Terms and Conditions
Welcome to QuivaWorks. Please read this document as it contains important information. To help you navigate these Terms and Conditions, we've included a short explanation or summary alongside the detailed legal provisions. These are designed to provide a short, clear and simple overview of key points and obligations. These are for convenience only and are not legally binding. The full terms and conditions are what apply so read them carefully to understand all rights and responsibilities of this Agreement.
By clicking "I Accept", You agree you have READ, UNDERSTOOD AND AGREE to these terms and conditions which will constitute a legally binding agreement (this "Agreement").
Table of Contents
- 1. Who
- 2. When
- 3. What
- 4. Definitions
- 5. Customer Warranties
- 6. Use
- 7. Accounts
- 8. Cloud Hosting Infrastructure
- 9. Plans
- 10. Additional Users
- 11. Usage Credits
- 12. Payment
- 13. The Don'ts – Use Restrictions
- 14. Your Responsibilities
- 15. Third Party Services
- 16. Data
- 17. Privacy
- 18. Security Incidents
- 19. Our AI Assistance Features
- 20. Trial or Beta Use
- 21. Our Intellectual Property
- 22. Confidential Information
- 23. Compliance with Documentation and Security
- 24. Customer Representations & Warranties
- 25. Indemnification
- 26. Limitation of Liability
- 27. Suspension
- 28. Cancellation
- 29. Sanctions and Export Laws
- 30. Miscellaneous
- 31. Amendments
1. Who
This Agreement is between Evari Services UK Ltd of 128 City Road, London EC1V 2NX ("Us, We, Ours") and you. If you are signing up:
- as an individual, this agreement will be between Us and you as the individual;
- on behalf of a company, organisation or other entity (such as your employer), it will be the entity on whose behalf you are agreeing to this Agreement.
In this Agreement the words "You", "Your", "Yours" or "Customer" refer to you as an individual or the entity as applicable.
If You do not agree, or where You are an individual agreeing on behalf of an entity and do not have the authority to legally bind the entity, you must not click "I Accept", create an Account or use QuivaWorks products including at www.quiva.ai.
2. When
This Agreement starts on the date and time You click "I Agree" and sign up (the "Start Date") and it continues until terminated by either party in accordance with this Agreement ("the Term").
3. What
This Agreement includes:
- these Terms and Conditions
- Data Processing Agreement
- Acceptable Use Policy
- Security Addendum
Each of these documents is incorporated into this document by reference.
4. Definitions
The following words will have the following meanings whenever used with capitals in this Agreement:
Key Definitions
"Account" means a Root Account and any Secondary User Account.
"Account Data" means Billing Information, as well as other information and records related to or associated with Your Account including that You provide to Us in connection with the creation or administration of an Account, such as, names, account name, occupation, phone numbers, entity information, email address, billing, location, and website details, and Account configuration information and login data. It excludes Service Content and AI Assistance Content.
"Add Ons" means any optional additional feature, usage, functionality, service, improvement, or resource offered by Us from time to time that is not included in Your existing Plan and is subject to payment of an additional Add On Fee or consumption of pre-paid Usage Credits.
"AI Agents" means an artificial intelligence system with large language models ("LLM") that mimic human decision-making to accomplish a specific goal or objective in real time with limited human supervision.
"AI Assistance Content" means all data or information submitted by You including by Users to Our AI Assistance Feature.
"AI Assistance Feature" means any AI-enabled feature made available by Us as part of QuivaWorks to provide You with support and assistance. It does not include AI Agents You create via QuivaWorks.
"AI Providers" means the third parties that provide LLMs including those used by AI Agents or AI Assistance Features, which may be supported by QuivaWorks from time to time.
"API" means an application programming interface, being a set of software functions, protocols and tools provided by Us to enable Users to access and interact with the functionality or data of QuivaWorks.
"AUP" means Our acceptable use policy currently posted at https://www.QuivaWorks/legal.html as updated from time to time.
"Documentation" means the published user manual related to use of QuivaWorks, as well as describing the functionality of QuivaWorks found at http://www.quiva.ai/documentation as updated by Us from time to time.
"DPA" means the data processing addendum agreement between Us and You located at www.quiva.ai/legal/DPA as updated from time to time.
"Excluded Data" means any higher risk data which is data that is classified as sensitive, confidential, or high-risk under applicable Privacy/Security Laws, standards or guidance including but not limited to sensitive personal data, health information, financial data, or authentication credentials.
Important: You must not use QuivaWorks to process Excluded Data. This includes sensitive personal information, health records, financial data, or any confidential business information.
"Free Plan" means a limited, no-cost subscription to QuivaWorks that is subject to restrictions on features, users, Usage Credits or functionality as specified by Us from time to time.
"Infrastructure Providers" means the third-party providers who provide server hardware and datacentre services to Us for purposes of hosting QuivaWorks.
"Our Content" means APIs, sample code, software libraries, command line hooks, proofs of concept, templates, advice, information, programs and other content made available by Us and Our Affiliates related to the use of QuivaWorks or on the Website and other related technology. It does not include QuivaWorks.
"Paid Plan" means a QuivaWorks subscription offered for a Fee, providing enhanced features, increased Usage Credits, usage limits and/or additional functionality compared with a Free Plan.
"Plan" means either a Free or Paid QuivaWorks subscription plan selected and activated by You via the Root Account or a Secondary User granted with privileges to do so.
"QuivaWorks" means Our online, cloud hosted and managed application for the creation, management and use of AI Agents as described in the Documentation as well as Our APIs and any updates, upgrades, patches, modified versions, extensions, improvements and derivative works including the AI Assistance Features.
"Root Account" means the initial online account You register and open to access and use QuivaWorks and which serves as the primary account for the Root User to access and manage Your Plan.
"Secondary Account" means any online account registered and maintained to access and use QuivaWorks under the administrative control of the primary Root User.
"Service Content" means all data or information submitted to, processed, hosted or stored through QuivaWorks by You or on Your behalf, including by Users, in connection with Your use of QuivaWorks and Your Account but does not include Account Data or AI Assistance Content.
"Usage Credits" means a unit of service entitlement that may be redeemed by You to use the Account in accordance with the applicable consumption rates set forth in the Documentation.
5. Customer Warranties
Individual
You represent, warrant and covenant that You have the legal capacity (including, without limitation, being over 18 years of age or of sufficient age) to enter into a binding contract under the law of the jurisdiction in which You reside, are registered or conduct business.
Entity
Where You are an entity, You represent and warrant that You have full corporate right and authority to enter into and perform this Agreement. The person agreeing to this Agreement on behalf of an entity represents, warrants and covenants that they are authorised to do so and has and maintains the authority of the entity to bind it to this Agreement.
Prohibited Persons
You represent, warrant and covenant that You are not and will not be subject to any sanctions, export restrictions or prohibited party lists.
6. Use
Intended Use
QuivaWorks is intended for business or professional use only. QuivaWorks is generally available proprietary software.
Access and Use Grant
During the Term, We grant to You a limited, revocable, non-exclusive, non-sub-licensable, non-transferable, royalty free right to permit Root and Secondary Users to access and use QuivaWorks and Our Content solely for Customer's business purposes limited to such features and functions as the Plan specifies and in accordance with the Documentation and the terms and conditions of this Agreement.
Revisions
We may revise, discontinue or remove QuivaWorks or any of its features and functions at any time. If any such revision to QuivaWorks materially reduces features or functionality provided pursuant to a current Plan, Your sole and exclusive remedy is to cancel the Plan. In the case of a discontinuance We will provide 30 days' notice and the Plan will automatically cancel on the date of discontinuance.
Usage Limits
Your use of QuivaWorks is subject to the limits identified in the Plan from time to time. Your use is also subject to reasonable usage limits, as determined by Us in good faith based on industry standards and typical usage patterns.
Support
Your Plan determines the Support Services that You are eligible to receive. We will provide such Support Services to You in accordance with the Documentation.
7. Accounts
Root Account
To access and use QuivaWorks, You must register for, open, set-up and maintain a Root Account and activate a Plan.
Secondary Accounts
Secondary Users are required to create and maintain individual accounts linked to the Root Account to access and use QuivaWorks. You will be responsible for facilitating access to Secondary Users via the Root Account or granting invitation privileges to Secondary Users.
