This Main Cloud Services Agreement (the “MCSA”) is entered into as of the Effective Date between Segmind Inc. (“Segmind” or “we”) and Customer (as defined below). This agreement, together with any other Agreements that reference this Agreement (MCSA), governs the Customer’s use of the Segmind Services (the “Platform Services”), on each cloud service where Segmind directly provides customers with access to such Platform Services. Unless otherwise indicated, capitalized terms have the meaning assigned to them in this MCSA or in an incorporated Schedule. In the event of any conflict or inconsistency in the definition or interpretation between the body of this Agreement, the Schedules, and/or Schedules, between Schedules, or between Schedules such conflict or inconsistency shall be resolved by giving precedence first to the body of this Agreement, and then to the Schedules.
1.Definitions
2.Platform Services.
1.Use Authorization
Customer and its Authorized Users may, subject to this Agreement, access and use the Segmind Platform Services on any permitted Cloud Service Provider solely for Customer’s internal business purposes.
2.Cloud Service Providers
A list of, and applicable information relating to the use of the Platform Services on, such Cloud Service Providers is set forth in the Cloud Provider Directory shared below:
a.Amazon Web Services (AWS)
b.Lambda Inc.
c.Google Cloud Platform (GCP)
d.Microsoft Azure
3.Modifications and Updates
Segmind reserves the right to improve or otherwise modify the Platform Services and its System architecture at any time subject to maintaining appropriate industry standards of practice relating to the provision and security of the Platform Services, and provided that any such modification does not materially diminish the core functionality or security of the Platform Services.
2.Authorized Users.
1. On-boarding Authorized Users.
You must obtain separate credentials (e.g., user IDs, email, or similar unique identifiers and passwords) via the Platform Services for each Authorized User and may not permit the sharing of Authorized User credentials.
2. Your Responsibilities Regarding Authorized Users.
You will at all times be responsible for and expressly assume the risks associated with all users of the Platform Services under an Authorized User’s account (including for the payment of fees related to such use), whether such action was taken by an Authorized User credentials.
3.Usage Limits.
1.You will not (and will not permit your Authorized Users to):
1.violate the Acceptable Use Agreement or use the Platform Services other than in accordance with the Documentation;
2.copy, modify, disassemble, decompile, reverse engineer, or attempt to view or discover the source code of the Platform Services, in whole or in part, or permit or authorize a third party to do so, except to the extent such activities are expressly permitted by the Agreement or by law notwithstanding this prohibition;
3.sell, resell, license, sublicense, distribute, rent, lease, or otherwise provide access to the Platform Services to any third party except to the extent explicitly authorized in writing by Segmind;
4.use the Platform Services to develop or offer a service made available to any third party that could reasonably be seen to serve as a substitute for such third party’s possible purchase of any Segmind product or service;
5.transfer or assign any of your rights hereunder; or
6.during any free trial period granted by Segmind, including during the use of any Beta Service, use the Segmind Services for any purpose other than to evaluate whether to purchase the Segmind Services.
4.Customer Content
1.Ownership.
As between you and Segmind, you retain all ownership or license rights in Customer Content, which shall be deemed your Confidential Information.
2.Limits on what Customer Content may Contain.
You agree that you may not include in Customer Data or Customer Instructional Input, or generate any Customer Results that include:
1.any data for which you do not have all rights, power and authority necessary for its collection, use and processing as contemplated by the Agreement;
2.any data that is prohibited by the Acceptable Use Agreement;
3.Usage Data.
You acknowledge and agree that, notwithstanding anything to the contrary in the Agreement, Segmind may collect usage data and telemetry regarding your Authorized Users’ use of the Platform Services and that such usage data may occasionally contain Customer Instructional Input (e.g., it may contain the queries entered by an Authorized User) but will not contain Customer Data or Customer Results (“Usage Data”). Segmind will not share (other than with third parties providing services to Segmind who agree in writing to terms at least as restrictive regarding the processing of Usage Data as those set forth in the Agreement) or publicly make available any Usage Data that identifies Customer, or any of its Authorized Users, other data subjects, or customers, nor use any Usage Data in a manner that derives its value from the unique aspects of your Customer Instructional Input.
5.Security.
1.Shared Responsibility.
Customer acknowledges that the Platform Services operate according to a shared responsibility model that requires both parties to take reasonable security precautions relating to the Platform Services and the protection of Customer Content.
2.Different Architectures.
Segmind provides the Platform Services according to different architectural models depending on the specific feature being used by the Customer, as further described in the Documentation. Accordingly, Customer acknowledges and agrees that different portions of the Platform Services are and may in the future be subject to terms that provide for different rights and responsibilities of the parties.
3.Segmind Responsibilities.
Segmind shall implement administrative, physical, and technical safeguards to protect the security of the Platform Services and the Customer Content as set forth in the Security policy (“Security Measures”).
4.Customer Responsibilities.
Customer shall:
1.use commercially reasonable efforts to ensure that its Authorized Users review the portions of Documentation relevant to the Customer’s use of the Platform Services and any security information published by Segmind and referenced therein that is designed to assist the Customer in securing Customer Content;
2.remain at all times fully responsible for all Customer Instructional Input and any consequences arising from Segmind’s execution of such Customer Instructional Input except to the extent caused by Segmind’s breach of its Security Measures or gross negligence or willful misconduct;
3.configure the Platform Services in an appropriate way taking into account the sensitivity of the Customer Content that Customer chooses to process using the Platform Services; and
4.ensure that Segmind at all times has updated and accurate contact information for the appropriate person for Segmind to notify regarding data security issues relating to the Segmind Services, with such contact information to be updated in each order form and any subsequent changes to be provided by email to contact@segmind.com (with “Contact Change” in the subject).
3.Support Services.
Segmind will provide you with the level of Support Services specified on an order form in accordance with the Support Policy. If Support Services are not specified on an order form, your support shall be limited to public documentation and forums.
4.Compliance with Laws; Data Protection.
1.By Segmind.
Segmind will provide the Platform Services in accordance with its obligations under laws and government regulations applicable to Segmind’s provision of the Platform Services to its customers generally, including, without limitation those related to data protection and data privacy, without regard to Customer’s particular use of the services and subject to Customer’s use of the Segmind Services in accordance with the Agreement.
2.By Customer.
You represent and warrant to Segmind that your use of Segmind Services will comply with all applicable laws, including without limitation any privacy or data protection laws applicable to your use of the Platform Services to process Personal Data.
5.Suspension; Termination.
1.Suspension.
Segmind may temporarily suspend any or all Platform Services Workspaces at any time: (a) immediately without notice if Segmind reasonably suspects that you have violated your obligations under Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities) or Section 4 (Compliance with Laws; Data Protection) in a manner that may cause material harm or material risk of harm to Segmind or to any other party; (b) upon five (5) business days’ notice if Segmind reasonably suspects that you have committed any other violation of Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities), or Section 4 (Compliance with Laws; Data Protection); or (c) upon five (5) business days’ notice if you fail to pay undisputed Fees after receiving notice that you are delinquent in payment.
2.Termination; Workspace Cancellation.
Segmind may terminate any or all of the Platform Services Workspaces and this Agreement for material breach of the Agreement or this Agreement, including without limitation your breach of Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities), or Section 4 (Compliance with Laws; Data Protection). If this Agreement is terminated for any reason or upon your written request, Segmind may cancel your accounts. Segmind will delete all Customer Content contained within a Workspace within thirty (30) days following the cancellation of such account. Upon termination of the Agreement for any reason, you will delete all stored elements of the Platform Services from your Systems.
3.Pay-as-you-go service
Notwithstanding anything in the Agreement to the contrary, Segmind may suspend or terminate any pay-as-you-go Services account, and delete any Customer Content relating to such account that may be stored within the Platform Services or other Segmind Systems, upon thirty (30) days’ prior written notice (over email) if Segmind reasonably determines the account is inactive as set forth in the Acceptable Use Agreement.
4.Notice.
Notice under this Section 5 (Suspension; Termination) may be provided by email sent to a person the party providing notice reasonably believes to have responsibility for the other party’s activities under the Agreement.
6.Warranty; Warranty Remedy.
