Software Services Agreement

Agreement
This XData Software, AI and Advisory Services Agreement (the “Agreement”) is entered into between XData and the customer identified in the applicable Order (“Customer”). It governs Customer’s access to and use of XData offerings, including software, AI systems, advisory services, implementation services, managed infrastructure, education, support, and related deliverables. By signing or accepting an Order, Customer agrees to this Agreement on behalf of the entity it represents and confirms that it has authority to bind that entity.
1. XData Obligations
1.1 Access to XData Services. Subject to this Agreement and the applicable Order, XData grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the Order Term for Authorized Users to access and use the XData Services for Customer’s internal business purposes.
1.2 Professional and Advisory Services. Where an Order or Statement of Work includes advisory, implementation, development, education, migration, integration, managed infrastructure, or other professional services, XData will provide those services in accordance with the applicable scope, milestones, assumptions, and acceptance criteria.
1.3 Protection of Customer Data. XData will implement and maintain reasonable technical and organizational measures designed to protect Customer Data as described in Exhibit B and any applicable Data Processing Addendum. The Data Processing Addendum available at [https://xdata.si/dpa] is incorporated by reference once published or separately signed.
1.4 Support and Service Levels. Support, maintenance, service levels, response times, and availability commitments apply only where expressly stated in the applicable Order, support plan, or service-level addendum.
1.5 Deployment Model. XData may provide Services through XData-managed infrastructure, Customer-managed infrastructure, EU-hosted infrastructure, private or sovereign deployments, open-source components, third-party cloud services, or third-party AI providers, as specified in the Order. If an Order states that a deployment is “EU-only,” “private,” “local,” “sovereign,” or subject to another deployment restriction, XData will follow that restriction for the applicable Services.
2. Service Terms
2.1 Use Restrictions. Except as expressly permitted in this Agreement or an Order, Customer will not, and will not encourage or assist third parties to: (a) reverse engineer, decompile, disassemble, or attempt to discover source code or underlying structures of XData proprietary Services, except to the extent such restriction is prohibited by law; (b) provide, sell, resell, transfer, sublicense, lend, distribute, rent, or otherwise allow third parties to access or use the Services; (c) copy, modify, create derivative works of, or remove proprietary notices from the Services; (d) use the Services for unlawful, harmful, abusive, or non-commercial personal purposes; or (e) use the Services to build a substantially similar competing service using XData confidential information.
2.2 Acceptable Use Policy. Customer will comply with XData’s Acceptable Use Policy available at [https://xdata.si/aup] or any AUP attached to the applicable Order.
2.3 Account Management. Customer will appoint one or more administrative users for its account or project environment. Administrative users may manage Authorized Users, approve usage, configure integrations, and act on behalf of Customer for the relevant Services. Each Authorized User account is personal to that user. Credentials may not be shared. Customer is responsible for Authorized Users’ compliance with this Agreement and for all activities under its accounts, except to the extent caused by XData’s breach of this Agreement.
2.4 Customer Responsibilities. Customer is responsible for: (a) the accuracy, quality, legality, and rights in Customer Content; (b) obtaining consents and providing notices required for Customer Content and Customer’s use cases; (c) configuring the Services in accordance with Documentation and agreed security requirements; (d) maintaining Customer systems, integrations, and access controls not controlled by XData; and (e) evaluating whether the Services are appropriate for Customer’s intended use.
2.5 Customer Content. Customer authorizes XData and its service providers to process Customer Content solely to provide, secure, maintain, monitor, troubleshoot, support, and improve the Services, to comply with law, and to perform obligations under this Agreement and the applicable Order.
2.6 AI Services Specific Terms. For Services involving artificial intelligence, machine learning, large language models, retrieval-augmented generation, agents, automations, embeddings, speech, image, code generation, or similar capabilities: (a) Customer inputs, prompts, files, instructions, embeddings, tool outputs, and generated outputs are Customer Content; (b) AI outputs may be inaccurate, incomplete, biased, unsafe, or unsuitable for Customer’s use case, and Customer must apply human review where appropriate; (c) XData does not provide legal, medical, financial, employment, or other regulated advice through AI outputs unless expressly agreed in a separate regulated-services Order; (d) Customer is responsible for decisions made on the basis of AI outputs and for compliance with laws applicable to Customer’s deployment, including sector-specific rules; (e) XData will not intentionally use Customer Content to train general-purpose AI models without Customer’s prior written instruction, except as expressly disclosed in an Order or third-party provider terms accepted by Customer; and (f) where required by applicable law, the parties will document whether each party acts as provider, deployer, importer, distributor, processor, controller, or other regulated role for the applicable AI system.