Log-in Credentials
You are responsible for the security of all User credentials. You shall use proper security protocols, such as setting strong passwords and access control mechanisms, safeguarding access to all logins and passwords, and verifying the trustworthiness of persons who are entrusted with access information.
Important: If You lose access, the Recovery Keys can be used to regain access to the Account; however, if You lose access to, or fail to enter, the correct Recovery Keys, then You acknowledge that We will not be able to recover data from, nor restore access to, Your Account.
Your Liability for Accounts
You agree that You are responsible and liable for all access and use of QuivaWorks and Our Content under the Accounts (including by Users and any unauthorised use), including, compliance with all applicable laws, the AUP and any third-party terms.
8. Cloud Hosting Infrastructure
Infrastructure Providers
You acknowledge and agree that:
- QuivaWorks is hosted using datacentres and servers managed by third-party Infrastructure Providers, and those providers are responsible for this service including maintaining service availability; and
- We are not responsible or liable for any acts, omissions, errors, interruptions, or failures of the Infrastructure Providers; and
- disruptions, delays, or damages caused by the Infrastructure Provider are not grounds for a claim against Us, nor do they affect Your obligation to pay Fees.
Encryption
Service Content is stored inside QuivaWorks and hence with the Infrastructure Providers. Service Content is stored in encrypted form only. The Infrastructure Providers cannot decrypt Service Content.
9. Plans
Plan
You acknowledge and agree that QuivaWorks has different Plans and some features and functions or similar may only be accessed and used after payment of applicable Fees is received as set out in the Plan.
Automatic Renewal
Unless You cancel prior to the end of a Plan, the Plan will automatically renew for successive billing periods. All renewals are subject to QuivaWorks and Plan being offered at the time of renewal and will be subject to the then-current Fees applicable to the renewed Plan.
Plan Downgrades
You can downgrade a Plan at any time however the Downgrade will take effect from the next Billing Period. You acknowledge and agree that downgrading a Plan is likely to cause a reduction in Included Usage Credits, loss of features, functionality, performance capacities, data storage, processing power, data or other capabilities of QuivaWorks which were available under the higher-tier Plan.
Plan Upgrades
You can upgrade a Plan at any time and the upgrade will take effect from the date of the upgrade.
10. Additional Users
Eligibility, inclusions and limitations to the number of Additional Users that You can add to Your Plan may differ depending on the Plan that You are registered for, as described in the Documentation published on our Website from time to time.
Add On charges may apply for Additional Users. Charges vary based on the Plan that You are registered for.
If You are eligible and elect to increase the number of Additional Users for Your Account, this change shall take effect immediately. Any applicable associated increase in Add On Fees shall be applied immediately.
11. Usage Credits
Method of Payment for Add Ons
You acknowledge and agree that QuivaWorks uses Usage Credits as a mechanism for measuring fixed units of consumption of Add On services within Your Account.
Included Usage Credits - Free Plans
Free Plans include an allocation of a specified number of Included Usage Credits per Account, per month. Included Usage Credits are allocated to Your Account at the start of each billing period. Any Included Usage Credits that are not utilised at the end of the period shall be forfeited.
Included Usage Credits - Paid Plans
Paid Plans include an allocation of a specified number of Included Usage Credits per User, per month. The total amount of Included Usage Credits will be tracked at the Account level, and consumed on a first-come-first-served basis by any User within the Account. Any Included Usage Credits that are not utilised at the end of the period shall be forfeited.
Purchase of Additional Usage Credits
Paid Plans provide you with the ability to purchase quantities of Additional Usage Credits in advance. Additional Usage Credits that are not utilised in the current billing period shall be rolled over and may be used in subsequent billing periods.
12. Payment
Fees
You shall pay Us the Subscription Fee for each Paid Plan and all applicable Add-on Fees including for additional Usage Credits during the Term (the "Fees").
Billing
Invoices will be available digitally and found in Your Root Account. You agree to be billed on a recurring basis and to be automatically charged using your payment method on invoicing. All Fees are payable in advance.
Method of Payment
You must pay Us using one of the payment methods We support from time to time. You must promptly notify Us of updates to Your Billing Information including where Your payment method is cancelled or otherwise inoperable.
Payment Processors
We use third-party payment processors ("Payment Processors") to bill you through the payment account linked to your Root Account. Payment processing is subject to the terms, conditions and policies of the Payment Processors in addition to this Agreement. We are not responsible for the errors, acts or omissions of the Payment Processors.
Refunds and Cancellation
Payment obligations are non-cancellable.
- Paid Plans: If you Downgrade a Paid Plan, You will not be entitled to any refund of amounts paid for the billing period.
- Add On Fees: Any Add On Fees and applicable Taxes are non-refundable regardless of whether the Add On has been used or the Plan is downgraded or cancelled.
- Free Plans: No credits or refunds are provided for any cancellation or upgrade of a Free Plan as there is no Subscription Fee for a Free Plan.
Taxes
All Fees are exclusive of Taxes which You must pay in addition to and at the same time as the Fees. Fees are due and payable without deduction for any tax, tariff, duty, or assessment imposed by any government authority.
Interest
Without limiting Our rights or remedies, You shall pay interest charges on late payments from the time the payment was due at the rate that is the lower of 4% per month above the Bank of England current base rate or the highest rate permissible under applicable law until paid in full.
Late or Non-Payment
Without limiting Our other rights or remedies, We may suspend, deactivate, prevent access to, disable services, delete or terminate Your Root Account or any other account You have with Us, prohibit You from creating any new account with Us, until all sums due under this Agreement are paid in full.
13. The Don'ts – Use Restrictions
Only Use as per this Agreement
You must not, and must ensure that Users do not, use QuivaWorks or Our Content in any manner or for any purpose other than as expressly allowed by this Agreement and the Documentation.
Use which is not allowed
You must not, and must ensure that Users do not (whether directly or indirectly), attempt to or allow or encourage a third party to:
- access or use QuivaWorks or Our Content for service bureau or time-sharing purposes, offering it as a software-as-a-service, for training or otherwise exploit QuivaWorks;
- resell, sublicense, rent, distribute, lease or otherwise make QuivaWorks or Our Content available to any third party, other than its Users permitted by this Agreement;
- decipher, disassemble, decompile, or reverse engineer QuivaWorks, Our Content or any portion of them;
- modify, translate, or otherwise create derivative works of any part of QuivaWorks;
- access or use QuivaWorks or Our Content to threaten or breach the security or integrity of any network, computer, communications system, software application or device;
- use any means to avoid any use limitations or other quotas such as access and storage restrictions or avoid incurring fees;
- share login credentials or non-public features or content to any third party;
- access QuivaWorks or Our Content to copy ideas, features, functions or graphics, or to build or assist in building a competitive product or service;
- engage in unauthorised web or data scraping via any means including through any software that simulates human activity, a bot or web crawler.
14. Your Responsibilities
Comply with Laws
You shall comply with all applicable laws and regulations, including Privacy/Security laws.
Acceptable Use
You shall comply and ensure Users comply with this Agreement including the AUP. You are responsible for notifying Your employees and others of the provisions of this Agreement, including the AUP.
Service Content and AI Assistance Content
You agree that You are solely responsible for:
- Content Responsibility: All Service Content, and AI Assistance Content, including its content, quality, accuracy and legality;
- Legal Compliance: Ensuring Service Content, and AI Assistance Content, complies with all laws applicable to the collection and provision of Service Content;
- Backup and Disaster Recovery: You are responsible for implementing and maintaining Your own independent backup, archiving, and disaster recovery procedures for Service Content. We do not retain or maintain any archives, copies, preservations or backups of your Service Content;
- Security Monitoring: Implementing Your own security monitoring, threat detection, malware scanning, and compliance verification procedures for Service Content.
Recovery Key Management
You are solely responsible for managing, storing, protecting, and maintaining all Recovery Keys.
Important: You acknowledge and agree that if you lose, corrupt, delete or otherwise lose access to Your Recovery Key, all Service Content may be permanently and irretrievably inaccessible and We have no liability for any Loss including of Service Content arising in connection with loss of Recovery Keys.
Unauthorised Access
You shall:
- ensure that only authorised Root and Secondary Users access and use QuivaWorks;
- take reasonable steps to prevent unauthorised access or use of QuivaWorks, including by protecting log-in credentials;
- notify Us immediately of any known or suspected unauthorised access or use of Your Account, User credentials, Recovery Keys or QuivaWorks;
- use best efforts to stop any such matters.
