Terms of Service

Last revised: June 2026

These Terms of Service, together with any Order, incorporated policies, and any applicable Data Processing Addendum, form an agreement between Essex Labs, Inc. d/b/a Basis (“Basis,” “we,” “us,” or “our”) and the entity accepting these Terms or, if no entity is identified, the person accepting these Terms on behalf of a business or other organization (“Customer,” “you,” or “your”).

These Terms become effective when you click to accept them, create an account, place an Order, or access or use the Services, whichever happens first.

1. Scope

Basis provides a software-as-a-service platform and related features, tools, models, documentation, and

support services described in an Order or on our website (collectively, the “Services”).

These Terms govern Customer’s access to and use of the Services.

2. Business Use Only

The Services are offered for business use only and not for personal, family, or household use.

If an individual accepts these Terms, that individual represents and warrants that they:

  • are acting on behalf of a business or other legal entity, or are otherwise authorized to bind Customer; and
  • have authority to enter into these Terms for Customer

3. Key Definitions

Acceptable Use Policy” or “AUP” means Basis’s Acceptable Use Policy, as updated from time to time.

Account” means the account Customer creates or that is created for Customer to access the Services.

Confidential Information” means non-public information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information does not include information that the receiving party can show:

  • is or becomes public through no fault of the receiving party;
  • was already lawfully known to the receiving party without restriction;
  • is lawfully received from a third party without restriction; or
  • is independently developed without use of the disclosing party’s Confidential Information

For clarity, Basis’s Confidential Information includes all non-public information regarding the Services, including their user interface, functionality, architecture, techniques, processes, and non-public performance information.

Customer Data” means data, content, materials, prompts, files, records, and other information submitted to, stored in, or transmitted through the Services by or on behalf of Customer or its Users. Customer Data includes Output to the extent provided in Section 11.

Documentation” means the standard user or technical documentation Basis makes generally available for the Services.

Order” means an online order, subscription signup, checkout flow, order page, or other ordering document accepted by Basis that identifies the Services, plan, pricing, billing cadence, and subscription term, if any.

Output” means the results, summaries, analyses, drafts, or other content generated by the Services in response to Customer’s or a User’s use of the Services.

Services” has the meaning given in Section 1.

Usage Data” means technical logs, metadata, telemetry, product analytics, support metrics, and other information regarding the performance, operation, security, reliability, and use of the Services, excluding Customer Data except in deidentified or aggregated form.

User” means an employee, contractor, or other individual that Customer authorizes to access or use the Services under Customer’s Account.

4. Orders and Accounts

4.1 Orders

Customer may purchase subscriptions or other Services through an Order. Each Order is governed by these Terms.

4.2 Account Registration

Customer must provide accurate and complete account, billing, and contact information and keep that information current.

4.3 Account Responsibility

Customer is responsible for:

  • all activity under its Account;
  • managing User access and permissions;
  • maintaining the confidentiality of login credentials; and
  • promptly notifying Basis of any suspected unauthorized access or security incident involving the Account

4.4 Administrators

Customer may designate administrators who can manage the Account, Users, settings, billing, and Customer Data. Customer is responsible for its administrators’ acts and omissions.

5. Access Rights

Subject to these Terms, Basis grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the applicable subscription term to access and use the Services for Customer’s internal business purposes in accordance with:

  • these Terms;
  • the applicable Order;
  • the Documentation; and
  • the Acceptable Use Policy

Customer may allow its Users to use the Services only on Customer’s behalf and only for Customer’s internal business purposes.

6. Restrictions

Customer will not, and will not permit any User or third party to:

  • use the Services in violation of law or regulation;
  • copy, reproduce, modify, translate, adapt, alter, create derivative works of, or otherwise exploit the Services or Documentation, or any non-public features, functionality, or components of the Services, except as expressly allowed by these Terms or applicable law;
  • sell, resell, lease, sublicense, distribute, publish, transfer, assign, or otherwise make the Services available to a third party except as expressly allowed by these Terms;
  • reverse engineer, decompile, disassemble, translate, or otherwise attempt to derive the source code, models, underlying ideas, algorithms, or non-public components of the Services;
  • access or use the Services, or any non-public information, materials, or results derived from the Services, to build, train, improve, benchmark, or support a competing product or service;
  • scrape, extract, or systematically download content or data from the Services except through permitted functionality;
  • probe, scan, test the vulnerability of, interfere with, disrupt, degrade, or render inoperable the Services or related systems, except as expressly authorized by Basis in writing;
  • circumvent usage limits, security measures, or access controls;
  • upload, submit, or transmit Customer Data unless Customer has the rights and permissions needed to do so; or
  • use the Services in any way prohibited by the AUP

7. Third-Party Services

The Services may interoperate with or depend on third-party products, services, content, models, infrastructure, payment processors, or integrations (“Third-Party Services”).

