Minimum age requirement

You must be no less than 18 years of age, or the lowest age stipulated in your jurisdiction to engage Deepshi, and you must affirm that you satisfy this age criterion. As an uncensored AI platform, Deepshi may produce outputs depending on the functionalities you select that are unsuitable for minors. For example, if users opt for specific functionalities or enter provocative or vulgar terms, Deepshi might reply with content that could encompass vulgar terms, raw wit, intimate scenarios, or aggression. We advise guardians to vigilantly oversee their adolescents' engagement with Deepshi. Guardians who elect to employ particular aspects of Deepshi to facilitate their dialogues with their offspring, encompassing instructive, illuminating, or amusing exchanges with their offspring, must utilize the information controls available in Deepshi to choose the suitable functionalities for their requirements.

Enrollment

You are required to furnish precise and thorough details to enroll for an account to utilize Deepshi. You are prohibited from disseminating your account details or rendering your account accessible to any other individual, and you bear responsibility for all actions transpiring under your account. If you establish an account or employ Deepshi on behalf of another individual or organization, you must possess the authority to assent to these Terms on their behalf.

Access via a third-party provider

By electing to access Deepshi via a third-party provider, such as Google or a Web3 wallet, you authorize us to retrieve, utilize, and retain your data from that provider, as allowed by that provider, which might encompass access credentials and/or access tokens for that provider.

Permissible actions

Contingent upon your adherence to these Terms, you may enter and employ Deepshi. You are obligated to conform to all pertinent laws in addition to the Acceptable Use Policy set forth below and any additional records, directives, or policies we furnish to you, encompassing those on our site.

Prohibited actions

Forbidden utilizations of Deepshi encompass any unlawful, detrimental, or abusive conduct, including but not confined to:

Adversely affecting Deepshi, encompassing by:

• Altering, duplicating, renting, vending, reselling, disseminating, condensing, manipulating, employing automated agents to access, reverse engineering, or decompiling Deepshi
• Employing Deepshi or any Output to construct models or services that rival ELI, extracting or reselling any Input or Output, or condensing model information
• Interfering with, meddling in, or unauthorized entry to Deepshi or its protective mechanisms

Inflicting damage or participating in abusive conduct, encompassing by:

• Severely damaging or advocating severe damage to human existence (yours or another's), encompassing pro-terrorist conduct
• Breaching copyright, trademark, or other intellectual property regulations
• Infringing an individual's privacy or their entitlement to publicity
• Promoting terrorist propaganda or providing operational guidance (e.g., explosives instructions)
• Disseminating instructions for crimes, whether violent or non-violent, with foreseeability of aiding/abetting per 18 U.S.C. § 2
• Generating or hosting non-consensual intimate imagery, including deepfakes for deceptive purposes
• Facilitating human trafficking or real-world threats/extortion
• Inciting hate speech or violence against protected groups
• Creating any child exploitation content
• Infringing on copyrights without fair use
• General adult content permissible only with age verification and disclaimers

You are solely accountable for all liabilities emerging from content produced on Deepshi, including deepfakes, to the utmost degree allowed by law. ELI disclaims all liability for user-generated content, including deepfakes.