AI Agents
You are solely responsible for the access and use of any AI Agents that You create through Your or Users' use of QuivaWorks. We have no responsibility or liability for such access and use.
15. Third Party Services
Any Third-Party Services are not within Our control, and You use them at Your own risk. To the fullest extent permitted by law, We are not responsible or liable for the availability, content, functions, output, performance, accuracy, legality, appropriateness, security or any other aspect of any Third-Party Service.
You acknowledge that when You use AI Assistance Features or configure integrations between QuivaWorks and Third-Party Services:
- Service Content and AI Assistance Content may be decrypted after transmission by such Third-Party Services and any AI Providers;
- such Third-Parties may have access to Service Content and AI Assistance Content in unencrypted form;
- We have no control over and no responsibility for AI Providers' and Third-Party Services' handling, security or use of Service Content or AI Assistance Features Content;
- You are solely responsible for evaluation of the security, privacy practices, and terms of service of all AI Providers and Third-Party Services.
16. Data
Our privacy policy is on our website – read it to know how we handle your Account Data and Usage Analytics.
You agree we can use your Service Content and AI Assistance Content to provide services, de-identified data as we like, and otherwise as set out in the Privacy Policy.
General
QuivaWorks permits the submission or uploading of Service Content and the AI Assistance Feature permits submission or upload of AI Assistance Content, by You and Secondary Users in accordance with this Agreement.
No Access to Service Content
We do not have access to Service Content. Service Content is encrypted and may be accessed only by Users and is managed solely by You.
Limited Access to AI Assistance Content
We have access to AI Assistance Content to provide the AI Assistance Features. All AI Assistance Content is stored securely in encrypted form. You control what data You provide as part of the AI Assistance Content.
Customer Managed
You acknowledge and agree that because We cannot access Your Service Content, We cannot:
- monitor, access or decrypt Service Content for any purpose, including security monitoring, threat detection, malware scanning or compliance verification;
- investigate, analyse or provide forensic analysis of data incidents, security breaches or unauthorised access involving Service Content;
- provide technical support, troubleshooting, or customer assistance that requires access to, inspection of, or analysis of Service Content;
- recover, restore, or retrieve Service Content if You lose access to Your Recovery Keys or if Service Content becomes corrupted;
- regenerate Recovery Keys under any circumstances;
- comply with lawful access requests, court orders, or regulatory demands for production of Service Content in unencrypted form.
Excluded Data
"Excluded Data" means any higher risk data which is data that is classified as sensitive, confidential, or high-risk under applicable Privacy/Security Laws, including:
- sensitive, special category or high risk Personal Data under the GDPR or equivalent;
- health information under HIPAA or similar;
- financial data including account numbers, payment card information;
- national or government identification numbers, social security numbers;
- data requiring additional compliance or protection obligations.
Excluded Data Warranty
You warrant that:
- You have not and will not transmit Excluded Data, or permit transmission of Excluded Data, to Us or Our computers or other media;
- Service Content and AI Assistance Content does not and will not include Excluded Data;
- You shall inform Us of any Excluded Data within Service Content or AI Assistance Content immediately after discovery.
Important: Our systems are not intended for management or protection of Excluded Data and may not provide adequate or legally required security for Excluded Data. We are not responsible or liable for any data exposure or disclosure or related loss to the extent that it involves Excluded Data.
Storage Region
You may select the Region in which Services Content will be stored, as offered from time to time by Us. You consent to the storage of Services Content in, and transfer of Services Content into, the Region you select.
Account Data and Usage Analytics
You acknowledge and agree with Our Privacy Policy. You consent to Our use of Account Data, AI Assistance Content and Usage Analytics as set out in the Privacy Policy. The Privacy Policy does not apply to Service Content.
De-Identified Data
"De-Identified Data" refers to Usage Analytics with information that identifies or could reasonably be used to identify an individual person, a household, or You removed. You grant Us the right to, and We may, use, reproduce, sell, publicise, or otherwise exploit De-Identified Data in any way, in Our sole discretion.
17. Privacy
General
The provisions below of this clause are subject to applicable law, including Privacy/Security Laws. This clause only relates to Personal Data that We Process.
DPA
Each party shall comply with its obligations under the DPA.
Safeguards
We or Our Affiliates will use appropriate administrative, physical and technical safeguards designed to prevent unauthorised access to, use or disclosure of Service Content and AI Assistance Content containing Personal Data as described in the Security Addendum.
Access to and Limited Use of Personal Data
We and Our Affiliates will not access or use any Service Content and AI Assistance Content except as set out in this Agreement, as necessary to maintain, provide or facilitate QuivaWorks, provide Support Services, to enforce this Agreement, or for a Permitted Disclosure.
Risk of Exposure
You accept and agree that hosting data online involves risks of unauthorised disclosure or exposure and that, in accessing and using QuivaWorks, You assume such risks. We offer no representation, warranty, or guarantee that Service Content and AI Assistance Content or other information will not be exposed or disclosed through errors or the actions of third parties.
18. Security Incidents
Our Responsibilities
We will comply with Our Obligations in the Security Addendum. We are responsible for Security Incidents only where, and to the extent that, such result from Our failure to maintain the security measures set out in the Security Addendum in respect of the QuivaWorks Service Environment that We control.
Your Responsibilities
You are responsible for any Security Incident to the extent it arises out of or is in connection with:
- the Recovery Keys;
- unauthorised User access or compromised User credentials;
- Your security practices and procedures;
- malicious or negligent acts of Your personnel or Users;
- vulnerabilities in Service Content and AI Assistance Content itself;
- Third-party Services and applications that You integrate with QuivaWorks.
Your Security Incident Response Obligations
You are solely responsible for:
- investigating whether Service Content and AI Assistance Content has been compromised in any Security Incident;
- determining what Personal Data or sensitive information may have been affected;
- making all legally required notifications to data subjects, regulators, and other third parties;
- managing all legal, regulatory, and contractual obligations arising from any Security Incident;
- responding to inquiries from data subjects, regulators, law enforcement, and other third parties.
19. Our AI Assistance Features
Ownership
You may provide input to the AI Assistance Features ("AI Input") and receive output from the AI Features based on the AI Input ("AI Output"). AI Input and AI Output are together "AI Customer Content". As between Us and You, and to the extent permitted by law, You retain all ownership rights in the AI Input and own the AI Output.
Training
We will not train AI models using AI Customer Content. We may only use the AI Customer Content as necessary to provide QuivaWorks, Our Content, Support Services, comply with applicable laws, and to enforce our rights under this Agreement.
You don't own similar AI Output
AI Output may not be unique and other Users may receive similar content from QuivaWorks. Responses that are requested by and generated for other Users are not Your AI Input nor Your AI Output.
Disclaimer
Important: AI Assistance Features may produce incorrect AI Output that does not accurately reflect the true position. You must use human review to verify, identify and correct any errors in the AI Output before using the AI Output for any purpose.
Excluded Warranties
To the maximum extent permitted by law, the AI Assistance Features and AI Output are provided AS IS and AS AVAILABLE. We make no warranties (express, implied, statutory or otherwise) with respect to the AI Assistance Features and AI Output.
20. Trial or Beta Use
Trial
A "trial" is intended for short term evaluation of QuivaWorks that is provided for free or discounted. Trial use is limited to internal evaluation purposes. Trial use is provided without support, AS IS and AS AVAILABLE without warranty, or condition of any kind (to the maximum extent permitted by law).
Beta
We may offer access to or use of certain features, technologies, Regions and services that are not generally available. These include any products or services labelled "beta", "preview", "pre-release" or "experimental" ("Beta").
Beta Disclaimer
Without limiting any of the disclaimers of liability in this Agreement, You agree that Betas are not ready for general commercial release and may contain bugs, errors, defects or harmful components. Accordingly, and despite any other terms contradicting this in this Agreement, We provide the Beta to you "AS IS" and "AS AVAILABLE".
We and Our Affiliates and their Associates and licensors do not make any representation or warranty of any kind, whether express, implied, statutory or otherwise regarding Beta, including that the Beta will become generally available, be uninterrupted, error free, or free of harmful components.
