Definitions

Capitalized terms shall have the following meanings:
"Access Credentials": any username, password, security key, PIN, or other method used, alone or in combination, to verify a user’s identity and authorization to access and use the Software (as defined below).
“Agreement”: means either the license agreement or the subscription agreement entered into between Provider and Customer.
"Authorized User(s)": an employee, contractor or agent of the Customer that is authorized to use the Software in accordance with the Agreement and these Terms.
“Confidential Information”: any non-public information concerning the business, technology, or operations of a Party (the “Disclosing Party”), including but not limited to: (i) technical data, software, inventions, designs, processes, and algorithms; (ii) business plans, financial information, customer data, marketing strategies, and pricing information; and (iii) any other information identified as confidential or that a reasonable person would understand to be confidential. 
“Customer”: the person or legal entity using of the Software and/or entering into an Agreement.
"Customer Data": input from the Customer or its Authorized Users submitted to, stored in and/or processed by the Software by the Customer.
“Force Majeure Event”: an event or circumstance that prevents or delays a Provider from performing its obligations under the Agreement and that event or circumstance: (i) is not within the reasonable control of Provider and is not the result of Provider’s negligence (including, without limitation, acts of God, natural disaster, acts of government, flood, fire, earthquakes, pandemics, civil unrest, acts of terror or general labor disturbances such as strikes), and (ii) cannot be overcome or avoided by Provider using reasonably diligent efforts.
"Hosted Services": hosting, management, customization, operation, maintenance and/or support services provided by the Provider in SaaS mode.
“Intellectual Property Rights”: any and all rights, titles, and interests in and to intellectual property, whether registered or unregistered, granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection in any part of the world.
"On-Premise": the licensing model of the Software (as defined below), which is installed and operated on the Customer’s infrastructure and the Customer is responsible for its operation, maintenance, and management.
“Provider”: GeneXus S.A., Globant LLC or any other affiliate entities from the Globant group. 
"Provider Materials": all materials, documentation, data, information, libraries, tutorial, demonstration programs and other content provided or made available by the Provider in connection with the Software, including but not limited to user manuals, technical specifications, training materials, reports, and any other deliverables provided under the Agreement.
"Provider Systems": the Provider’s information technology infrastructure, including but not limited to servers, networks, databases, software, hardware, and other systems used to provide the Software, Hosted Services or support under the Agreement.
"SaaS" (Software as a Service): the subscription model of the Software, which is hosted and managed by the Provider and the Customer accesses it remotely over a network on a term-use basis.
“Services”: Hosted Services, support, maintenance and any other services provides by the Provider under the Agreement, including Updates, Provider Materials and access to Provider Systems.
"Software" or “GEAI”: Provider’s proprietary software named Globant Enterprise AI, a middleware that allows access to large language models (“LLMs”), document indexing and built-in observability, and any new versions, updates, revisions, improvements and modifications of the foregoing, developed and/or published by Provider from time to time.
“Terms”: these Terms of Use together with the Agreement and any annexes.
"Third-Party Provider(s)": external providers of services, including cloud or LLM services, as selected by the Customer under an Agreement.
"Updates": new versions, patches, enhancements and/or modifications to the Software that the Provider may make generally available to the Customer, including bug fixes, security updates and new features, as specified under the Agreement. 
 

Specific Terms

The specific terms and conditions applicable to the On-Premises and SaaS versions of the Software are set forth in Annex A or Annex B, respectively, which form an integral part of these Terms.
 

Use of the Software

By using the Software, Customer agrees to these Terms. 
The Provider reserves the right to modify these Terms at any time. The Provider will notify the Customer’s administrator of any material changes, and the Customer is responsible for informing its Authorized Users of such changes. If the Customer continues to use the Software after being notified of changes to these Terms, such use constitutes acceptance of the modified Terms.

Restrictions: The Customer shall not: (i) use the Software for unauthorized or anti-competitive purposes; (ii) transfer the Software to third parties without prior written consent from the Provider. Customer will contact Provider immediately if Customer believes an unauthorized third party may be using Customer's (or Authorized Representative's) account or if Customer's (or Authorized Representative's) account information is lost or stolen. 

Third-Party Libraries: The Software may incorporate third-party libraries, frameworks, or components ("Third-Party Libraries") to enable functionality.  The Provider cannot guarantee the Third Party Libraries are free from all vulnerabilities. The Customer acknowledges hereby that Third-Party Libraries may pose unforeseen security risks and that the Provider is not liable for damages arising from vulnerabilities. 
 

Customer obligations and responsibilities

Operation and management: The Customer acknowledges and agrees that it has and will retain sole control over all access to and use of the Software by its Authorized Users. The Customer shall be solely responsible for: (i) any information, instructions, or materials provided to the Provider or the Software in connection with these Terms; (ii) the results obtained from the use of the Software; and (iii) any conclusions, decisions, or actions based on such use.

Cooperation and Assistance: The Customer shall provide all reasonable cooperation and assistance requested by the Provider to enable the Provider to exercise its rights and perform its obligations under these Terms, including but not limited to: (i) providing access to necessary systems and data; (ii) responding promptly to requests for information or approvals; and (iii) facilitating the installation of Updates or the resolution of technical issues.

Security: The Customer must protect its credentials and systems to prevent unauthorized access to the Software.
Responsibility: The Customer and its Authorized Users are bound by these Terms. The Customer is responsible for ensuring that its representatives and Authorized Users comply with these Terms and for any damages caused by their non compliance. 

Customer-Caused Delays or Failures: The Provider shall not be responsible or liable for any delay or failure in performance caused, in whole or in part, by the Customer’s delay in performing or failure to perform any of its obligations under these Terms. The Provider shall not be liable for any damages, losses, or liabilities arising from the Customer’s failure to comply with its obligations, including but not limited to delays in providing access, information, or approvals necessary for the Provider to perform its obligations.

Use restrictions: The Customer may access and use the Software and Provider Materials solely for the Permitted Use. The Customer shall not, and shall not permit any third party to: (i) copy, modify, or create derivative works of the Software or Provider Materials; (ii) reverse engineer, decompile, disassemble, or attempt to derive the source code of the Software; (iii) rent, lease, lend, sell, sublicense, or otherwise transfer the Software or Provider Materials to any third party; (iv) remove or alter any copyright, trademark, or other proprietary notices from the Software or Provider Materials; or (v) use the Software or Provider Materials for any purpose that is competitive with the Provider’s business or detrimental to its commercial interests. 
Prohibited Activities: In addition to the aforementioned, the Customer shall not: (i) knowingly introduce any harmful or malicious code into the Software or Provider Systems; (ii) use the Software in any hazardous, safety-critical, or unlawful environments; or (iii) access or use the Software beyond the scope of the authorization granted under these Term.
 

Results and Limitations

Dependence on Input Data: The results generated by the artificial intelligence are directly dependent on the quality, relevance, and accuracy of the data provided by the Customer. The Customer acknowledges that if the data used to train or interact with the Software is incomplete, inaccurate, biased, or otherwise unsuitable, the results may be unreliable, misleading, or unhelpful.