Basis is not responsible for Third-Party Services. Basis's responsibility for subprocessors is limited to what is set out in the DPA, and Customer's use of any Third-Party Services is governed by the applicable third-party terms.Basis is not responsible for Third-Party Services beyond its subprocessors listed in the DPA, and Customer’s use of any Third-Party Services is governed by the applicable third-party terms. Basis does not guarantee the continued availability of any Third-Party Service integration or feature.

8. Customer Responsibilities

Customer acknowledges that Basis’s provision of the Services depends on Customer providing all reasonably required cooperation, and Customer will provide that cooperation in a diligent and timely manner.

Customer is responsible for:

  • the accuracy, quality, legality, and integrity of Customer Data;
  • obtaining all rights, notices, permissions, and consents needed for Basis to process Customer Data as contemplated by these Terms;
  • reviewing and validating any Output before relying on or using it;
  • using reasonable administrative, technical, and operational safeguards appropriate for Customer’s use of the Services;
  • obtaining and maintaining any equipment, software, internet connectivity, and ancillary services needed to connect to, access, or otherwise use the Services

Basis has no liability for Customer’s failure to maintain the foregoing.

Customer acknowledges that the Services may generate incomplete, inaccurate, outdated, or otherwise inappropriate Output and that human review is required before use.

9. Fees, Billing, and Renewal

9.1 Fees

Customer will pay all fees and other amounts described in the applicable Order. Except as expressly stated in these Terms, an Order, or applicable law:

  • payment obligations are non-cancelable; and
  • fees paid are non-refundable

If Customer disputes a charge in good faith, Customer must notify Basis in writing within 30 days after the charge date, and the parties will work in good faith to resolve the dispute. Customer remains responsible for all undisputed amounts.

9.2 Payment Method

Customer authorizes Basis and its payment processor to charge Customer’s selected payment method for all amounts due under an Order, including recurring subscription fees, applicable taxes, and any other authorized charges.

9.3 Taxes

Fees do not include taxes, duties, levies, or similar governmental charges, including sales, use, VAT, GST, or withholding taxes, other than taxes based on Basis’s net income. Customer is responsible for all such taxes associated with its purchases and will not withhold taxes from amounts due to Basis except as required by law.

9.4 Auto-Renewal

Unless an Order states otherwise, subscriptions automatically renew for successive periods equal to the initial subscription term or, for month-to-month subscriptions, for successive monthly periods, unless canceled before the next renewal date.

9.5 Cancellation

Customer may cancel a subscription through the account settings, billing portal, or other cancellation method Basis makes available. Unless otherwise stated in the applicable Order or policy, cancellation takes effect at the end of the then-current paid billing period, and Basis will not provide refunds or credits for partial billing periods.

9.6 Failed Payments and Suspension

If Customer’s payment method fails or amounts due remain unpaid, Basis may:

  • retry the payment method;
  • require Customer to update payment information;
  • suspend access to the Services;
  • downgrade the Account;
  • terminate the subscription or applicable Order in accordance with Section 19.3; and
  • charge interest on overdue amounts at the lesser of 1% per month or the maximum amount permitted by law.

9.7 Price Changes

Basis may change pricing for a future renewal or new Order by giving reasonable advance notice. Any price change will apply no earlier than the next renewal term or the effective date stated in the notice.

10. Free Trials, Beta Features, and No-Charge Services

Basis may offer free trials, beta features, evaluation access, or other no-charge Services (“No-Charge Services”).

Basis may modify or discontinue No-Charge Services at any time. To the maximum extent permitted by law, No-Charge Services are provided “as is” and without warranties, indemnities, service commitments, or liability of any kind.

11. Ownership and Data Rights

11.1 Basis Property

As between the parties, Basis retains all right, title, and interest in and to:

  • the Services;
  • the Documentation;
  • the models, software, technology, know-how, and methodologies used to provide the Services;
  • Usage Data; and
  • all related intellectual property rights

No rights are granted to Customer except as expressly stated in these Terms.

11.2 Customer Property

As between the parties, Customer retains all right, title, and interest in and to Customer Data, subject to the rights granted in these Terms.

11.3 Output

As between the parties, and subject to Customer’s compliance with these Terms and applicable law, Basis assigns to Customer any right, title, and interest Basis may have in Output generated specifically for Customer through Customer’s permitted use of the Services. Basis does not represent or warrant that any Output is unique or protectable, or that similar or identical output will not be generated for other customers or users.

11.4 License to Basis

Customer grants Basis a non-exclusive, worldwide, limited license to host, copy, transmit, display, modify, process, and otherwise use Customer Data as necessary to:

  • provide, maintain, support, and secure the Services;
  • prevent fraud, abuse, and misuse;
  • comply with law; and
  • enforce these Terms

11.5 Usage Data and Deidentified Data

Basis may collect and use Usage Data for lawful business purposes, including product operation, analytics, security, support, and improvement.

Basis may also generate and use deidentified or aggregated data that does not identify Customer, Customer clients, Users, or any natural person for lawful business purposes, including improving the Services and developing products and features.