1.Multi-Cloud Platform Services Warranty.
In addition to any other express warranties stated elsewhere in this agreement, Segmind warrants that, during the term of an order form for Platform Services: (a) the Platform Services will function substantially in accordance with the Documentation, and (b) it will employ commercially reasonable efforts in accordance with industry standards to prevent the transmission of malware or malicious code via the Platform Services not caused by Customer or its Authorized Users.
2.Multi-Cloud Platform Services Disclaimer.
THE WARRANTIES IN SECTION 6.1 (MULTI-CLOUD PLATFORM SERVICES WARRANTY) ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, REGARDING SEGMIND AND SEGMIND’S SERVICES PROVIDED HEREUNDER. SEGMIND AND ITS LICENSORS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, CONDITIONS AND OTHER TERMS, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN: (a) ANY SERVICES PROVIDED UNDER ANY FREE TRIAL PERIOD ARE PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND; (b) WITHOUT LIMITATION, SEGMIND DOES NOT MAKE ANY WARRANTY OF ACCURACY, COMPLETENESS, TIMELINESS, OR UNINTERRUPTABILITY, OF THE PLATFORM SERVICES; (c) SEGMIND IS NOT RESPONSIBLE FOR RESULTS OBTAINED FROM THE USE OF THE PLATFORM SERVICES OR FOR CONCLUSIONS DRAWN FROM SUCH USE; AND (d) SEGMIND WILL TAKE REASONABLE EFFORTS TO RESTORE LOST OR CORRUPTED CUSTOMER INSTRUCTIONAL INPUT DESCRIBED THEREIN SHALL BE SEGMIND’S SOLE LIABILITY AND YOUR SOLE AND EXCLUSIVE REMEDY IN THE EVENT OF ANY LOSS OR CORRUPTION OF CUSTOMER CONTENT IN CONNECTION WITH THE SEGMIND SERVICES.
3.Multi-Cloud Platform Services Warranty Remedy.
FOR ANY BREACH OF THE WARRANTIES IN SECTION 6.1 (MULTI-CLOUD PLATFORM SERVICES WARRANTY), YOUR EXCLUSIVE REMEDY AND SEGMIND’S ENTIRE LIABILITY WILL BE THE MATERIAL CORRECTION OF THE DEFICIENT SERVICES THAT CAUSED THE BREACH OF WARRANTY, OR, IF WE CANNOT SUBSTANTIALLY CORRECT THE DEFICIENCY IN A COMMERCIALLY REASONABLE MANNER, SEGMIND WILL END THE DEFICIENT SERVICES AND REFUND TO YOU THE PORTION OF ANY PREPAID FEES PAID BY YOU TO SEGMIND APPLICABLE TO THE PERIOD FOLLOWING THE EFFECTIVE DATE OF TERMINATION.
7.Additional Indemnities.
In addition to the Customer indemnities set forth in the MCSA, Customer’s obligation to defend and indemnify Segmind Indemnitees will include a Claim Against Segmind arising from any Customer Content or its use with the Segmind Services, including any claim that such Customer Content infringes or misappropriates such party’s Intellectual Property Rights.
This acceptable use agreement (“AUA”) sets forth certain restrictions relating to the access to, and use of, the Segmind Services by you or someone on your behalf under your agreement with Segmind applicable to the Segmind Services. The restrictions set forth in this AUA are not exhaustive. Any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. This AUA may be updated by Segmind from time to time upon reasonable notice, which may be provided through the Segmind Services or by posting an updated version of this AUA. Updates of the AUA become binding, including on existing users, on the later of the date specified in the updated AUA or thirty (30) days after posting. Any modification to the AUA within an update will relate solely to restrictions on use of, and access to, the Segmind Services. Any violation of this AUA may result in the suspension or termination of your access to and use of the Segmind Services.
You shall not (and shall not permit your Authorized Users to):
1.attempt to access, search, or create accounts for any of our services by any means other than our publicly supported interfaces or as otherwise authorized by us;
2.create multiple accounts for the purpose of extending your free trial;
3.interfere with or disrupt (or attempt to interfere with or disrupt) the Segmind Services, or gain (or attempt to gain) access to any Systems that connect thereto (except as required to appropriately access and use the Segmind Services);
4.use the Segmind Services to violate the security or integrity of, or otherwise abuse, any System of any party (including without limitation the Platform Services or Support Services), including but not limited to gaining unauthorized access to any System (including attempting to probe, scan, monitor, or test the vulnerability of a System), forging any headers or other parts of any message describing its origin or routing, interfering with the proper functioning of any System (including any deliberate attempt by any means to overload a System), implementing denial-of-service attacks, operating non-permissioned network services (including open proxies, mail relays or recursive domain name servers), using any means to bypass System usage limitations, or storing, transmitting or installing malicious code;
5.use the Segmind Services to distribute or facilitate the sending of unsolicited or unlawful (i) email or other messages, or (ii) promotions of any kind;
6.use the Segmind Services to engage in or promote any other fraudulent, deceptive or illegal activities;
7.use the Segmind Services to process, store or transmit material, including any Customer Data, in violation of any Law or any third party rights, including without limitation privacy rights;
8.provide a custom deployment name for your Workspace that might reasonably be considered inappropriate or that includes the tradename of any third party unless such party has provided you with express writing permission;
9.disclose any benchmarking of the Segmind Services; or
Segmind may modify cluster, project and instance names if they are found to be in violation of this AUA.
Inactive pay-as-you-go accounts:
If an account for which Segmind is providing pay-as-you-go Services is found to be inactive, the account may be suspended or terminated by Segmind, and any Customer Content relating to such account that is stored within the Subscription Services or other Segmind Systems may be deleted. Segmind will provide at least 15 days' notice (in accordance with the Agreement) prior to permanently deleting your account unless we deem it reasonably necessary to suspend or terminate your account without notice. For the avoidance of doubt, if we determine that the email associated with your account is invalid (e.g., because it bounces upon our notification of inactivity), we may terminate your account without further notice.
An account may be considered inactive if:
●No Customer Authorized User has logged into the account for at least three months;
●No Customer Instructional Input was ever created within or input into the account and at least three months have passed since the account was established; or
●If your account is set up to be paid by credit card, you (i) did not provide a valid credit card number or (ii) failed to update an expired or invalid credit card number and at least three months have passed without a valid credit card number on file, provided that for the avoidance of doubt this provision does not limit Segmind’s right to terminate your account for non-payment relating to actual usage.
This Security Policy is incorporated into and made a part of the written agreement between Segmind, Inc. (“Segmind”) and the Customer that references this Security policy (“Agreement”).
Segmind maintains a comprehensively documented security program that is based on an industry-standard security framework. Pursuant to the Security Program, Segmind implements and maintains administrative, physical, and technical security measures to protect the Platform Services and Support Services and the security and confidentiality of Customer Content (including any Customer Personal Data that may be contained therein) (each as defined in the Agreement) under Segmind’s control that is processed by Segmind in its provisioning of the Platform Services or Support Services (the “Security Measures”).
Segmind’s compliance with this policy shall be deemed to satisfy any more general measures included within any Agreement.
In accordance with its Security Program, Segmind will, when any Customer Content is under its control: (i) comply with the Security Measures identified below with respect to such Customer Content, and (ii) where relevant, keep documentation of such Security Measures.
Segmind regularly tests and evaluates its Security Program, and may review and update this Security policy at any time without notice, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.
1.Deployment Model
1.Shared Responsibility.
Segmind operates in a shared responsibility model, where both Segmind and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.
2.Architecture.
Segmind is a hybrid platform-as-a-service offering. The components responsible for managing and controlling the Platform Services are referred to as the ‘Segmind Control Plane’ and are hosted within a Segmind Cloud Service Provider account. The compute resources that perform data processing operations are referred to as the ‘Data Plane’. For certain Cloud Service Providers, the Data Plane may either be deployed in the Customer’s Cloud Service Provider account (known as the ‘Customer Data Plane’) or, for Segmind Serverless Compute, in a Segmind-controlled Cloud Service Provider account (known as the ‘Segmind Data Plane’). Data Plane shall refer to both Customer Data Plane and Segmind Data Plane unless otherwise specified.
