Terms of Use
Acceptance of the Terms of Use
These terms of use are entered into by and between You and Tailshift Inc. ("Company", "we", or "us"). The following terms and conditions, together with any documents they expressly incorporate by reference (collectively, "Terms of Use"), govern your access to and use of tailshift.ai, including any content, functionality and services offered on or through tailshift.ai (the "Website"), whether as a guest or a registered user.
Please read the Terms of Use carefully before you start to use the Website. By using the Website, you accept and agree to be bound and abide by these Terms of Use and our Privacy Policy, found at tailshift.ai/terms-of-use/ and tailshift.ai/privacy-policy/, incorporated herein by reference. If you do not want to agree to these Terms of Use or the Privacy Policy, you must not access or use the Website.
Changes to the Terms of Use
We may revise and update these Terms of Use from time to time in our sole discretion. All changes are effective immediately when we post them, and apply to all access to and use of the Website thereafter.
Your continued use of the Website following the posting of revised Terms of Use means that you accept and agree to the changes. You are expected to check this page from time to time so you are aware of any changes, as they are binding on you.
Accessing the Website and Account Security
We reserve the right to withdraw or amend this Website, and any service or material we provide on the Website, in our sole discretion without notice. We will not be liable if for any reason all or any part of the Website is unavailable at any time or for any period. From time to time, we may restrict access to some parts of the Website, or the entire Website, to users, including registered users.
You are responsible for both:
- Making all arrangements necessary for you to have access to the Website.
- Ensuring that all persons who access the Website through your internet connection are aware of these Terms of Use and comply with them.
To access the Website or some of the resources it offers, you may be asked to provide certain registration details or other information. It is a condition of your use of the Website that all the information you provide on the Website is correct, current and complete. You agree that all information you provide to register with this Website or otherwise, including, but not limited to, through the use of any interactive features on the Website, is governed by our Privacy Policy, and you consent to all actions we take with respect to your information consistent with our Privacy Policy.
If you choose, or are provided with, a user name, password or any other piece of information as part of our security procedures, you must treat such information as confidential, and you must not disclose it to any other person or entity. You also acknowledge that your account is personal to you and agree not to provide any other person with access to this Website or portions of it using your user name, password or other security information. You agree to notify us immediately of any unauthorized access to or use of your user name or password or any other breach of security. You also agree to ensure that you exit from your account at the end of each session. You should use particular caution when accessing your account from a public or shared computer so that others are not able to view or record your password or other personal information.
We have the right to disable any user name, password or other identifier, whether chosen by you or provided by us, at any time in our sole discretion for any or no reason, including if, in our opinion, you have violated any provision of these Terms of Use.
Intellectual Property Rights
The Website and its entire contents, features and functionality (including but not limited to all information, software, text, displays, images, video and audio, and the design, selection and arrangement thereof), are owned by the Company, its licensors or other providers of such material and are protected by United States and international copyright, trademark, patent, trade secret and other intellectual property or proprietary rights laws.
These Terms of Use permit you to use the Website for your personal, non-commercial use only. You must not reproduce, distribute, modify, create derivative works of, publicly display, publicly perform, republish, download, store or transmit any of the material on our Website, except as follows:
- Your computer may temporarily store copies of such materials in RAM incidental to your accessing and viewing those materials.
- You may store files that are automatically cached by your Web browser for display enhancement purposes.
- You may print one copy of a reasonable number of pages of the Website for your own personal, non-commercial use and not for further reproduction, publication or distribution.
- If we provide desktop, mobile or other applications for download, you may download a single copy to your computer or mobile device solely for your own personal, non-commercial use, provided you agree to be bound by our end user license agreement for such applications.
- If we provide tailshift.ai with certain content, you may take such actions as are enabled by such features.
You must not:
- Modify copies of any materials from this site.
- Delete or alter any copyright, trademark or other proprietary rights notices from copies of materials from this site.
You must not access or use for any commercial purposes any part of the Website or any services or materials available through the Website.
If you print, copy, modify, download or otherwise use or provide any other person with access to any part of the Website in breach of the Terms of Use, your right to use the Website will cease immediately and you must, at our option, return or destroy any copies of the materials you have made. No right, title or interest in or to the Website or any content on the Website is transferred to you, and all rights not expressly granted are reserved by the Company. Any use of the Website not expressly permitted by these Terms of Use is a breach of these Terms of Use and may violate copyright, trademark and other laws.
Prohibited Uses
You may use the Website only for lawful purposes and in accordance with these Terms of Use. You agree not to use the Website:
- In any way that violates any applicable federal, state, local or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).
- For the purpose of exploiting, harming or attempting to exploit or harm minors in any way by exposing them to inappropriate content, asking for personally identifiable information or otherwise.
- To send, knowingly receive, upload, download, use or re-use any material which does not comply with the Content Standards set out in these Terms of Use.