2.7 Prohibited AI Uses. Customer will not use the Services for prohibited or unlawful AI practices, including manipulative, deceptive, discriminatory, exploitative, or rights-infringing uses, unlawful biometric identification or categorization, unlawful surveillance, social scoring, or other uses prohibited by applicable law or the AUP.
2.8 Feedback. Customer may voluntarily provide feedback, comments, or suggestions. Customer grants XData a perpetual, irrevocable, worldwide, royalty-free right to use such feedback to maintain, improve, and enhance XData products and services, without identifying Customer as the source unless Customer agrees.
2.9 Usage Data. XData may collect and analyze technical logs, telemetry, metadata, performance data, and usage information relating to the Services. XData may use Usage Data in aggregated or de-identified form to maintain, secure, improve, and enhance XData products and services. Usage Data excludes Customer Content itself.
2.10 Third-Party and Open-Source Resources. The Services may interoperate with third-party services, open-source software, models, APIs, plugins, content, libraries, infrastructure, or Customer-selected tools. Third-party resources are governed by their own terms. XData is not responsible for third-party resources unless XData expressly assumes responsibility in an Order. Open-source components remain subject to their applicable licenses.
2.11 Reservation of Rights. As between the parties, XData owns all right, title, and interest in the XData Services, XData Materials, Documentation, methodologies, know-how, templates, frameworks, accelerators, and pre-existing intellectual property. Customer owns all right, title, and interest in Customer Content. No rights are granted except as expressly stated.
3. Charges and Payment
3.1 Fees. Customer will pay all fees specified in the applicable Order. Unless an Order states otherwise: (a) fees are stated and payable in EUR; (b) payment obligations are non-cancelable and not subject to setoff; (c) fees paid are non-refundable; and (d) quantities, seats, committed usage, or scope purchased cannot be decreased during the relevant Order Term.
3.2 Invoicing and Payment. Unless otherwise specified in an Order, subscription fees are invoiced annually in advance and payable within 30 days from invoice date; professional services may be invoiced in advance, monthly, by milestone, or on time-and-materials terms as specified in the Order. Late payments may accrue interest at the lower of 1.5% per month or the maximum permitted by law. XData may suspend or limit Services for overdue amounts after reasonable notice.
3.3 Taxes. Fees exclude taxes, duties, levies, and similar governmental charges. Customer is responsible for taxes associated with its purchases, except taxes based on XData’s income, employees, or real property.
3.4 Withholding. Payments must be made without deduction or withholding unless required by law. If withholding is required, Customer will gross up payments so that XData receives the amount it would have received absent withholding, unless prohibited by law. The parties will reasonably cooperate to reduce or eliminate withholding where possible.
3.5 Expenses. Customer will reimburse reasonable pre-approved travel, accommodation, and out-of-pocket expenses incurred in providing professional services, unless an Order states that expenses are included.
4. Confidentiality
4.1 Confidential Information. Each party may disclose proprietary or non-public business, technical, financial, legal, security, product, roadmap, operational, or other information to the other party. XData Confidential Information includes non-public information about XData Services, architectures, models, prompts, source code, security practices, pricing, product plans, and performance. Customer Confidential Information includes Customer Content.
4.2 Exclusions. Confidential Information excludes information that: (a) is or becomes public without breach; (b) was known to Recipient before disclosure; (c) is lawfully disclosed by a third party without restriction; or (d) is independently developed without use of Confidential Information.
4.3 Obligations. Recipient will use Discloser’s Confidential Information only to exercise rights and perform obligations under this Agreement. Recipient will use reasonable care to protect it and may disclose it only to employees, contractors, affiliates, agents, service providers, and professional advisors who need to know and are bound by confidentiality obligations at least as protective as this Agreement.