21. Our Intellectual Property
QuivaWorks
As between Us and You, We retain all right, title, and interest in and to all intellectual property rights in QuivaWorks, Our Content and Support Services including without limitation all related and underlying technology and Documentation. This Agreement does not grant You any intellectual property license or rights in or to QuivaWorks Materials except to the limited extent that such rights are necessary for Your use of QuivaWorks as specifically authorised by this Agreement.
Feedback
"Feedback" refers to any suggestion, enhancement requests, recommendations, other feedback or idea for improving or otherwise modifying any of Our or Our Affiliates' products or services or the Website. We have not agreed to and do not agree to treat as confidential any Feedback that You, Your Clients, or other Users give Us. You irrevocably assign to Us all right, title and interest in and to any Feedback.
Marketing
You grant us permission to use and display Your name, logos and trademarks "Customer Marks" in Our promotional and marketing materials and communications including on the Website to identify You as a customer or user of QuivaWorks.
22. Confidential Information
Definition
"Confidential Information" means all information We, Our Licensors, business partners or Our or their respective Associates disclose to You that is not public, designated as confidential or that given the nature of the information or circumstances surrounding its disclosure, reasonably ought to be understood as confidential. It includes:
- the Documentation, terms of this Agreement, Plan and Our Content (to the extent such are not public);
- the nature, content and existence of any discussions or negotiations between You and Us or Our Affiliates;
- non-public information relating to Our or Our Affiliates or business partners' technology, software, customers, business plans;
- third party information that We are obligated to keep confidential;
- trade secrets;
- Our Beta products or services.
Non-Disclosure Obligations
You shall not:
- use Confidential Information for any purpose other than in connection with Your use of QuivaWorks or Support Services as expressly permitted under this Agreement;
- disclose Confidential Information to any third party without Our prior written consent;
- issue any press release or make any other public communication with respect to this Agreement, Our Content or Your use of QuivaWorks;
- otherwise disclose Confidential Information during the Term or at any time after the end of the Term.
Protection
You shall protect Confidential Information to keep it confidential and against disclosure, dissemination or unauthorised use, with no less than reasonable care.
23. Compliance with Documentation and Security
From Us
We will ensure that:
- QuivaWorks will perform in all material respects with the Documentation; and
- We will not materially decrease the overall security of QuivaWorks during the Term.
Disclaimers
Except to the extent in Clause 23.1 above, You accept QuivaWorks and Our Content and Support Services or any other material provided "AS IS," and "AS AVAILABLE" and to the maximum extent permitted by law We and Our Affiliates and their Associates and licensors make no representation or warranty of any kind, express or implied.
We do not represent or warrant that QuivaWorks, Our Content or other material will:
- perform without interruption or error or that it is free of harmful components;
- achieve any intended result;
- be compatible, work with, or continue to work with Your or other components;
- be secure from hacking or other unauthorised intrusion or that Service Content will remain private or secure or not otherwise lost or altered.
24. Customer Representations & Warranties
From You
You represent and warrant that:
- You have accurately identified yourself and have not provided any inaccurate information to Us or through QuivaWorks;
- You or Your licensors own all right, title and interest in and to Service Content and Feedback;
- none of the Service Content or Users' use of Service Content or QuivaWorks will breach the AUP;
- You have carefully evaluated whether QuivaWorks is appropriate and suitable for Your specific use case, industry, regulatory requirements and risk.
25. Indemnification
Indemnity
You shall defend, indemnify (and keep Us indemnified), and hold harmless Us, Our Affiliates and licensors and each of their respective Associates from and against any Losses arising out of or relating to any third party claim, suit, demand, or proceeding arising out of or related to Your alleged or actual use of, misuse of, or failure to use QuivaWorks or Our Content, including claims:
- concerning or by You or Users' (including use by Your employees and personnel) including any activities under Your Account;
- related to Data Incidents including such events caused by You, Your customers or other Users;
- related to misappropriation, infringement or breach of any third-party rights by written material, images, logos or other content uploaded to QuivaWorks through Your Account;
- for breach of this Agreement, Documentation, or applicable law by You, Users;
- related to Service Content or AI Assistance Content;
- related to a dispute between You and any User.
26. Limitation of Liability
Exclusions to Liability Cap
Nothing in this Agreement limits either party's liability where that cannot be limited by applicable law. If applicable law limits the application of the provisions of this clause, Our liability will be limited to the maximum extent permissible.
Cap
Our and Our Affiliates' and licensors' and each of their Associates' total cumulative liability for all claims arising out of or related to this Agreement or QuivaWorks will not exceed the total amount paid by You to Us under this Agreement for the services giving rise to the liability during the 12 months immediately prior to the event giving rise to such liability.
Excluded Damages
We will not be liable for:
- lost profits, goodwill, business, anticipated savings, customers, revenues, opportunities;
- loss of use or corruption of software or data;
- any consequential, indirect, special, incidental, exemplary or punitive damages;
- unavailability or failure to provide any services or support
arising out of or related to this Agreement or use of QuivaWorks and Our Content.
Time limit on claims
Unless You notify Us that You intend to make a claim within 2 months of the event giving rise to the claim, then We will have no liability for that event. Your notice must identify the event and grounds for the claim in reasonable detail.
27. Suspension
General
We may suspend Your Account and/or Your and any Users' right to access or use any part or all of QuivaWorks, immediately on notice to You if We reasonably determine:
- Fees are overdue or You are in breach of Your payment obligations;
- You are in breach of this Agreement;
- Your use poses a security risk to QuivaWorks, Us, Our Affiliates, or any third party;
- Your use could adversely impact our systems, QuivaWorks, or the systems or Services Content of any other customer;
- Your use could subject Us to liability;
- Your use could be fraudulent;
- You are on a Free Plan.
Effect of Suspension
If Your Account is suspended under this clause, You will be responsible for all Fees you incur during the period of suspension that We invoice to You.
28. Cancellation
Cancellation by Deletion of Account
You can cancel this Agreement at any time by deleting the Root Account. Deletion of an Account will not relieve You of any incurred Fees and payment obligations. Cancellation will simultaneously cancel any Plan and Add-ons.
Cancellation by Us for Cause
We may cancel this Agreement immediately and without prior notice:
- where You are in breach of this Agreement or the Documentation;
- where You terminate or suspend Your business, become bankrupt, insolvent or are wound up or liquidated;
- if We have the right to suspend;
- if the issue giving rise to the suspension has not been remedied within 30 days of Us suspending.
Immediate Cancellation by Us
We may cancel this Agreement immediately without prior notice:
- for any reason where you are on a Free Plan;
- if Our relationship with the Infrastructure Provider, or a third-party partner expires or terminates;
- to comply with the law, regulatory or government authority;
- because of a Force Majeure event;
- continued provision poses a security risk, or risk of harm.
Cancellation by Us with Notice
We may cancel this Agreement upon 14 days' notice to You for any reason.
Effects of Cancellation
Important: Upon cancellation of this Agreement:
- You are solely responsible for exporting Service Content in a commonly used, machine-readable format from QuivaWorks prior to cancellation;
- You acknowledge that cancellation is likely to result in the immediate loss of access to all Services Content;
- You and all Users shall cease all access and use of QuivaWorks and Our Content;
- You remain responsible for all Fees incurred through to and including the date of cancellation;
- all Your rights under this Agreement immediately end.
Data Export and Deletion
Where this Agreement is cancelled, We will delete all Services Content from Our systems as set out in our Data Retention Policy unless required to retain it for legal or regulatory reasons.
29. Sanctions and Export Laws
Compliance
You represent, warrant, and undertake that Your use of QuivaWorks will comply with all applicable export control and sanctions laws and regulations, including the laws and regulations administered by the United Nations, United States Department of Commerce, United States Department of the Treasury Office of Foreign Assets Control (OFAC), the European Union, Her Majesty's Treasury (UK), and any other applicable governmental authority.
Restrictions
You shall not use, access, export, re-export, divert, transfer, or disclose QuivaWorks, Our Content, or any related technology:
- in or to any jurisdiction prohibited under applicable export control or sanctions laws;
- for the benefit of any person or entity identified on any sanctions or restricted parties list;
- for any purpose related to nuclear, chemical, or biological weapons, or missile technology.
30. Miscellaneous
Independent Contractors
The relationship between You and Us is as independent contractors. Neither of us is the agent, partner or has a joint venture or employment relationship with the other. Neither of us has the authority or may make commitments on the other's behalf.