- To transmit, or procure the sending of, any advertising or promotional material, including any "junk mail", "chain letter", "spam", or any other similar solicitation.
- To impersonate or attempt to impersonate the Company, a Company employee, another user or any other person or entity (including, without limitation, by using e-mail addresses associated with any of the foregoing).
- To engage in any other conduct that restricts or inhibits anyone's use or enjoyment of the Website, or which, as determined by us, may harm the Company or users of the Website, or expose them to liability.
Additionally, you agree not to:
- Use the Website in any manner that could disable, overburden, damage, or impair the site or interfere with any other party's use of the Website, including their ability to engage in real time activities through the Website.
- Use any robot, spider or other automatic device, process or means to access the Website for any purpose, including monitoring or copying any of the material on the Website.
- Use any manual process to monitor or copy any of the material on the Website, or for any other purpose not expressly authorized in these Terms of Use, without our prior written consent.
- Use any device, software or routine that interferes with the proper working of the Website.
- Introduce any viruses, trojan horses, worms, logic bombs or other material which is malicious or technologically harmful.
- Attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of the Website, the server on which the Website is stored, or any server, computer or database connected to the Website.
- Attack the Website via a denial-of-service attack or a distributed denial-of-service attack.
- Otherwise attempt to interfere with the proper working of the Website.
User Contributions
The Website may contain message boards, chat rooms, personal web pages or profiles, forums, bulletin boards, and other interactive features (collectively, "Interactive Services") that allow users to post, submit, publish, display or transmit to other users or other persons (hereinafter, "post") content or materials (collectively, "User Contributions") on or through the Website.
All User Contributions must comply with the Content Standards set out in these Terms of Use.
Any User Contribution you post to the site will be considered non-confidential and non-proprietary. By providing any User Contribution on the Website, you grant us and our licensees, successors and assigns the right to use, reproduce, modify, perform, display, distribute and otherwise disclose to third parties any such material for any purpose.
You represent and warrant that:
- You own or control all rights in and to the User Contributions and have the right to grant the license granted above to us and our licensees, successors and assigns.
- All of your User Contributions do and will comply with these Terms of Use.
You understand and acknowledge that you are responsible for any User Contributions you submit or contribute, and you, not the Company, have full responsibility for such content, including its legality, reliability, accuracy and appropriateness.
We are not responsible, or liable to any third party, for the content or accuracy of any User Contributions posted by you or any other user of the Website.
Monitoring and Enforcement; Termination
We have the right to:
- Remove or refuse to post any User Contributions for any or no reason in our sole discretion.
- Take any action with respect to any User Contribution that we deem necessary or appropriate in our sole discretion, including if we believe that such User Contribution violates the Terms of Use, including the Content Standards, infringes any intellectual property right or other right of any person or entity, threatens the personal safety of users of the Website or the public or could create liability for the Company.
- Disclose your identity or other information about you to any third party who claims that material posted by you violates their rights, including their intellectual property rights or their right to privacy.
- Take appropriate legal action, including without limitation, referral to law enforcement, for any illegal or unauthorized use of the Website.
- Terminate or suspend your access to all or part of the Website for any or no reason, including without limitation, any violation of these Terms of Use.
Without limiting the foregoing, we have the right to fully cooperate with any law enforcement authorities or court order requesting or directing us to disclose the identity or other information of anyone posting any materials on or through the Website. YOU WAIVE AND HOLD HARMLESS THE COMPANY FROM ANY CLAIMS RESULTING FROM ANY ACTION TAKEN BY THE COMPANY DURING OR AS A RESULT OF ITS INVESTIGATIONS AND FROM ANY ACTIONS TAKEN AS A CONSEQUENCE OF INVESTIGATIONS BY EITHER THE COMPANY OR LAW ENFORCEMENT AUTHORITIES.
However, we cannot review all material before it is posted on the Website, and cannot ensure prompt removal of objectionable material after it has been posted. Accordingly, we assume no liability for any action or inaction regarding transmissions, communications or content provided by any user or third party. We have no liability or responsibility to anyone for performance or nonperformance of the activities described in this section.
Content Standards
These content standards apply to any and all User Contributions and use of Interactive Services. User Contributions must in their entirety comply with all applicable federal, state, local and international laws and regulations. Without limiting the foregoing, User Contributions must not:
- Contain any material which is defamatory, obscene, indecent, abusive, offensive, harassing, violent, hateful, inflammatory or otherwise objectionable.
- Promote sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation or age.
- Infringe any patent, trademark, trade secret, copyright or other intellectual property or other rights of any other person.
- Violate the legal rights (including the rights of publicity and privacy) of others or contain any material that could give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with these Terms of Use and our Privacy Policy.
- Be likely to deceive any person.
- Promote any illegal activity, or advocate, promote or assist any unlawful act.
