MSA + DPA templates

This Master Services Agreement (the "Agreement") is made and entered into as of the date of the last signature below (the "Effective Date") by and between CARTIEAI LLC, a Texas limited liability company with its principal place of business in Texas, United States ("CARTIE AI") and the customer entity signing below ("Customer").

1. Services

CARTIE AI will provide Customer with access to its AI-native cloud financial intelligence platform and related services (the "Services"), as further described atcartieai.com and in any mutually agreed Order Form or Statement of Work. The Services are subject to our publicly posted Terms of Service, which are incorporated by reference. In case of conflict between this Agreement and the public Terms, this Agreement controls for the Customer.

2. Fees and Payment

• Fees are set out in the applicable Order Form, invoiced monthly or annually via Stripe.
• Net 30 payment terms from invoice date. Late payments accrue interest at 1% per month.
• Fees exclude applicable taxes; Customer is responsible for all sales, VAT, or similar levies.
• Fees may be increased at renewal with at least 30 days' written notice.

3. Term and Termination

• Initial term: as specified on the Order Form (typically 12 months), automatically renewing for successive 12-month periods unless either party gives 30 days' written notice of non-renewal.
• Termination for cause: either party may terminate immediately upon a material breach by the other party that remains uncured 30 days after written notice.
• Termination for convenience: Customer may terminate at any time; pre-paid fees are non-refundable except as expressly stated in our Refund Policy.
• Effect of termination: Customer may export data for 30 days; thereafter Customer data is permanently deleted (except where retention is legally required).

4. Confidentiality

Each party agrees to protect the other party's Confidential Information with at least the same degree of care it uses for its own confidential information of like importance, and never less than reasonable care. Confidential Information does not include information that is publicly available, independently developed, or rightfully received from a third party without restriction.

5. Data Ownership and License

Customer retains ownership of all data it provides to or generates through the Services ("Customer Data"). Customer grants CARTIE AI a limited, non-exclusive, worldwide license to host, process, and display Customer Data solely to provide the Services. CARTIE AI will not use Customer Data to train AI models for the benefit of other customers. Aggregated, de-identified statistics may be used to improve the Services.

6. Security and Privacy

CARTIE AI will maintain administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Data, as described in our Privacy Policy and the Data Processing Agreement below. Current safeguards include AES-256 encryption at rest, TLS 1.3 in transit, bcrypt password hashing, RBAC, audit logging, and 35-day encrypted backups. Formal SOC 2 Type II audit is targeted for Q2 2026.

7. Warranties

CARTIE AI warrants that the Services will perform materially as described in our public documentation and the applicable Order Form. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES ARE PROVIDED "AS IS" AND CARTIE AI DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

8. Indemnification

CARTIE AI will defend Customer against any third-party claim that the Services infringe a U.S. patent, copyright, or trade secret, and will indemnify Customer for damages finally awarded, provided Customer promptly notifies CARTIE AI in writing and allows CARTIE AI sole control of the defense. Customer will similarly defend CARTIE AI against claims arising from Customer Data or Customer's use of the Services in violation of this Agreement.

9. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS OR REVENUES. Each party's aggregate liability under this Agreement will not exceed the fees paid or payable by Customer in the 12 months preceding the claim. The foregoing limitations do not apply to (a) breaches of confidentiality, (b) indemnification obligations, or (c) Customer's payment obligations.

10. Governing Law and Disputes

This Agreement is governed by the laws of the State of Texas, United States, without regard to conflict-of-law rules. The state and federal courts located in Travis County, Texas have exclusive jurisdiction over any dispute, except that either party may seek injunctive relief in any court of competent jurisdiction. Parties agree to attempt good-faith resolution within 30 days before initiating litigation.

11. Miscellaneous

• Notices: All notices to CARTIE AI go to hello@cartieai.com; notices to Customer go to the email on file.
• Assignment: Neither party may assign this Agreement without the other's prior written consent, except in connection with a merger, acquisition, or sale of substantially all assets.
• Entire agreement: This Agreement, together with any Order Form and the incorporated DPA below, constitutes the entire agreement between the parties.
• Severability: If any provision is held unenforceable, the remainder remains in effect.