11.6 Feedback

If Customer or any User provides suggestions, ideas, enhancement requests, comments, or other feedback regarding the Services (“Feedback”), Basis may use that Feedback without restriction or obligation.

12. Confidentiality

12.1 Use and Protection

Each party will:

  • use the other party’s Confidential Information only as needed to perform under these Terms or exercise its rights under these Terms; and
  • exercise due care to protect the other party’s Confidential Information from unauthorized use and disclosure

12.2 Permitted Disclosures

A receiving party may disclose Confidential Information:

  • to its employees, contractors, advisers, and agents who have a need to know and are bound by confidentiality obligations at least as protective as those in these Terms; and
  • to the extent required by law, subpoena, or court order, provided the receiving party gives advance notice where legally permitted and reasonably cooperates with the disclosing party’s efforts to limit disclosure

12.3 Injunctive Relief

Because unauthorized use or disclosure of Confidential Information may cause irreparable harm, the disclosing party may seek equitable relief in addition to any other remedies available at law or in equity.

13. Privacy and Security

Basis will maintain appropriate administrative, technical, and physical safeguards designed to protect Customer Data.Basis will maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Data.

If Basis processes personal data on Customer’s behalf and the parties enter into a Data Processing Addendum, the DPA will control with respect to that processing to the extent of any conflict.

Customer acknowledges that no system can be guaranteed 100% secure and that security obligations are subject to the scope of the Services purchased and Customer’s own security responsibilities.

14. AI and Professional Advice Disclaimer

Customer acknowledges and agrees that:

  • the Services use artificial intelligence and automated systems;
  • Output may be inaccurate, incomplete, inconsistent, biased, or unsuitable for Customer’s use case;
  • the Services and Output do not constitute legal, tax, accounting, audit, financial, investment, employment, medical, or other professional advice; and
  • Customer is solely responsible for all decisions, actions, filings, advice, work product, and outcomes arising from its or its Users’ use of the Services or Output

15. Representations

Each party represents and warrants that:

  • it has the legal power and authority to enter into these Terms; and
  • these Terms are binding and enforceable against it in accordance with their terms, subject to applicable bankruptcy and similar laws and general equitable principles

Customer further represents and warrants that:

  • it has all rights, permissions, and consents necessary for Customer Data to be processed as contemplated by these Terms; and
  • Customer’s and its Users’ use of the Services will comply with applicable law, the AUP, and these Terms

16. Disclaimer of Warranties

EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS, THE SERVICES, OUTPUT, DOCUMENTATION, AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE.”

TO THE MAXIMUM EXTENT PERMITTED BY LAW, BASIS DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, ACCURACY, OR RESULTS.

BASIS DOES NOT WARRANT THAT:

  • THE SERVICES OR OUTPUT WILL BE ERROR-FREE, UNINTERRUPTED, OR SECURE;
  • THE SERVICES OR OUTPUT WILL MEET CUSTOMER’S REQUIREMENTS;
  • ANY OUTPUT WILL BE ACCURATE, COMPLETE, OR SUITABLE FOR A PARTICULAR PURPOSE; OR
  • ANY THIRD-PARTY SERVICE WILL CONTINUE TO BE AVAILABLE

17. Indemnification by Customer

Customer will defend, indemnify, and hold harmless Basis and its affiliates, and their respective officers, directors, employees, and agents, from and against any third-party claim, action, demand, proceeding, damage, loss, judgment, settlement, liability, cost, or expense, including reasonable attorneys’ fees, arising out of or relating to:

  • Customer Data;
  • Customer’s or any User’s use of the Services in violation of these Terms, the AUP, or applicable law;
  • Customer’s or any User’s infringement or misappropriation of a third party’s rights; or
  • a dispute between Customer and any User or third party relating to Customer’s business, services, advice, or deliverables

Basis will:

  • promptly notify Customer of the claim, to the extent failure to do so does not materially prejudice Customer;
  • give Customer sole control of the defense and settlement, except that Customer may not settle a claim in a way that admits fault by Basis or imposes non-monetary obligations on Basis without Basis’s prior written consent; and
  • provide reasonable cooperation at Customer’s expense

18. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

18.1 Excluded Damages

IN NO EVENT WILL BASIS OR ITS AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, GOODWILL, DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

18.2 Aggregate Cap

EXCEPT FOR CUSTOMER’S PAYMENT OBLIGATIONS AND CUSTOMER’S INDEMNIFICATION OBLIGATIONS, THE TOTAL AGGREGATE LIABILITY OF BASIS AND ITS AFFILIATES ARISING OUT OF OR RELATING TO THESE TERMS, THE SERVICES, OR ANY ORDER WILL NOT EXCEED THE GREATER OF:

  • THE FEES PAID OR PAYABLE BY CUSTOMER TO BASIS FOR THE SERVICES GIVING RISE TO THE CLAIM DURING THE TWELVE MONTHS BEFORE THE EVENT GIVING RISE TO THE CLAIM; OR
  • $100

18.3 Essential Purpose

THE PARTIES ACKNOWLEDGE THAT THE DISCLAIMERS AND LIMITATIONS IN THESE TERMS ARE AN ESSENTIAL BASIS OF THE BARGAIN AND WILL APPLY EVEN IF A LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

19. Term and Termination

19.1 Term

These Terms begin on the effective date stated above and continue until all Orders have expired or been terminated.