3.Compute Resources.
Compute resources are created and coordinated by the Segmind Control Plane and deployed into the Data Plane. Compute resources are launched as new virtual machines that leverage the latest base image and Segmind source code and do not have data from previous machines. When compute resources terminate, the data on their local hard drives is overwritten by Segmind or by the Cloud Service Provider.
4.Data Storage of Customer Content.
1.Customer Control.
Most Customer Data is stored within the Customer’s own Cloud Service Provider account at rest (e.g., within Customer’s AWS S3 bucket or AWS EBS Storage) or within other Systems under the Customer’s control. Customers may choose where this Customer Data resides. Please see the Documentation for more details.
2.Segmind Control.
Small amounts of Customer Data may be stored within the Segmind Control Plane, including Customer Results and metadata about Customer Data (e.g., contained within the meta store). Segmind offers Customers options regarding the storage of certain Customer Content within the Platform Services (e.g., the location of Customer Results created by the use of interactive notebooks). Please see the Documentation for more details.
2.Customer Instructional Input. Customer Instructional Input is stored at rest within the Segmind Control Plane.
2.Deployment Region. Customers may specify the region(s) where their Platform Services Workspaces are deployed. Customers can choose to deploy the Data Plane into any supported Segmind region. The Segmind Control Plane may not be deployed into the same region. Segmind will not, without Customers’ permission, move a Customer's Workspace into a different region.
3.Segmind’s Audits & Certifications. Segmind uses independent third-party auditors to assess the Segmind Security Program at least annually.
4.Administrative Controls
1.Governance. Segmind’s Chief Security Officer leads Segmind’s Information Security Program and develops, reviews, and approves (together with other stakeholders, such as Legal, Human Resources, Finance, and Engineering) Segmind’s Security Policies (as defined below).
2.Change Management. Segmind maintains a documented change management policy, reviewed annually, which includes but is not limited to, evaluating changes of or relating to systems authentication.
3.Personnel Training. Personnel receive comprehensive training on the Security Policies upon hire and refresher training is given annually. Personnel are required to certify and agree to the Security Policies and personnel who violate the Security Policies are subject to disciplinary action, including warnings, suspension, and up to (and including) termination.
4.Personnel Screening and Evaluation. All personnel undergo background checks prior to onboarding (as permitted by local law), which may include, but are not limited to, criminal record checks, employment history verification, education verification, and global sanctions and enforcement checks. Segmind uses a third-party provider to conduct screenings, which vary by jurisdiction and comply with applicable local law. Personnel are required to sign confidentiality agreements.
5.Monitoring & Logging. Segmind employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.
6.Access Review. Active users with access to the Platform Services are reviewed at least quarterly and are promptly removed upon termination of employment. As part of the personnel offboarding process, all accesses are revoked and data assets are securely wiped.
7.Third-Party Risk Management. Segmind assesses the security compliance of applicable third parties, including vendors and sub-processors, in order to measure and manage risk. This includes, but is not limited to, conducting a security risk assessment and due diligence prior to engagement and reviewing external audit reports from critical vendors at least annually. In addition, applicable vendors and sub-processors are required to sign a data processing agreement that includes compliance with applicable data protection laws, as well as confidentiality requirements.
5.Physical and Environmental Controls
1.Cloud Service Provider Data Centers. Segmind regularly reviews Cloud Service Provider audits conducted in compliance with ISO 27001, SOC 1, SOC 2, and PCI-DSS. Security controls include, but are not limited to the list below:
1.Biometric facility access controls
2.Visitor facility access policies and procedures
3.24-hour armed physical security
4.CCTV at ingress and egress
5.Intrusion detection
6.Business continuity and disaster recovery plans
7.Smoke detection sensors and fire suppression equipment
8.Mechanisms to control temperature, humidity, and water leaks
9.Power redundancy with backup power supply
6.Systems & Network Security
1.Platform Controls.
1.Isolation.
Segmind leverages multiple layers of network security controls, including network-level isolation, for separation between the Segmind Control Plane and Customer Data Plane, and between Workspaces within the Segmind Data Plane.
2.Firewalls & Security Groups.
Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider’s account. Segmind also configures local firewalls or security groups within the Customer Data Plane.
3.Hardening.
1.Segmind employs industry standards to harden images and operating systems under its control that are deployed within the Platform Services, including deploying baseline images with hardened security configuration such as disabled remote root login and isolation of user code. Images are regularly updated and refreshed.
2.For Systems under Segmind control supporting the production data processing environment, Segmind tracks security configurations against industry-standard baselines such as CIS and STIG.
4.Encryption
1.Encryption of data-in-transit.
Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the Segmind Control Plane and (2) the Segmind Control Plane and the Data Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt communications between clusters within the Data Plane.
2.Encryption of data-at-rest.
Customer Content is encrypted using cryptographically secure protocols (AES-128 bit, or the equivalent or better) while at rest within the Segmind Control Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt at rest Customer Content within the Data Plane.
3.Review.
Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.
4.Customer Options; Responsibilities.
Customers may choose to leverage additional encryption options for data in transit within the Customer Data Plane or Segmind Data Plane as described in the Documentation. Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer Systems to encrypt Customer Content where appropriate.
5.Monitoring & Logging
1.Intrusion Detection Systems
Segmind leverages security capabilities provided natively by Cloud Service Providers for security detection.
2.Audit Logs.
1.Generation. Segmind generates audit logs from Customer’s use of the Platform Services. The logs are designed to store information about material events within the Platform Services.
2.Delivery. Customers may, depending on the entitlement tier of the Platform Services, enable delivery of audit logs. It is Customer’s responsibility to configure this option.
3.Integrity. Segmind stores audit logs in a manner designed to protect the audit logs from tampering.
4.Retention. Segmind stores audit logs for at least one year.
6.Penetration Testing. Segmind conducts third-party penetration tests at least annually, employs in-house offensive security personnel, and also maintains a public bug bounty program.
7.Vulnerability Management & Remediation. Segmind regularly runs authenticated scans against representative hosts in the SDLC pipeline to identify vulnerabilities and emerging security threats that may impact the Data Plane and Segmind Control Plane. Segmind will use commercially reasonable efforts to address critical vulnerabilities within 14 days, high severity within 30 days, and medium severity within 60 days measured from, with respect to publicly declared third party vulnerabilities, the date of availability of a compatible, vendor-supplied patch, or for internal vulnerabilities, from the date such vulnerability is confirmed. Segmind leverages the National Vulnerability Database’s Common Vulnerability Scoring System (CVSS), or where applicable, the U.S.-Cert rating, combined with an internal analysis of contextual risk to determine criticality.
8.Patching.
1.Control Plane. Segmind deploys new code to the Segmind Control Plane on an ongoing basis.
2.Data Plane. New Data Plane virtual machines use the latest applicable source code and system images upon launch and do not require Segmind to patch live systems. Customers are encouraged to restart always-on clusters on a periodic basis to take advantage of security patches.
9.Segmind Personnel Login to Customer Workspaces. Segmind utilizes an internal technical and organizational control tool that permits Segmind personnel to log in to a Customer Workspace to provide support to our Customers and permits limited Segmind engineering personnel to log in to certain Platform Services infrastructure. Customers may optionally configure certain limitations on the ability for Segmind personnel to access Customer Workspaces.
2.Corporate Controls.
1.Access Controls
1.Authentication. Segmind personnel are authenticated through single sign-on (SSO), 802.1x (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication. Privileges are consistent with least privilege principles. Security Policies prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. If your identity provider supports the SAML 2.0 protocol, you can use Segmind’s SSO to integrate with your identity provider.
2.Role-Based Access Controls (RBACs). Only authorized roles are allowed to access systems processing customer and personal data. Segmind enforces RBACs (based on security groups and access control lists) and restricts access to Customer Content based on the principle of ‘least privilege’ and segregation of responsibilities and duties.
2.Pseudonymization. Information stored in activity logs and databases is protected where appropriate using a unique randomized user identifier to mitigate the risk of re-identification of data subjects.