Notices
We can send notices to you to your Account email address (considered received after 24 hours) or post them on our website (effective at time of posting).
We may send notices pursuant to this Agreement to the email address provided by You to Us for Your Account, and such notices we deem received 24 hours after they are sent or by posting a notice on our Website which are effective at the time of posting. You are responsible for keeping Your Account email address current and correct. You may send Us notices pursuant to this Agreement to legal@quiva.ai, and such notices we deem received 72 hours after they are sent.
Force Majeure
No delay, failure, or default, other than a failure to pay Fees when due, will constitute a breach of this Agreement and neither You nor We will be liable for any delay, failure or default (other than to pay Fees) to the extent caused by acts of war, terrorism, hurricanes, earthquakes, fire, flood, epidemics, other acts of God or of nature, or other causes beyond the performing party's reasonable control.
Assignment & Successors
You may not assign, delegate or otherwise transfer this Agreement or any of its rights or obligations without Our express written consent. Any purported transfer without such consent will be void. We may assign, delegate or otherwise transfer this Agreement or any of its rights or obligations without notice or consent.
No Third-Party Beneficiaries
Except under clause 25 (Indemnification) this Agreement does not create any third-party beneficiary rights in any individual or entity that is not a party to this Agreement.
Severability
To the extent permitted by applicable law, in the event that a part of this Agreement is held to be invalid or otherwise unenforceable, such part will be interpreted to fulfil its intended purpose to the maximum extent permitted by applicable law, and the remaining parts of this Agreement will continue in full force and effect.
No Waiver
Neither You nor We are deemed to have waived any rights under this Agreement by lapse of time or by any statement or representation other than by an authorised representative in an explicit written waiver. No waiver of a breach of this Agreement will constitute a waiver of any other breach.
Choice of Law
This Agreement and all claims or disputes arising out of or related to it or its subject matter, including the formation, construction, validity and performance and all non-contractual obligations will be governed solely by the laws of England.
Jurisdiction
The parties irrevocably consent to the exclusive jurisdiction and venue of the courts of England. This clause governs all claims and disputes arising out of or related to this Agreement and its subject matter including without limitation non-contractual and tort claims.
Entire Agreement
This Agreement, together with all documents incorporated by reference, sets out the entire agreement between You and Us and supersedes all prior or contemporaneous negotiations, proposals, representations, understandings and discussions (whether written, oral or otherwise) with respect to its subject matter.
31. Amendments
Notice
We may amend this Agreement (including any policies) on a going-forward basis from time to time in our sole discretion. We will post an amended version at our Website or by otherwise notifying You. Where the amendments are material, We will send You a written notice. Such amendment will be deemed accepted and become effective on the date set out in the amended version which will be at least 30 days after such notice.
Deemed Acceptance
Your continued use of QuivaWorks or Our Content following the amendment date will confirm Your agreement to the amended version. If You do not agree to the amended version, You and all Users must stop using QuivaWorks and Our Content immediately. Your sole and exclusive remedy is to cancel this Agreement and Your Account.
Privacy Policy, Security Addendum and AUP changes
We may revise the Privacy Policy, Security Addendum and AUP at any time by posting a new version at the Website, and such new version will become effective on the date it is posted; provided if such amendment materially reduces Your rights or protections, notice and consent will be subject to the requirements above.
Contact Information:
Evari Services UK Ltd
128 City Road
London EC1V 2NX
United Kingdom
Email: legal@quiva.ai
Privacy Policy
This Privacy Policy explains how quiva.ai collects, uses, and protects your personal information when you use our AI agent platform and services.
1. Information We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Company information (if applicable)
- Account preferences and settings
Service Content
We process the data you submit to our platform to provide our AI agent services. This may include:
- Text, documents, and files you upload
- Configurations and workflow data
- Integration data from connected services
Important: We do not use your Service Content to train our AI models or share it with third parties except as necessary to provide our services.
Usage Information
We automatically collect information about how you use our services:
- Log data and API usage
- Feature usage and performance metrics
- Device and browser information
2. How We Use Your Information
We use your information to:
- Provide our services: Process your requests, run AI agents, and deliver platform functionality
- Account management: Create and maintain your account, provide customer support
- Service improvement: Analyze usage patterns to improve our platform and develop new features
- Communication: Send service updates, security notices, and support messages
- Legal compliance: Meet our legal obligations and protect our rights
We process your personal data based on legitimate interests, contractual necessity, or your consent, depending on the specific use case.
3. Data Sharing and Disclosure
We may share your information with:
Service Providers
Trusted third-party providers who help us deliver our services, including:
- Cloud hosting providers (AWS, Google Cloud, Azure)
- AI model providers for processing your requests
- Analytics and monitoring services
Legal Requirements
We may disclose information when required by law or to:
- Comply with legal processes
- Protect our rights and property
- Ensure user safety
We never sell your personal data and only share it as described in this policy.
4. Data Security
We implement comprehensive security measures to protect your data:
Technical Safeguards
- Encryption in transit and at rest
- Regular security assessments and monitoring
- Access controls and authentication
- Secure development practices
Compliance
Our security practices align with industry standards including:
- ISO 27001 certification
- GDPR compliance
- SOC 2 Type 2 (in progress)
While we implement strong security measures, no system is 100% secure. We encourage you to use strong passwords and keep your account credentials safe.
5. Data Retention
We retain your data for as long as necessary to:
- Provide our services to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
Retention Periods
- Account data: Until account deletion plus 30 days
- Service content: Until you delete it or cancel your account
- Usage logs: Up to 2 years for security and compliance
6. Your Rights
Depending on your location, you may have the following rights:
GDPR Rights (EU/UK Users)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
- Restriction: Restrict certain processing activities
California Privacy Rights
California residents have additional rights under the CCPA, including the right to know about data collection and the right to opt-out of data sales (though we don't sell personal data).
To exercise your rights, contact us at privacy@quiva.ai. We'll respond within the timeframes required by applicable law.
9. Children's Privacy
Our services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We'll notify you of material changes by:
- Posting the updated policy on our website
- Sending an email notification
- Providing in-app notifications
Your continued use of our services after changes become effective constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@quiva.ai
Address:
Evari Services UK Ltd
128 City Road
London EC1V 2NX
United Kingdom
Acceptable Use Policy
Welcome to QuivaWorks! We want to make sure everyone has a great experience. This Acceptable Use Policy (AUP) explains what You as a User can and can't do while using QuivaWorks.
1. Prohibited Activities
You agree not to (and shall not permit Users or other third parties to) use QuivaWorks or do anything in connection with QuivaWorks:
1.1 To Be Disrespectful
- Harass, threaten, or abuse anyone
- Spread hate speech or discriminatory content
- Post anything offensive, defamatory, or harmful
- Share unconfirmed or false information to prevent the spread of misinformation
1.2 For Anything Illegal
- Violating any laws, regulations, or rights of others
- Engaging in fraud, phishing, or other deceptive practices
- Uploading, storing, making available or sharing content that is illegal, threatening, fraudulent or which infringes on someone else's rights including intellectual property (like copying movies, music, or software without permission) or privacy rights
1.3 Compromise Security
- Hack, disrupt, or tamper with QuivaWorks or other Users' data
- Share your login details with others or let anyone else use Your Account
- Introduce viruses, malware, or any harmful software or malicious code that could damage QuivaWorks or other Users' data
- Perform any security penetration tests or security assessment activities
- Make network connections to any Users, hosts or networks unless Customer has permission to communicate with them, including to perform any denial of service or distributed denial of service attacks
- Breach the security or integrity of any network, computer or communications system, software application, or network or computing device, including to attempt to or perform account takeovers by brute-force attacks or other means
1.4 Other Than for Fair Use
- Using more resources than your Plan allows. That means sticking to your limits including for data streaming, storage, and processing power
- Using QuivaWorks in a way that could impact other Users' experience (like causing heavy traffic or disruptions)
- Allow use or make QuivaWorks available to anyone other than its Users as explicitly set out in the Agreement
- Using any means to avoid or circumvent any use limitations placed on QuivaWorks (such as access and storage restrictions) or to bypass any paywalls
1.5 To Spam
- Send spam, junk mail, or unauthorised promotions
- Send unsolicited messages or other communications to Users or third parties, including using an unauthorised email account
1.6 Disrespect Privacy
- Collect or share Personal Data without permission
- Track or monitor anyone's use without their consent
1.7 Exceed Your Rights
- Only use QuivaWorks as authorised by your subscription Plan
- Reverse-engineer, decompile, or try to copy our software, unless it's allowed by law
- Perform any benchmarking against any competitive products or services or any other competitive purpose
- Breach respect for copyright and intellectual property by using content that isn't your own without permission
1.8 To Transmit Unauthorised Content
- Protected Health Information (as defined under HIPAA) into QuivaWorks
- Cardholder or sensitive authentication data (as defined in the PCI DSS standards)
2. Enforcement
What Happens if You Break the Rules?