No Guarantee of Accuracy: The Provider does not guarantee that the results obtained through the use of the Software will be accurate, complete, or reliable. The Customer is solely responsible for: (i) the selection, quality, and suitability of the data provided to the Software; and (ii) any decisions, actions, or outcomes based on the results generated by the Software. The Customer is solely responsible for validating results before use. By using this Software, the Customer agrees that any decision or action taken based on such information is at their own risk. 

No Liability for Output: The Provider shall not be liable for any damages, losses, or liabilities arising from the Customer’s use of the Software, including but not limited to errors, inaccuracies, or inappropriate decisions made based on the Software’s Output.

Changes and updates 

Right to Modify: The Provider reserves the right, at its sole discretion, to modify the Software or its systems to: (i) maintain or enhance the quality, performance, or cost efficiency of the Software and Services; (ii) comply with applicable laws or regulations; or (iii) improve the competitive strength or market position of the Software and Services. For SaaS, such modifications may include updates to the Hosted Services, which will be implemented by the Provider without requiring action by the Customer. For On-Premises, such modifications will be made available as Updates, which the Customer is responsible for installing.

Notification of Changes: The Provider shall use commercially reasonable efforts to notify the Customer of any material changes to the Software that may affect its functionality or use. However, the Provider is not obligated to provide prior notice for minor updates, bug fixes, or security patches.
 

Suspension, Term and Termination

Suspension: The Provider may immediately suspend Customer's access to the Software without prior notice if: (i) required by law; (ii) the Provider, in good faith, believes there is a security risk or unlawful activity. If access was suspended due to the Provider’s error of fact (not breach), and Customer provides sound evidence within 7 days, access will be restored within 7 business days after verification. For SaaS, suspension may include disabling API keys or user accounts. If suspension is lifted after verification, Provider will extend the subscription term equivalent to the downtime incurred.
Termination for Convenience: Either party may terminate the Agreement with 30 days’ written notice. in the event of a Customer termination for convenience, Customer shall not be entitled to any refund or relief from payment of any fees paid or payable under the Agreement and, if the Subscription Fee is payable monthly, Provider will be entitled to charge the Customer with the Subscription Fee attributable to the corresponding calendar month of the effective date of termination.

Termination for Breach: Either party may terminate the Agreement if the other breaches a material obligation and fails to cure it within 30 days, except that termination will take immediate effect on written notice in the event of a breach of the obligations related to Use Restrictions and Prohibited Activities, Confidentiality or Proprietary Rights.

Termination for Insolvency: Either party may immediately terminate the Agreement in the event the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors (and not dismissed within 60 days thereafter).

Effects of Termination: Upon any termination or expiration of an Agreement or the use of the Software, the Customer shall cease using the Software, Provider Materials and Provider Systems and destroy all copies in Customer’s possession or control. Provider may disable such access or license and immediately cease all use of any Customer Data. Any fees owed to Provider shall further become immediately due and payable even if longer terms have been agreed earlier. 

Survival. All provisions of the Agreement and these Terms, which by their nature should survive termination, will survive termination.
 

Billing and Payments

Fees: The Customer shall pay the agreed fees according to the terms of the Agreement. To the extent permitted by the applicable law, and except as herein included, fees are non-refundable for any reason.
Third-Party Payment Processor Network: Where Customer designates use of a third-party payment processor network, Customer shall be responsible for payment of all fees and charges associated with use of such network (including registration, participation, and payment processing fees) and Provider may invoice for such fees together with the subscription fees or on separate invoice(s).

Taxes: All fees are exclusive of any taxes, levies, or duties. Customer will be responsible for payment of any sales, VAT, GST, or similar taxes applicable to the Services, except taxes based on Provider's net income. If Customer is required by law to withhold taxes on payments: (i) Customer must notify Provider immediately and provide tax receipts to Provider within 30 days; and (ii) Customer will "gross up" payments so Provider receives the full invoiced amount. If Customer claims a tax exemption, it must provide a valid exemption certificate before invoicing.

Late Payment: The Provider may suspend service if the Customer fails to pay fees on time. Unpaid amounts may be subject to interest at the lesser of 1% per month or the maximum permitted by law, plus all collection costs.

Intellectual Proprietary Rights

Provider Ownership:
Provider owns all Intellectual Property Rights related to the Software (including but not limited to patents, copyrights, trademarks, trade secrets, and database rights and derivatives) and Intellectual Property Rights related to all Provider Materials (including deliverables, Updates, enhancements, modifications, and derivative works).  .  Customer does not receive any rights in and to the Software except as explicitly permitted herein. Without limiting the foregoing, Customer will not permit any third party to:  (i) use the Software in a manner that infringes, misappropriates or otherwise violates any party’s intellectual property rights; (ii) modify or create derivative works of the Software; (iii) reverse, assemble, compile, decompile, translate, engage in model extraction or stealing attacks, or otherwise attempt to discover the source code or underlying components of models, algorithms, and systems of the Software (except to the extent such restrictions are contrary to applicable law); (iv) use the Software to develop foundation models or other softwares  that compete with GEAI; (v) use any method to extract data from the Software other than as permitted through the API; or (vii) buy, sell, or transfer API keys from, to or with a third party without GEAI prior written consent.

Customer Content:
Customers and its Authorized Users may provide input to be processed by the Software (“Input”), and receive output generated and returned by the Software based on the Input (“Output”). Input and Output are collectively “Customer Content.” As between the parties and to the extent permitted by applicable law, Customer owns all Customer Content. Provider will only use Customer Content as necessary to provide and maintain the Services, comply with applicable law, and enforce Provider’s safety policies. Customer will ensure that the use of Customer Content will not violate any applicable law or Provider’s Policies.
Customer is solely responsible for the development, content, operation, maintenance, and use of Customer Content.

Similarity of Output: Customer acknowledges that due to the nature of machine learning, the Software may generate the same or similar output for third parties. For the avoidance of doubt, Customer shall not own output generated by third parties.

Improvement of Services:  Artificial intelligence and machine learning models can improve over time to better address specific use cases. Provider may use Customer Content to develop and improve the Software. 

Customer Data: Customer hereby grants to Provider a limited, perpetual, non-exclusive, non-transferable (except in connection with the permitted assignment of this Agreement), and royalty-free license to reproduce, distribute, display and otherwise use the Customer Data for the purposes of (i) providing the Services; and (ii) Provider’s internal business purposes including using such Customer Data in an aggregated and/or de-identified form, including but not limited for running analytics, machine learning, or training AI models, for the purposes of improving the Provider’s services and offerings.

Trademarks: The Customer acknowledges it has no right, title, or interest in the Software’s and or Provider Materials’ trademarks, whether registered or unregistered (collectively the “Trademarks”). The Customer may only use Trademarks as expressly authorized in these Terms , without alteration. Any other use requires the Provider’s prior written consent. The Customer shall not: (i) remove or alter any proprietary notices from the Software or Provider Materials; (ii) claim ownership or register any rights in the Provider’s Intellectual Property; or (iii) use the Trademarks to imply endorsement or affiliation without Provider’s consent.