3.Workstation Controls: Segmind enforces certain security controls on its workstations used by personnel, including:
1.Full-disk encryption
2.Anti-malware software
3.Automatic screen lock after 15 minutes of inactivity
4.Secure VPN
7.Incident Detection & Response
1.Detection & Investigation. Segmind’s dedicated Detection engineering team deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team (SIRT) for triage and response. The SIRT employs an incident response framework to manage and minimize the effects of unplanned security events.
2.Security Incidents; Security Breaches. “Security Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data under Segmind control. A “Security Incident” is any actual or attempted breach of security that does not rise to the level of a Security Breach. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. Segmind maintains a record of known Security Incidents and Security Breaches that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed Security Incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed Security Incidents, Segmind will take appropriate, reasonable steps to minimize product and Customer damage or unauthorized disclosure. All incidents are logged in an incident tracking system that is subject to auditing on an annual basis.
3.Communications & Cooperation. In accordance with applicable data protection laws, Segmind will notify the Customer of a Security Breach for which that Customer is impacted without undue delay after becoming aware of the Security Breach, and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.
8.Backups, Business Continuity, and Disaster Recovery
1.Business Continuity and Disaster Recovery. Segmind Business Continuity (BC) and Disaster Recovery (DR) plans are reviewed and drills are conducted annually.
2.Data Resiliency. Segmind performs backups for the Segmind Control Plane (including any Customer Instructional Input stored therein), generally managed by the Cloud Service Provider capabilities, for data resiliency purposes in the case of a critical systems failure. While Segmind backs up Customer notebooks that persist in the Segmind Control Plane as part of the resiliency of its systems, those backups are maintained only for emergency recovery purposes and are not available for Customers to use on request for recovery purposes.
3.No Data Restoration. Due to the hybrid nature of the Segmind Platform, Segmind does not provide backup for Customer Content, and Segmind is unable to restore an individual Customer’s Instructional Input upon request. To assist Customers in backing up Customer Instructional Input, Segmind provides certain features within the Platform Services (like the ability to synchronize notebooks via a customer’s Github or Bitbucket account).
4.Self-service Access. Segmind makes available certain features within the Platform Services that permit customers to access, export, and delete certain Customer Content (e.g., experiments) contained within the Segmind Control Plane.
5.Customer Managed Backups. Customers retain ownership of their Customer Content and must manage their own backups, including to the extent applicable, enabling backup within the Systems in which the Customer Data is stored.
9.Data Deletion.
1.During Use. The Platform Services provide Customers with functionality that permits Customers to delete Customer Content under Segmind’s control.
2.Upon Workspace Cancellation. Customer Content contained within a Customer Workspace is permanently deleted within thirty (30) days following cancellation of the Workspace.
10. Secure Software Development Lifecycle (“SDLC”)
1.Security team. Segmind Engineering and the security organization co-run a Security program, in which senior engineers are trained and socialized as virtual members of the security team. Security programs are available to all engineering staff for design or code review.
2.Security Design Review. Feature designs are assessed by security personnel for their security impact to the Segmind Platform, for example, additions or modifications to access controls, dataflows, and logging.
3.Security Training. Engineers are required to take Secure SDLC training, including but not limited to, content provided by OWASP.
4.Peer Code Review. All production code must be approved through a peer code review process.
5.Change Control. Segmind’s controls are designed to securely manage assets, configurations, and changes throughout the SDLC.
6.Code Scanning. Static and dynamic code scans are regularly run and reviewed.
7.Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.
8.Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.
9.Multi-Factor Authentication. Accessing the Segmind code repository requires Multi-Factor Authentication.
10.Code Deployment. Production code is deployed via automated continuous integration/continuous deployment (CI/CD) pipeline processes. The release management teams are separated from the engineering teams that build the product.
11.Production Separation. Segmind separates production Platform Services Systems from testing and development Platform Services Systems.
This Main Cloud Services Agreement (the “MCSA”) is entered into as of the Effective Date between Segmind Inc., (“Segmind” or “we”) and Customer (as defined below). This agreement, together with any other Agreements that reference this Agreement (MCSA) governs the Customer’s use of the Segmind Services (the “Platform Services”), on each cloud service where Segmind directly provides customers with access to such Platform Services. Unless otherwise indicated, capitalized terms have the meaning assigned to them in this MCSA or in an incorporated Schedule. In the event of any conflict or inconsistency in the definition or interpretation between the body of this Agreement, the Schedules, and/or Schedules, between Schedules, or between Schedules such conflict or inconsistency shall be resolved by giving precedence first to the body of this Agreement, and then to the Schedules.
1.Definitions
2.Platform Services.
1.Use Authorization
Customer and its Authorized Users may, subject to this Agreement, access and use the Segmind Platform Services on any permitted Cloud Service Provider solely for Customer’s internal business purposes.
2.Cloud Service Providers
A list of, and applicable information relating to the use of the Platform Services on such Cloud Service Providers is set forth in the Cloud Provider Directory shared below:
a.Amazon Web Services (AWS)
b.Lambda Inc.
c.Google Cloud Platform (GCP)
d.Microsoft Azure
3.Modifications and Updates
Segmind reserves the right to improve or otherwise modify the Platform Services and its System architecture at any time subject to maintaining appropriate industry standards of practice relating to the provision and security of the Platform Services, and provided that any such modification does not materially diminish the core functionality or security of the Platform Services.
2.Authorized Users.
1. On-boarding Authorized Users.
You must obtain separate credentials (e.g., user IDs, email, or similar unique identifiers and passwords) via the Platform Services for each Authorized User and may not permit the sharing of Authorized User credentials.
2. Your Responsibilities Regarding Authorized Users.
You will at all times be responsible for and expressly assume the risks associated with all users of the Platform Services under an Authorized User’s account (including for the payment of fees related to such use), whether such action was taken by an Authorized User credentials.
3.Usage Limits.
1.You will not (and will not permit your Authorized Users to):
1.violate the Acceptable Use Agreement or use the Platform Services other than in accordance with the Documentation;
2.copy, modify, disassemble, decompile, reverse engineer, or attempt to view or discover the source code of the Platform Services, in whole or in part, or permit or authorize a third party to do so, except to the extent such activities are expressly permitted by the Agreement or by law notwithstanding this prohibition;
3.sell, resell, license, sublicense, distribute, rent, lease, or otherwise provide access to the Platform Services to any third party except to the extent explicitly authorized in writing by Segmind;
4.use the Platform Services to develop or offer a service made available to any third party that could reasonably be seen to serve as a substitute for such third party’s possible purchase of any Segmind product or service;
5.transfer or assign any of your rights hereunder; or
6.during any free trial period granted by Segmind, including during the use of any Beta Service, use the Segmind Services for any purpose other than to evaluate whether to purchase the Segmind Services.
4.Customer Content
1.Ownership.
As between you and Segmind, you retain all ownership or license rights in Customer Content, which shall be deemed your Confidential Information.
2.Limits on what Customer Content may Contain.
You agree that you may not include in Customer Data or Customer Instructional Input, or generate any Customer Results that include:
1.any data for which you do not have all rights, power and authority necessary for its collection, use and processing as contemplated by the Agreement;
2.any data that is prohibited by the Acceptable Use Agreement;
3.Usage Data.
You acknowledge and agree that, notwithstanding anything to the contrary in the Agreement, Segmind may collect usage data and telemetry regarding your Authorized Users’ use of the Platform Services and that such usage data may occasionally contain Customer Instructional Input (e.g., it may contain the queries entered by an Authorized User) but will not contain Customer Data or Customer Results (“Usage Data”). Segmind will not share (other than with third parties providing services to Segmind who agree in writing to terms at least as restrictive regarding the processing of Usage Data as those set forth in the Agreement) or publicly make available any Usage Data that identifies Customer, or any of its Authorized Users, other data subjects, or customers, nor use any Usage Data in a manner that derives its value from the unique aspects of your Customer Instructional Input.
5.Security.
1.Shared Responsibility.
The customer acknowledges that the Platform Services operate according to a shared responsibility model that requires both parties to take reasonable security precautions relating to the Platform Services and the protection of Customer Content.
2.Different Architectures.
Segmind provides the Platform Services according to different architectural models depending on the specific feature being used by the Customer, as further described in the Documentation. Accordingly, Customer acknowledges and agrees that different portions of the Platform Services are and may in the future be subject to terms that provide for different rights and responsibilities of the parties.