If you violate this policy, We may:
- Suspend or terminate Your access to and use of QuivaWorks and delete your Account
- Remove any Customer Data
- Contact law enforcement if illegal activities are involved
- Take other steps to protect QuivaWorks and other Users
3. Reporting Problems
If you spot someone breaking these rules, let us know. Report any breaches by contacting legal@QuivaWorks. We'll look into it and take the necessary action.
Email: legal@QuivaWorks
4. Changes to This Policy
We may update this policy from time to time to keep things up to date. If We make any significant changes, we'll let you know, but it's always a good idea to check in occasionally. Any changes will be effective when posted on our Website.
5. Questions
If you have any questions or need clarification on anything in this policy, feel free to reach out to us.
Email: support@quiva.ai
Security Addendum
This Security Addendum describes the security measures and practices We maintain to protect the confidentiality, integrity, and availability of Your data when using the Service. Our security program is based on ISO 27001 standards and regularly audited by independent third parties.
This Security Addendum is incorporated into the Agreement between Us and You. Capitalized terms not defined herein have the meanings set forth in the Agreement.
We use third-party cloud service providers ("Infrastructure Providers") to supply the underlying infrastructure for the Service. While We carefully select Infrastructure Providers based on their security capabilities and certifications, they independently manage physical data centers and foundational infrastructure security. We implement our own security controls for the Service layer, including application security, access management, encryption, and monitoring.
1. Security Governance
Information Security Management System
We maintain a comprehensive Information Security Management System (ISMS) consistent with ISO 27001:2013 and ISO 27002:2022 standards. The ISMS includes documented security policies, procedures, and controls designed to:
- Safeguard the confidentiality, integrity, and availability of Service Content
- Protect information systems from security threats
- Ensure appropriate vetting of suppliers and partners
- Verify the effectiveness of security controls
Policy Management
Each security policy has a designated owner responsible for its maintenance and compliance. Policies are reviewed at least annually and updated as necessary to address evolving threats and business requirements. Personnel are required to acknowledge and comply with applicable security policies.
We regularly review and update our security practices to align with evolving industry standards and emerging threats. We will notify You of material changes that affect Your use of the Service.
Personnel Security
Personnel undergo background screening to the extent permitted by applicable law and sign confidentiality agreements as a condition of employment. All personnel receive security awareness training and are required to comply with security policies. Violations may result in disciplinary action up to and including termination.
Independent Audits & Certifications
We engage independent third-party auditors to assess our security controls on at least an annual basis. We maintain certifications and compliance with recognized security frameworks including ISO 27001:2022, ISO 27002:2022, and ISO 27017:2015.
2. Technical Security Controls
Infrastructure Security
We maintain separate environments for production, development, and testing with strict segregation between them. Production systems are protected using a multi-layered security strategy including firewalls, network access controls, and traffic filtering based on region, IP range, and security rules.
The Service is hosted in secure, tier-appropriate data centers operated by our Infrastructure Providers. These facilities maintain industry-standard physical security controls including 24/7 monitoring, access controls, environmental controls, fire suppression, and redundant power systems.
Data Encryption
All data transmitted to and from the Service is encrypted using Transport Layer Security (TLS) version 1.2 or higher. Data at rest is encrypted using AES-256 encryption or equivalent. Encryption keys are managed in accordance with industry best practices and stored separately from encrypted data.
You are solely responsible for the security, backup, and availability of Recovery Keys that are provided in case You lose access to Your Account.
Access Controls
We implement role-based access controls following the principle of least privilege. Access to production systems is restricted to authorized personnel based on job function and business need. Personnel with access to production systems are required to use:
- Unique user credentials
- Multi-factor authentication (MFA)
- VPN connections for remote access
- Passwords meeting PCI-DSS complexity requirements
Access rights are reviewed at least quarterly, and access is promptly revoked upon personnel offboarding. All access credentials and devices are recovered and securely wiped during the offboarding process.
Endpoint Security
Personnel devices are provisioned with security controls including full disk encryption, malware protection, automatic patching, DNS filtering, and restrictions on software installation. Devices are centrally managed and monitored for security compliance.
Security Monitoring & Logging
The Service generates audit logs that capture system events, user activities, errors, and performance metrics. Logs are stored as encrypted Service Content. Logs are used for security monitoring, incident detection, troubleshooting, and system optimization.
3. Vulnerability & Patch Management
Vulnerability Management Program
We maintain a vulnerability management program that identifies, assesses, and remediates security vulnerabilities through multiple sources including:
- Automated security scanning and code analysis
- Third-party security advisories (NCSC, CVSS, NPM, GitHub)
- External penetration testing by CREST-certified testers (at least annually)
- Responsible disclosure reports from security researchers
- Vendor security bulletins
We follow a Secure Development Policy incorporating industry best practices throughout the software development lifecycle to prevent vulnerabilities from entering production code.
Vulnerability Remediation
Vulnerabilities are prioritized using the Common Vulnerability Scoring System (CVSS) from the National Vulnerability Database. Confirmed vulnerabilities affecting the confidentiality, integrity, or availability of the Service or Service Content are tracked and remediated based on severity and the nature of the vulnerability, availability of patches, and potential impact to Service operations.
4. Incident Management & Response
Security Incident Response
We maintain a documented incident response plan with defined procedures, roles, communication protocols, and severity levels for managing security incidents.
If We become aware of a security incident resulting in unauthorized access to, disclosure of, or loss of Your Service Content, We will notify You within 72 hours of confirming the incident. Notification will include information about the nature of the incident, affected data (to the extent known), mitigation measures taken, and a point of contact for additional information.
Upon detection of a security incident, We will promptly investigate, contain, and remediate the incident. Relevant logs will be preserved for at least one year to support investigation and remediation activities. We will provide You with reasonable assistance in Your investigation and remediation efforts, subject to technical and legal constraints.
Cyber Insurance
We maintain cyber security insurance coverage appropriate to our business operations.
5. Business Continuity & Data Resilience
Business Continuity Planning
We maintain Business Continuity and Disaster Recovery (BCDR) plans aligned with ISO 22301 and ISO 27035 standards. These plans are designed to prepare for, respond to, and recover from potential disruptions while minimizing impact on Service availability and customer operations. Plans are regularly reviewed and tested to address emerging threats and changes in business operations.
Data Resilience & Backup
Service Content is automatically replicated across a minimum of three nodes within our infrastructure for redundancy and disaster recovery purposes. This replication protects against infrastructure and hardware failures and provides operational resilience. You are responsible for maintaining additional backups if required for Your specific compliance, regulatory, or business continuity requirements.
Risk Management
We maintain a risk management program based on ISO 31000 standards. Risk assessments are conducted regularly through internal reviews, audits, third-party assessments, and threat analyses. Senior management actively participates in risk oversight and approves risk mitigation strategies and control improvements.
6. Data Location & Retention
Data Location
Service Content is stored in Infrastructure Provider data centers. We may provide You with options around which geographic regions the data is stored within.
Data Retention & Deletion
Upon Your request or termination of the Agreement, Service Content will be deleted within 48 hours. De-identified performance and analytical data may be retained indefinitely for service improvement purposes.
Security-related data including access logs and security configurations may be retained for up to 90 days after termination where necessary to investigate active security incidents. Account and contact information will be retained for up to six years for legal and business purposes unless You request earlier deletion.
8. Compliance & Regulatory Requirements
Our security practices are designed to support customer compliance with common regulatory frameworks including GDPR, Australian Privacy Act, and other applicable data protection laws in jurisdictions where We operate.
We undergo regular independent audits and maintain relevant security certifications. Current compliance documentation, certifications, and audit reports are available to customers under NDA upon request.