This Data Processing Agreement (the "DPA") supplements the Master Services Agreement above between CARTIEAI LLC (the "Processor") and the Customer (the "Controller"). It applies to all Personal Data (as defined by the EU General Data Protection Regulation 2016/679 and the California Consumer Privacy Act, collectively "Applicable Data Protection Laws") that Processor processes on Controller's behalf.

1. Subject Matter and Duration

Processor will process Personal Data only for the duration of the underlying MSA and only as necessary to provide the Services. Categories of data subjects: Controller's employees, contractors, and end-users to the extent reflected in cloud cost and usage telemetry.

2. Nature and Purpose of Processing

Processor will process Personal Data solely to (a) provide the Services, (b) detect and prevent fraud or abuse, (c) comply with legal obligations, and (d) generate aggregated, de-identified statistics.

3. Categories of Personal Data

• Account-holder identifiers (name, work email, role)
• Authentication metadata (hashed password, MFA tokens, session timestamps)
• Usage telemetry (IP address, browser, pages visited)
• Cloud billing data ingested via read-only APIs (resource IDs, tags, costs)
• Customer-list metadata if Stripe integration is enabled (customer email, name, subscription state — no card data)

4. Processor Obligations

• Process Personal Data only on documented instructions from Controller.
• Ensure personnel are bound by confidentiality obligations.
• Implement appropriate technical and organisational measures (Section 7).
• Assist Controller in responding to data-subject rights requests and DPIAs.
• Notify Controller without undue delay (within 72 hours) of any Personal Data Breach.
• Delete or return all Personal Data within 30 days of termination, except where retention is legally required.

5. Subprocessors

Controller authorises Processor to engage subprocessors listed at cartieai.com/subprocessors (current vendors include AWS, Stripe, Resend, MongoDB Atlas, Anthropic, OpenAI). Processor will notify Controller at least 14 days before engaging any new subprocessor and will impose contractual data-protection obligations no less stringent than those in this DPA.

6. International Transfers

Processor's primary data hosting is in the United States (MongoDB Atlas, US-East region). For Personal Data originating in the EU/UK, the parties incorporate the EU Standard Contractual Clauses (Module 2: controller-to-processor) by reference. Processor will assist Controller with any transfer-impact assessment.

7. Security Measures

• AES-256 encryption at rest; TLS 1.3 in transit
• Bcrypt password hashing; optional TOTP and email-based MFA
• Strict per-tenant isolation enforced at the database-collection level (automated tests on every release)
• Role-based access control with least-privilege defaults
• Audit logs of every privileged action, retained for 12 months
• 35-day encrypted backups, then permanently destroyed
• Annual penetration testing (post-SOC 2 Type II); quarterly internal security audits today
• SOC 2 Type II audit targeted for Q2 2026

8. Audit Rights

Processor will, on reasonable notice and no more than once per 12-month period, make available to Controller (or its independent auditor under NDA) the information necessary to demonstrate compliance with this DPA, including the most recent SOC 2 report once available. Audits will be conducted during business hours and will not unreasonably interfere with Processor's operations.

9. Data Subject Rights

Processor will provide reasonable assistance, including by appropriate technical and organisational measures, to enable Controller to respond to requests from data subjects exercising rights under Applicable Data Protection Laws (access, rectification, erasure, portability, restriction, objection). Requests received directly by Processor will be forwarded to Controller within 5 business days.

10. Liability and Indemnification

Liability under this DPA is governed by Section 9 (Limitation of Liability) of the MSA. Each party indemnifies the other for fines or damages arising from its own breach of Applicable Data Protection Laws.

11. Governing Law

This DPA is governed by the laws of the State of Texas, United States. Where Applicable Data Protection Laws require, mandatory provisions of those laws prevail.