3.Segmind Responsibilities.
Segmind shall implement administrative, physical, and technical safeguards to protect the security of the Platform Services and the Customer Content as set forth in the Security policy (“Security Measures”);
4.Customer Responsibilities.
Customer shall:
1.use commercially reasonable efforts to ensure that its Authorized Users review the portions of Documentation relevant to the Customer’s use of the Platform Services and any security information published by Segmind and referenced therein that is designed to assist the Customer in securing Customer Content;
2.remain at all times fully responsible for all Customer Instructional Input and any consequences arising from Segmind’s execution of such Customer Instructional Input except to the extent caused by Segmind’s breach of its Security Measures or gross negligence or willful misconduct;
3.configure the Platform Services in an appropriate way taking into account the sensitivity of the Customer Content that Customer chooses to process using the Platform Services; and
4.ensure that Segmind at all times has updated and accurate contact information for the appropriate person for Segmind to notify regarding data security issues relating to the Segmind Services, with such contact information to be updated in each order form and any subsequent changes to be provided by email to contact@segmind.com (with “Contact Change” in the subject).
3.Support Services.
Segmind will provide you with the level of Support Services specified on an order form in accordance with the Support Policy. If Support Services are not specified on an order form, your support shall be limited to public documentation and forums.
4.Compliance with Laws; Data Protection.
1.By Segmind.
Segmind will provide the Platform Services in accordance with its obligations under laws and government regulations applicable to Segmind’s provision of the Platform Services to its customers generally, including, without limitation those related to data protection and data privacy, without regard to Customer’s particular use of the services and subject to Customer’s use of the Segmind Services in accordance with the Agreement.
2.By Customer.
You represent and warrant to Segmind that your use of Segmind Services will comply with all applicable laws, including without limitation any privacy or data protection laws applicable to your use of the Platform Services to process Personal Data.
5.Suspension; Termination.
1.Suspension.
Segmind may temporarily suspend any or all Platform Services Workspaces at any time: (a) immediately without notice if Segmind reasonably suspects that you have violated your obligations under Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities) or Section 4 (Compliance with Laws; Data Protection) in a manner that may cause material harm or material risk of harm to Segmind or to any other party; (b) upon five (5) business days’ notice if Segmind reasonably suspects that you have committed any other violation of Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities), or Section 4 (Compliance with Laws; Data Protection); or (c) upon five (5) business days’ notice if you fail to pay undisputed Fees after receiving notice that you are delinquent in payment.
2.Termination; Workspace Cancellation.
Segmind may terminate any or all of the Platform Services Workspaces and this Agreement for material breach of the Agreement or this Agreement, including without limitation your breach of Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities), or Section 4 (Compliance with Laws; Data Protection). If this Agreement is terminated for any reason or upon your written request, Segmind may cancel your accounts. Segmind will delete all Customer Content contained within a Workspace within thirty (30) days following the cancellation of such account. Upon termination of the Agreement for any reason, you will delete all stored elements of the Platform Services from your Systems.
3.Pay-as-you-go service
Notwithstanding anything in the Agreement to the contrary, Segmind may suspend or terminate any pay-as-you-go Services account, and delete any Customer Content relating to such account that may be stored within the Platform Services or other Segmind’s Systems, upon thirty (30) days’ prior written notice (over email) if Segmind reasonably determines the account is inactive as set forth in the Acceptable Use Agreement.
4.Notice.
Notice under this Section 5 (Suspension; Termination) may be provided by email sent to a person the party providing notice reasonably believes to have responsibility for the other party’s activities under the Agreement.
6.Warranty; Warranty Remedy.
1.Multi-Cloud Platform Services Warranty.
In addition to any other express warranties stated elsewhere in this agreement, Segmind warrants that, during the term of an order form for Platform Services: (a) the Platform Services will function substantially in accordance with the Documentation, and (b) it will employ commercially reasonable efforts in accordance with industry standards to prevent the transmission of malware or malicious code via the Platform Services not caused by Customer or its Authorized Users.
2.Multi-Cloud Platform Services Disclaimer.
THE WARRANTIES IN SECTION 6.1 (MULTI-CLOUD PLATFORM SERVICES WARRANTY) ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, REGARDING SEGMIND AND SEGMIND’s SERVICES PROVIDED HEREUNDER. SEGMIND AND ITS LICENSORS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, CONDITIONS AND OTHER TERMS, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN: (a) ANY SERVICES PROVIDED UNDER ANY FREE TRIAL PERIOD ARE PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND; (b) WITHOUT LIMITATION, SEGMIND DOES NOT MAKE ANY WARRANTY OF ACCURACY, COMPLETENESS, TIMELINESS, OR UNINTERRUPTABILITY, OF THE PLATFORM SERVICES; (c) SEGMIND IS NOT RESPONSIBLE FOR RESULTS OBTAINED FROM THE USE OF THE PLATFORM SERVICES OR FOR CONCLUSIONS DRAWN FROM SUCH USE; AND (d) SEGMIND WILL TAKE REASONABLE EFFORTS TO RESTORE LOST OR CORRUPTED CUSTOMER INSTRUCTIONAL INPUT DESCRIBED THEREIN SHALL BE SEGMIND’s SOLE LIABILITY AND YOUR SOLE AND EXCLUSIVE REMEDY IN THE EVENT OF ANY LOSS OR CORRUPTION OF CUSTOMER CONTENT IN CONNECTION WITH THE SEGMIND SERVICES.
3.Multi-Cloud Platform Services Warranty Remedy.
FOR ANY BREACH OF THE WARRANTIES IN SECTION 6.1 (MULTI-CLOUD PLATFORM SERVICES WARRANTY), YOUR EXCLUSIVE REMEDY AND SEGMIND’s ENTIRE LIABILITY WILL BE THE MATERIAL CORRECTION OF THE DEFICIENT SERVICES THAT CAUSED THE BREACH OF WARRANTY, OR, IF WE CANNOT SUBSTANTIALLY CORRECT THE DEFICIENCY IN A COMMERCIALLY REASONABLE MANNER, SEGMIND WILL END THE DEFICIENT SERVICES AND REFUND TO YOU THE PORTION OF ANY PREPAID FEES PAID BY YOU TO SEGMIND APPLICABLE TO THE PERIOD FOLLOWING THE EFFECTIVE DATE OF TERMINATION.
7.Additional Indemnities.
In addition to the Customer indemnities set forth in the MCSA, Customer’s obligation to defend and indemnify Segmind Indemnitees will include a Claim Against Segmind arising from any Customer Content or its use with the Segmind Services, including any claim that such Customer Content infringes or misappropriates such party’s Intellectual Property Rights.
This acceptable use agreement (“AUA”) sets forth certain restrictions relating to the access to, and use of, the Segmind Services by you or someone on your behalf under your agreement with Segmind applicable to the Segmind Services. The restrictions set forth in this AUA are not exhaustive. Any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. This AUA may be updated by Segmind from time to time upon reasonable notice, which may be provided through the Segmind Services or by posting an updated version of this AUA. Updates of the AUA become binding, including on existing users, on the later of the date specified in the updated AUA or thirty (30) days after posting. Any modification to the AUA within an update will relate solely to restrictions on use of, and access to, the Segmind Services. Any violation of this AUA may result in the suspension or termination of your access to and use of the Segmind Services.