Definitions

• “Applicable Data Protection Laws” refers to all data safeguard and privacy statutes and rules pertinent to the handling of Personal Data, which might encompass European Data Protection Laws and U.S. Privacy Laws.
• “Europe” denotes the European Economic Area and its member nations, Switzerland, and the United Kingdom (“UK”).
• “European Data Protection Laws” denotes all data safeguard and privacy statutes and rules of Europe, as pertinent to the handling of Personal Data, including (i) the General Data Protection Regulation 2016/679 (“GDPR”); (ii) the GDPR as it constitutes part of UK law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (collectively, “UK GDPR”); and (iii) the Swiss Federal Act on Data Protection of 2020 and its Ordinance (“Swiss FADP”); as may be revised, supplanted, or substituted.
• “Personal Data” refers to any details defined as “personal information” under the CCPA, “personal data” under the GDPR, or analogous terms under Applicable Data Protection Laws, that you supply to ELI in relation to Deepshi as User Content and that we process on your behalf, as outlined in the relevant appendix.
• “Restricted Transfer” denotes a conveyance of Personal Data originating from Europe to a jurisdiction that does not offer a sufficient level of safeguard for personal data within the scope of applicable European Data Protection Laws.
• “Security Incident” denotes a violation of ELI's or its Subprocessors' safeguards resulting in the inadvertent or illicit destruction, loss, modification, unauthorized revelation of, or access to Personal Data in relation to Deepshi. Security Incidents exclude unsuccessful endeavors or activities that do not jeopardize the safeguard of Personal Data, including unsuccessful login endeavors, pings, port scans, denial of service assaults, and other network assaults on firewalls or networked frameworks.
• “SCCs” denotes the standard contractual clauses attached to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be revised, supplanted, or substituted.
• “Subprocessor” denotes any third-party handler engaged by ELI to handle Personal Data to furnish Deepshi. Subprocessors exclude ELI's staff, contractors, or advisors.
• “UK Addendum” denotes the International Data Transfer Addendum issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, as may be revised, supplanted, or substituted.
• “U.S. Privacy Laws” denotes all federal and state data safeguard and privacy statutes and rules of the United States, as pertinent to the handling of Personal Data, including (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), and its implementing rules (“CCPA”) as well as California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.) (“CIPA”); (ii) the Virginia Consumer Data Protection Act (VA Code Ann. §§ 59.1-575 et seq.) (“VCDPA”); (iii) the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.) and its implementing rules (“CPA”); (iv) the Connecticut Data Privacy Act (Pub. Act No. 22-15) (“CTDPA”); and (v) the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.) (“UCPA”); in each instance when effective and as may be revised, supplanted, or substituted. ELI disclaims obligations under these laws to the maximum extent permissible, including no “sale” of data and no mandatory opt-outs unless required.

The terms “controller”, “data subject”, “personal data”, “process”, “processing”, “processor”, and “supervisory authority” bear the meanings ascribed to them under Applicable Data Protection Laws.

Scope and Roles

These provisions apply insofar as we process Personal Data on your behalf in connection with furnishing Deepshi under the Terms. The parties recognize and concur that ELI is a processor and you are a controller or processor of Personal Data, as applicable, under Applicable Data Protection Laws.

Details of Processing

The topic, duration, character, and objective of the processing of Personal Data, and the kinds of Personal Data and classes of data subjects, are described in the relevant appendix.

Your Responsibilities

In your utilization of Deepshi, you shall:

• Adhere to your duties under Applicable Data Protection Laws, including (i) ensuring that your processing directives to ELI comply with Applicable Data Protection Laws; and (ii) securing all requisite rights, consents, and authorizations needed to supply Personal Data to ELI and permit us to process Personal Data as envisaged by the Terms;
• Without prejudice to our safeguard duties, utilize Deepshi in a secure fashion, including by (i) protecting your account verification credentials; (ii) guaranteeing the safeguard of systems and devices employed to access Deepshi; and (iii) backing up or retaining copies of Personal Data as suitable; and,
• If you are a processor of Personal Data, (i) warrant that the pertinent controller has authorized your engagement of ELI as another processor and approved your processing directives to us; and (ii) remain accountable for any communications, notifications, assistance, and/or authorizations that may be needed in connection with the processing of Personal Data.

