Master Services Agreement -- Template Skeleton

The Client shall use the AI Systems in accordance with the instructions for use provided by the Provider, including any technical documentation, user guides, and limitations communicated by the Provider.

Before deploying any AI System in a production environment, the Client shall review the system's intended purpose, capabilities, and limitations as described in the Provider's documentation. The Client acknowledges that AI Systems may produce inaccurate, incomplete, or biased outputs and shall implement appropriate verification procedures.

The Client shall ensure that natural persons assigned to oversee the AI Systems have the necessary competence, training, and authority, and that such persons are supported by adequate resources. The Client shall not use AI System outputs as the sole basis for decisions that produce legal effects or similarly significant effects on natural persons without meaningful human review.

The Client shall monitor the operation and outputs of the AI Systems in production. If the Client identifies or reasonably suspects a serious incident, malfunction, or risk to health, safety, or fundamental rights, the Client shall: (a) immediately suspend use of the AI System; (b) notify the Provider without undue delay; and (c) cooperate with the Provider in investigating the incident.

The Client shall inform individuals interacting with the AI Systems that they are interacting with an AI system, unless this is obvious from the circumstances. Where the AI System generates or manipulates text, audio, image, or video content, the Client shall disclose that the content is AI-generated.

The Client is responsible for the quality, lawfulness, and relevance of the input data provided to the AI Systems. The Client shall ensure that all personal data provided to the AI Systems is collected and processed in compliance with applicable data protection laws, including the GDPR.

The Client shall retain the logs automatically generated by the AI Systems for a period of [LAWYER: minimum period -- AI Act suggests at least 6 months for high-risk, consider a standard period for all systems], to the extent such logs are under the Client's control.

Where the Client is a body governed by public law, or a private entity providing public services, and the AI System is a high-risk system listed in Annex III, the Client shall perform a fundamental rights impact assessment before putting the system into use.

The Client may use the AI Systems solely for the purposes specified in the applicable Order Form or SOW, and in compliance with this Agreement, applicable law, and the Provider's documentation.

The Client shall not, under any circumstances, use the AI Systems for:

• (a) Subliminal, manipulative, or deceptive techniques that distort behavior and cause significant harm;
• (b) Exploitation of vulnerabilities related to age, disability, or social/economic situation;
• (c) Social scoring -- evaluating or classifying individuals based on social behavior or personal characteristics leading to detrimental or disproportionate treatment;
• (d) Real-time remote biometric identification in publicly accessible spaces for law enforcement;
• (e) Emotion recognition in the workplace or educational institutions (except for medical or safety reasons);
• (f) Untargeted scraping of facial images from the internet or CCTV footage to build facial recognition databases;
• (g) Any other use prohibited under Article 5 of the EU AI Act.

The Client shall not deploy the AI Systems in any Annex III high-risk context (as defined in Section 5 below) without prior written notification to the Provider as set forth in Section 5.

[LAWYER: Define consequences for breach of Sections 4.2 and 4.3. Consider: (a) immediate termination right; (b) indemnification by Client; (c) Provider's right to suspend access. The prohibited use clause (4.2) should carry the strongest consequences -- material breach with no cure period.]

The Client shall notify the Provider in writing at least [LAWYER: e.g., 30 days] before deploying any AI System in a context that falls within, or may reasonably fall within, the scope of Annex III of the EU AI Act, including but not limited to:

• (a) Recruitment and HR management: Screening, filtering, or evaluating candidates; making decisions on hiring, promotion, termination, or task allocation;
• (b) Credit scoring and financial assessments: Evaluating creditworthiness or establishing credit scores;
• (c) Law enforcement: Risk assessments, polygraph or similar tools, evaluation of evidence;
• (d) Education and vocational training: Determining access to educational institutions, assessing students, monitoring behavior during tests;
• (e) Critical infrastructure: Safety components in management and operation of digital infrastructure, road traffic, water/gas/heating/electricity supply;
• (f) Healthcare: AI intended to be used as a medical device or as a safety component of a medical device;
• (g) Migration, asylum, and border control: Risk assessments, document authenticity verification;
• (h) Administration of justice and democratic processes: Assisting judicial authorities in researching and interpreting facts and law.

Upon receiving a high-risk deployment notification, the Provider may, at its sole discretion:

• (a) Approve the deployment subject to additional technical safeguards and documentation;
• (b) Require a joint risk assessment and/or DPIA before deployment proceeds;
• (c) Require modifications to the deployment plan to reduce risk;
• (d) Decline the deployment if, in the Provider's reasonable judgment, the risk cannot be adequately mitigated.

The Client shall not proceed with a high-risk deployment until it has received written approval from the Provider.

For any deployment approved under Section 5.2(a), the Client shall additionally:

• (a) Appoint a designated person responsible for AI oversight within its organization;
• (b) Implement the human oversight measures specified by the Provider;
• (c) Maintain logs for the period specified in Section 3.7;
• (d) Report serious incidents to the Provider and, where required by law, to the relevant market surveillance authority;
• (e) Conduct a fundamental rights impact assessment where required under Article 27.