Feedback. Provider shall be free to use, irrevocably, in perpetuity, for free and for any purpose, all suggestions, ideas, fixed, enhancements and/or feedback, whether oral or in writing, relating to the Software provided to Customer and Authorized Users. Provider may use such feedback without any payment or restriction.
 

Confidentiality duties

Obligations:  The receiving party agrees to: (i) use the Confidential Information solely for the purposes of performing its obligations under these Terms; (ii) disclose the Confidential Information only to its employees, agents, or subcontractors who need to know it and are bound by confidentiality obligations at least as protective as those in these Terms; and (iii) protect the Confidential Information using at least the same level of care it uses to protect its own confidential information, but in no event less than reasonable care.

Exclusions: Confidential Information does not include information that: (i) is or becomes publicly available without breach of these Terms; (ii) was already in the receiving party’s possession without restriction prior to disclosure; (iii) is received from a third party without breach of any confidentiality obligation; (iv) is independently developed by the receiving party without reference to the disclosing Party’s Confidential Information; or (v) is required to be disclosed by law or legal process, provided that the receiving Party notifies the disclosing Party in advance (if permitted by law) and cooperates to limit the disclosure.

Return or Destruction: Upon the Disclosing Party’s request or upon termination of this Agreement, the receiving party shall: (i) promptly return all Confidential Information (including copies) to the Disclosing Party; or (ii) certify in writing that it has destroyed all Confidential Information in its possession or control.
Prior Confidential Information: To the extent the parties exchanged any Confidential Information prior to the execution of the Agreement, such information shall be subject to the confidentiality obligations set forth herein.
 

Limitation of liability

Disclaimers. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL PROVIDER BE LIABLE FOR ANY (I) INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR (II) DAMAGES FOR THE (A) COST OF PROCURING SUBSTITIVE GOODS, OR (B) LOST PROFITS, REVENUE, USE, DATA OR GOODWILL ARISING OUT OF OR IN CONNECTION WITH AN AGREEMENT, THESE TERMS AND/OR THE USE OR THE PERFORMANCE OF THE SOFTWARE WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, AND EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A PARTY’S REMEDIES FAIL THEIR ESSENTIAL PURPOSE. 

Damages Capped. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PROVIDER’S TOTAL CUMULATIVE AGGREGATE LIABILITY FOR ANY AND ALL LIABILITIES, OBLIGATIONS OR CLAIMS ARISING OUT OF OR RELATED TO AN AGREEMENT, THESE TERMS OR THE USE OR THE PERFORMANCE OF THE SOFTWARE WILL NOT EXCEED THE NET AMOUNT PAID BY CUSTOMER UNDER AN ACTIVE SOFTWARE SUBSCRIPTION, LICENSE OR UNDERLYING AGREEMENT GIVING RISE TO THE CLAIM BEFORE THE LIABILITY AROSE (OR NO MORE THAN TEN USD ($10.00) IF THE CUSTOMER OBTAINED SUCH SOFTWARE LICENSE OR SAAS AT NO CHARGE).
 

Indemnification

Customer’s indemnity: Customer agrees to defend, indemnify and hold harmless Provider, and their respective employees, contractors, agents, officers and directors, from and against any and all claims, damages, obligations, losses, liabilities, costs or debt, fines, restitutions and expenses (including but not limited to attorney’s fees and costs incident to establishing the right of indemnification) arising out of or related to (i) products or services that have been developed or deployed with or using the Software  (including results or data generated from such use), or claims that they violate laws, or infringe, violate, or misappropriate any third party right; or (ii) a violation of the terms and conditions of the Agreement or these Terms. If Customer is prohibited by law from entering into the indemnification obligation above, then Customer assumes, to the extent permitted by law, all liability for all claims, demands, actions, losses, liabilities, and expenses (including attorneys’ fees, costs and expert witnesses’ fees) that are the stated subject matter of the indemnification obligation above.

Exclusions: The Provider shall not be held liable for any  IP Claims arising from: (i) modifications made by parties other than  by Provider; (ii) combination of the Software with non-Provider materials; or (iii) any continued use of the Software after being notified of the infringement.

Procedures: The indemnified party must promptly notify the indemnifying party in writing. The indemnifying party controls the defense (including settlements) but cannot settle claims admitting fault without consent. The indemnified party must provide reasonable assistance.

Mitigation Rights: If the Software is subject to an IP Claim, the Provider may, at its option: (i) modify the Software to be non-infringing; (ii) replace it with functionally equivalent software; or (iii) terminate the Agreement and refund prepaid unused fees.

Sole Remedy: This Section states the entire liability of the Provider regarding infringement claims.
 

Warranties and Compliance 

Limited warranty: The Provider warrants that the Software will substantially conform to the Provider Materials. In the event of a material breach of the foregoing warranty, Customer’s exclusive remedy and Customer’s entire liability, shall be for Provider to use commercially reasonable efforts to correct the reported non-conformity within 30 days, or if Customer determines such remedy to be impracticable, Customer at its discretion, may terminate the Agreement and Customer will receive, as its sole remedy, a refund of any fees Customer has pre-paid for use of affected Services for the terminated portion.

Exclusions: The warranty set forth in this section shall not apply if the error was caused by misuse, unauthorized modifications or third-party hardware, software or services, including Third-Party Providers or any use provided on a no-charge or evaluation basis.

Disclaimer: Except for the express warranties stated in this Agreement, the Software and Provider Materials are provided "as is" and "as available". To the maximum extent permitted by law, the Provider disclaims all implied warranties, including but not limited to merchantability, fitness for a particular purpose, non-infringement, and accuracy or reliability of results. The Provider does not warrant that (i) the Software will meet the Customer’s specific requirements; or (ii) the Software will operate uninterrupted or compatible with all third-party systems; or (iv) security measures will prevent all breaches or vulnerabilities. 

Non-Sanctioned Status: The Customer warrants that neither it nor its Affiliates, executive officers, directors, or any individuals or entities with a significant ownership or control interest in the Customer are prohibited from dealing with the Provider under any U.S. law, regulation, or executive order, including those listed on the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Specially Designated Nationals and Blocked Persons List (SDN List). If, at any time during the Agreement's term, the Customer or any of its executive officers, directors, or significant ownership interests is found to be or becomes an individual or entity with whom the Provider is prohibited from dealing under this clause, the Customer must provide immediate written notice to the Provider. The Provider shall then have the right to terminate the Agreement immediately, without fault or liability. In the event of such termination, the Customer shall pay the Provider for any Services rendered prior to the termination date, unless such payment is legally prohibited.

Compliance: Both parties shall comply with all applicable laws and regulations in performing their obligations under these Terms, including but not limited to: (i) Data protection laws (GDPR, CCPA, or local equivalents); (ii) Export control laws (U.S. EAR, SDN List or equivalents); and (iii) Industry-specific regulations if applicable. Neither Party shall, directly or indirectly (z) offer, promise, or give anything of value (money, gifts, travel, entertainment) to government officials (including employees of state-owned entities); political parties or candidates; or any third party to corruptly influence business decisions; or engage in any conduct violating the U.S. Foreign Corrupt Practices Act (FCPA), U.K. Bribery Act 2010; or other applicable anti-corruption laws ("Anti-Corruption Laws"). Each party shall ensure its employees, agents, and subcontractors comply with Anti-Corruption Laws.