ELI's Responsibilities

We shall adhere to our duties under Applicable Data Protection Laws in our capacity as a processor and notify you if we cannot or can no longer fulfill such duties. As a processor, we consent to:

• Process Personal Data exclusively in accordance with your lawful and documented processing directives, where such directives are consistent with the terms of the Terms;
• Notify you if, in our reasonable judgment, your processing directives infringe Applicable Data Protection Laws;
• If Personal Data is subject to U.S. Privacy Laws, not (i) “sell” or “share” Customer Personal Data (as defined by the CCPA or equivalent notions under U.S. Privacy Laws); (ii) retain, utilize, disclose, or otherwise process Personal Data outside of our direct business relationship; or (iii) merge Personal Data with Personal Data collected or received from or on behalf of any third party; except to the degree necessary to furnish Deepshi; and,
• If you permit or direct us to process Personal Data in a deidentified, anonymized, and/or aggregated form, (i) adopt reasonable measures to prevent such information from being used to infer information about, or otherwise being linked to, a particular data subject; (ii) not attempt to reidentify such information except to ascertain that the information has been effectively deidentified in accordance with Applicable Data Protection Laws; and (iii) contractually obligate any recipients of such information to adhere to the requirements of this provision.

For California Residents

Pursuant to the California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.) (“CIPA”), by accessing or using the Service, you expressly consent to the monitoring, recording, interception, storage, and analysis of your communications, inputs, and interactions with Deepshi, including but not limited to text, or data transmissions, as described in these Terms and for the purposes outlined herein, such as providing, improving, and securing the Service. This consent applies to any third-party processors engaged by us and may be revoked by ceasing use of the Service and contacting us at privacy@deepshi.ai. We do not intercept communications for unlawful purposes.

No Assessment of Compliance

Notwithstanding the foregoing, ELI is not responsible for monitoring your compliance with applicable laws or determining if your processing directives are compliant with applicable laws. Furthermore, we have no duty to evaluate Personal Data in order to identify information that is subject to specific legal requirements.

Appointment of Subprocessors

You consent and provide a general written authorization that ELI may engage Subprocessors to process Personal Data. ELI's list of general Subprocessors is available upon request by emailing privacy@deepshi.ai. ELI shall (a) enter into a written agreement with each Subprocessor containing data protection duties that are substantially the same as those in these provisions; and (b) remain liable for any acts or omissions of our Subprocessors that cause us to breach our duties under these provisions.

Changes to Subprocessors

ELI will notify you if we add or replace Subprocessors at least fifteen (15) days before such changes take effect. You may object on reasonable grounds relating to data protection to our engagement of any new or replacement Subprocessor by informing us in writing within fifteen (15) days after receiving notice. Such notice shall explain the reasonable grounds for the objection. The parties shall discuss the objections in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, ELI will, at its sole discretion, either not appoint the Subprocessor or permit you to terminate the affected part of Deepshi in accordance with the termination provisions under the Terms without liability to either party (but without prejudice to any fees incurred by you prior to such termination). This termination right is your sole and exclusive remedy if you object to any new or replacement Subprocessor. If you do not exercise your right to object in the terms defined above, your silence shall be deemed to constitute an approval of such engagement.

Confidentiality

We ensure that any persons authorized to process Personal Data are subject to a duty of confidentiality.

Government Requests

We do not intend to disclose Personal Data to any law enforcement agency or government authority (collectively, “Government Authority”) unless instructed by you or as necessary to comply with applicable laws or a valid and binding order of a Government Authority, such as a subpoena or court order. If we are legally compelled to respond to a request from a Government Authority, we shall review the legality of the request and determine whether the request may be challenged. In any event, we shall only disclose the minimum information required to comply with the request.

Security Measures

We implement and maintain reasonable commercially available technical and organizational measures, as appropriate to the processing of Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Personal Data and protect against Security Incidents, as further described in the relevant appendix (“Security Measures”). We may update or modify the Security Measures from time to time provided that such updates and modifications do not decrease the overall security of Deepshi.

Audits and Security Certifications

Upon written request, and subject to reasonable notice and confidentiality agreements, we will provide access to documentation that adequately demonstrates our compliance with these provisions, including copies of certifications, audit reports, and/or other relevant documentation. At our discretion, we may instead make available a summary of the results of third-party certifications and/or audits relevant to our compliance with these provisions.