You are responsible for determining whether the Service meets Your specific regulatory and compliance requirements. We recommend You review our security documentation and conduct Your own assessment before storing regulated data in the Service.
9. Security Transparency
We maintain transparency about our security practices and encourage responsible security research. We participate in coordinated vulnerability disclosure programs and work with the security research community to continuously improve our security posture.
Questions about our security practices should be directed to security@quiva.ai.
Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the QuivaWorks Subscription Agreement (the "Agreement") between Evari Services UK Limited and its Affiliates ("We", "we", "us", "our") and the customer identified in the Agreement ("Customer", "You", "Your").
Table of Contents
- 1. Definitions and Interpretation
- 2. Scope and Applicability
- 3. Processing of Personal Data
- 4. Sub-processors
- 5. Security
- 6. Data Subject Rights
- 7. Data Return and Deletion
- 8. Audits
- 9. International Data Transfers
- 10. US State Privacy Laws
- 11. Prohibited Data
- 12. AI and Automated Processing
- 13. Limitation of Liability
- 14. General Provisions
1. Definitions and Interpretation
1.1 Capitalized Terms
Capitalized terms not defined in this DPA have the meanings in the Agreement.
1.2 Defined Terms
The following terms shall have these meanings:
- Applicable Data Protection Laws: All applicable data protection and privacy laws, including GDPR, UK GDPR, and US State Privacy Laws.
- Controller, Processor, Data Subject, Personal Data, and Processing: Have the meanings given in Applicable Data Protection Laws.
- GDPR: Regulation (EU) 2016/679.
- Standard Contractual Clauses or SCCs: The EU Commission's standard contractual clauses for international data transfers (Decision 2021/914, June 4, 2021).
- Sub-processor: Any third party engaged by Us to Process Personal Data.
- UK GDPR: The GDPR as retained in UK law.
- US State Privacy Laws: Applicable US state privacy laws including CCPA/CPRA.
1.3 References
References to Clauses, Sections, and Schedules are to clauses and sections of, and schedules to, this DPA unless otherwise stated.
2. Scope and Applicability
2.1 When This DPA Applies
This DPA applies only to Personal Data that We Process as a Processor on behalf of Customer as part of Service Content and AI Assistance Content (as defined in the Agreement).
2.2 Data Categories and Controller/Processor Roles
(a) Service Content: We act as Processor. Service Content is encrypted and We do not have access to Service Content except where You explicitly grant temporary access for Support Services or share information through support requests.
(b) AI Assistance Content: We act as Processor. AI Assistance Content is protected with the same safeguards as Service Content. We do not have access to AI Assistance Content except when You submit information through AI Assistance Features (for example, when requesting support through these features). Such submissions are made voluntarily by You and constitute documented instructions for Processing.
(c) Excluded from DPA: The following data categories are excluded from this DPA as We act as a Controller (not Processor) for this data under Our Privacy Policy:
- Account Data (as defined in the Agreement): Root Account information, Secondary User Account information, Billing Information, and login data
- Usage Analytics (as defined in the Agreement): Analytics and metadata regarding use of QuivaWorks
- De-Identified Data: Data that has identifying information removed
- Feedback (as defined in the Agreement)
2.3 Roles
For Personal Data within scope:
- You are the Controller (or Processor if acting on behalf of another Controller)
- We are the Processor (or Sub-processor where You are yourself a Processor)
2.4 Customer Warranties
You warrant that:
- You have the legal right to provide Personal Data to Us for Processing
- Your instructions comply with Applicable Data Protection Laws
- Where You are a Processor, You have obtained necessary authorizations from the relevant Controller
3. Processing of Personal Data
3.1 Processing Instructions
We shall Process Personal Data only:
- In accordance with Your documented instructions via this DPA, the Agreement, and Your use and configuration of the Services; or
- As required by applicable law (in which case We shall inform You before Processing, unless legally prohibited).
3.2 Processing Details
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Schedule 1.
3.3 Unlawful Instructions
If We reasonably believe any instruction violates Applicable Data Protection Laws, We shall inform You and may suspend Processing until resolved.
3.4 Compliance
Each party shall comply with its obligations under Applicable Data Protection Laws.
4. Sub-processors
4.1 Authorization
You authorize Us to engage Sub-processors as listed in the Sub-processor table at the end of the Agreement, which includes:
- Our Affiliates
- Infrastructure Providers (third-party providers of server hardware and data center services)
- AI Providers (when selected by You or Us for AI Agent functionality)
- Other Third-Party Services as specified
4.2 New Sub-processors
We shall provide notice before engaging new Sub-processors via the notification mechanism in the Agreement.
4.3 Objection Rights
You may object to a new Sub-processor on reasonable data protection grounds within fifteen (15) days of notice. If no resolution is reached within thirty (30) days, You may terminate the affected Services.
4.4 Sub-processor Obligations
We shall ensure Sub-processors are bound by equivalent data protection obligations and remain liable for Sub-processor acts or omissions.
5. Security
5.1 Security Measures
We shall implement and maintain appropriate technical and organizational measures as described in the Security Addendum to the Agreement.
5.2 Security Incidents
Upon becoming aware of a Security Incident affecting Personal Data, We shall:
- Notify You without undue delay (within 72 hours where feasible)
- Provide information reasonably necessary for You to meet Your notification obligations
- Investigate and take reasonable remediation measures
5.3 Definition
"Security Incident" means an unauthorized or unlawful breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
6. Data Subject Rights
6.1 Assistance
We shall, to the extent legally permitted:
- Promptly notify You of Data Subject requests received directly
- Not respond to such requests without Your authorization (unless legally required)
- Provide reasonable assistance to You in responding to requests, taking into account the nature of Processing
6.2 Fees
We may charge reasonable fees for assistance requiring substantial effort beyond normal operations.
7. Data Return and Deletion
7.1 Return or Deletion
Upon termination or expiration of the Agreement, or upon Your written request, We shall (at Your election) either:
- Return all Personal Data in a commonly used electronic format; or
- Securely delete all Personal Data
7.2 Legal Retention
We may retain Personal Data to the extent and for the period required by law, subject to ongoing confidentiality and security obligations.
7.3 Timeline
Return or deletion shall occur within sixty (60) days unless a longer period is required by law.
8. Audits
8.1 Documentation
Upon Your reasonable written request, and no more than once per year, We shall provide information demonstrating compliance with this DPA, which may include:
- Summaries or confirmations of relevant security certifications (such as ISO 27001, or equivalent)
- Security and privacy policy summaries
- Responses to standard security questionnaires
- Other documentation reasonably necessary to demonstrate compliance
8.2 Third Party Audit Reports
Where We have obtained independent third-party audit reports or certifications, We may satisfy our obligations under Section 8.1 by providing summaries of such reports or confirmation of certifications, subject to confidentiality restrictions with auditors.
8.3 Onsite Audits
We are not obligated to permit onsite audits by You except:
- (a) Where required by a data protection supervisory authority or other governmental regulatory body in connection with an investigation or inquiry; or
- (b) Where We agree in our sole discretion (typically only for enterprise customers with separate negotiated terms).
Any permitted onsite audit under Section 8.3 must:
- Be conducted during normal business hours with at least 30 days' prior written notice
- Be conducted in a manner that minimizes disruption to Our business operations
- Be at Your sole expense (including reimbursement of Our reasonable costs)
- Be subject to reasonable confidentiality obligations
- Not exceed one audit per year unless required by a supervisory authority
8.4 Right to Terminate
If We cannot or will not provide sufficient evidence of compliance under Sections 8.1-8.2, and refuse to permit an onsite audit requested under Section 8.3(a), You may terminate the affected Services upon 30 days' written notice.
9. International Data Transfers
9.1 Authorization
You authorize transfer of Personal Data to Our Affiliates and Sub-processors in the UK, Australia, and other locations as listed in the Agreement.
9.2 Transfer Mechanisms
Where Personal Data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, such transfers shall be governed by:
- The Standard Contractual Clauses as set out in Schedule 2 (EU/EEA transfers)
- The UK International Data Transfer Addendum to the SCCs (UK transfers)
- Modified SCCs for Swiss law (Swiss transfers)
9.3 SCC Incorporation
The SCCs are incorporated by reference into this DPA. By entering into the Agreement, both parties are deemed to have executed the SCCs with the specifications in Schedule 2.