19.2 Termination by Customer

Customer may terminate these Terms by canceling all subscriptions and discontinuing all use of the Services.

Termination will not relieve Customer of payment obligations incurred before the effective date of termination.

19.3 Termination by Basis

Basis may suspend or terminate these Terms, any Order, or Customer’s access to the Services immediately upon notice if:

  • Customer materially breaches these Terms or the AUP;
  • Customer fails to pay amounts due after reasonable notice and an opportunity to cure;
  • Customer becomes insolvent, makes an assignment for the benefit of creditors, or becomes subject to bankruptcy or similar proceedings not dismissed within 60 days; or
  • Basis reasonably believes suspension or termination is necessary to prevent harm to the Services, Basis, other customers, or third parties

19.4 Effect of Termination

Upon expiration or termination:

  • Customer’s rights to access and use the Services will end;
  • Customer must stop using the Services; and
  • each party will return or destroy the other party’s Confidential Information upon written request, except as required by law or reasonable backup retention practices

19.5 Data Export and Deletion

Upon expiration or termination, Basis may disable access to Customer Data and may delete Customer Data in accordance with its standard retention and deletion practices, except to the extent retention is required by law or reasonably necessary for backup, security, fraud prevention, dispute resolution, or enforcement purposes.

20. Changes to the Services and Terms

20.1 Changes to the Services

Basis may modify, enhance, replace, or discontinue features of the Services from time to time, including where changes are required for security, legal, regulatory, or third-party dependency reasons.

20.2 Changes to the Terms

Basis may update these Terms from time to time. If Basis makes a material change, Basis will provide reasonable notice by email, through the Services, or by other reasonable means. Unless a later date is stated in the notice, the updated Terms become effective when posted. Customer’s continued use of the Services after the effective date of the updated Terms constitutes acceptance of the updated Terms.

If applicable law requires a different notice or consent process for a particular change, Basis will follow the process required by applicable law.

21. Disputes

21.1 Governing Law

These Terms are governed by the laws of the State of New York, exclusive of its rules governing choice of law and conflict of laws. These Terms will not be governed by the United Nations Convention on Contracts for the International Sale of Goods.

21.2 Forum

Subject to applicable law, any dispute, claim, or controversy arising out of or relating to these Terms, an Order, or the Services will be brought in the state or federal courts located in New York County, New York, and each party irrevocably consents to the personal jurisdiction and venue of those courts.

21.3 Equitable Relief

Nothing in these Terms prevents either party from seeking temporary, preliminary, or emergency injunctive relief in a court of competent jurisdiction for misuse of intellectual property, Confidential Information, or unauthorized access to the Services.

22. Export Controls and Sanctions

Customer will not use the Services in violation of U.S. export control or sanctions laws or other applicable trade laws. Customer represents that it is not located in, organized under the laws of, or ordinarily resident in any country or territory subject to comprehensive sanctions, and is not listed on any government denied-party list applicable to the Services.

23. Publicity

Customer agrees that Basis may refer to Customer’s name and trademarks in Basis’s marketing materials and website; however, Basis will not use Customer’s name or trademarks in any other publicity, including press releases, customer references, and case studies, without Customer’s prior written consent, which may be provided by email.

24. Assignment

Customer may not assign or transfer these Terms or any Order without Basis’s prior written consent. Basis may assign these Terms, in whole or in part, without Customer’s consent in connection with a merger, acquisition, corporate reorganization, sale of assets, or similar transaction.

Any attempted assignment in violation of this Section is null and void. Subject to the foregoing, these Terms will bind the parties and their permitted successors and assigns.

25. Notices

Basis may provide notices to Customer by email to the account owner, through the Services, through the billing portal, or by posting notices on the website or within the Account.

Customer may provide notices to Basis at:

  • legal email: support@ofbasis.com

26. Miscellaneous

26.1 Entire Agreement

These Terms, together with the applicable Order, the AUP, the Trial, Refund, and Billing Policy, the Support Policy, the DPA if any, and any incorporated policies or addenda, are the complete and exclusive agreement between the parties regarding the Services and supersede all prior or contemporaneous proposals, statements, communications, and agreements regarding the Services.

No oral or written information or advice given by Basis, its agents, or employees will create a warranty or in any way increase the scope of any warranty in these Terms.

26.2 Order of Precedence

If there is a conflict between these Terms and an Order, the Order controls only to the extent it expressly states that it overrides these Terms. If there is a conflict between these Terms and a DPA, the DPA controls only with respect to the subject matter of the DPA.