4.4 Compelled Disclosure. Recipient may disclose Confidential Information to the extent required by law or legal process, provided Recipient uses commercially reasonable efforts to notify Discloser in advance where legally permitted and to cooperate with reasonable protective requests.
4.5 Survival. Confidentiality obligations survive for five years after expiration or termination of the applicable Order. Trade secrets and highly sensitive security, source code, or customer data remain protected for as long as they remain confidential under applicable law.
5. Warranties and Disclaimers
5.1 Mutual Warranties. Each party represents and warrants that it has authority to enter into this Agreement, that doing so does not violate another agreement binding that party, and that it will perform its obligations in accordance with applicable law.
5.2 XData Service Warranty. During the applicable Order Term, XData warrants that it will provide the Services in a professional and workmanlike manner and in material conformity with the applicable Order, Documentation, and agreed specifications.
5.3 Professional Services Remedy. If Customer notifies XData of a material breach of the professional services warranty within 30 days after delivery of the affected service or deliverable, XData will use reasonable efforts to re-perform or correct the non-conforming service. If XData cannot do so, Customer’s exclusive remedy is a refund of fees paid for the affected non-conforming service.
5.4 Security Warranty. XData will use commercially reasonable measures designed to protect the Services from viruses, malware, and malicious code introduced by XData, but XData does not warrant that the Services will be uninterrupted, error-free, immune from attack, or free of all vulnerabilities.
5.5 Disclaimer. Except for the express warranties in this Section, the Services, XData Materials, AI outputs, beta features, prototypes, proofs of concept, third-party resources, and Documentation are provided “as is” and “as available.” XData disclaims all implied warranties, including merchantability, fitness for a particular purpose, quality, accuracy, title, and non-infringement, to the maximum extent permitted by law. XData does not warrant that AI outputs will be accurate, complete, unique, lawful for a particular use, or suitable for automated decision-making without human review.
6. Indemnity
6.1 Indemnification by XData. XData will defend Customer from any third-party claim alleging that XData proprietary Services, as provided by XData and used in accordance with this Agreement, infringe a third-party copyright, trademark, or trade secret, and will indemnify Customer for finally awarded damages or amounts agreed in settlement.
6.2 Exclusions. XData has no obligation for claims arising from: (a) Customer Content; (b) Customer’s or Authorized Users’ breach of this Agreement; (c) modification of the Services not made by XData; (d) combination of the Services with non-XData systems, data, models, or services where the claim would not have arisen but for the combination; (e) open-source or third-party resources not provided as XData proprietary Services; or (f) Customer’s failure to use updates or mitigation steps made available by XData.
6.3 Mitigation. If the Services are or may be subject to an infringement claim, XData may: (a) procure the right to continue use; (b) replace or modify the Services to be non-infringing with materially similar functionality; or (c) terminate the affected Services and provide a pro rata refund of prepaid unused fees for the affected Services.
6.4 Indemnification by Customer. Customer will defend XData from claims arising from Customer Content, Customer’s use of the Services in breach of this Agreement, Customer systems, Customer instructions, or Customer’s violation of applicable law, and will indemnify XData for finally awarded damages or amounts agreed in settlement.
6.5 Process. The indemnified party must promptly notify the indemnifying party of the claim, reasonably cooperate, and allow the indemnifying party to control the defense and settlement, provided that no settlement may impose liability, admission, or non-monetary obligations on the indemnified party without its consent.
6.6 Exclusive Remedy. This Section states each party’s sole and exclusive obligations and remedies for the claims covered by this indemnity, except to the extent prohibited by law.
7. Limitations of Liability
7.1 Indirect Damages. Except for Excluded Claims, neither party nor its affiliates, employees, contractors, agents, licensors, or suppliers will be liable for special, indirect, incidental, consequential, punitive, or exemplary damages, including lost profits, lost revenue, lost goodwill, lost data, business interruption, or cost of cover, even if advised of the possibility of such damages.
7.2 Liability Cap. Except for Excluded Claims, each party’s total aggregate liability arising out of or relating to this Agreement will not exceed the fees paid and payable under the applicable Order in the 12-month period before the event giving rise to liability.
7.3 Excluded Claims. “Excluded Claims” means: (a) payment obligations; (b) willful misconduct or gross negligence; (c) infringement or misappropriation of the other party’s intellectual property rights; (d) breach of confidentiality obligations; (e) data protection obligations to the extent liability cannot be limited by applicable law; and (f) indemnity obligations under Section 6.