General Provisions

Governing Law: These Terms are governed by the laws of the country or state where the Provider is located. The United Nations Convention for the International Sale of Goods does not apply to this Agreement.

Entire agreement: These Terms are the complete and exclusive statement of the mutual understanding of the parties and supersede all previous written and oral agreements and communications relating to the subject matter of these Terms.

Assignment: Customer may not assign the Agreement without the Provider’s written consent.

Severability: If any provision is held invalid or unenforceable, the remainder of these Terms remains in full force. Parties shall negotiate in good faith to replace invalid provisions with valid ones that reflect the original intent.
Interpretation and order of precedence: "Including" means "including without limitation". Headings are for reference only and do not affect meaning. Written notice includes email or electronic communication. In case of conflict, the following order of precedence shall apply: 1° Agreement; 2° these Terms; 3° Exhibits/Attachments.

Notices: All notices hereunder must be in writing and sent to the other party, at the address included in the Agreement. A notice given under these Terms must be: (a) in writing in the English language; (b) sent for the attention of the person, and to the address or email address given in the Agreement.

Waiver: No waiver of any provision is effective unless in writing and signed by the waiving party. Failure to enforce a right does not constitute a waiver of future enforcement. Waivers are strictly limited to the specific instance and terms outlined.

Independent Contractors: Parties are not agents, partners, or joint venturers. Neither Party may bind the other without written consent.
 

EXHIBIT A - Specific Terms for On-Premise

License 

Subject to these Terms and the Agreement, and to the payment of any fees due under the Agreement, the Provider grants the Customer a non-exclusive, non-transferable and non-sublicensable license to use the Software, installed on the Customer’s infrastructure, solely for Customer’s internal business purposes (the “Permitted Use”).

The Provider will provide Updates, patches, and new versions of the Software as part of the Hosted Services.

Control of Services and systems

Setup and Maintenance: The Customer  has sole control over operation, set up and maintenance of its systems in accordance with the Provider Materials to ensure proper access to and use of the Software or Services; and  shall ensure that its systems meet the minimum technical requirements specified by the Provider.

Configuration. Software shall be configured within the limits permitted by the Provider and Customer is responsible for ensuring that such configurations comply with the Provider Materials and these Terms. The Customer shall maintain the systems on which the Software is installed to ensure proper operation and performance.

Customer control. The Customer shall have sole control over the operation, and maintenance of the Software on its infrastructure, including: (i) the Customer’s systems and infrastructure; (ii) the location(s) where the Software is installed and operated; (iii) the configuration and use of the Software; and (iv) the security and access controls for the Software and related systems. Customer Data resides on Customer’s infrastructure unless shared for support.  Provider accesses data only for troubleshooting at Customer’s request; or mandatory Updates. Customer’s indemnity covers claims from local data protection laws due to Customer’s configuration/storage of data. 

Provider control. The Provider shall retain control over: (i) the provision of Updates, patches, and new versions of the Software; and (ii) the provision of set up, support and maintenance services, if agreed under the Agreement. Provided does not warrant performance on unsupported hardware.
Data Breach Incidents : The Provider shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising from or related to any Data Breach of Customer Data that is hosted in the Customer's own infrastructure. This includes, but is not limited to, any loss of data, loss of business, or any other damages resulting from unauthorized access to, or disclosure of, Customer Data.

EXHIBIT B - Specific Terms for SaaS

Right to access and use

Subject to these Terms and the Agreement, and to the payment of any fees due under the Agreement, the Provider grants the Customer a right to access and use the Software solely for the Permitted Use.

Control of Services and systems

Provider control. The Provider shall have sole control over the operation, maintenance and management of the Software and Hosted Services, including: (i) the Provider’s systems and infrastructure; (ii) the location(s) where the Hosted Services are performed; (iii) the deployment, modification and replacement of the Software; and (iv) the performance of support services, maintenance, patches and Updates. 

Customer control. The Customer shall have sole control over:  (i) the access and use of the Software by its Authorized Users; (ii) the configuration of the Software within the limits permitted by the Provider; and  (iii) the data inputted into the Software and the results obtained from its use. The Customer shall ensure that its systems and internet connectivity meet the minimum requirements for accessing the Hosted Services, as specified in the Provider Materials.

Disclaimer. The Customer acknowledges that: (i) the Provider has no control over the data inputted by the Customer or its Authorized Users into the Software; (ii) the Provider is not responsible for the accuracy, completeness, or suitability of the results generated by the Software; and (iii) the Customer is solely responsible for any decisions or actions taken based on the use of the Software.

Third-Party services

Acknowledgement. If the Customer uses Third-Party Provider(s) services, the Customer acknowledges and agrees that: 

• The Provider does not assume any responsibility or liability for the performance, availability, or compliance of Third-Party Providers’ services, nor for the accuracy, quality or regulatory compliance of any LLM from a Third-Party Provider.
• The Provider shall not be responsible for and makes no representations, warranty, express or implied, concerning the extent to whichThird-Party Providers’ services or the output of Third-Party Providers’ LLM’s are appropriate, permissible, lawful, accurate, correct, or otherwise suitable for the Customer or its intended use.

Indemnification. Provider will not indemnify for vulnerabilities in Third-Party Libraries unless they are caused by Provider’s negligence.

No warranty. The Provider does not endorse, guarantee, or assume responsibility for any Third-Party Provider’s service accessible through the Software. The Provider disclaims all liability for: (a) the accuracy, completeness, or reliability of any data processed or generated by a Third-Party Provider; (b) any downtime, interruptions, or failures of Third-Party Provider’s services; and (c) any damages or losses resulting from the Customer’s reliance on Third-Party Provider’s services.  

Service levels and availability

Service Level Agreement (SLA). The Provider shall use commercially reasonable efforts to ensure that the Software is available at least 99.5% of the time, excluding scheduled maintenance and Force Majeure Events in accordance with the terms set forth in https://www.genexus.com/en/pdf-file/sla-genexus-enterprise-ai.

Exceptions to Service Levels. The following events shall not be considered a breach of these Terms, and the Software shall not be deemed unavailable, if the impairment to access results, in whole or in part, from: (i) acts or omissions by the Customer or its Authorized Users, including misuse of Access Credentials or failure to comply with these Terms or the Provider Materials; (ii) the Customer’s failure or delay in fulfilling its obligations under these Terms; (iii) issues with the Customer’s or its Authorized Users’ internet connectivity; (iv) Force Majeure Events, including but not limited to strikes, lockouts, natural disasters, war, riots, or government actions; (v) failures of third-party software, hardware, systems, or networks not provided by the Provider; (vi) scheduled downtime as described below; or (vii) the suspension or termination of the Services in accordance with these Terms.

Scheduled Downtime: The Provider shall use commercially reasonable efforts to: (i) schedule routine maintenance of the Hosted Services between midnight and 06:00 a.m. (Eastern Time); and (ii) provide the Customer with at least 24 hours’ prior notice in Provider’s portal of any scheduled outages.