26.3 Independent Contractors

The parties are independent contractors. These Terms do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship.

26.4 No Third-Party Beneficiaries

There are no third-party beneficiaries to these Terms.

26.5 Waiver

No failure or delay by either party in exercising a right under these Terms will operate as a waiver.

26.6 Severability

If any provision of these Terms is held unenforceable, the remaining provisions will remain in effect, and the unenforceable provision will be enforced to the maximum extent permitted by law.

26.7 Force Majeure

Neither party is liable for any delay or failure to perform caused by events beyond its reasonable control, including natural disasters, war, terrorism, labor disputes, internet or utility failures, denial-of-service attacks, or governmental action, except that Customer’s payment obligations are not excused.

26.8 Electronic Communications

Customer agrees to receive electronic communications from Basis relating to the Services, the Account, billing, notices, and legal disclosures.

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between Essex Labs, Inc. d/b/a Basis

(“Basis” or “Processor”) and the customer entity that entered into the applicable Terms of Service, Order, or other agreement governing the Services (“Customer” or “Controller”).

This DPA applies only to the extent Basis processes Customer Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the underlying agreement.

Applicable Data Protection Law” means laws and regulations applicable to the processing of Customer Personal Data under the underlying agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, and U.S. state privacy laws that impose processor or service provider obligations.

Customer Personal Data” means personal data, personal information, or other similar regulated data contained in Customer Data that Basis processes on behalf of Customer in connection with the Services.

Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

GDPR” means Regulation (EU) 2016/679.

Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Basis’s possession or control. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as pings, port scans, denial-of-service attempts, or other network attacks that do not result in unauthorized access, or any vulnerabilities pre-identified e.g. from pen tests or vulnerability scans.

Subprocessor” means a third party engaged by Basis to process Customer Personal Data on behalf of Customer in connection with the Services.

UK GDPR” means the GDPR as incorporated into United Kingdom law.

2. Roles of the Parties

The parties acknowledge and agree that:

  • Customer is the controller, business, or similar primary responsible party with respect to Customer Personal Data; and
  • Basis is the processor, service provider, or contractor processing Customer Personal Data on Customer’s behalf

If Applicable Data Protection Law requires a different allocation of roles for a specific processing activity, the parties will comply with that law for that activity.

3. Processing Details

The details of the processing are described in Annex 1 to this DPA.

4. Customer Instructions

Basis will process Customer Personal Data only:

  • on Customer’s documented instructions;
  • as necessary to provide the Services under the underlying agreement; or
  • as required by applicable law

Basis will not use Customer Personal Data to train or improve general-purpose machine learning or AI models.

The underlying agreement and Customer’s use of the Services, including account settings and administrator actions, constitute Customer’s documented instructions to Basis.

If Basis believes an instruction violates Applicable Data Protection Law, Basis may notify Customer and suspend the affected processing until the issue is resolved.

5. Customer Responsibilities

Customer is responsible for:

  • its compliance with Applicable Data Protection Law as controller or business;
  • providing all notices and obtaining all consents and legal bases required for Basis to process Customer Personal Data lawfully;
  • ensuring its instructions to Basis comply with Applicable Data Protection Law; and
  • determining whether the Services provide appropriate protections for Customer’s intended use case
  • protecting its user credentials from compromise
  • notifying Basis of any discovered or suspected security incident

6. Personnel Confidentiality

Basis will ensure that personnel authorized to process Customer Personal Data are subject to appropriate

confidentiality obligations.

7. Security Measures

Basis will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account:

  • the nature of the processing;
  • the state of the art;
  • implementation costs;
  • the context and purposes of the processing; and
  • the risks to Data Subjects

The baseline security measures are described in Annex 2.

Basis may update the security measures from time to time, provided the updates do not materially reduce the overall security of the Services.

8. Security Incident Notification

Basis will notify Customer without undue delay after becoming aware of a Security Incident.

That notice will include, to the extent reasonably available at the time:

  • the nature of the Security Incident;
  • the categories of affected Customer Personal Data;
  • the measures Basis has taken or proposes to take; and
  • information reasonably necessary for Customer to meet its own notification obligations

Basis’s notification of or response to a Security Incident is not an admission of fault or liability.

9. Assistance to Customer

Taking into account the nature of the processing and the information available to Basis, Basis will provide

reasonable assistance to Customer for:

  • responding to Data Subject requests;
  • carrying out data protection impact assessments where required;
  • consulting with regulators where required; and
  • complying with Customer’s obligations relating to security and breach notification

Unless otherwise required by Applicable Data Protection Law, Basis may charge reasonable fees for

assistance that is not required by law or that exceeds what is reasonably necessary for the Services.

10. Subprocessors

10.1 General Authorization

Customer grants Basis general written authorization to engage Subprocessors.