10. US State Privacy Laws
Where Customer's use of the Services involves Personal Data subject to US State Privacy Laws, We shall:
- Process Personal Data solely for the business purposes specified in this DPA and the Agreement
- Not sell or share Personal Data as defined under such laws
- Not retain, use, or disclose Personal Data outside the direct business relationship with Customer
- Assist You in responding to consumer rights requests
- Provide reasonable certifications of compliance upon request
11. Prohibited Data
11.1 Exclusions
You shall not submit to the Services:
- Special category data under GDPR Article 9
- Personal Data of children without appropriate consent mechanisms
- HIPAA-protected health information
- PCI DSS-regulated payment card information
- National IDs, Social Security numbers, driver's licenses
- Data requiring localization or otherwise prohibited under the Agreement
11.2 No Liability
We have no liability for Prohibited Data submitted by You, and You shall indemnify Us for related claims.
12. AI and Automated Processing
12.1 AI-Powered Features
The Services include AI-powered features and capabilities that may Process Personal Data, including:
- AI agents created and configured by You
- AI assistance features operated by Us
- Integration with third-party AI model providers
- Automated workflows and computational processing
12.2 Third-Party AI Model Providers
(a) Customer Selection. You select and configure third-party AI model providers (such as OpenAI, Anthropic, Google) for use with Your AI agents. You acknowledge that:
- Processing by third-party AI providers is subject to their respective terms, privacy policies, and data processing agreements
- We do not control how third-party AI providers Process Personal Data
- You are responsible for ensuring third-party AI providers meet Your obligations under Applicable Data Protection Laws
(b) Data Transfers. When You configure AI agents to use third-party AI model providers, Personal Data (including prompts, inputs, and outputs) will be transmitted to and processed by such providers in accordance with their terms. You authorize such transfers and remain responsible for compliance with international transfer requirements.
12.3 Use of Personal Data for AI
(a) No Training on Customer Data. We do not use Personal Data contained in Service Content to train, improve, or develop Our AI models or machine learning systems, except as explicitly authorized by You in writing.
(b) AI Features Operated by Us. For AI features operated by Us (such as QuivaWorks support features):
- Inputs and outputs are logged in Our systems with indefinite retention
- We may use aggregated, de-identified, or anonymized data derived from such features to improve the Services
- We will implement reasonable measures to anonymize data before using it for improvement purposes
(c) Third-Party AI Providers. We do not control and are not responsible for how third-party AI model providers use data submitted to them. You should review the data usage policies of any third-party AI providers You choose to use.
12.4 Automated Decision-Making
(a) Customer Control. You determine the purposes and logic of any automated decision-making or profiling conducted through QuivaWorks. You are responsible for:
- Ensuring compliance with Article 22 GDPR and equivalent provisions under other Applicable Data Protection Laws
- Providing required notices to Data Subjects about automated decision-making
- Implementing appropriate safeguards, including human oversight where required
- Responding to Data Subject requests related to automated decisions
(b) Significant Decisions. Where You use QuivaWorks to make decisions that produce legal effects or similarly significantly affect individuals (including decisions regarding employment, creditworthiness, eligibility for services, or other significant matters):
- You must ensure such processing complies with all applicable legal requirements
- You must implement appropriate human review mechanisms
- You are responsible for providing explanations to Data Subjects as required by law
(c) Transparency and Explainability. Upon reasonable request, We will provide You with information about how QuivaWorks processes data to assist You in meeting transparency obligations to Data Subjects, taking into account the nature of QuivaWorks and Our Confidential Information.
12.5 AI Risk Assessments
Where required by Applicable Data Protection Laws (including CCPA risk assessment requirements for automated decision-making technology), You are responsible for conducting appropriate risk assessments prior to deploying AI Agents or automated processing through QuivaWorks.
12.6 Emerging AI Regulations
The parties acknowledge that AI-specific regulations (including the EU AI Act and CCPA automated decision-making requirements) continue to evolve. We may update this Section 12 to address new regulatory requirements, with advance notice to You as provided in Section 14.3.
13. Limitation of Liability
13.1 General Limitation
Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.
13.2 Exceptions
Nothing in this DPA limits either party's liability for:
- Regulatory fines imposed for violations of Applicable Data Protection Laws
- Claims by Data Subjects for violations of their rights
- Fraud or willful misconduct
14. General Provisions
14.1 Term
This DPA remains in effect during the Agreement term and continues for obligations that survive termination.
14.2 Order of Precedence
In case of conflict: (1) SCCs; (2) this DPA; (3) the Agreement.
14.3 Amendments
We may update this DPA to reflect changes in Applicable Data Protection Laws or regulatory guidance. Material changes will be notified in advance.
14.4 Governing Law
This DPA is governed by the same law as the Agreement.
14.5 Severability
If any provision is invalid or unenforceable, the remaining provisions continue in full effect.
Schedule 1: Description of Processing
Subject Matter
Processing of Personal Data in connection with the provision of the QuivaWorks platform and Services.
Duration
For the term of the Agreement and any retention period required by law or specified in the Agreement.
Nature and Purpose of Processing
We will collect, store, retrieve, use, transmit, and delete Personal Data as necessary to:
- Provide the QuivaWorks platform and Services to You
- Enable You to create, deploy, and manage AI agents and agentic workflows
- Process Your uploaded or generated data and content
- Execute computations and integrate with third-party services as configured by You
- Provide customer support (with Your authorization)
Types of Personal Data
Depends on what You upload or create through the Services, and may include:
- Contact information (names, emails, phone numbers, addresses)
- Professional information (job titles, company names)
- User credentials and authentication data
- Content data (any Personal Data in documents, files, messages, or other uploaded content)
- Technical data (IP addresses, device information, to the extent they constitute Personal Data)
- Any other Personal Data within Your knowledge bases, agent configurations, or workflow data
Categories of Data Subjects
May include:
- Your employees and contractors
- Your customers and clients
- Your business partners
- Any other individuals about whom You provide Personal Data
Sensitive Data
You acknowledge the Services are not designed to Process special categories of Personal Data or Prohibited Data as defined in Section 11.
Schedule 2: Standard Contractual Clauses
A. EU/EEA Transfers
Where Personal Data protected by GDPR is transferred to a country without an EU adequacy decision, the Standard Contractual Clauses (Commission Decision 2021/914 of June 4, 2021) apply with the following specifications:
Module Selection:
- Module Two (Controller to Processor) where Customer is a Controller
- Module Three (Processor to Processor) where Customer is a Processor
Clause Selections:
- Clause 7 (Docking): Optional docking clause applies
- Clause 9 (Sub-processors): Option 2 applies (general authorization with notification per Section 4)
- Clause 11 (Redress): Optional language does not apply
- Clause 17 (Governing Law): Laws of the Republic of Ireland
- Clause 18 (Forum): Courts of the Republic of Ireland
Annexes:
- Annex I: Parties per Agreement; Description per Schedule 1; Sub-processors per Agreement Clause 5.1
- Annex II: Security Addendum to the Agreement
- Annex III: Sub-processor list per Agreement Clause 5.1
Audit Rights: Exercised per Section 8 of this DPA.
B. UK Transfers
For UK GDPR-protected data transferred to countries without a UK adequacy decision, the UK International Data Transfer Addendum (IDTA version B1.0, effective March 21, 2022) applies, appended to the EU SCCs above.
Tables:
- Table 1 (Parties): Per Agreement
- Table 2 (SCCs Version): EU SCCs (June 4, 2021), Module Two or Three as applicable
- Table 3 (Annexes): As specified in Section A above
- Table 4 (Ending): Both parties may end the arrangement
C. Swiss Transfers
For Swiss transfers, the EU SCCs apply with these modifications:
- "GDPR" includes the Swiss Federal Act on Data Protection
- "Member State" includes Switzerland
- Competent supervisory authority: Swiss Federal Data Protection and Information Commissioner
- Clause 17 governed by Swiss law; Clause 18 provides jurisdiction to Swiss courts
Acceptance and Contact Information
By entering into the Agreement or continuing to use the Services, You agree to this DPA.
Contact for Data Protection Matters:
Email: support@quiva.ai
Evari Services UK Limited
This DPA is pre-signed on behalf of Evari Services UK Limited and its Affiliates.