Customer Data

Accuracy and Legality: The Customer is solely responsible for the accuracy, content, and legality of all Customer Data. The Customer represents and warrants that it has all necessary rights, consents, authorizations and permissions to collect, share, store and use Customer Data as contemplated in these Terms, without violating any third-party rights or applicable laws and regulations.
Privacy Policy: All Customer Data provided will be stored and used in accordance with Provider's Privacy Policy, as may be amended by from time to time.

Compliance with Laws: The Customer agrees to comply with all applicable laws, including data protection and privacy laws, in its use of the Services and the Software. Customer indemnifies Provider for claims arising from unlawful or infringing Customer Data.

Configuration and Security: The Customer is responsible for properly using the Software, as well as taking reasonable measures to secure and protect its accounts and Customer Data. Customer Data shall be stored with logical separation from information of other customers.

Processing of Personal Data: Solely to the extent necessary for the provision of the Services, Provider (in its capacity as Data Processor) may from time to time collect, store, use and process, or otherwise be provided with, or have access to, information and other data of Customer (in its capacity as Data Controller) or of other third parties (where Customer is acting in the capacity of a Data Processor for such third parties) including information and data which may qualify as Personal Data (as defined in Attachment 1) . The parties’ rights and obligations with respect to the Personal Data processing activities shall be subject to Attachment 1.

Attachment 1:  Data Processing Agreement (“DPA”)

In addition to those terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:
“Appropriate Safeguards” means such legally enforceable mechanism(s) for Transfers of personal data as may be permitted under Data Protection Law from time to time;
“Data Controller” means the Customer;
“Data Processing Services” mean the services described in Schedule 1 to this DPA;
“Data Processor” means the Provider;
“Data Protection Law” means all data privacy regulations that are applicable and binding on the Controller, the Processor and/or the Data Processing Services, including, but not limited to the Uruguay’s data protection laws and regulation, EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK Data Protection Act of 2018, and the UK GDPR (“UK GDPR”), Argentina’s Personal Data Protection Law (No. 25.326), California Consumer Privacy Act (“CCPA”);
“Onward Transfer” means a Transfer from one International Recipient to another International Recipient;
“Personal Data” means the information referring to a Data Subject that is processed by the Processor by instruction of the Controller in the context of the provision of Data Processing Services;
“Regulator” means any regulatory body with responsibility for ensuring compliance with Data Protection Law;
“Restricted Transfer” means an overseas transfer to a country that is not subject to an adequacy decision or otherwise requires some form of transfer mechanism to be implemented in order to comply with such Data Protection Law;
“Security Breach” means any actual or suspected compromise of either the integrity, security, physical, technical, administrative or organizational safeguards implemented by Globant that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data;
“Standard Contractual Clauses” means (a) with respect to a Restricted Transfer which is subject to the EU GDPR, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), (b) with respect to a Restricted Transfer subject to the UK GDPR, the International Data Transfer DPA to the EU Commission Standard Contractual of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK IDTA”), (c) with respect to other Restricted Transfer subject to Argentina’s Personal Data Protection Law, the Controller to Processor standard contractual clauses, as set out in Regulation No. 60-E/2016, as may be amended or replaced by the National Directorate for the Protection of Personal Data from time to time (“Argentinian SCCs”), and (d) with respect to Restricted Transfers subject to other Data Protection Laws, such other standard contract clauses as may be required to be implemented between Controller and Processor (“Other Applicable Transfer Clauses”);
“Sub-Processor” means any third party appointed by the Processor to process Personal Data.

References in this DPA to “Data Subject", “Processing”, “Data Protection Officer” and “Transfer” shall have the same meaning as defined in Data Protection Law.

Controller’s Obligations. The Controller shall: 

• Comply with all applicable Data Protection Law;
• Instruct Processor (and authorize Processor to instruct each of its approved Sub-Processors) to process Personal Data;
• Warrant and represent that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out above;
• Warrant and represent that the Personal Data sourced by the Controller for use in connection with Schedule 1 of this DPA, shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Law;
• Perform an assessment of the impact on personal data protection of the processing operations to be conducted by the Processor as required by Data Protection Law;
• Implement the relevant prior consultations;
• Inform the Processor, to the best of Controller’s knowledge, if any Personal Data disclosure is somehow restricted (including but not limited to, any restriction from further disclosure to Controller’s subcontractors and/or any international transfer of the Personal Data allowed hereunder);
• These same obligations apply when Controller is acting as data processor for a different end client.

Processor’s Obligations. The Processor shall:

• Process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes of the Data Processing Services and in accordance with the Controller’s written instructions;
• Keep written records of all categories of processing activities carried out on behalf of the Controller as part of the Data Processing Services, including
• Comply with its obligations as Processor under Data Protection Law including, where necessary, appointing a Data Protection Officer;
• Take appropriate technical and organizational measures, at least equivalent to the technical and organizational measures set out in Schedule 2 of this DPA;
• Notify Controller without undue delay if in the Processor’s opinion any of Controller’s instructions violate Data Protection Law. Processor shall not be liable for not carrying out any allegedly infringing instruction that has been duly notified to Controller until the status of such instruction has been resolved by the Parties. Any notification is provided “as is” and shall not be considered legal advice on behalf of the Processor. The Processor shall have indemnification rights and no liability whatsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses costs, expenses or liabilities arising from or in connection with any processing in accordance with Controller’s processing instructions;
• Ensure that its employees and contractors who have access to Personal Data are subject to appropriate enforceable obligations of confidentiality with regards to Personal Data, at least as restrictive as the ones contained under this DPA and Data Protection Law, and that access to, or use of, Personal Data by such employees and contractors is permitted only where required to perform the Data Processing Services;
  Provide Controller with cooperation and assistance required in relation to the Controller’s obligations under Data Protection Law, considering the nature of the Data Processing Services and the information available to the Processor, including:
  • notifying Controller without undue delay of receipt of any request made by a Data Subject to exercise any of their rights under Data Protection Law, and providing, to the extent that the Processor has it, reasonable and sufficient information and assistance in complying with such requests;
  • assisting with compliance of the Controller’s obligations to report Security Breaches to Regulators and Data Subjects in respect. Processor shall not make any public statement, announcement or comment in relation to any Security Breach without the prior review and written consent of the Controller; and
  • contributing to data protection impact assessments, and, where applicable, prior consultations with Regulators.
  • The Processor shall give written notice to the Controller, without undue delay, of any relevant Security Breach. Processor notice shall not be necessary where it is unlikely that such Security Breach constitutes a risk for the rights and liberties of individuals. The Processor shall without undue delay of the Security Breach, provide all reasonable information, to the extent that Processor has it, as the Controller reasonably requires to report the Security Breach to a Regulator and to notify affected Data Subjects.

Audit. Upon receipt of reasonable prior written notice of at least 10 (ten) Business Days, the Processor shall (and shall ensure all of its sub-processors shall) promptly make available to the Controller such information as is required to demonstrate the Processor’s compliance with its obligations under this DPA and the Data Protection Law, and allow for audits by the Controller for this purpose at the reasonable request the Controller subject to a maximum of one audit request in any 12 (twelve)  month period. 
The Processor shall provide (or procure) access to all relevant premises, documents, personnel and records during normal business hours for the purposes of each such audit and provide and procure all further reasonable cooperation, access and assistance in relation to any such audit.