- Cause annoyance, inconvenience or needless anxiety or be likely to upset, embarrass, alarm or annoy any other person.
- Impersonate any person, or misrepresent your identity or affiliation with any person or organization.
- Involve commercial activities or sales, such as contests, sweepstakes and other sales promotions, barter or advertising.
- Give the impression that they emanate from or are endorsed by us or any other person or entity, if this is not the case.
Copyright Infringement
If you believe that any User Contributions violate your copyright, please email us to [email protected]. It is the policy of the Company to terminate the user accounts of repeat infringers.
Reliance on Information Posted
The information presented on or through the Website is made available solely for general information purposes. We do not warrant the accuracy, completeness or usefulness of this information. Any reliance you place on such information is strictly at your own risk. We disclaim all liability and responsibility arising from any reliance placed on such materials by you or any other visitor to the Website, or by anyone who may be informed of any of its contents.
This Website may include content provided by third parties, including materials provided by other users, bloggers and third-party licensors, syndicators, aggregators and/or reporting services. All statements and/or opinions expressed in these materials, and all articles and responses to questions and other content, other than the content provided by the Company, are solely the opinions and the responsibility of the person or entity providing those materials. These materials do not necessarily reflect the opinion of the Company. We are not responsible, or liable to you or any third party, for the content or accuracy of any materials provided by any third parties.
Errors and corrections
We do not represent or warrant that the website or knowledgebase will be error-free, free of viruses or other harmful components, or that defects will be corrected. Additionally, this website, its content and knowledgebase, is for educational purposes only. We do not warrant or represent that the content and any information available on or through the website or knowledgebase will be correct, accurate, timely or otherwise reliable. We may make changes to the content of the website or knowledgebase at any time.
Changes to the Website
We may update the content on this Website from time to time, but its content is not necessarily complete or up-to-date. Any of the material on the Website may be out of date at any given time, and we are under no obligation to update such material.
Information About You and Your Visits to the Website
All information we collect on this Website is subject to our Privacy Policy. By using the Website, you consent to all actions taken by us with respect to your information in compliance with the Privacy Policy.
Online Purchases and Other Terms and Conditions
All purchases through our site or other transactions for the sale of services formed through the Website, or as a result of visits made by you, are governed by our Terms of Use.
Additional terms and conditions may also apply to specific portions, services or features of the Website. All such additional terms and conditions are hereby incorporated by this reference into these Terms of Use.
Linking to the Website and Social Media Features
You may link to our homepage, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it, but you must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part.
This Website may provide certain social media features that enable you to:
- Link from your own or certain third-party websites to certain content on this Website.
- Send e-mails or other communications with certain content, or links to certain content, on this Website.
- Cause limited portions of content on this Website to be displayed or appear to be displayed on your own or certain third-party websites.
You may use these features solely as they are provided by us, and solely with respect to the content they are displayed with, and otherwise in accordance with any additional terms and conditions we provide with respect to such features. Subject to the foregoing, you must not:
- Establish a link from any website that is not owned by you.
- Cause the Website or portions of it to be displayed, or appear to be displayed by, for example, framing, deep linking or in-line linking, on any other site.
- Link to any part of the Website other than the homepage.
- Otherwise take any action with respect to the materials on this Website that is inconsistent with any other provision of these Terms of Use.
The website from which you are linking, or on which you make certain content accessible, must comply in all respects with the Content Standards set out in these Terms of Use.
You agree to cooperate with us in causing any unauthorized framing or linking immediately to cease. We reserve the right to withdraw linking permission without notice.
We may disable all or any social media features and any links at any time without notice in our discretion.
Links from the Website
If the Website contains links to other sites and resources provided by third parties, these links are provided for your convenience only. This includes links contained in advertisements, including banner advertisements and sponsored links. We have no control over the contents of those sites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them. If you decide to access any of the third party websites linked to this Website, you do so entirely at your own risk and subject to the terms and conditions of use for such websites.
Geographic Restrictions
The owner of the Website is based in the State of California in the United States. We provide this Website for use only by persons located in the United States. We make no claims that the Website or any of its content is accessible or appropriate outside of the United States. Access to the Website may not be legal by certain persons or in certain countries. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.
Disclaimer of Warranties
You understand that we cannot and do not guarantee or warrant that files available for downloading from the internet or the Website will be free of viruses or other destructive code. You are responsible for implementing sufficient procedures and checkpoints to satisfy your particular requirements for anti-virus protection and accuracy of data input and output, and for maintaining a means external to our site for any reconstruction of any lost data. WE WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA OR OTHER PROPRIETARY MATERIAL DUE TO YOUR USE OF THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT.
THE COMPANY HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR PARTICULAR PURPOSE.