Incident Notification

We will notify you without undue delay, and where feasible, no later than 48 hours, after we become aware of any Security Incident. Such notification will describe the nature of the Security Incident and include other relevant information that we are reasonably able to disclose, taking into account the nature of Deepshi, the information available to us, and any restrictions on disclosing the information (such as confidentiality). Any notification that we provide relating to Security Incidents shall not be construed as an acknowledgement by ELI of any fault or liability.

Any notification required under this Section is meant to satisfy the requirements under Applicable Data Protection Law and include, where legally required, information that can be ascertained with reasonable commercially available technology and effort, such as: (i) a description of the Security Incident, including the number and categories of individuals affected, categories and number of records concerned, types of Personal Data affected, likely consequences of the Security Incident, and date and time of such incident; (ii) a summary of the incident that caused the Security Incident and any ongoing risks that the Security Incident poses; (iii) the name and contact information of the individual who can provide more information to you; (iv) a description of the likely consequences of the Security Incident; (v) a description of the measures proposed or taken by ELI to address the Security Incident; (vi) any other information required under Applicable Data Protection Law or reasonably requested by you. If and solely to the extent it is not possible to provide the above information at the same time, the information may be provided in phases without undue delay. In the event of a Security Incident, you have the right to control the breach notification process including, but not limited to, control over notifying any individuals, regulators, and supervisory authorities, or third parties of the Security Incident, unless Applicable Data Protection Law dictates otherwise.

International Data Transfers

You acknowledge and agree that ELI may transfer and process Personal Data outside Europe as necessary to provide Deepshi, including the United States and other countries where ELI and its Subprocessors maintain data processing operations. We shall take all such measures as are necessary to ensure such transfers are made in compliance with Applicable Data Protection Laws and these provisions.

Standard Contractual Clauses

To the extent that your transfer of Personal Data to ELI involves a Restricted Transfer, the SCCs shall be incorporated and form an integral part of these provisions as follows:

EU Transfers

In relation to Personal Data that is subject to the GDPR: (i) Module Two (Controller to Processor) or Module Three (Processor to Processor) shall apply, as applicable; (ii) in Clause 7, the optional docking clause shall apply; (iii) in Clause 9, Option 2 shall apply and the time period for prior notice of Subprocessor changes is set out in the changes to subprocessors provision; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of the Republic of Ireland; (vi) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and (vii) Annexes I and II of the SCCs shall be deemed completed with the information set out in the relevant appendices of these provisions respectively.

UK Transfers

In relation to Personal Data that is subject to the UK GDPR, the SCCs shall apply in accordance with the EU Transfers provision and as modified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of these provisions. Any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum. Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out in the relevant appendices of these provisions respectively, and Table 4 shall be deemed completed by selecting “neither party”.

Swiss Transfers

In relation to Personal Data that is subject to the Swiss FADP, the SCCs shall apply in accordance with the EU Transfers provision and the following modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the Swiss FADP and the equivalent articles or sections therein; (ii) references to “EU”, “Union” and “Member State” shall be replaced with references to “Switzerland”; (iii) the competent supervisory authority shall be the Swiss Federal Data Protection Information Commissioner; (iv) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; and (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the applicable courts of Switzerland.

Legal Effect; Term

These provisions are incorporated into the Terms. Except for the changes made by these provisions, the Terms remain unchanged and in full force and effect. These provisions supersede and replace all prior or contemporaneous representations, understandings, agreements, or communications between the parties, whether written or verbal, regarding the subject matter of these provisions. These provisions shall continue in force until the termination of the Terms and so long as ELI continues to process Personal Data on your behalf.

Limitation of Liability

The liability of each party under these provisions (including the SCCs) shall be subject to the exclusions and limitations of liability set out in the Terms. In no event do these provisions restrict or limit the rights of any data subject under Applicable Data Protection Laws.