The Processor need not give access to its premises or share information for the purposes of such an audit:
to any individual unless they produce reasonable evidence of identity and authority; outside normal business hours at those premises; or to any auditor that declines to sign any of the confidentiality agreements required by the Processor or that is a competitor of the Processor.
Under no circumstances shall any of the terms of this DPA be construed as the Processor’s obligation to deliver or disclose to the Controller and/or its auditors any piece of information that: (a) is not strictly related to the Data Processing Services; (b) is related to any of the Processor’s clients other than the Controller; (c) relates to salaries or any other information regarding the Processor’s or the Processor Affiliates’ employees; or (d) relates to the costs of execution of the services provided by Processor.
The Controller shall ensure that it makes reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Processor’s premises, equipment, personnel and business while its personnel are on the Processor’s premises in the course of such audit.

The costs of the audit shall be borne by the Controller. If, as a result of the audit any errors or instances of non-compliance are identified, the Controller shall notify the Processor and grant the Processor a term of 30 (thirty) days to correct the matter.

Sub-Processors. The Processor is hereby authorized to subcontract any of its Affiliates as well as with companies that conduct auxiliary production tasks to develop the services contracted between the parties. The aforementioned subcontractors may be hired by the Processor for the performance of any of its obligations under any relevant DPA, but only to the extent not restricted thereunder. 
The Processor shall ensure that access to Personal Data is limited to the authorized persons who need access to it to provide the Data Processing Services.

The Processor shall, prior to any Sub-processor carrying out any processing activities in respect to the Personal Data, appoint such Sub-processor under a binding written contract containing the same obligations outlined in this DPA and procure compliance by each such Sub-processor of its obligations under such agreement.
The Processor shall remain fully liable to the Controller under this DPA for all the acts and omissions of each of its Sub-processors as if they were its own.

International Transfers. The Controller hereby consents to the Processor Transferring Personal Data for the purpose of the Data Processing Services to any International Recipients, provided all Transfers of Personal Data by the Processor to an International Recipient (including any Onward Transfer) as long as the Transfer is made by way of Appropriate Safeguards and in accordance with Data Protection Law and this DPA; and made pursuant to a written contract, including equivalent obligations on each sub-processor in respect of Transfers to International Recipients as apply to the Processor.

The Processor may transmit the Personal Data to its Affiliates, third parties hired by the Processor in accordance with the Data Protection Law and in relation to the purpose, and to other Processors of the same Controller (“Authorized Parties”) in accordance with the instructions given by the Controller; in which case, the Controller shall previously identify in writing the entity that shall receive the data, the data to be shared and the security measures to apply in order to proceed to the communication.
If the Processor must transfer Personal Data from one country to another or to an international organization, pursuant to and to the extent required by the Data Protection Law, and except to the extent such transfer is to any of the Authorized Parties, it shall previously inform the Controller of such statutory requirement, unless such law prohibits it for important public interest reasons.
To the extent any Restricted Transfer of Personal Data takes place, the terms set forth in Schedule 3 will apply.

Data Deletion. The Processor shall (and shall ensure that each of its Sub-Processors shall) delete all the Personal Data, within 30 days from receiving the request from the Controller, in such form as the Controller reasonably requests once the provision of the relevant Data Processing Services have ended and are no longer required. 
The requirement to delete the data shall not apply to the extent that the Processor (or any of its Sub-processors) is required by applicable statutory or regulatory law, regulation, court order or other similar rules in any relevant jurisdiction, to retain or continue to store the Personal Data.
If so requested in writing by the Controller, the Processor shall provide written confirmation of compliance with this clause.
 

Schedule 1 – Data Processing Services Details

Subject-matter and duration of processing: The subject matter and duration of the Data Processing Services are set out in the Agreement.

Nature and purpose of the processing: Processing personal data to facilitate the services to be provided under the Agreement:

• Hosting
• Collection
• Registration
• Structuring
• Modification
• Maintenance
• Access
• Erasure
• Destruction

Identification of Personal Data:
Categories of Data Subjects: Users, clients, end clients, employees.
Categories of Personal Data: Data used as content for the Software and provision of services. No PHI or other categories of sensitive information is processed.

Processing Instructions: All necessary processing operations to provide the Data Processing Services under this DPA and the services and performance of Processor’s obligations under the Agreement.
 

Schedule 2 – Technical and Organizational Measures
 

Processor is a serious professional software development service provider that adheres to the best practices of cybersecurity and data protection as requested by all its clients. Processor implements several controls (logical and physical) in order to guarantee the security of the information. These controls include but are not limited to:

• Information security policies
• Remote working
• Employees screenings
• Awareness training for its employees.
• Asset management
• Access controls (logical)
• User management
• Operating Systems, Software, Patching and Antivirus
• Network controls
• Backups
• Systems and Applications Logging
• Encryption
• Business Continuity Management (BCM)
• Incident Management

Personal Data is stored in AWS cloud environments. Servers are located in the United States.
 

Schedule 3 - Cross Border Transfer Mechanisms

In the event of a Restricted Transfer to a recipient outside of the EEA, then such transfers shall be governed by Module 2 of the EU SCCs, which shall be entered into and incorporated into this DPA by this reference and the following terms shall apply:

• the optional docking clause in Clause 7 does not apply;
• in Clause 9, Option 2 will apply, the minimum time period for prior notice of Sub-processor changes shall be 5 (five) days, and Processor shall fulfill its notification obligations by notifying Controller of any Sub-processor changes by emailing Controller;
• in Clause 11, the optional language does not apply;
• in Clause 13, all square brackets are removed with the text remaining;
• in Clause 17, Option 1 will apply, governing law shall be the one set out in the DPA;
• in Clause 18, disputes will be resolved before the courts set out in the DPA;
• the information required in Annex 1 of the EU SCCs (Subject Matter and Details of Processing) is attached in this DPA as Schedule 1;
• the information required in Annex 2 of the EU SCCs is contained in Schedule 2.

In the event of a Restricted Transfer to a recipient outside of the UK, then such transfers shall be governed by the UK IDTA, which shall be entered into and incorporated into this DPA by this reference and completed as follows:

•  in Table 1, the parties’ information shall be completed as set out in this DPA;
• in Table 2, the transfer details shall be completed as set out in this DPA;
• in Table 3, the details of the Transferred Data shall be completed as set out in Schedule 1 of this DPA;
• in Table 4, the details of the Security Requirements shall be completed as set out in Schedule 2 of this DPA.

In the event of a Restricted Transfer to a recipient outside of Argentina, then such transfers shall be governed by Appendix II the Argentinian SCCs, which shall be entered into and incorporated into this DPA by reference and Exhibit A (Subject Matter and Details of Processing) shall be completed as set out in Schedules 1 and 2 of this DPA.