THE FOREGOING DOES NOT AFFECT ANY WARRANTIES WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
Limitation on Liability
TO THE FULLEST EXTENT PROVIDED BY LAW, IN NO EVENT WILL THE COMPANY, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE WEBSITE, ANY WEBSITES LINKED TO IT, ANY CONTENT ON THE WEBSITE OR SUCH OTHER WEBSITES OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE OR SUCH OTHER WEBSITES, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE.
THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
Indemnification
You agree to defend, indemnify and hold harmless the Company, its affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses or fees (including reasonable attorneys' fees) arising out of or relating to your violation of these Terms of Use or your use of the Website, including, but not limited to, your User Contributions, any use of the Website's content, services and products other than as expressly authorized in these Terms of Use, or your use of any information obtained from the Website.
Governing Law and Jurisdiction
All matters relating to the Website and these Terms of Use, and any dispute or claim arising therefrom or related thereto (in each case, including non-contractual disputes or claims), shall be governed by and construed in accordance with the internal laws of the State of Colorado without giving effect to any choice or conflict of law provision or rule (whether of the State of Colorado or any other jurisdiction).
Any legal suit, action or proceeding arising out of, or related to, these Terms of Use or the Website shall be instituted exclusively in the federal courts of the United States or the courts of the State of Colorado, in each case located in the City of Denver and County of Boulder, although we retain the right to bring any suit, action or proceeding against you for breach of these Terms of Use in your country of residence or any other relevant country. You waive any and all objections to the exercise of jurisdiction over you by such courts and to venue in such courts.
Arbitration
Any dispute or difference between us and you arising from or relating to this Agreement, including its formation or validity, whether arising before or after termination of this Agreement, shall be submitted to an arbitration panel (the "Panel") consisting of two arbitrators and an umpire.
Each party shall appoint an arbitrator within thirty (30) days of the date on which a party makes a written demand for arbitration, and the two named shall select an Umpire. If either party refuses or neglects to appoint an arbitrator within the time specified, the other party may appoint the second arbitrator. If the two arbitrators fail to agree on an Umpire within thirty (30) days of their appointment each of them shall name three (3) individuals, of whom the other shall decline two (2), and the choice shall then be made by drawing lots. The arbitrators and the Umpire shall be disinterested and shall be active or former officers of insurance or reinsurance companies authorized to transact business in one or more states of the United States of America.
Each party shall submit its case to the arbitrators within thirty (30) days of the appointment of the Umpire or within such period as may be agreed by the arbitrators. The sittings of the Panel shall take place in New York, NY unless otherwise agreed by the parties. The Panel shall make its decision with regard to the custom and usage of the insurance business. The Panel shall be relieved of all judicial formalities and may abstain from following the strict rules of law. The written decision of a majority of the Panel shall be made as soon as practicable but within sixty (60) days following termination of the hearings unless the parties consent to an extension. Such majority decision of the Panel shall be final and binding on the parties both as to law and fact and may not be appealed to any court of any jurisdiction. Judgment may be entered upon the final decision of the Panel in any court of proper jurisdiction.
Each party shall bear the expense of its own arbitrator and shall jointly and equally bear with the other party the expense of the third arbitrator and of the arbitration.
Limitation on Time to File Claims
ANY CAUSE OF ACTION OR CLAIM YOU MAY HAVE ARISING OUT OF OR RELATING TO THESE TERMS OF USE OR THE WEBSITE MUST BE COMMENCED WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES; OTHERWISE, SUCH CAUSE OF ACTION OR CLAIM IS PERMANENTLY BARRED.
Waiver and Severability
No waiver by the Company of any term or condition set forth in these Terms of Use shall be deemed a further or continuing waiver of such term or condition or a waiver of any other term or condition, and any failure of the Company to assert a right or provision under these Terms of Use shall not constitute a waiver of such right or provision.
If any provision of these Terms of Use is held by a court or other tribunal of competent jurisdiction to be invalid, illegal or unenforceable for any reason, such provision shall be eliminated or limited to the minimum extent such that the remaining provisions of the Terms of Use will continue in full force and effect.
Entire Agreement
The Terms of Use, our Privacy Policy, and Terms of Sale constitute the sole and entire agreement between you and Tailshift with respect to the Website and supersede all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to the Website.
Your Comments and Concerns
This website is operated by Tailshift, 21 West 46th Street Ste. 602 New York, NY 10036
All notices of copyright infringement claims should be sent via email to [email protected]
All other feedback, comments, requests for technical support and other communications relating to the Website should be directed to: [email protected].
Data Protection Addendum
Last updated: August 22, 2025
This Addendum is between Tailshift Inc. ("Tailshift") and the Customer (as defined in the applicable agreement) and forms part of the Tailshift Terms of Service available at https://www.tailshift.ai/terms-of-use/ or any other written or electronic agreement between Tailshift and Customer that expressly incorporates this Addendum (the "Agreement").