7.4 Risk Allocation. The limitations of liability, warranty disclaimers, and exclusions of damages allocate the risks between the parties and are an essential basis of the bargain. They apply to the maximum extent permitted by law, regardless of the legal theory and even if a limited remedy fails of its essential purpose.
8. Term and Termination
8.1 Term. This Agreement begins on the Subscription Start Date or the effective date of the first Order and continues until all Orders expire or are terminated.
8.2 Termination for Cause. Either party may terminate an Order or this Agreement if the other party materially breaches and fails to cure within 30 days after written notice. Either party may terminate immediately if the other party breaches intellectual property or confidentiality obligations, becomes insolvent, enters bankruptcy or liquidation proceedings, or ceases business operations.
8.3 Suspension. XData may suspend Services where necessary to prevent security risks, unlawful use, material harm, violation of the AUP, or overdue payment after reasonable notice, and will use reasonable efforts to limit suspension to the affected Services.
8.4 Effect of Termination. Termination of the Agreement terminates all Orders. Termination of a single Order does not terminate other Orders unless stated. If Customer terminates for XData’s uncured material breach, XData will refund prepaid unused fees for the terminated Order. In other cases, fees are non-refundable and unpaid fees remain due.
8.5 Data Export and Deletion. Upon termination or expiration, XData will make Customer Content stored by XData available for electronic retrieval for 30 days where technically feasible and legally permitted. After that period, XData may delete or retain Customer Content according to Customer instructions, the DPA, backup retention, and legal obligations.
8.6 Survival. Sections relating to payment, confidentiality, intellectual property, disclaimers, indemnity, liability limitations, termination effects, governing law, and any provisions intended to survive will survive expiration or termination.
9. Product-Specific and Project Terms
9.1 Product-Specific Terms. Certain offerings, including beta features, proofs of concept, AI agents, APIs, managed hosting, training programs, security-sensitive deployments, connectors, and open-source distributions, may be subject to Product-Specific Terms available at [https://xdata.si/product-terms] or attached to an Order.
9.2 Order of Precedence. If documents conflict, the order of precedence is: (a) signed amendment or negotiated special terms; (b) DPA for personal data processing matters; (c) Product-Specific Terms; (d) this Agreement; (e) the applicable Order; and (f) Documentation, unless an Order expressly states that it overrides a higher-ranking document.
9.3 Customer Purchase Terms. Terms in Customer purchase orders, vendor portals, procurement documents, or similar materials are void and have no effect unless expressly signed by XData as an amendment.
10. Miscellaneous
10.1 Affiliates. Customer Affiliates may enter into Orders under this Agreement if accepted by XData. Each Affiliate is bound by this Agreement for its Order. XData may provide Services through XData Affiliates, contractors, and service providers while remaining responsible for XData’s obligations.
10.2 Assignment. Neither party may assign this Agreement without the other party’s prior written consent, except to an affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets, provided the assignee assumes the obligations.
10.3 Force Majeure. Neither party is liable for failure or delay caused by events beyond reasonable control, excluding payment obligations. The affected party must notify the other party and use reasonable efforts to mitigate and resume performance. If a force majeure event continues for more than 30 consecutive days, either party may terminate the affected Order.
10.4 Notices. Notices must be in writing and sent to the contacts stated in the Order. Notices to XData should also be sent to [This email address is being protected from spambots. You need JavaScript enabled to view it.] or another notice email specified by XData.
10.5 Export Control and Sanctions. Each party will comply with applicable export control, sanctions, and trade laws. Customer will not access or use the Services in violation of such laws or from restricted jurisdictions. XData may take measures required by law, including blocking access or terminating affected Services.
10.6 Anti-Corruption. Neither party will offer, give, request, or accept illegal or improper bribes, kickbacks, payments, gifts, or things of value in connection with this Agreement. Reasonable gifts and hospitality in the ordinary course of business are permitted where lawful.
10.7 Publicity. XData may identify Customer as a customer and use Customer’s name and logo in customer lists, case studies, or marketing materials only with Customer’s prior consent, unless the Order states otherwise.
10.8 No Partnership. This Agreement does not create an agency, partnership, joint venture, franchise, or employment relationship. Neither party may bind the other.
