Contracting Entity: Prefixbox Zrt., a company incorporated in Hungary (registered office: 1132 Budapest, Visegrádi utca 31.; company number: 01-10-142754).

These Terms of Service ("Terms", "Agreement") govern access to and use of the Prefixbox AI Services (the "Services") . By signing a contract, or an order form (each, a "Contract") enabling the Services, or otherwise using them, the customer ("Customer") accepts these Terms.

The Services provide AI-assisted chat/agent capabilities (e.g., support automation, product Q&A) delivered and operated by Prefixbox. Features evolve over time; material changes will be communicated via email.

Customer must keep credentials secure and ensure only Authorised Users access the Services. People (end users) may interact with AI features only through Customer's own properties or channels; such interactions do not grant them direct access to the Services. Prefixbox may throttle or suspend where usage materially exceeds fair or contracted limits or threatens platform stability or security, and will notify Customer without undue delay.

Customer (i) shall not, (ii) shall ensure that Authorised Users do not, and (iii) shall make commercially reasonable efforts to prevent People from:

1. use the Services to violate law, infringe IP, or process illegal, harmful, or abusive content;
2. submit Sensitive Personal Information, e.g. payment card data, IDs, or special categories of personal data (e.g., health, biometric, political opinions) unless expressly covered by a written addendum;
3. probe, interfere with, or reverse-engineer any model or security;
4. bypass usage limits or attribution requirements;
5. use Outputs to train competing models without permission.

Prefixbox may suspend the Services for Acceptable use breaches.

Flow-down & safeguards. Customer will flow these Acceptable Use obligations down into its end-user terms and if necessary, deploy reasonable technical and organisational measures to prevent prohibited submissions.

Certain features may allow integrations with Customer's tools or messaging channels. Customer is responsible for those accounts and their terms. Prefixbox is not responsible for third-party networks or APIs.

1. Nature of AI. Outputs are probabilistic, may be inaccurate, incomplete, or out-of-date, and can vary on each run. Human review is recommended for high-risk use cases.
2. No Professional Advice. Outputs are not legal, medical, financial, or other professional advice.
3. Training Use. Customer Content is not used to train Foundation Models (LLMs).
4. Non-Exclusivity of Outputs. Similar prompts may yield similar outputs for different users; no representation that outputs are unique.
5. Customer Responsibilities. Customer is solely responsible for (i) the accuracy and legality of Inputs; (ii) reviewing Outputs before production use; and (iii) providing end-user disclosures appropriate to Customer's use case (see §10 and Privacy Policy).
6. Age Limits. The Services are not intended for children.
7. Processing by Prefixbox / LLM Vendors. When AI features are used, Prefixbox (and any third-party LLM vendors it engages) act as processor or sub-processor of personal data in Input and other Customer Content.
8. Locations & Transfers. Personal data for AI features is processed primarily within the European Union. Where processing occurs outside the European Union, appropriate safeguards are implemented in accordance with applicable data protection law.
9. Inputs and Outputs. Inputs (e.g., prompts, conversation data) and Outputs (model-generated results) are Customer Content under this Agreement. Customer will only submit Input and use Output where it has the authority and lawful basis to do so.
10. Transparency to End Users. Customer will ensure end users are informed they are interacting with an AI system, AI-generated content is clearly identified, and such content is not misrepresented as human-generated.
11. Template notice. Prefixbox provides a general template in Annex on End-User AI Assistant Terms. These terms are provided solely as a convenience "as is" and does not constitute legal advice. Prefixbox Zrt. disclaims any responsibility for the template or its use. Customer is solely responsible for its own end-user terms and compliance and should obtain legal counsel.

Fees, usage tiers, renewal terms, and payment schedules are set out in the Contract. Fees are exclusive of taxes; Customer is responsible for applicable taxes and withholdings unless the Contract states otherwise.

1. Roles: For personal data within Customer Content, Customer is controller; Prefixbox is processor providing infrastructure and AI capabilities.
2. Security: Prefixbox maintains appropriate technical and organisational measures (encryption in transit/at rest, RBAC, audit logging, incident response).
3. End-User Transparency: Customer will present clear privacy notices and, where required, obtain consents (e.g., or cookies).
4. Further details are available in the Privacy Policy and the Data Processing Addendum (Annex B) to these Terms.

If the Contract includes confidentiality terms, those govern. Otherwise: each party will protect the other's Confidential Information with reasonable care, use it only to perform under this Agreement, and disclose it only to personnel and sub-processors under binding confidentiality obligations.

• Mutual: each party warrants it has the legal power to enter into this Agreement.
• Prefixbox: provides the Services "as is" and disclaims all implied warranties (merchantability, fitness, non-infringement). No guarantee that Outputs or third-party integrations are error-free or uninterrupted. AI-related disclaimers in §7 apply.