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and that have not entered into a separate data protection addendum with Tailshift. For purposes of this Addendum only, references to "Customer" include such Affiliates.
The Parties agree that the terms below are added as an addendum to the Agreement and will apply to Tailshift’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws.
1. Definitions
Capitalized terms not defined below have the meanings in the Agreement. In this Addendum:
- "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party, where control means direct or indirect ownership or control of more than 50% of the voting interests of an entity or otherwise having the power to direct its management and policies.
- "Customer Personal Data" means any Personal Data provided by or made available by Customer to Tailshift, or collected by Tailshift on behalf of Customer, that Tailshift Processes to provide the Services.
- "Controller to Processor SCCs" means: (i) the standard contractual clauses adopted by the European Commission on 4 June 2021 for transfers of Personal Data to third countries (including as amended or replaced from time to time), together with any Swiss FDPIC and/or UK ICO modifications; and (ii) the UK International Data Transfer Addendum ("UK Addendum").
- "Data Protection Laws" means all laws and regulations relating to data protection, privacy, security and breach notification to the extent applicable to the Processing of Customer Personal Data under the Agreement, which may include, as applicable: the EU GDPR, UK GDPR, Swiss DPA, the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA"), state privacy laws in the United States, HIPAA and its implementing regulations, and any similar or successor laws.
- "EU Area" means the European Union, European Economic Area, the United Kingdom and Switzerland.
- "EU Area Law" means the EU GDPR, UK GDPR, Swiss DPA and any national laws implementing or supplementing them.
- "HIPAA" means the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (including the Privacy, Security, Breach Notification and Enforcement Rules at 45 C.F.R. Parts 160 and 164).
- "PHI" means protected health information as defined under HIPAA.
- "Security Incident" means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Tailshift. Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Personal Data (e.g., unsuccessful log-ins, pings, scans, denial of service without data access).
- "Services" means the services provided by Tailshift to Customer under the Agreement.
- "Subprocessor" means any third party engaged by Tailshift to Process Customer Personal Data on Tailshift’s behalf to provide the Services.
- The terms Business, Business Purpose, commercial purpose, Contractor, Controller, Data Subject, Personal Data, Personal Data Breach, Process/Processing, Processor, Sell, Service Provider, Share, Supervisory Authority and Third Party shall have the meanings given in applicable Data Protection Laws.
2. Scope; Relationship of the Parties
2.1 Scope. This Addendum applies to Tailshift’s Processing of Customer Personal Data under the Agreement to the extent that such Processing is subject to Data Protection Laws. Unless required otherwise by Data Protection Laws, this Addendum is governed by the governing law specified in the Agreement.
2.2 Roles. As further described in Annex 1, Customer is a Controller (or Business under CCPA) and Tailshift acts as a Processor (or Service Provider/Contractor under CCPA) with respect to Customer Personal Data. Where Tailshift acts as a Subprocessor, Tailshift will comply with the obligations applicable to Subprocessors herein.
2.3 HIPAA Role (if applicable). If and only to the extent Tailshift receives, creates, maintains or transmits PHI on behalf of Customer (acting as a Covered Entity or Business Associate), Tailshift shall act as Customer’s Business Associate and the parties will execute a separate Business Associate Agreement (BAA), which is incorporated by reference or attached as Annex 3 (if executed). In case of conflict between the BAA and this Addendum with respect to PHI, the BAA controls.
3. Description and Purposes of Processing
The subject matter, nature, categories of data subjects and Personal Data, Processing purposes, and retention are set out in Annex 1. The Parties may reasonably update Annex 1 from time to time by written agreement. The purpose of Processing under this Addendum is Tailshift’s provision of the Services and performance of the Agreement and any order forms.
4. Customer Obligations and Instructions
4.1 Compliance. Customer will comply with Data Protection Laws in its use of the Services and in providing instructions to Tailshift. Customer is solely responsible for the accuracy, quality and legality of Customer Personal Data and the means by which Customer acquired it, including providing all required notices and obtaining all necessary consents.
4.2 Instructions. Tailshift will Process Customer Personal Data only on Customer’s documented instructions, including as set forth in the Agreement, this Addendum, Customer’s configuration and use of the Services, and as otherwise documented in writing by Customer. Tailshift will notify Customer if Tailshift determines it can no longer meet its obligations under Data Protection Laws or if, in Tailshift’s opinion, an instruction infringes Data Protection Laws (in which case Tailshift may refrain from Processing until the instruction is confirmed or modified).
4.3 Special Categories & PHI. Customer will not provide Special Categories of Personal Data (as defined by GDPR) or PHI unless expressly permitted by the Agreement or Annex 1 and (for PHI) a BAA is in effect. If such data is permitted, Customer represents that it has a lawful basis and will configure the Services accordingly.