You shall not (and shall not permit your Authorized Users to):
1.attempt to access, search, or create accounts for any of our services by any means other than our publicly supported interfaces or as otherwise authorized by us;
2.create multiple accounts for the purpose of extending your free trial;
3.interfere with or disrupt (or attempt to interfere with or disrupt) the Segmind Services, or gain (or attempt to gain) access to any Systems that connect thereto (except as required to appropriately access and use the Segmind Services);
4.use the Segmind Services to violate the security or integrity of, or otherwise abuse, any System of any party (including without limitation the Platform Services or Support Services), including but not limited to gaining unauthorized access to any System (including attempting to probe, scan, monitor, or test the vulnerability of a System), forging any headers or other parts of any message describing its origin or routing, interfering with the proper functioning of any System (including any deliberate attempt by any means to overload a System), implementing denial-of-service attacks, operating non-permissioned network services (including open proxies, mail relays or recursive domain name servers), using any means to bypass System usage limitations, or storing, transmitting or installing malicious code;
5.use the Segmind Services to distribute or facilitate the sending of unsolicited or unlawful (i) email or other messages, or (ii) promotions of any kind;
6.use the Segmind Services to engage in or promote any other fraudulent, deceptive or illegal activities;
7.use the Segmind Services to process, store or transmit material, including any Customer Data, in violation of any Law or any third party rights, including without limitation privacy rights;
8.provide a custom deployment name for your Workspace that might reasonably be considered inappropriate or that includes the tradename of any third party unless such party has provided you with express written permission;
9.disclose any benchmarking of the Segmind Services; or
Segmind may modify cluster, project and instance names if they are found to be in violation of this AUA.
Inactive pay-as-you-go accounts:
If an account for which Segmind is providing pay-as-you-go Services is found to be inactive, the account may be suspended or terminated by Segmind, and any Customer Content relating to such account that is stored within the Subscription Services or other Segmind Systems may be deleted. Segmind will provide at least 15 days' notice (in accordance with the Agreement) prior to permanently deleting your account unless we deem it reasonably necessary to suspend or terminate your account without notice. For the avoidance of doubt, if we determine that the email associated with your account is invalid (e.g., because it bounces upon our notification of inactivity), we may terminate your account without further notice.
An account may be considered inactive if:
●No Customer Authorized User has logged into the account for at least three months;
●No Customer Instructional Input was ever created within or input into the account and at least three months has passed since the account was established; or
●If your account is set up to be paid by credit card, you (i) did not provide a valid credit card number or (ii) you failed to update an expired or invalid credit card number and at least three months have passed without a valid credit card number on file, provided that for the avoidance of doubt this provision does not limit Segmind’s right to terminate your account for non-payment relating to actual usage.
This Security Policy is incorporated into and made a part of the written agreement between Segmind, Inc. (“Segmind”) and the Customer that references this Security policy (“Agreement”).
Segmind maintains a comprehensively documented security program that is based on an industry-standard security framework. Pursuant to the Security Program, Segmind implements and maintains administrative, physical, and technical security measures to protect the Platform Services and Support Services and the security and confidentiality of Customer Content (including any Customer Personal Data that may be contained therein) (each as defined in the Agreement) under Segmind’s control that is processed by Segmind in its provisioning of the Platform Services or Support Services (the “Security Measures”).
Segmind’s compliance with this policy shall be deemed to satisfy any more general measures included within any Agreement.
In accordance with its Security Program, Segmind will, when any Customer Content is under its control: (i) comply with the Security Measures identified below with respect to such Customer Content, and (ii) where relevant, keep documentation of such Security Measures.
Segmind regularly tests and evaluates its Security Program, and may review and update this Security policy at any time without notice, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.
1.Deployment Model
1.Shared Responsibility.
Segmind operates in a shared responsibility model, where both Segmind and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.
2.Architecture.
Segmind is a hybrid platform-as-a-service offering. The components responsible for managing and controlling the Platform Services are referred to as the ‘Segmind Control Plane’ and are hosted within a Segmind Cloud Service Provider account. The compute resources that perform data processing operations are referred to as the “Data Plane”. For certain Cloud Service Providers, the Data Plane may either be deployed in the Customer’s Cloud Service Provider account (known as the ‘Customer Data Plane’) or, for Segmind Serverless Compute, in a Segmind-controlled Cloud Service Provider account (known as the ‘Segmind Data Plane’). Data Plane shall refer to both Customer Data Plane and Segmind Data Plane unless otherwise specified.
3.Compute Resources.
Compute resources are created and coordinated by the Segmind Control Plane and deployed into the Data Plane. Compute resources are launched as new virtual machines that leverage the latest base image and Segmind source code and do not have data from previous machines. When compute resources terminate, the data on their local hard drives is overwritten by Segmind or by the Cloud Service Provider.
4.Data Storage of Customer Content.
1.Customer Data and Customer Results.
1.Customer Control.
Most Customer Data is stored within the Customer’s own Cloud Service Provider account at rest (e.g., within Customer’s AWS S3 bucket or AWS EBS Storage) or within other Systems under the Customer’s control. Customers may choose where this Customer Data resides. Please see the Documentation for more details.
2.Segmind Control.
Small amounts of Customer Data may be stored within the Segmind Control Plane, including Customer Results and metadata about Customer Data (e.g., contained within the meta store). Segmind offers Customers options regarding the storage of certain Customer Content within the Platform Services (e.g., the location of Customer Results created by the use of interactive notebooks). Please see the Documentation for more details.
2.Customer Instructional Input. Customer Instructional Input is stored at rest within the Segmind Control Plane.
2.Deployment Region. Customers may specify the region(s) where their Platform Services Workspaces are deployed. Customers can choose to deploy the Data Plane into any supported Segmind region. The Segmind Control Plane may not be deployed into the same region. Segmind will not, without Customers’ permission, move a Customer's Workspace into a different region.
3.Segmind’s Audits & Certifications. Segmind uses independent third-party auditors to assess the Segmind Security Program at least annually.
4.Administrative Controls
1.Governance. Segmind’s Chief Security Officer leads Segmind’s Information Security Program and develops, reviews, and approves (together with other stakeholders, such as Legal, Human Resources, Finance, and Engineering) Segmind’s Security Policies (as defined below).
2.Change Management. Segmind maintains a documented change management policy, reviewed annually, which includes but is not limited to, evaluating changes of or relating to systems authentication.
3.Personnel Training. Personnel receive comprehensive training on the Security Policies upon hire and refresher training is given annually. Personnel are required to certify and agree to the Security Policies and personnel who violate the Security Policies are subject to disciplinary action, including warnings, suspension, and up to (and including) termination.
4.Personnel Screening and Evaluation. All personnel undergo background checks prior to onboarding (as permitted by local law), which may include, but are not limited to, criminal record checks, employment history verification, education verification, and global sanctions and enforcement checks. Segmind uses a third-party provider to conduct screenings, which vary by jurisdiction and comply with applicable local law. Personnel are required to sign confidentiality agreements.
5.Monitoring & Logging. Segmind employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.
6.Access Review. Active users with access to the Platform Services are reviewed at least quarterly and are promptly removed upon termination of employment. As part of the personnel offboarding process, all accesses are revoked and data assets are securely wiped.
7.Third-Party Risk Management. Segmind assesses the security compliance of applicable third parties, including vendors and sub-processors, in order to measure and manage risk. This includes, but is not limited to, conducting a security risk assessment and due diligence prior to engagement and reviewing external audit reports from critical vendors at least annually. In addition, applicable vendors and sub-processors are required to sign a data processing agreement that includes compliance with applicable data protection laws, as well as confidentiality requirements.
5.Physical and Environmental Controls
1.Cloud Service Provider Data Centers. Segmind regularly reviews Cloud Service Provider audits conducted in compliance with ISO 27001, SOC 1, SOC 2, and PCI-DSS. Security controls include, but are not limited to the list below:
1.Biometric facility access controls
2.Visitor facility access policies and procedures
3.24-hour armed physical security
4.CCTV at ingress and egress
5.Intrusion detection
6.Business continuity and disaster recovery plans
7.Smoke detection sensors and fire suppression equipment
8.Mechanisms to control temperature, humidity, and water leaks
9.Power redundancy with backup power supply
6.Systems & Network Security
1.Platform Controls.
1.Isolation.
Segmind leverages multiple layers of network security controls, including network-level isolation, for separation between the Segmind Control Plane and Customer Data Plane, and between Workspaces within the Segmind Data Plane.
2.Firewalls & Security Groups.
Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider’s account. Segmind also configures local firewalls or security groups within the Customer Data Plane.
3.Hardening.
1.Segmind employs industry standards to harden images and operating systems under its control that are deployed within the Platform Services, including deploying baseline images with hardened security configuration such as disabled remote root login, isolation of user code, and images are regularly updated and refreshed.
2.For Systems under Segmind control supporting the production data processing environment, Segmind tracks security configurations against industry-standard baselines such as CIS and STIG.