Disclosure of these Provisions

You acknowledge that ELI may disclose these provisions and any relevant privacy provisions of the Terms to a supervisory authority or other judicial or regulatory body upon request.

Changes to these Provisions

We may, in our sole discretion, modify or update these provisions from time to time: such modifications or updates shall not decrease the level of data protection provided under these provisions. When we change these provisions in a material manner, we will update the ‘effective’ date at the top of this page and notify you that material changes have been made to these provisions. Your continued use of Deepshi after any change to these provisions constitutes your acceptance of the new provisions. If you do not agree to any part of these provisions or to any future provisions, do not access or use (or continue to access or use) Deepshi.

Governing Law

These provisions shall be governed by and construed in accordance with Delaware law, unless otherwise required by these provisions or Applicable Data Protection Laws.

(A) List of parties

Data Exporter:

• Name: The data exporter is the entity identified as you in the applicable registration documents for Deepshi.
• Address: The data exporter's address is set out in the applicable registration documents for Deepshi.
• Contact person: The data exporter's contact information is set out in the applicable registration documents for Deepshi.
• Activities: Processing activities in receiving Deepshi as set out in the Terms.
• Role: Controller / Processor

Data Importer:

• Name: Evermind Labs, Inc.
• Contact: Head of Legal, Deepshi privacy@deepshi.ai
• Activities: Processing activities in providing Deepshi as set out in the Terms.
• Role: Processor

(B) Description of the transfer

• Categories of data subjects: End users of your products, services, or applications that access Deepshi and whose information is provided to ELI through Deepshi.
• Categories of personal data: The information processed through Deepshi is determined and controlled by you in your sole discretion. Such information may include Personal Data incidentally included within Inputs and Outputs.
• Sensitive data: The information processed through Deepshi is determined and controlled by you in your sole discretion. Subject to any applicable restrictions and/or conditions in the Terms, such information may include sensitive data incidentally included within Inputs and Outputs, such as Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, or data relating to criminal offenses or convictions. See the security appendix for applied restrictions and safeguards for sensitive data.
• Frequency of the transfer: Continuous
• Nature of the processing: Collection, storage, organization, modification, retrieval, disclosure, communication, and other processing in performance of Deepshi as set out in the Terms.
• Purpose(s): Processing activities in performance of Deepshi pursuant to the Terms.
• Retention period: In accordance with the deletion of Personal Data provision of these provisions.
• For transfers to (sub-) processors: Performance of Deepshi pursuant to the Terms.

(C) Competent supervisory authority

For the purposes of the SCCs, the competent supervisory authority shall be determined in accordance with the GDPR.

Pseudonymisation and encryption

All User Content is de-identified using per customer hashed identifiers, and encrypted at rest and in transit, using industry standard encryption (AES-256 encryption for data at rest and TLS 1.3 for data in transit).

Ongoing confidentiality, integrity, availability and resilience

Access to User Content is restricted to authorized personnel only, and all personnel with access are subject to confidentiality agreements. Background checks are performed (where legally permissible) of employees with access to User Content. Employees are subject to annual security training. Access to User Content and any identifying information is further restricted through the use of hash based pseudonymisation. Technical controls are in place to restrict access to data and systems based on job functions and authority levels (e.g., in accordance with “least privilege” and “need-to-know” principles, use of unique identities for each user, enforcement of password complexity requirements, revocation of access upon termination or change in job function). Regular reviews of user access rights are performed to identify and remove invalid or inactive users and accounts. User Content is continuously backed up, and access controls are implemented to prevent unauthorized modification or access. Regular data integrity checks are performed to ensure the accuracy and completeness of the data. As an additional measure, User Content is versioned and encrypted such that it is possible to revert to a previous state, while verifying integrity. Excessive authentication failures will result in account lockout requiring administrator reset. Redundant systems and data centers are used to ensure high availability, and regular testing and maintenance is performed to prevent system failures. Disaster recovery / business continuity plans are in place to ensure prompt recovery in the event of an emergency situation or disaster. Regular security assessments and penetration testing is performed to identify and address vulnerabilities. Regular training and awareness programs are conducted for personnel to ensure they are aware of security best practices and threats. Regular monitoring and review of the processing systems and services is performed to ensure compliance with these provisions and Applicable Data Protection Laws. Any identified issues are promptly addressed and remediated by the Security Incident Response Team.