In the event of any other Restricted Transfer, such transfers shall be governed by such other applicable transfer clauses as may be required under Data Protection Laws, which shall be entered into and incorporated into this DPA by reference and:

• Schedule 1 to this to this DPA will provide details of the Restricted Transfer;
• Schedule 2 to this DPA will provide the Technical and Organization Measures; and disputes relating to the Restricted Transfer shall be governed by the applicable laws of the country from which the Restricted
• Transfer takes place and resolved before the courts of such country.

EXHIBIT 2
GLOBANT ENTERPRISE AI - PRIVACY POLICY 

1. Scope

This privacy policy (“Policy”) explains how Provider processes personal data from Customer and Authorized Users of our software Globant Enterprise AI (“GEAI” or “Software”).
Capitalized terms not otherwise defined in this Policy shall have the meaning in the Terms of Use. You should read this Policy together with our Terms and Conditions in order to better understand the rules governing the use of our Software.

If you are using the Software in a workplace, or through a device or account issued to you by your employer, that entity (the “Customer”) likely has its own policies regarding storage, access, modification, deletion, and retention of information you submit or provide through the Software. When we process personal data in our role as a data processor on behalf of a Customer, we process personal data in accordance with our contract with the Customer. This means that Customer has the right to control and administer your account and access to the Software and process any data you submit or provide through the Software. Please contact the Customer with any privacy inquiries regarding policies, including any service agreement with Provider, it has in place regarding your use of the Software.
 

2. Personal Data We Collect

While the personal data we collect varies depending upon your use of our Software and our interactions with you, we may collect personal data from you, from third-party sources, and automatically in the following circumstances:
 

Personal Data Collected Directly from You. We may collect the following personal data from you:

• User Account. You will need an account to use and access our Software. You may create your own account, or your account may be assigned to you by an administrator, such as your employer. If you are creating your own account, information is collected when you volunteer to identify yourself, register to our Software and provide requested information. If your account is being assigned to you by an administrator, such administrator (i.e. your employer) will share your personally identifiable information in order to create your account, such as your name and e-mail address.
• Content. Through use of our Software you may provide Customer Data that directly provides information about you to Provider, including input you share with the Software that has any personally identifiable information. Depending on the configuration set up by the Customer, Provider may store a copy of the Content. You hereby warrant that any Customer Data you create or otherwise upload to our Software is not a special category of protected personal information, such as information covered by HIPAA, information classified as sensitive personal information per applicable regulations, nor information subject to industry specific standards such as PCI.
• Customer Service and Support. When you contact us for support or other customer service requests, we maintain support tickets and other records of your requests/ related communications.
• Communications. We collect the information you provide such as contact information and records of our communications.
• Transaction and Billing Information. We collect information when you purchase the Software.
• Surveys. When you fill out a survey, we collect your response, which depends on the type of survey, but may include contact information and your satisfaction with the Software.
• Other Information. We may collect other personal data that you consent to or would reasonably expect based on the nature of the circumstances. 

Personal Data Collected Automatically. When you use our Software, we and third parties may collect personal data including through the use of cookies and other similar technologies such as:

• Device and Browsing Information. When you use our Software, we may collect information, which may be considered personal data under certain laws, such as IP address, browser type, domain names, access times, date/time stamps, operating system, language, device type, unique or online identifier, Internet service provider, referring and exiting URLs, clickstream data, and similar device and browsing information.
• Activities and Usage. We may also collect activity information related to your use of the Software, such as log file information, and other activity and usage information.
• Location Information. We may also collect or derive general location information about you, such as through your IP address.
  For more information please review Section 7 Cookies and Other Tracking Mechanism.
   

3. How We Use Personal Data

Generally, we use personal data for the following purposes:

• Grant you access to the Software.
• Providing the Software and Support. To provide and operate our Software, communicate with you about your use of the Software, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, communicate with you, and for similar service and support purposes.
• Communications. To respond to your questions and fulfill your orders and requests; to send you communications, which you have requested or that may interest you; and to notify you of changes to our Software.
• Analytics and Improvement. To better understand how users access and use the Software, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our Software and business operations, to develop our Software and features, and for internal quality control and training purposes.
• Customization and Personalization. To tailor content we may send or display on the Software, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
• Marketing and Advertising. To send you information about our Software, such as offers, promotions, newsletters and any other information that you sign up to receive; and to manage, analyze, measure and improve our advertising campaigns.
• Research and Surveys. To administer surveys and questionnaires, such as for market research or customer satisfaction purposes.
• Security and Protection of Rights. To protect the Software and our business operations; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our terms or this Policy.
• Legal Proceedings and Obligations. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings.  
• General Business and Operational Support. Related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions.
   

4. Disclosures of Personal Data

In general, we disclose and make available personal data to third parties in the following ways:

• Corporate Affiliates. We may disclose personal data to corporate affiliates as part of our global business operations and for purposes and uses that are consistent with this Policy.
• Customer. If you access the Software as an Authorized User of a Customer, the Customer will access your personal information and any Customer Data you upload to the Software.
• Processors and Service Providers. We may disclose personal data to our service providers who perform Software on our behalf such as IT service providers, hosting providers, etc.
• Third Parties, Platforms, and Software. We may disclose or make available personal data to third-party platforms and providers that we use to provide or make available certain features or portions of the Software, or as necessary to respond to your requests.
• Third-Party Analytics Providers. We may also engage third-party analytics companies to collect information about how you access and use our Software, to improve our Software, and for other research and analytical purposes.
• Compliance, governance and legal requirements. We may disclose personal data to comply with legal and compliance obligations and to respond to legal process and related to legal proceedings. For example, we may disclose personal data in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement. We may also disclose information, including personal data, related to litigation and other legal claims or proceedings, for our internal accounting, auditing, compliance, recordkeeping, and legal functions. In addition, we may disclose the names of sweepstakes and contests winners, in accordance with applicable law.  
• Business Transfers. We may disclose personal data as part of commercial transactions (e.g., mergers, acquisitions, bankruptcy, or other similar business transactions) and in contemplation of such transactions (e.g., due diligence).
• Business partners. We may disclose your personal data with partners who are co-hosting or organizing an event with Provider.
• Other Disclosures. We may disclose your personal data for other purposes, which we will notify you of and/or obtain your consent when required.

Aggregate and/or Deidentified Data. We may use and disclose aggregate, deidentified, and other non-identifiable data related to our business and the Software for quality control, analytics, research, development and other purposes. Where we use, disclose, or process deidentified data we will maintain and use the information in deidentified form and not to attempt to reidentify it except where permitted by law.
 

5. International Data Transfer 

Given Provider’s international presence, your personal data may be transferred within and out of the European Economic Area (EEA). Any international transfers of your personal information will be made in compliance with applicable laws and regulations regarding personal data protection as well as complying with all legal confidentiality and security obligations. Your personal data will not be shared with any third parties that do not have authorization for their processing.

To efficiently provide services, some of our service providers (data processors) are located in countries out of the EEA, or if located in the EEA, they may share information with entities out of the EEA.

When we transfer personal data outside of the EEA, to be processed by companies hired by Provider or affiliates or subsidiaries of Provider, we will comply with the EU General Data Protection Regulation and all applicable data transfer regulations. Specifically, all data transfers will comply with appropriate safeguards. 
 