4.Encryption
1.Encryption of data-in-transit.
Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the Segmind Control Plane and (2) the Segmind Control Plane and the Data Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt communications between clusters within the Data Plane.
2.Encryption of data-at-rest.
Customer Content is encrypted using cryptographically secure protocols (AES-128 bit, or the equivalent or better) while at rest within the Segmind Control Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt at rest Customer Content within the Data Plane.
3.Review.
Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.
4.Customer Options; Responsibilities.
Customers may choose to leverage additional encryption options for data in transit within the Customer Data Plane or Segmind Data Plane as described in the Documentation. Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer Systems to encrypt Customer Content where appropriate.
5.Monitoring & Logging
1.Intrusion Detection Systems
Segmind leverages security capabilities provided natively by Cloud Service Providers for security detection.
2.Audit Logs.
1.Generation. Segmind generates audit logs from Customer’s use of the Platform Services. The logs are designed to store information about material events within the Platform Services.
2.Delivery. Customers may, depending on the entitlement tier of the Platform Services, enable delivery of audit logs. It is Customer’s responsibility to configure this option.
3.Integrity. Segmind stores audit logs in a manner designed to protect the audit logs from tampering.
4.Retention. Segmind stores audit logs for at least one year.
6.Penetration Testing. Segmind conducts third-party penetration tests at least annually, employs in-house offensive security personnel, and also maintains a public bug bounty program.
7.Vulnerability Management & Remediation. Segmind regularly runs authenticated scans against representative hosts in the SDLC pipeline to identify vulnerabilities and emerging security threats that may impact the Data Plane and Segmind Control Plane. Segmind will use commercially reasonable efforts to address critical vulnerabilities within 14 days, high severity within 30 days, and medium severity within 60 days measured from, with respect to publicly declared third party vulnerabilities, the date of availability of a compatible, vendor-supplied patch, or for internal vulnerabilities, from the date such vulnerability is confirmed. Segmind leverages the National Vulnerability Database’s Common Vulnerability Scoring System (CVSS), or where applicable, the US-CERT rating, combined with an internal analysis of contextual risk to determine criticality.
8.Patching.
1.Control Plane. Segmind deploys new code to the Segmind Control Plane on an ongoing basis.
2.Data Plane. New Data Plane virtual machines use the latest applicable source code and system images upon launch and do not require Segmind to patch live systems. Customers are encouraged to restart always-on clusters on a periodic basis to take advantage of security patches.
9.Segmind Personnel Login to Customer Workspaces. Segmind utilizes an internal technical and organizational control tool that permits Segmind personnel to log in to a Customer Workspace to provide support to our Customers and permits limited Segmind engineering personnel to log in to certain Platform Services infrastructure. Customers may optionally configure certain limitations on the ability for Segmind personnel to access Customer Workspaces.
2.Corporate Controls.
1.Access Controls
1.Authentication. Segmind personnel are authenticated through single sign-on (SSO), 802.1x (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication. Privileges are consistent with least privilege principles. Security Policies prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. If your identity provider supports the SAML 2.0 protocol, you can use Segmind’s SSO to integrate with your identity provider.
2.Role-Based Access Controls (RBACs). Only authorized roles are allowed to access systems processing customer and personal data. Segmind enforces RBACs (based on security groups and access control lists) and restricts access to Customer Content based on the principle of ‘least privilege’ and segregation of responsibilities and duties.
2.Pseudonymization. Information stored in activity logs and databases is protected where appropriate using a unique randomized user identifier to mitigate the risk of re-identification of data subjects.
3.Workstation Controls: Segmind enforces certain security controls on its workstations used by personnel, including:
1.Full-disk encryption
2.Anti-malware software
3.Automatic screen lock after 15 minutes of inactivity
4.Secure VPN
7.Incident Detection & Response
1.Detection & Investigation. Segmind’s dedicated Detection engineering team deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team (SIRT) for triage and response. The SIRT employs an incident response framework to manage and minimize the effects of unplanned security events.
2.Security Incidents; Security Breaches. “Security Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data under Segmind control. A “Security Incident” is any actual or attempted breach of security that does not rise to the level of a Security Breach. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. Segmind maintains a record of known Security Incidents and Security Breaches that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed Security Incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed Security Incidents, Segmind will take appropriate, reasonable steps to minimize product and Customer damage or unauthorized disclosure. All incidents are logged in an incident tracking system that is subject to auditing on an annual basis.
3.Communications & Cooperation. In accordance with applicable data protection laws, Segmind will notify the Customer of a Security Breach for which that Customer is impacted without undue delay after becoming aware of the Security Breach, and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.
8.Backups, Business Continuity, and Disaster Recovery
1.Business Continuity and Disaster Recovery. Segmind Business Continuity (BC) and Disaster Recovery (DR) plans are reviewed and drills are conducted annually.
2.Data Resiliency. Segmind performs backups for the Segmind Control Plane (including any Customer Instructional Input stored therein), generally managed by the Cloud Service Provider capabilities, for data resiliency purposes in the case of a critical systems failure. While Segmind backs up Customer notebooks that persist in the Segmind Control Plane as part of the resiliency of its systems, those backups are maintained only for emergency recovery purposes and are not available for Customers to use on request for recovery purposes.
3.No Data Restoration. Due to the hybrid nature of the Segmind Platform, Segmind does not provide backup for Customer Content, and Segmind is unable to restore an individual Customer’s Instructional Input upon request. To assist Customers in backing up Customer Instructional Input, Segmind provides certain features within the Platform Services (like the ability to synchronize notebooks via a customer’s GitHub or Bitbucket account).
4.Self-service Access. Segmind makes available certain features within the Platform Services that permit customers to access, export, and delete certain Customer Content (e.g., experiments) contained within the Segmind Control Plane.
5.Customer Managed Backups. Customers retain ownership of their Customer Content and must manage their own backups, including to the extent applicable, enabling backup within the Systems in which the Customer Data is stored.
9.Data Deletion.
1.During Use. The Platform Services provide Customers with functionality that permits Customers to delete Customer Content under Segmind’s control.
2.Upon Workspace Cancellation. Customer Content contained within a Customer Workspace is permanently deleted within thirty (30) days following cancellation of the Workspace.
10. Secure Software Development Lifecycle (“SDLC”)
1.Security team. Segmind Engineering and the security organization co-run a Security program, in which senior engineers are trained and socialized as virtual members of the security team. Security programs are available to all engineering staff for design or code review.
2.Security Design Review. Feature designs are assessed by security personnel for their security impact to the Segmind Platform, for example, additions or modifications to access controls, dataflows, and logging.
3.Security Training. Engineers are required to take Secure SDLC training, including but not limited to, content provided by OWASP.
4.Peer Code Review. All production code must be approved through a peer code review process.
5.Change Control. Segmind’s controls are designed to securely manage assets, configurations, and changes throughout the SDLC.
6.Code Scanning. Static and dynamic code scans are regularly run and reviewed.
7.Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.
8.Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.
9.Multi-Factor Authentication. Accessing the Segmind code repository requires Multi-Factor Authentication.
Code Deployment. Production code is deployed via automated continuous integration/continuous deployment (CI/CD) pipeline processes. The release management teams are separated from the engineering teams that build the product.
Production Separation. Segmind separates production Platform Services Systems from testing and development Platform Services Systems.
This privacy notice for Segmind Inc. ("Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
Visit our website at http://www.segmind.com, or any website of ours that links to this privacy notice
Engage with us in other related ways, including any sales, marketing, or events
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at contact@segmind.com.
SUMMARY OF KEY POINTS
This summary provides key points from our privacy notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for. You can also click here to go directly to our table of contents.
What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with Segmind Inc. and the Services, the choices you make, and the products and features you use. Click here to learn more.
Do we process any sensitive personal information? We do not process sensitive personal information.
Do we receive any information from third parties? We do not receive any information from third parties.
How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Click here to learn more.
In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties. Click here to learn more.
How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Click here to learn more.
What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Click here to learn more.
How do you exercise your rights? The easiest way to exercise your rights is by emailing us at contact@segmind.com. We will consider and act upon any request in accordance with applicable data protection laws.