10.2 Subprocessor Obligations

Basis will:

  • enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective than the obligations in this DPA, to the extent applicable to the services provided by the Subprocessor; and
  • remain responsible for the Subprocessor’s performance of its data protection obligations to the extent required by Applicable Data Protection Law

10.3 Changes to Subprocessors

Basis may update its Subprocessors from time to time. If required by Applicable Data Protection Law, Basis will provide notice of material Subprocessor changes through the Subprocessor list, email, or another reasonable method.

If Customer reasonably objects to a new Subprocessor on documented data protection grounds, the parties will work in good faith to address the objection. If the parties cannot resolve the issue within a reasonable time, Customer may stop using the affected portion of the Services or terminate the affected Services.

11. Data Subject Requests

If Basis receives a request directly from a Data Subject relating to Customer Personal Data, Basis will:

  • promptly notify Customer, unless legally prohibited; and
  • not respond except on Customer’s documented instructions or as required by applicable law

Customer is responsible for responding to Data Subject requests unless Applicable Data Protection Law requires Basis to respond directly.

12. Return and Deletion

Upon expiration or termination of the underlying agreement, Basis will, at Customer’s choice and to the extent supported by the Services:

  • return Customer Personal Data; or
  • delete Customer Personal Data

Basis may retain Customer Personal Data:

  • as required by applicable law;
  • in secure backups maintained in the ordinary course; or
  • for limited periods necessary for fraud prevention, legal holds, dispute resolution, security, or enforcement

Where data is retained, Basis will continue to protect it in accordance with this DPA and will not actively process it except as required for the retention purpose.

13. Demonstrating Compliance and Audit Rights

To the extent required by Applicable Data Protection Law, Basis will make available information reasonably necessary to demonstrate compliance with this DPA.

Customer agrees that Basis may satisfy audit obligations by providing one or more of the following:

  • current third-party audit reports or certifications, such as SOC 2 reports, if available;
  • security questionnaires;
  • summary information regarding security controls; or
  • written confirmations of compliance

If the information above is not sufficient under Applicable Data Protection Law, Customer may request an

audit of Basis’s relevant processing activities, subject to the following conditions:

  • audits must be conducted no more than once per year, unless a Security Incident or regulator requires more frequent review;
  • Customer must provide reasonable advance written notice;
  • the audit must be limited in scope to information necessary to demonstrate compliance with this DPA;
  • the audit must not unreasonably disrupt Basis’s business or compromise the security or confidentiality of other customers;
  • the auditor must be independent and bound by confidentiality obligations acceptable to Basis; and
  • Customer bears its own costs and reimburses Basis for its reasonable internal costs if the audit is not required by law due to Basis’s noncompliance

14. International Transfers

14.1 Transfer Mechanisms

To the extent Customer Personal Data subject to Applicable Data Protection Law is transferred to Basis in a country that is not recognized as providing an adequate level of protection, the parties agree that the following transfer terms will apply where required:

  • the EU Standard Contractual Clauses, Module Two (Controller to Processor); and
  • the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, where UK GDPR

applies

14.2 Incorporation by Reference

The SCCs and, where applicable, the UK Addendum are deemed incorporated into this DPA by reference and completed as follows unless the parties agree otherwise in writing:

  • Module Two applies.
  • In Clause 7, the optional docking clause applies.
  • In Clause 9, Option 2 applies and the time period for prior notice of new Subprocessors is the period described in Section 10.4 of this DPA.
  • In Clause 11, the optional language does not apply.
  • In Clause 17, the governing law is Ireland, unless another EU Member State law is required.
  • In Clause 18(b), disputes will be resolved in the courts of Ireland, unless another EU Member State court is required.
  • Annex I, Annex II, and Annex III of the SCCs are completed with the information in Annexes 1, 2, and 3 to this DPA.
  • For the UK Addendum, the Tables are completed using the relevant information from this DPA and the SCCs.

15. U.S. State Privacy Law Terms

To the extent U.S. state privacy law applies to Customer Personal Data and requires processor, service provider, or contractor terms, Basis will:

  • process Customer Personal Data only for the limited and specified purposes set out in the underlying agreement and this DPA;
  • comply with applicable restrictions on retaining, using, or disclosing Customer Personal Data outside the direct business relationship between the parties, except as permitted by law;
  • not sell or share Customer Personal Data received from Customer, except as permitted by law;
  • not combine Customer Personal Data received from Customer with personal information received from other sources, except as permitted by law;
  • notify Customer if Basis determines that it can no longer meet its obligations under applicable processor, service provider, or contractor requirements; and
  • provide reasonable cooperation and information to help Customer assess and remediate unauthorized use of Customer Personal Data

Basis certifies that it understands the restrictions described in this Section 15 and will comply with them to the

extent required by applicable U.S. state privacy law.

Customer may, upon notice, take reasonable and appropriate steps to help ensure Basis uses Customer

Personal Data in a manner consistent with Customer’s obligations under applicable U.S. state privacy law.

16. Liability

This DPA is subject to the liability limitations and exclusions in the underlying agreement, unless Applicable Data Protection Law requires otherwise.