10.9 Severability and Waiver. If any provision is invalid or unenforceable, it will be modified to the minimum extent necessary to make it enforceable while preserving intent, or replaced with an enforceable provision with similar effect. Failure to enforce a right is not a waiver.
10.10 Governing Law and Venue. This Agreement is governed by the laws of the Republic of Slovenia, excluding conflict-of-law rules and the United Nations Convention on Contracts for the International Sale of Goods. The competent courts in Ljubljana, Slovenia, will have exclusive jurisdiction, unless the applicable Order specifies arbitration or another forum.
10.11 Entire Agreement. This Agreement, the applicable Orders, Product-Specific Terms, DPA, exhibits, and signed amendments constitute the entire agreement concerning the Services and supersede prior or contemporaneous agreements on the same subject.
Exhibit A – Definitions
Affiliate. means an entity that controls, is controlled by, or is under common control with a party.
Agreement. means this XData Software, AI and Advisory Services Agreement, including exhibits, addenda, Product-Specific Terms, and Orders.
Authorized Users. means employees, contractors, representatives, and other persons authorized by Customer or its Affiliates to access or use the Services.
Customer Content. means data, prompts, files, text, images, audio, video, code, documents, databases, credentials, configurations, instructions, outputs, embeddings, metadata, and other materials submitted to, generated through, or processed by the Services for Customer.
Customer Data. means Customer Content and personal data processed by XData on behalf of Customer.
Documentation. means XData-provided user guides, technical documentation, policies, and instructions made available for the Services.
Order. means an order form, statement of work, online order, proposal accepted by Customer, or other document identifying Services, fees, term, scope, and special terms.
Order Term. means the subscription term, project term, evaluation term, or service period in the applicable Order.
Product-Specific Terms. means terms that apply to particular Services, including beta features, AI agents, APIs, managed hosting, connectors, training, or open-source distributions.
Services. means XData software, platforms, APIs, AI systems, LLM gateway services, RAG/knowledge services, advisory services, implementation services, managed infrastructure, support, education, deliverables, and related offerings identified in an Order.
XData. means XData d.o.o. [registered address, company number, VAT ID to be inserted] or another XData contracting entity identified in the Order.
XData Materials. means XData pre-existing intellectual property, methodologies, templates, know-how, frameworks, scripts, software, documentation, models, prompts, connectors, and reusable components.
Exhibit B – XData Security Standards
B.1 Security Program.. XData will maintain a written information security program with administrative, technical, and organizational safeguards appropriate to the nature of the Services, Customer Data, deployment model, and risks.
B.2 Policies and Responsibility.. XData will assign responsibility for information security to appropriate personnel and maintain policies covering access control, acceptable use, incident response, change management, vulnerability management, confidentiality, backup, and data handling.
B.3 Access Control.. XData will use unique user accounts for personnel access to production systems where technically feasible, follow least-privilege principles, require multi-factor authentication for administrative access where supported, promptly revoke access when no longer required, and periodically review privileged access.
B.4 Logging and Monitoring.. XData will maintain logs appropriate to the deployment model for security monitoring, troubleshooting, abuse prevention, and auditability. Log retention periods may vary by service and will be specified in an Order or security addendum where required.
B.5 Change Management and Secure Development.. XData will use version control, change review, testing, and deployment controls appropriate to the risk of the Services. Development, testing, and production environments will be separated where technically and commercially reasonable.
B.6 Vulnerability Management.. XData will use commercially reasonable processes to identify, assess, prioritize, and remediate vulnerabilities, including dependency review, patching, container/image updates, and scanning where appropriate to the service.
B.7 Encryption.. XData will protect Customer Data in transit using modern transport encryption where technically feasible. Encryption at rest will be implemented for managed production systems where supported by the infrastructure or specified in an Order.
B.8 Backups and Recovery.. For managed production Services, XData will maintain backup and recovery processes appropriate to the service tier. Backup frequency, retention, RPO, and RTO apply only if specified in an Order or service-level addendum.
B.9 Security Incidents.. XData will maintain an incident response process. XData will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Security Incident affecting Customer Data, and will take reasonable steps to investigate, mitigate, and remediate the incident.