• Customer will indemnify Prefixbox and its sub-processors (including Prefixbox) against third-party claims arising from (i) Customer Content; (ii) use in breach of §5; or (iii) Customer's systems or Third-Party Platforms.
• Prefixbox will defend and indemnify Customer against third-party claims that the Services, when used as authorized, infringes IP, and will pay finally awarded (or settled) damages and costs. Customer must give prompt written notice, grant Prefixbox exclusive control of defense/settlement, and provide reasonable cooperation. No indemnity for claims caused by modifications not made by Prefixbox, combinations with items not provided by Prefixbox, unauthorized use, Customer Data or third-party components, features common to similar products, Third-Party Messaging Apps, or Customer settlements/admissions without Prefixbox's prior written consent. Prefixbox may procure continued use, modify/replace the Services with substantially equivalent functionality, or terminate the affected Services with a pro-rata refund by Prefixbox.

If the Contract sets liability caps/exclusions, those govern. Otherwise: to the maximum extent permitted by law: (a) neither party is liable for indirect or consequential damages (lost profits, business, data, goodwill); and (b) each party's aggregate liability in a 12-month period is capped at the amounts paid by Customer to Prefixbox for the Services giving rise to the claim in that period. These limits do not apply to unpaid fees.

This Data Processing Addendum ("DPA") forms part of the Contract between Prefixbox Zrt. ("Prefixbox") and the Customer and applies where Prefixbox processes Personal Data on behalf of Customer in connection with the Services.

This DPA sets out the parties' rights and obligations with respect to such processing in accordance with applicable data protection law, including Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

Unless otherwise defined in this DPA, capitalized terms shall have the meanings given in the Terms of Service.

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Regulation (EU) 2016/679 (General Data Protection Regulation) and any applicable national implementing laws.
• "Controller", "Processor", "Data Subject", and "Supervisory Authority" shall have the meanings given to them under the GDPR.

1.1 Controller and Processor

For the purposes of this DPA, Customer acts as controller and Prefixbox acts as processor with respect to Personal Data contained in Customer Content and other Personal Data processed on Customer's behalf in connection with the Services.

1.2 Subject Matter

The subject matter of the processing under this DPA is the provision of the Services, including AI chat and agent functionality, contextual response generation, webpage content processing, integrations, and related administrative and support activities.

1.3 Duration

This DPA applies for the duration of the Contract and for any additional period during which Prefixbox processes Personal Data on behalf of Customer in accordance with the Contract.

1.4 Nature of Processing

Processing activities may include collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, transmission, restriction, erasure or destruction of Personal Data, as necessary to provide the Services.

1.5 No Independent Use

Prefixbox shall process Personal Data solely on documented instructions from Customer, as set out in the Contract, and shall not determine the purposes or means of processing independently.

2.1 Subject Matter and Purpose of Processing

Prefixbox processes Personal Data solely for the purpose of providing the Services to Customer, including:

1. AI chat and agent functionality;
2. contextual response generation based on webpage content;
3. retrieval and processing of webpage content where enabled by Customer;
4. integration with Customer-configured systems;
5. service performance monitoring (including latency measurement and error logging);
6. security monitoring, abuse prevention, and incident response; and
7. provision of technical and customer support.

2.2 Categories of Personal Data

Depending on Customer's configuration and use of the Services, Personal Data processed may include:

1. messages, prompts, and other Input submitted by users;
2. AI-generated Output;
3. files or structured data uploaded by Customer;
4. identifiers voluntarily provided within chat sessions;
5. URL information relating to webpages viewed where contextual functionality is enabled;
6. chat session identifiers, timestamps, request identifiers, and related operational metadata;
7. information relating to whether recommended product links were clicked; and
8. administrator account information (such as name, work email, authentication and role data).

2.3 Categories of Data Subjects

Data subjects may include:

1. Customer's employees and contractors;
2. administrators and authorised users of the Services;
3. People (end users of Customer's websites, applications, or services); and
4. visitors interacting with AI-enabled functionality on Customer's properties.

2.4 Special Categories of Data

The Services are not intended for the processing of Sensitive Personal Information (as defined in the Terms of Service), unless expressly agreed in writing and appropriate safeguards are implemented.

2.5 Nature of Processing Operations

Processing may include collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, transmission, restriction, erasure, or destruction of Personal Data, as necessary to provide the Services in accordance with the Contract.

3.1 Processing on Documented Instructions

Prefixbox shall process Personal Data only on documented instructions from Customer, as set out in the Contract, this DPA, and any documented configuration or use of the Services by Customer.

If Prefixbox believes that an instruction infringes applicable data protection law, it shall inform Customer without undue delay.

3.2 Confidentiality

Prefixbox shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security of Processing

Prefixbox shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.

Such measures include, among others, encryption of data in transit and at rest, role-based access controls, logging and monitoring, and documented incident response procedures.

3.4 Subprocessors

Customer provides general authorisation for Prefixbox to engage subprocessors to support the provision of the Services.