5. Tailshift Obligations
5.1 Use Restrictions (including CCPA). Tailshift will not Sell or Share Customer Personal Data and will not retain, use or disclose Customer Personal Data for any purpose other than for the specific Business Purpose of performing the Services or as otherwise permitted by Data Protection Laws. Tailshift certifies that it understands and will comply with the restrictions in this Section 5.1. Tailshift will not combine Customer Personal Data with Personal Data obtained from other sources except as permitted by CCPA (e.g., to detect security incidents, protect against fraud, or to improve the quality of the Services without using such data to perform services for another person), or as otherwise authorized by Customer.
5.2 Confidentiality. Tailshift will ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations or statutory duties of confidentiality.
5.3 Security. Taking into account the state of the art, costs, nature, scope, context and purposes of Processing, and the risk to Data Subjects, Tailshift will implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect Customer Personal Data as required by Article 32 GDPR and other applicable laws. Tailshift maintains an information security program aligned with SOC 2 Type 2 controls and a HIPAA Security Rule–aligned program. A description of TOMs appears in Annex 1, Section 4.
5.4 Audit & Reports. Upon written request no more than once annually (unless otherwise required by a Supervisory Authority or following a Security Incident impacting Customer Personal Data), Tailshift will make available information reasonably necessary to demonstrate compliance with this Addendum, which may include responses to security questionnaires and summaries of independent assessments (e.g., a current SOC 2 Type 2 report under NDA). If such materials are insufficient to establish compliance, Customer may conduct an on-site or remote audit during normal business hours upon reasonable prior notice and in a manner that avoids undue disruption. Customer will bear its audit costs and reasonable Tailshift time and out-of-pocket costs.
5.5 Subprocessors. Customer authorizes Tailshift to engage Subprocessors to Process Customer Personal Data, including those listed in Annex 2. Tailshift will: (a) enter into a written contract with each Subprocessor imposing data protection obligations materially no less protective than those in this Addendum; (b) remain responsible for Subprocessors’ performance; and (c) provide Customer with at least 30 days’ advance notice of any new or replacement Subprocessors (via email or a publicly posted list). Customer may object on reasonable data protection grounds within 30 days; the Parties will work in good faith to find a reasonable solution. If none is found within 30 days, either Party may terminate the affected Services without penalty.
5.6 Government & Third-Party Requests. To the extent legally permitted, Tailshift will promptly notify Customer of any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, court or other public body. Where legally permissible, Tailshift will challenge unlawful or overbroad requests and disclose only the minimum data required, keeping records of disclosures.
5.7 Data Subject Requests. Taking into account the nature of the Processing, Tailshift will provide reasonable assistance to Customer by appropriate technical and organizational measures to enable Customer to respond to requests to exercise Data Subject rights under Data Protection Laws. Tailshift will not respond directly to such requests unless required by law or authorized in writing by Customer. Customer will reimburse Tailshift’s reasonable costs for assistance that is not included in the Services.
5.8 Security Incidents. Upon becoming aware of a Security Incident affecting Customer Personal Data, Tailshift will notify Customer without undue delay and provide information reasonably available to Tailshift to assist Customer in meeting its breach notification obligations. Tailshift will take reasonable steps to investigate, mitigate and remediate the Security Incident and keep Customer reasonably informed. Notification is not an acknowledgment of fault.
5.9 Assistance (DPIAs, HIPAA). Taking into account the nature of Processing and information available to Tailshift, Tailshift will provide reasonable assistance to Customer with obligations under Articles 32–36 GDPR (including DPIAs and prior consultations) and with HIPAA Security Rule risk analysis and risk management where Tailshift’s systems are in scope. Customer will reimburse Tailshift’s reasonable costs for assistance outside the Services.
5.10 Return or Deletion. Upon termination or expiration of the Agreement, Tailshift will, at Customer’s choice, delete or return Customer Personal Data (unless applicable law requires retention). Where deletion is chosen, Tailshift will render Customer Personal Data unrecoverable, subject to standard backup retention periods, after which backups are overwritten in the ordinary course.
5.11 Records. Tailshift will maintain records of Processing of Customer Personal Data as required by Article 30 GDPR and other applicable laws.
6. Restricted Transfers; International Data Transfers
6.1 SCCs & UK Addendum. Where Customer Personal Data is transferred from the EU Area to a country without an adequacy decision and such transfer is subject to EU Area Law, the Parties agree the Controller–Processor SCCs (Module Two) are incorporated by reference and form part of this Addendum as completed below, together with the UK Addendum where the UK GDPR applies:
- Clause 7 (Docking): applies.
- Clause 9 (Subprocessors): Option 2 applies with the notice period in Section 5.5.
- Clause 11 (Redress): does not apply.
- Clause 17 (Governing law): Irish law.
- Clause 18 (Forum and jurisdiction): Courts of Ireland.