With respect to Personal Data processed in the context of the Services:

• (a) The Client acts as the Controller (or, where applicable, a Processor acting on behalf of its own controller);
• (b) The Provider acts as the Processor, processing Personal Data solely on behalf of and in accordance with the documented instructions of the Client.

The processing of Personal Data under this Agreement is governed by the Data Processing Agreement attached as Annex A, which forms an integral part of this Agreement. The DPA is executed pursuant to Article 28 of the GDPR.

The current list of sub-processors is set forth in Annex C. The Provider shall notify the Client of any intended changes to sub-processors with at least [LAWYER: 30 days] prior notice, in accordance with the DPA.

Where Personal Data is transferred to sub-processors located outside the EEA (in particular: Anthropic LLC, USA; Resend Inc., USA), such transfers shall be subject to appropriate safeguards in accordance with Chapter V of the GDPR, including [LAWYER: Standard Contractual Clauses (SCCs), adequacy decisions, or other transfer mechanisms as applicable].

The Provider retains all intellectual property rights in the AI Systems, Platform, tools, methodologies, know-how, and pre-existing materials. Nothing in this Agreement transfers ownership of Provider IP to the Client.

[LAWYER: Address whether the Provider can use anonymized/aggregated usage patterns and Client feedback to improve the AI Systems. Standard SaaS practice, but should be explicitly stated and limited.]

Each Party shall keep confidential all Confidential Information received from the other Party and shall not disclose it to any third party except: (a) to employees, contractors, and advisors who need to know and are bound by equivalent confidentiality obligations; (b) as required by law or court order; (c) with the prior written consent of the disclosing Party.

Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the receiving Party; (b) was already known to the receiving Party without restriction; (c) is independently developed by the receiving Party; (d) is received from a third party without restriction.

Confidentiality obligations survive termination of this Agreement for a period of [LAWYER: e.g., 3 or 5 years].

[LAWYER: Define liability caps. Considerations:

• Variant A: Cap at total fees paid under the relevant SOW in the 12 months preceding the claim
• Variant B: Cap at total subscription fees paid in the 12 months preceding the claim
• Exclusions from cap: fraud, willful misconduct, death/personal injury from negligence, breach of confidentiality, IP infringement indemnity, data protection breach indemnity
• Exclusion of indirect, consequential, incidental, and punitive damages]

The Client shall indemnify, defend, and hold harmless the Provider from and against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from or relating to:

• (a) The Client's breach of its obligations under Section 3 (AI Act Deployer Obligations);
• (b) The Client's use of the AI Systems in violation of Section 4 (Permitted Use and Restrictions);
• (c) The Client's failure to notify the Provider of a high-risk deployment under Section 5;
• (d) The Client's processing of Personal Data in breach of applicable data protection laws;
• (e) Any claim by a third party arising from the Client's deployment of the AI Systems outside the scope of this Agreement.

[LAWYER: Define Provider indemnification obligations. Consider: (a) IP infringement claims (Provider indemnifies Client if the Platform infringes third-party IP); (b) Provider's breach of the DPA; (c) Provider's gross negligence or willful misconduct.]

The Client acknowledges that:

• (a) AI Systems may produce inaccurate, incomplete, biased, or inappropriate outputs ("hallucinations");
• (b) The Provider does not guarantee the accuracy, completeness, or fitness for any particular purpose of AI-generated outputs;
• (c) The Client is solely responsible for evaluating and acting upon AI-generated outputs;
• (d) The Provider shall not be liable for decisions made by the Client or its end users based on AI-generated outputs.

Either Party may terminate this Agreement immediately upon written notice if:

• (a) The other Party commits a material breach that is not cured within [LAWYER: e.g., 30 days] of written notice;
• (b) The other Party becomes insolvent, enters bankruptcy, or ceases to carry on business;
• (c) The Client breaches Section 4.2 (Prohibited Uses) -- no cure period.

Upon termination: (a) the Client's access to the Platform/Services shall cease; (b) data deletion/return shall be handled in accordance with the DPA (Annex A); (c) accrued rights and obligations survive; (d) Sections 7 (IP), 8 (Confidentiality), 9 (Liability), and the DPA shall survive termination.

This Agreement, together with its Annexes and any Order Forms or SOWs, constitutes the entire agreement between the Parties and supersedes all prior negotiations, representations, and agreements.

No amendment to this Agreement shall be effective unless in writing and signed by both Parties.

Neither Party may assign this Agreement without the prior written consent of the other Party, except in connection with a merger, acquisition, or sale of substantially all of its assets.

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

All notices under this Agreement shall be in writing and delivered to the addresses specified in the Order Form. [LAWYER: Define acceptable delivery methods -- email, registered mail, etc.]

[LAWYER: Standard force majeure clause. Consider whether AI model unavailability (e.g., Anthropic API outage) qualifies.]

Each Party shall comply with all applicable laws and regulations, including without limitation the GDPR, the EU AI Act (Regulation 2024/1689), and any implementing national legislation.

12.1. This Agreement shall be governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg.

12.2. Any disputes arising out of or in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts of Luxembourg City.

[LAWYER: Consider whether an arbitration clause (e.g., ICC, Luxembourg Arbitration Center) would be preferable for international clients. Also consider whether the jurisdiction clause should be non-exclusive for Variant A (international consulting projects).]