" mean this Swiss Addendum as itamends the SCCs.
      2. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."
      3. References to "Regulation (EU) 2016/679" or "that Regulation" or “GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s)
        of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
      4. References to Regulation (EU) 2018/1725 are removed.
      5. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
      6. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data ProtectionLaws;
      7. Clause 17 is replaced to state: "These Clauses are governed by the laws ofSwitzerland insofar as the transfers are governed by Swiss Data Protection Laws".
      8. Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts ofSwitzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

在修訂後的瑞士資料保護法生效之前,這些條款還將保護法人實體的個人資料,並且法人實體將獲得與自然人相同的條款保護。

  1. 如果任何個人資料處理均受瑞士資料保護法和 GDPR 的約束,則 DPA(包括本附表中進一步規定的條款)將適用 (i) 按原樣,以及 (ii) 此外,如果傳輸受瑞士資料保護法(經本瑞士附錄第 3.1 和 3.3 條修訂)的約束,唯一的例外是 SCC 第 17 條不會按照本瑞士附錄第 3.3(b)(g) 條的規定被替換。
  2. 客戶保證其和/或客戶關聯公司已按照瑞士資料保護法的要求向 FDPIC 發出任何通知。

附表 4 - 分處理者

Anthropic 的子處理者列表可在https://www.anthropic.com/subprocessors上找到。

Ctrl+M