17. Order of Precedence

If there is a conflict between this DPA and the underlying agreement, this DPA controls as to the subject matter of this DPA.

18. Annex 1: Processing Details

A. Parties

Data exporter / Customer: the Customer entity identified in the underlying agreement.

Data importer / Processor: Essex Labs, Inc. d/b/a Basis.

B. Subject matter

Provision of the Services under the underlying agreement.

C. Duration

For the term of the underlying agreement, plus any period during which Basis processes Customer Personal Data in accordance with the underlying agreement or this DPA.

D. Nature and purpose of the processing

Processing necessary to provide, host, secure, maintain, support, configure, and improve the Services, including:

  • hosting and storage
  • account administration
  • authentication and access management
  • customer support
  • communications relating to the Services
  • troubleshooting and debugging
  • security monitoring and fraud prevention
  • backup and disaster recovery
  • analytics related to service performance and usage

E. Categories of Data Subjects

As determined by Customer and its use of the Services, which may include:

  • Customer personnel
  • Customer contractors
  • Customer clients and their personnel
  • Customer end users
  • other individuals whose information is included in Customer Data

F. Categories of personal data

As determined by Customer and its use of the Services, which may include:

  • names
  • email addresses
  • phone numbers
  • professional and employment information
  • account identifiers
  • financial or transactional data
  • communications content
  • document content
  • logs and metadata
  • other personal data submitted to the Services by or on behalf of Customer

G. Sensitive data

Not intended to include special category data (e.g., health, biometric, genetic data), noting that Customer content submitted for accounting workflows may include tax identifiers and financial account or payment information and that such records may incidentally contain sensitive data elements. Customer remains responsible for determining what data to submit and for any required legal basis, notices, and consents.

H. Frequency

Continuous or as initiated by Customer during use of the Services.

I. Locations

United States, and may process in other jurisdictions where Basis and its Subprocessors process data as necessary to provide the Services, as listed in Basis’ Subprocessor list.

19. Annex 2: Security Measures

Basis will maintain a written security program designed to protect Customer Personal Data, including

measures reasonably appropriate to the Services, such as:

  • access controls based on role and business need;
  • authentication controls for administrative access;
  • personnel confidentiality and security awareness measures;
  • logging and monitoring of relevant systems;
  • vulnerability management and patching processes;
  • malware protections where appropriate;
  • encryption of Customer Personal Data in transit over public networks;
  • encryption or other appropriate safeguards for Customer Personal Data at rest where supported by the relevant system;
  • backup and recovery measures;
  • incident response procedures;
  • vendor and Subprocessor risk management appropriate to the service provided;
  • change management procedures; and
  • secure deletion or disposition processes where applicable

Basis may update these measures over time as the Services evolve, provided the updates do not materially

reduce the overall security of the Services.

Acceptable Use Policy

This Acceptable Use Policy (“AUP”) applies to all access to and use of the Services provided by Essex Labs,

Inc. d/b/a Basis (“Basis”).

This AUP is incorporated into the Terms of Service and any other agreement governing use of the Services.

1. General Rule

Use the Services lawfully, responsibly, and only for authorized business purposes.

Do not use the Services, or allow others to use the Services, to do anything that is illegal, harmful, deceptive, abusive, unsafe, infringing, or that interferes with the Services or others.

2. Prohibited Uses

You may not use the Services to:

  • violate any law, regulation, court order, or third-party right;
  • create, store, or transmit content that is unlawful, defamatory, fraudulent, harassing, threatening, or abusive;
  • infringe or misappropriate intellectual property, privacy, publicity, confidentiality, or other rights;
  • develop, support, or improve a competing service or model using the Services or Output;
  • benchmark, scrape, extract, or systematically harvest data or Output except as expressly allowed by the Services;
  • reverse engineer, decompile, or attempt to discover source code, model weights, prompts, or non-public system components;
  • bypass security features, access controls, rate limits, or usage restrictions;
  • upload malware, spyware, ransomware, or other malicious code;
  • interfere with or disrupt the Services or related systems;
  • perform unauthorized security testing;
  • impersonate another person or entity, or misrepresent an affiliation;
  • use the Services to generate or distribute spam, phishing messages, or deceptive communications;
  • use the Services to make fully automated decisions about individuals where human review is legally or practically required;
  • rely on Output as legal, tax, accounting, audit, financial, investment, employment, medical, or other professional advice without appropriate human review; or
  • use the Services in connection with weapons, unlawful surveillance, exploitation, or other high-risk or harmful activities

3. Data and Content Rules

You may submit only data and content that you are authorized to use with the Services.