Prefixbox shall ensure that any subprocessor is subject to data protection obligations substantially equivalent to those set out in this DPA.

Prefixbox remains responsible for the performance of its subprocessors in accordance with applicable data protection law and this DPA.

3.5 Assistance with Data Subject Requests

Taking into account the nature of the processing, Prefixbox shall assist Customer, by appropriate technical and organisational measures, insofar as reasonably possible, in fulfilling Customer's obligation to respond to requests for exercising data subject rights.

3.6 Assistance with Impact Assessments

Taking into account the nature of the processing and the information available to Prefixbox, Prefixbox shall provide reasonable assistance to Customer in connection with data protection impact assessments and prior consultations with supervisory authorities where required under applicable data protection law. Such assistance shall be provided to the extent reasonably necessary and, unless otherwise agreed, at Customer's reasonable expense.

3.7 Personal Data Breaches

Prefixbox shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

Such notification shall include available information necessary for Customer to meet its obligations under applicable data protection law.

3.8 Demonstration of Compliance

Prefixbox shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality obligations, and without undue disruption to Prefixbox's operations.

4.1 Processing Location

Personal Data processed under this DPA is processed primarily within the European Union, including Microsoft Azure regions located in Sweden and West Europe.

4.2 International Transfers

To the extent that Personal Data is transferred outside the European Economic Area, such transfers shall be subject to appropriate safeguards in accordance with Article 46 GDPR.

Where required, the European Commission's Standard Contractual Clauses (SCCs) are hereby incorporated by reference and shall apply to such transfers.

4.3 Subprocessors

Prefixbox engages subprocessors to provide specific components of the Services. The current list of subprocessors is set out in Annex II to this DPA.

4.4 Subprocessor Changes

Prefixbox may engage additional subprocessors from time to time to support the provision of the Services.

Prefixbox will update Annex II and, where the change is material, provide prior notice to Customer (for example, via the Admin Portal or email).

Prefixbox remains responsible for the performance of its subprocessors in accordance with this DPA.

4.5 Government Access Requests

If Prefixbox receives a legally binding request from a public authority for disclosure of Personal Data processed under this DPA, Prefixbox shall, to the extent legally permitted, notify Customer without undue delay before responding to such request. Where notification is legally prohibited, Prefixbox shall use reasonable efforts to challenge or limit the scope of such request, where appropriate.

5.1 Liability

The liability of the parties arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service or the applicable Contract, unless otherwise required by mandatory applicable law.

5.2 Order of Precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

5.3 Incorporation

This DPA forms an integral part of the Contract and shall automatically apply to the extent that Prefixbox processes Personal Data on behalf of Customer in connection with the Services.

6.1 Retention Period

Personal Data processed under this DPA shall be retained in live systems for up to 12 months from creation, unless a shorter period is agreed in the applicable Contract.

6.2 Operational Logs

Operational and security logs (including latency measurements and error codes) are retained for up to 30 days.

6.3 Backups

Encrypted backups are maintained within Microsoft Azure infrastructure with a rolling retention period of up to 7 days. Backup data is automatically overwritten in the normal course of operations and is not separately accessed except for disaster recovery purposes.

6.4 Deletion upon Termination

Upon termination or expiry of the Contract, Personal Data shall be deleted from live systems within 30 days, unless otherwise agreed in writing or required by applicable law.

Residual data contained in system backups shall be overwritten in accordance with the standard backup retention cycle.

The following annexes form an integral part of this DPA:

• Annex I — Technical and Organisational Measures
• Annex II — Subprocessors

Prefixbox implements appropriate technical and organisational measures designed to protect Personal Data processed under this DPA, including:

1. Encryption

• Encryption of data in transit using industry-standard TLS protocols.
• Encryption of data at rest within Microsoft Azure infrastructure.

2. Access Controls

• Role-based access control (RBAC).
• Least-privilege access model.
• Administrative access restricted to authorised personnel.
• Access to chat session data by Prefixbox personnel is limited to support, troubleshooting, and security purposes and requires appropriate authorisation.

3. Pseudonymisation and Data Minimisation

• User display names within chat sessions are system-generated pseudonyms by default.
• Prefixbox does not require or enforce the collection of real names for end users.
• IP addresses are not stored or logged.
• Token counts are not stored or retained.

4. Infrastructure Security

• Hosting within Microsoft Azure data centers located primarily in the European Union.
• Environment segregation and access isolation.

5. Monitoring and Logging

• Centralised logging and monitoring of system activity.
• Recording of operational metrics such as latency and error codes.
• Chat content access is restricted and logged where applicable.

6. Backup and Recovery

• Encrypted backups with rolling retention of up to 7 days.
• Disaster recovery procedures.

7. Incident Management

• Documented incident response procedures.
• Internal escalation processes for security events.

8. Personnel Security

• Confidentiality obligations for authorised personnel.
• Access limited to personnel with a legitimate business need.