- Annex I to the SCCs: completed by Annex 1 of this Addendum.
- Annex II to the SCCs: completed by Annex 1, Section 4 of this Addendum.
- For Swiss transfers, references to the GDPR shall be read as references to the Swiss DPA; references to Member States shall be to Switzerland; governing law and forum shall be Swiss law and competent Swiss courts.
- For UK transfers, the UK Addendum applies; Part 1 tables are completed by Annex 1; in Table 4, both Importer and Exporter may make changes.
6.2 Additional Measures. If the SCCs or UK Addendum are insufficient to safeguard transfers in light of the laws of the destination country, Tailshift will implement supplementary measures (e.g., encryption at rest and in transit, pseudonymization, access controls, transparency reporting) to ensure an essentially equivalent level of protection.
6.3 Processing Locations & AI/ML. Tailshift Processes Customer Personal Data in the regions described in Annex 1 (or as otherwise agreed in writing). If Tailshift provides optional AI/ML features, Tailshift will Process Personal Data only to the extent necessary to provide those features and in accordance with this Addendum and Data Protection Laws. Tailshift will not use Customer Personal Data to train generalized models for third-party benefit without Customer’s written authorization.
7. California Privacy (CCPA/CPRA) Provisions
7.1 Tailshift acts as a Service Provider/Contractor to Customer. Tailshift will: (a) comply with applicable obligations under CCPA; (b) provide the same level of privacy protection as is required of Service Providers/Contractors by CCPA; (c) grant Customer the right to take reasonable and appropriate steps to ensure Tailshift uses Customer Personal Data in a manner consistent with Customer’s obligations under CCPA; (d) notify Customer if Tailshift determines it can no longer meet its obligations; and (e) permit Customer, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
7.2 Tailshift will assist Customer in responding to verifiable consumer requests under CCPA to the extent the request relates to data Tailshift holds as Service Provider.
8. Warranties
Each Party warrants that it will comply with its respective obligations under applicable Data Protection Laws. Tailshift represents it maintains an information security program aligned with SOC 2 Type 2 and a HIPAA Security Rule compliance program.
9. Indemnity
To the extent permitted by law, Customer will defend, indemnify and hold harmless Tailshift and its Affiliates from and against third-party claims and related liabilities, damages, fines, penalties, costs and expenses arising from Customer’s breach of this Addendum or of Data Protection Laws. Tailshift may participate with counsel of its choosing at its own expense.
10. Precedence; Severability; Miscellaneous
10.1 Order of Precedence. In case of conflict: (a) the SCCs/UK Addendum (and any other transfer mechanism agreed in writing) prevail; then (b) the BAA (for PHI); then (c) this Addendum; then (d) the Agreement.
10.2 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
10.3 Privacy by Design. Tailshift applies privacy by design and by default in its development lifecycle and change management.
10.4 Notices. Notices under this Addendum must be given pursuant to the notice provisions of the Agreement. Privacy-specific notices may be sent to the contacts in Annex 1.
10.5 No Legal Advice. This Addendum is a template for commercial use and is not legal advice. Parties should consult their counsel.
Annex 1 — Description of Processing
1. Parties
Data Exporter (Controller/Business)
Name: Customer (as set forth in the Agreement)
Address: As set forth in the relevant order form
Contact: As set forth in the relevant order form
Role: Controller/Business
Data Importer (Processor/Service Provider)
Name: Tailshift Inc.
Address: [Insert Tailshift address]
Contact: [email protected] (or as otherwise specified)
Role: Processor/Service Provider
2. Competent Supervisory Authority
As determined in accordance with Clause 13 of the SCCs (and the Swiss DPA/UK Addendum, as applicable).
3. Processing Details
Data Subjects. Customer’s employees, contractors, end-users and other individuals whose Personal Data is submitted to or collected by the Services at Customer’s direction.
Categories of Personal Data. Depending on Customer’s configuration and use of the Services, categories may include: identifiers (name, business email, username), professional information (role, employer), account metadata, audit logs, support communications, usage data, and any other Personal Data that Customer elects to submit to the Services. If permitted by the Agreement/BAA and configured by Customer, this may include Special Categories (GDPR Art. 9) and/or PHI.
Sensitive/PHI. Not Processed unless expressly permitted by the Agreement/Annex and, for PHI, a BAA is in effect. If processed, Tailshift will apply HIPAA Security Rule controls and the TOMs in Section 4.
Frequency & Duration. Continuous/transactional during the term of the Agreement, plus any retention period specified below.
Nature and Purpose of Processing. Provision, operation, maintenance, configuration, support and security of the Services; account administration; troubleshooting; detection/prevention of fraud and abuse; quality and performance optimization; analytics necessary to deliver and improve the Services (without using Customer Personal Data to provide services to another person without authorization); and as otherwise described in the Agreement.