6. Legal Bases

We are entitled to use your personal data based on (i) our legitimate interest such as for research and development, to market and promote our Software, to protect our legal rights and interests, to the extent that your interests or your fundamental rights are not overridden; (ii) your consent to do so for a specific purpose; or (iii) to process your data to comply with a legal obligation or (iv) a contractual obligation.
 

7. Cookies and Other Tracking Mechanisms

We and other third parties may use cookies and other similar tracking mechanisms to automatically collect information. If collected, we use this information to, for example, analyze and understand how you use and interact with our Software; to identify and resolve bugs and errors in our Software; to assess, secure, protect, optimize, and improve the performance of our Software; and to personalize content on our Software. We may also deidentify or aggregate such information to analyze trends, administer our Software, gather broad demographic information for aggregate uses and for any other lawful purpose.

Cookies. “Cookies” are alphanumeric identifiers used for tracking purposes. Some cookies allow us to make it easier for you to navigate, while others are used to enable a faster log-in process, support the security and performance of the Software, or allow us to track activity and usage data.

Third Party Analytics. We may use third party tools, such as Google Analytics, which are operated by third party companies to evaluate usage of our Software. These third-party analytics companies use cookies, pixels, and other tracking technologies to collect usage data about our Software to provide us with reports and metrics that help us evaluate usage of our Software, improve our Software, and enhance performance and user experience. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/partners/. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.  
 

8. Security

No data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect your personal data, we cannot guarantee or warrant the security of any information collected through our Software. You use Software and provide us with your personal data at your own risk.
 

9. How Long We Retain Your Personal Data 

Your personal data will be retained until such time as needed to fulfill the purposes and uses for which it was collected as outlined in this Policy. If you request we delete your personal data from our databases, please note we may still retain your personal data as necessary to comply with our legal obligations, regulatory requests, resolve disputes, and enforce our agreements.
 

10. Your rights as a data subject

You may exercise your rights of access, rectification, deletion, portability, restricting processing and opposing processing by sending a letter to Provider’s address as outlined below, or by sending an email to privacy@globant.com. In case we need to verify your identity, we may require you to send us a copy of a valid government issued identification document.

In case you consider your request has not been properly responded to you may file a complaint with the competent authority. However, we recommend that prior to filing any complaint with the competent authority, you reach out to our Data Protection Officer by sending an email to privacy@globant.com in order to review the specific situation and try, if possible, to find an amicable and efficient solution.
 

11. Personal Data of Minors 

Our Software is not designed for minors, and we do not knowingly collect personal data from minors.
 

12. External Links

Our Software may contain links to third-party websites or features. Any access to and use of such linked websites or features is not governed by this Policy, but instead is governed by the privacy policies of those third parties. We are not responsible for the information practices of such third parties, including their collection of your personal data. You should review the privacy policies and terms for any third-party websites before proceeding to those websites or using those features.
 

13. California Notice at Collection and Privacy Rights

This section of the Policy (the “California Privacy Notice”) provides additional information for California residents (“you”) and describes our information practices pursuant to applicable California privacy laws, including the California Consumer Privacy Act and the regulations issued thereto, each as amended (the “CCPA”). 

In this section, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. This section does not address or apply to our handling of publicly available information or Personal Information that is otherwise exempt under the CCPA.

Categories of Personal Information Collected and Disclosed. The following table identifies the categories of Personal Information we may collect about you (and may have collected in the prior 12 months), as defined by the CCPA, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose. Depending on how you use the Software, we may collect and disclose the following categories of Personal Information. For more information, please see Section 3 How We Use Personal Data and Section 4 Disclosures of Personal Data sections above. 
 

Sale and Sharing of Personal Information. Additionally, the CCPA defines "sale" as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available Personal Information to a third party for purposes of cross-contextual behavioral advertising. We do not sell or share Personal Information.

Sources of Personal Information. As further described in Section 2: Personal Data We Collect, we collect Personal Information from the following sources: directly from you; advertising networks; data analytics providers; social networks; internet service providers; operating systems and platforms; affiliated entities; and government entities.

Retention. We retain the Personal Information we collect only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection. We retain Personal Information as necessary to comply with our tax, accounting and recordkeeping obligations, to provide you with the services you have requested, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, and comply with our legal obligations. In some cases, rather than delete your Personal Information, we may deidentify or aggregate it and use it in compliance with the CCPA.

Purposes for Collecting, Using, Disclosing, and Processing Personal Information. As more fully described in the Section 3 How We Use Personal Data, we collect, use, and otherwise process the above categories of Personal Information to provide our Software to you, respond to and fulfill your requests, as otherwise directed or consented to by you, and for the following business and commercial purposes: to provide Software and support, communications, analytics and improvement, customization and personalization, marketing and advertising, events, research and studies, security and the protection of rights, legal proceedings and obligations, and general business and operational support.

Sensitive Personal Information. We do not use or disclose Sensitive Personal Information beyond the purposes authorized by the CCPA. 

California Residents Rights. The CCPA provides you with certain rights regarding your Personal Information. Please note that these rights are subject to certain conditions and exceptions.

Right to Know/Request Access. With respect to the Personal Information we have collected about you in the prior twelve (12) months, you have the right to know:

• The categories of Personal Information we collected about you;
• The categories of sources from which we collected your Personal Information;
• The business or commercial purposes for collecting, selling, or sharing your Personal Information;
• The categories of third parties to whom we have disclosed your Personal Information; and
• The specific pieces of your Personal Information we have collected.

Right to Delete. You have the right to request we delete your Personal Information.
Right to Correct. You have the right to request that we correct inaccuracies in your Personal Information.
Right to Opt-Out of Sales and Sharing. We do not sell or share Personal Information.
Right to Limit Use of Sensitive Personal Information. We do not engage in uses or disclosures of “Sensitive Personal Information” that would trigger the right to limit use of Sensitive Personal Information under the CCPA.
Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.

Exercising Your Rights. If you are a California resident and would like to exercise your CCPA rights, you may do so via any of the methods described below:

• Calling us at 1-833-765-7776
• Emailing us at privacy@globant.com
   

Verification. Before responding to your request, we must first verify your identity using the Personal Information you recently provided to us. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.
Authorized Agents. You may designate someone as an authorized agent to submit requests and to act on your behalf. Authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify the identity and the authority of the authorized agent.
 

14. Brazilian Privacy Statement

Data collected and/or processed in Brazil, or other data processed in relation to people and/or Software located in Brazil, shall be also subject to the provisions of Brazilian General Data Protection Law (Law nr. 13.709/2018 – Lei Geral de Proteção de Dados Pessoais or LGPD). Any requests regarding data protection in Brazil shall be directed to the email privacy@globant.com. Our person “in charge” (encarregado, in accordance with Art. 41, §1º, LGPD) is Mr. Bryan Longo, lawyer at Clasen & Casado Filho Sociedade de Advogados.
 

15. Changes to this Policy

If we change or update our Policy, we will inform you of any relevant changes to our Policy. Your continued use of the Software is subject to our most up-to-date Policy.
 

16. Contact Us 

If you have questions or concerns regarding the way in which your personal data is being processed or this Policy, please email us at privacy@globant.com.