Availability and access restoration

User Content is backed up continuously with verifiable hashes allowing for verification of backup integrity. Multiple geographic zones are in place to ensure service availability is not impacted by a single point of failure. Incident management procedures, as well as business continuity and disaster recovery plans, are in place. User Content is versioned and encrypted such that it is possible to revert to a previous state, while verifying integrity.

Testing and evaluation of measures

Technical: Product Security, Enterprise Security and Infrastructure security reviews are performed on a continuous basis. Penetration testing is conducted by a third-party on a yearly basis to ensure the robustness of the organization's security controls. Organizational: Yearly disaster recovery and business continuity testing is performed to assess the resilience of our systems. Security awareness training is conducted yearly for all employees, and Secure Development & Data Handling training is provided to employees with access to User Content. All employees must complete an assessment following completion of the training.

User identification and authorization

Access to the platform is restricted by authentication and authorization policies, implemented within our software stack. Identification is performed by verifying the email and domain of the party accessing the platform. After the party is identified authorization checks are performed to determine the level of access and workspaces which the party has access to. Workspace administrators (customers) are able to authorize additional parties as they see fit.

Protection of data during transmission

Before data can be transmitted, authentication and authorization take place in order to verify data access rights. Following authorization, a per customer decryption key is used to retrieve the required data, and it is transmitted over a TLS 1.3 encrypted channel.

Protection of data during storage

All User Content is stored at rest and subject to strict access control. Access to areas housing User Content are limited to services necessary to process the data and to employees with the need to know. Detailed Logging and Monitoring is applied to User Content stores, and alerting is in place to immediately notify the Security Incident Response team of anomalous access. User Content at rest is encrypted with per customer AES-256 keys. These keys are only handled by machine-based services, and not made available to any employees.

Physical security

All ELI facilities are subject to strong physical access requirements. These include restricted entry, controlled ingress, identification of personnel, video surveillance of common areas, and 24/7 physical security monitoring.

Events logging

User Content access is monitored at multiple points throughout its lifecycle, and centralized in a Security Information and Event Monitoring system. Storage buckets containing data are monitored continuously in real-time through immutable monitoring controls.

System configuration

Immutable design principles are in place to ensure that all systems are built in an approved, change-controlled manner. System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. A Change Management Policy has been implemented. After systems are deployed, access is restricted such that the integrity of the system infrastructure is not negatively implemented. If any integrity or security issues are discovered the system can safely be rolled back to a previous state.

IT security governance

ELI has in place a written information security policy, including supporting documentation. ELI has a team dedicated to information security, led by the Head of Security. ELI has adopted the NIST 800-171 Rev.3 framework as a baseline for our internal security standards.

Data minimization

Only the information necessary to provide services is collected during your use of Deepshi systems, and all User Content is accessed in a de-identified manner. Additionally, data masking is utilized across all systems to ensure User Content is not accessed using sensitive identifiers.

Data quality

Conducting stress tests of the Deepshi production system that is equivalent to ten (10) times the expected user base. The purpose of the test is to simulate concurrent access to Deepshi in order to improve site stability and confirm that the current production system can support the intended target user base.

Limited data retention

Our data retention period is at our customer's discretion as it regards their user data, subject to legal requirements. Customers are able to delete their data at will. Following a data deletion request, our systems automatically delete all login data, prompt/response pairs, and billing information stored within our systems typically within 30 days.

Accountability

ELI has established enterprise support and Information Security functions, with established direct lines of contact. ELI's security team is reachable via email at security@deepshi.ai.