Retention. Tailshift retains Customer Personal Data for the term of the Agreement and deletes or returns it upon termination per Section 5.10, subject to legally required retention and standard backup cycles.
Business Purposes under CCPA (as applicable):
- Helping to ensure security and integrity in a reasonably necessary and proportionate manner.
- Debugging to identify and repair errors that impair intended functionality.
- Performing services on behalf of the business (account servicing, customer service, order processing, analytics, storage, payments if applicable).
- Undertaking internal research for technological development and demonstration.
- Verifying or maintaining the quality or safety of the Services, and improving, upgrading or enhancing the Services.
- Retaining and employing another service provider or contractor as a subcontractor under CCPA requirements.
- Preventing, detecting, or investigating security incidents or malicious, deceptive, fraudulent, or illegal activity.
Processing Locations; Storage; AI/ML. Tailshift may Process Customer Personal Data in the following regions: United States (primarily). If Customer selects a region in product settings (where available), Tailshift will honor that selection. Optional AI/ML features, if enabled by Customer, will Process Personal Data only as necessary to provide those features and not to train generalized models for third-party benefit without Customer’s written authorization.
4. Technical and Organizational Measures (TOMs)
Tailshift maintains an information security program aligned with SOC 2 Type 2 controls and HIPAA Security Rule requirements, including:
Governance & Risk Management
- Designated security leadership and cross-functional privacy committee.
- Documented security, privacy, acceptable use, and access control policies; annual reviews.
- Formal risk assessments; vulnerability management; penetration testing at least annually; patch management; vendor security reviews.
Personnel Security
- Background checks as permitted by law for personnel with access to Customer Personal Data.
- Confidentiality agreements; role-based security/privacy training; least-privilege access; MFA for administrative access.
Access Controls
- Unique IDs and strong authentication (including MFA/SSO); least-privilege and need-to-know access; periodic access reviews; session timeouts; detailed access logging.
Data Security
- Encryption in transit (TLS 1.2+); encryption at rest using industry-standard algorithms.
- Logical tenant isolation; environment segregation (prod/test/dev); secrets management; secure key management.
- Data minimization and pseudonymization where feasible; secure deletion procedures and verified destruction of media.
Network & Infrastructure Security
- Hardened images; configuration management; firewalls/security groups; IDS/IPS and anomaly detection; DDoS protections at cloud edge; time-synchronized logs shipped to centralized logging.
Application Security
- Secure SDLC with code review, dependency scanning and SAST/DAST; change management; segregation of duties; security testing prior to releases.
Resilience & Availability
- Redundancy across availability zones; backups with tested restorations; disaster recovery and business continuity plans with defined RTO/RPO; monitoring and alerting.
Incident Response & Breach Notification
- Documented incident response plan with defined roles; 24×7 monitoring; prompt triage, containment, eradication and recovery; customer notification per Section 5.8 and applicable laws (including HIPAA Breach Notification Rule when PHI is involved).
Subprocessor Management
- Written data protection terms; security reviews prior to onboarding; ongoing monitoring.
Audit & Assurance
- Independent assessments (e.g., SOC 2 Type 2) and provision of reports/summaries under NDA; support for Customer audits as described in Section 5.4.
HIPAA-Specific Controls (if PHI is in scope)
- Administrative, Physical, and Technical Safeguards per 45 C.F.R. §164.308–312; security incident procedures; contingency plans; device/media controls; transmission security; workforce security and sanction policy; BA flow-down to Subprocessors handling PHI.
Annex 2 — Subprocessors
Tailshift currently engages the following Subprocessors to support the Services (subject to change per Section 5.5):
Subprocessor | Purpose | Processing Location | Data Categories | Security/Compliance Notes |
---|---|---|---|---|
AWS | Data storage, Transformation and Calculations | US - East | All categories necessary to host Services | SOC 2 |
SendGrid | Transactional email | US - East | Contact identifiers, notifications | SPF/DKIM/TLS |
AWS CloudWatch | Logging & monitoring | US - East | Metadata, telemetry | Data minimization; retention limits |
Internal (email based) | Ticketing/support | US - East | Contact data, case details | Access controls; MFA |
Annex 3 — Business Associate Agreement (Optional; if PHI is in scope)
If Tailshift will act as Business Associate, the Parties will execute a separate BAA. In summary and without limiting the BAA terms: Tailshift may use and disclose PHI only to perform the Services, for proper management and administration, and as required by law; will implement the HIPAA Security Rule safeguards; will report breaches of unsecured PHI and other security incidents to Customer without unreasonable delay; will ensure any subcontractors that create, receive, maintain or transmit PHI on Tailshift’s behalf agree to equivalent restrictions; and will return or destroy PHI at termination per Customer’s instruction unless infeasible. The executed BAA governs PHI in case of conflict.