You must not submit:

  • personal data in violation of applicable privacy law;
  • data subject to contractual or legal restrictions that prohibit processing through the Services;
  • trade secrets or confidential information of third parties unless you are authorized to disclose and process

that information

4. Account Integrity

You must:

  • keep credentials confidential;
  • use reasonable security practices;
  • promptly notify Basis of suspected unauthorized access; and
  • ensure Users comply with this AUP

5. Monitoring and Enforcement

Basis may investigate suspected violations of this AUP and may:

  • suspend or restrict access to the Services;
  • remove or disable access to content where reasonably necessary;
  • require corrective action;
  • terminate access or the applicable agreement; and
  • report unlawful conduct to law enforcement or regulators where appropriate

Basis is not required to monitor use of the Services, but may do so to protect the Services, Basis, customers, users, and third parties.

6. Changes

Basis may update this AUP from time to time. Material changes will be handled in accordance with the notice provisions in the Terms of Service or other applicable agreement.

Trial, Refund, and Billing Policy

This Trial, Refund, and Billing Policy applies to self-serve purchases of Basis subscriptions unless an Order or

separate written agreement states otherwise.

1. Plans and Billing

Basis may offer monthly plans, annual plans, usage-based features, add-ons, and promotional offers.

The applicable plan terms will be shown at checkout, in the billing portal, or in the relevant Order.

2. Payment Timing

Unless stated otherwise at checkout or in an applicable Order:

  • monthly subscriptions are billed in advance each month;
  • annual subscriptions are billed in advance each year; and
  • usage-based charges, overages, or add-ons may be billed in arrears or as otherwise shown in the billing flow

3. Auto-Renewal

Subscriptions automatically renew until canceled.

Before completing a purchase, the checkout flow should clearly disclose:

  • the subscription term or billing cadence;
  • the amount to be charged;
  • whether the subscription automatically renews;
  • how to cancel; and
  • where applicable, when a trial or promotional price ends

4. Cancellation

Customers may cancel through the account settings, billing portal, or other online cancellation method Basis

makes available.

Unless Basis states otherwise in writing:

  • cancellation stops future renewals; and
  • cancellation does not entitle the customer to a refund for the current billing period

5. Trials

Basis may offer a free trial or discounted introductory period.

If Basis offers a trial or introductory offer:

  • the specific terms will be shown at checkout or on the promotional page;
  • the customer must cancel before the end of the trial or introductory period to avoid charges for the next

billing period; and

  • Basis may limit trial eligibility by account, company, domain, payment method, or other criteria

6. Refunds

Except where required by law or expressly stated in writing:

  • fees are non-refundable;
  • partial billing periods are non-refundable; and
  • unused seats, unused capacity, or failure to use the Services do not create a refund right

If Basis elects to offer a refund program, onboarding guarantee, or limited cancellation window, the terms of that offer will control only for the applicable promotion or plan.

7. Failed Payments

Failed payments are addressed in Section 9.6 of the Terms of Service.

8. Taxes

Charges may exclude applicable taxes, duties, or similar governmental fees. Where required, those amounts

may be added at checkout or on the invoice.

9. Promotions and Credits

Promotional credits, discounts, coupons, and free periods:

  • have no cash value unless required by law;
  • may be limited to specific plans or time periods; and
  • may not carry over or renew automatically unless Basis expressly states otherwise

10. Changes to This Policy

Basis may update this Policy from time to time. Material changes will apply prospectively and will not affect

charges already incurred.

Support Policy

This Support Policy describes the standard support Basis makes available for self-serve customers.

This Support Policy is not a service-level agreement and does not provide service credits unless Basis

expressly agrees otherwise in writing.

1. Standard Support Channels

Basis may provide support through one or more of the following channels:

  • email: support@ofbasis.com
  • in-product help or support submission flows
  • help center or documentation resources
  • other support channels Basis may make available from time to time

2. Standard Support Hours

Basis may make live technical support available during business hours and through the channels it

designates from time to time.

Any published support hours are provided for convenience only and may change at any time. This Support Policy does not guarantee any minimum availability, response time, or resolution time.

3. Scope of Standard Support

Standard support is intended to help with:

  • access and login issues;
  • basic product questions;
  • bug reporting;
  • troubleshooting reproducible issues; and
  • reasonable requests for standard product guidance

Standard support does not include:

  • custom implementation services;
  • consulting;
  • data migration;
  • legal, tax, accounting, audit, financial, investment, employment, medical, or other professional advice;
  • development of custom features;
  • guaranteed response or resolution times; or
  • support for third-party products except as Basis decides in its discretion

4. Customer Responsibilities

To receive support efficiently, customers should:

  • provide accurate contact information;
  • identify the affected account or workspace;
  • describe the issue in reasonable detail;
  • provide reproducible steps, screenshots, logs, or other relevant details where available; and
  • cooperate reasonably with Basis’s troubleshooting efforts

5. Priority and Response

Basis may prioritize support requests based on factors such as severity, customer impact, security implications, and operational urgency.

Basis does not guarantee any response time, resolution time, uptime commitment, or service credit under this Policy.

6. Beta and No-Charge Services

Support for beta, preview, evaluation, or other no-charge features may be limited or unavailable.

7. Changes to This Policy

Basis may update this Support Policy from time to time.