B.10 Subprocessors and Service Providers.. XData will use a risk-based process for service providers that process Customer Data. A subprocessor list will be made available at [https://xdata.si/subprocessors] or attached to the DPA.
B.11 Personnel Confidentiality and Training.. XData personnel and contractors with access to Customer Data will be subject to confidentiality obligations and will receive security and privacy guidance appropriate to their role.
B.12 Certifications.. No ISO 27001, SOC 2, or other certification, external audit report, penetration test report, or compliance attestation is promised unless expressly stated in the applicable Order.
B.13 Customer-Managed Deployments.. Where Services are deployed in Customer-controlled infrastructure, Customer is responsible for the security, availability, backup, patching, monitoring, and access controls of that infrastructure unless an Order expressly assigns those responsibilities to XData.
Exhibit C – Data Processing and AI Governance Addendum Summary
C.1 Data Protection Roles.. For personal data processed in providing the Services, the parties will determine whether XData acts as processor, subprocessor, independent controller, or joint controller in the DPA or applicable Order.
C.2 Processing Instructions.. Where XData acts as processor, XData will process personal data only on documented Customer instructions, including this Agreement, the Order, the DPA, and Customer configurations.
C.3 International Transfers.. If personal data is transferred outside the EEA, the parties will use an appropriate transfer mechanism required by applicable data protection law, such as standard contractual clauses or another valid mechanism.
C.4 Data Subject Requests and DPIAs.. Taking into account the nature of processing and information available to XData, XData will reasonably assist Customer with data subject requests, security obligations, DPIAs, and supervisory authority consultations as required by applicable data protection law.
C.5 AI Act Role Allocation.. For AI systems subject to AI-specific regulation, each Order should identify intended purpose, deployment context, risk classification, prohibited-use controls, transparency requirements, human oversight, logging, monitoring, and whether XData, Customer, or a third party acts as provider, deployer, importer, distributor, or other regulated operator.
C.6 Model and Provider Disclosure.. The applicable Order or technical appendix should identify material AI model providers, hosting regions, logging/training settings, data retention controls, and whether Customer Content may be processed by third-party AI providers.
C.7 No General Model Training Default.. Unless expressly agreed, XData will not use Customer Content to train general-purpose AI models. This does not prevent XData from using aggregated or de-identified Usage Data, improving XData Materials without revealing Customer Content, or performing evaluation and security testing needed to provide the Services.
Exhibit D – Professional Services and Deliverables
D.1 Scope.. Professional services are limited to the scope in the applicable Order. Any out-of-scope work requires a written change order or written approval by both parties.
D.2 Customer Dependencies.. Customer will provide timely access to personnel, systems, data, documentation, credentials, environments, decisions, approvals, and feedback reasonably required for XData to perform. Delays in dependencies may extend timelines and increase fees.
D.3 Acceptance.. If an Order includes deliverables subject to acceptance, Customer must review and either accept or provide specific written rejection reasons within 10 business days after delivery. If Customer does not respond within that period, the deliverable is deemed accepted unless the Order states otherwise.
D.4 Deliverable Rights.. Upon full payment, Customer receives a non-exclusive, worldwide, perpetual right to use deliverables created specifically for Customer for Customer’s internal business purposes, subject to third-party and open-source licenses. XData retains ownership of XData Materials and may reuse general know-how, ideas, skills, templates, methods, and non-customer-specific components.
D.5 Prototypes and Proofs of Concept.. Unless an Order states otherwise, prototypes, demos, proofs of concept, and experimental features are provided for evaluation only, are not production-ready, and are not subject to production service levels or security commitments.
D.6 Managed Services.. For managed infrastructure, managed AI gateways, monitoring, backups, or support operations, the Order must specify service boundaries, support hours, incident priority definitions, backup retention, maintenance windows, excluded tasks, and escalation contacts.

Image

Transforming organizations for the AI era through strategy, research, education and implementation.

SOLUTIONS

INSIGHTS

COMPANY

STAY INFORMED

Get the latest insights, research and frameworks delivered to your inbox.

EU Based & Compliant

GDPR • AI Act • ISO 42001

Secure & Sovereign

Your data. Your control.

Research Driven

Powered by Cognitio Labs

Proven Impact

Measurable results