Want to learn more about what Segmind Inc. does with any information we collect? Click here to review the notice in full.
TABLE OF CONTENTS
1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
7. HOW LONG DO WE KEEP YOUR INFORMATION?
8. HOW DO WE KEEP YOUR INFORMATION SAFE?
9. DO WE COLLECT INFORMATION FROM MINORS?
10. WHAT ARE YOUR PRIVACY RIGHTS?
11. CONTROLS FOR DO-NOT-TRACK FEATURES
12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
13. DO WE MAKE UPDATES TO THIS NOTICE?
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
1. WHAT INFORMATION DO WE COLLECT?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.
Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:
names
phone numbers
email addresses
mailing addresses
job titles
usernames
passwords
contact preferences
contact or authentication data
billing addresses
debit/credit card numbers
Sensitive Information. We do not process sensitive information.
Payment Data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is stored by Stripe. You may find their privacy notice link(s) here: https://stripe.com/en-gb-us/privacy.
Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, Twitter, or other social media account. If you choose to register in this way, we will collect the information described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
Information automatically collected
In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.
Like many businesses, we also collect information through cookies and similar technologies.
The information we collect includes:
Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).
Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
Location Data. We collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.
2. HOW DO WE PROCESS YOUR INFORMATION?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.
To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
To fulfill and manage your orders. We may process your information to fulfill and manage your orders, payments, returns, and exchanges made through the Services.
To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent harm.
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?
In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.
If you are located in the EU or UK, this section applies to you.
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:
Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Click here to learn more.
Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:
Diagnose problems and/or prevent fraudulent activities
Understand how our users use our products and services so we can improve user experience
Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.
If you are located in Canada, this section applies to you.
We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time. Click here to learn more.
In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:
If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
For investigations and fraud detection and prevention
For business transactions provided certain conditions are met
If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
For identifying injured, ill, or deceased persons and communicating with next of kin
If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse
If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
If the collection is solely for journalistic, artistic, or literary purposes
If the information is publicly available and is specified by the regulations
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
In Short: We may share information in specific situations described in this section and/or with the following third parties.
We may need to share your personal information in the following situations:
Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
In Short: We may use cookies and other tracking technologies to collect and store your information.
We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.
Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook or Twitter logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public on such a social media platform.
We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.
7. HOW LONG DO WE KEEP YOUR INFORMATION?
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than three (3) months past the termination of the user's account.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
8. HOW DO WE KEEP YOUR INFORMATION SAFE?
In Short: We aim to protect your personal information through a system of organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
9. DO WE COLLECT INFORMATION FROM MINORS?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at rohit@segmind.com.
10. WHAT ARE YOUR PRIVACY RIGHTS?
In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.
In some regions (like the EEA, UK, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.
We will consider and act upon any request in accordance with applicable data protection laws.
If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
If you are located in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html.
Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below or updating your preferences.
However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, replying "STOP" or "UNSUBSCRIBE" to the SMS messages that we send, or by contacting us using the details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.
Account Information
If you would at any time like to review or change the information in your account or terminate your account, you can:
Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.
Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. To opt out of interest-based advertising by advertisers on our Services visit http://www.aboutads.info/choices/.
If you have questions or comments about your privacy rights, you may email us at contact@segmind.com.
11. CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.
12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
In Short: Yes, if you are a resident of California, you are granted specific rights regarding access to your personal information.
California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.).
CCPA Privacy Notice
The California Code of Regulations defines a "resident" as:
(1) every individual who is in the State of California for other than a temporary or transitory purpose and
(2) every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose
All other individuals are defined as "non-residents."
If this definition of "resident" applies to you, we must adhere to certain rights and obligations regarding your personal information.
What categories of personal information do we collect?
We have collected the following categories of personal information in the past twelve (12) months:
Category | Examples | Collected
A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES
B. Personal information categories listed in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | YES
C. Protected classification characteristics under California or federal law | Gender and date of birth | NO
D. Commercial information | Transaction information, purchase history, financial details, and payment information | NO
E. Biometric information | Fingerprints and voiceprints | NO
F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | NO
G. Geolocation data | Device location | NO
H. Audio, electronic, visual, thermal, olfactory, or similar information | Images and audio, video or call recordings created in connection with our business activities | NO
I. Professional or employment-related information | Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us | NO
J. Education Information | Student records and directory information | NO
K. Inferences drawn from other personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics | NO
L. Sensitive Personal Information | | NO
We will use and retain the collected personal information as needed to provide the Services or for:
Category A - 6 months
Category B - As long as the user has an account with us
We may also collect other personal information outside of these categories through instances where you interact with us in person, online, or by phone or mail in the context of:
Receiving help through our customer support channels;
Participation in customer surveys or contests; and
Facilitation in the delivery of our Services and to respond to your inquiries.
How do we use and share your personal information?
More information about our data collection and sharing practices can be found in this privacy notice.
You may contact us by email at contact@segmind.com, by visiting http://www.segmind.com/contact, or by referring to the contact details at the bottom of this document.
If you are using an authorized agent to exercise your right to opt out, we may deny a request if the authorized agent does not submit proof that they have been validly authorized to act on your behalf.
Will your information be shared with anyone else?
We may disclose your personal information to our service providers pursuant to a written contract between us and each service provider. Each service provider is a for-profit entity that processes the information on our behalf, following the same strict privacy protection obligations mandated by the CCPA.
We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.
Segmind Inc. has not disclosed, sold, or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. Segmind Inc. will not sell or share personal information in the future belonging to website visitors, users, and other consumers.
Your rights with respect to your personal data
Right to request deletion of the data — Request to delete
You can ask for the deletion of your personal information. If you ask us to delete your personal information, we will respect your request and delete your personal information, subject to certain exceptions provided by law, such as (but not limited to) the exercise by another consumer of his or her right to free speech, our compliance requirements resulting from a legal obligation, or any processing that may be required to protect against illegal activities.
Right to be informed — Request to know
Depending on the circumstances, you have a right to know:
whether we collect and use your personal information;
the categories of personal information that we collect;
the purposes for which the collected personal information is used;
whether we sell or share personal information to third parties;
the categories of personal information that we sold, shared, or disclosed for a business purpose;
the categories of third parties to whom the personal information was sold, shared, or disclosed for a business purpose;
the business or commercial purpose for collecting, selling, or sharing personal information; and
the specific pieces of personal information we collected about you.
In accordance with applicable law, we are not obligated to provide or delete consumer information that is de-identified in response to a consumer request or to re-identify individual data to verify a consumer request.
Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights
We will not discriminate against you if you exercise your privacy rights.
Right to Limit Use and Disclosure of Sensitive Personal Information
We do not process consumers' sensitive personal information.
Verification process
Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. These verification efforts require us to ask you to provide information so that we can match it with information you have previously provided us. For instance, depending on the type of request you submit, we may ask you to provide certain information so that we can match the information you provide with the information we already have on file, or we may contact you through a communication method (e.g., phone or email) that you have previously provided to us. We may also use other verification methods as the circumstances dictate.
We will only use personal information provided in your request to verify your identity or authority to make the request. To the extent possible, we will avoid requesting additional information from you for the purposes of verification. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. We will delete such additionally provided information as soon as we finish verifying you.
Other privacy rights
You may object to the processing of your personal information.
You may request correction of your personal data if it is incorrect or no longer relevant, or ask to restrict the processing of the information.
You can designate an authorized agent to make a request under the CCPA on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with the CCPA.
You may request to opt out from future selling or sharing of your personal information to third parties. Upon receiving an opt-out request, we will act upon the request as soon as feasibly possible, but no later than fifteen (15) days from the date of the request submission.
To exercise these rights, you can contact us by email at contact@segmind.com, by visiting http://www.segmind.com/contact, or by referring to the contact details at the bottom of this document. If you have a complaint about how we handle your data, we would like to hear from you.
13. DO WE MAKE UPDATES TO THIS NOTICE?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this privacy notice from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO), Rohit Ramesh, by email at rohit@segmind.com, by phone at 14254434587, or by post to:
Segmind Inc.
Rohit Ramesh
1013, Center Road, Suite 403-B
Wilmington, DE 19805
United States
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please email contact@segmind.com.