Master Terms of Service

1.1.

“Activation Support” means onboarding, implementation support, enhanced technical assistance, integration assistance, specialized consulting, custom development, training, and advanced technical services provided by Corti to help Customer deploy, configure, and optimize the Platform. Additional Activation Support may be purchased using API Credits as specified in an Order Form or through the Platform console and are billed based on the scope of work set forth in the applicable Statement of Work or service description. For Order Forms structured with a Pricing Envelope under Section 1.5, API Credits committed under the Pricing Envelope may be used for both Platform Services consumption and Activation Support services, unless otherwise specified in the Order Form.

1.2.

"Administrator" means one or more individuals who are employees of the Customer, having responsibility for the administration of the Platform on the Customer's side.

1.3.

“Affiliate” means an entity that controls, is controlled by, or is under common control with another entity.

1.4.

“API” means the application programming interfaces made available by Corti as part of the Platform, which allow Customer’s systems, applications, or services to communicate and interact with the Platform.

1.5.

“API Credits or Credits”  means the metered units of consumption, with 1 API Credit being equal to one U.S. dollar (USD $1.00) worth of tokenized API consumption, that is allocated to Customer for use of the Platform Services and Activation Support.  API Credits are fungible and may be used for any Corti Service, including Platform Services (model inference, API calls, data processing) and Activation Support (implementation assistance, training, consulting), unless otherwise specified in an Order Form.  For Enterprise Order Form Customers, API Credits may be structured as a"Pricing Envelope" a committed annual quantity of Credits that serves as both a spending floor (minimum commitment) and a consumption ceiling (maximum consumption without additional authorization), with pricing and any applicable credit-to-user conversion rates locked for the full term of the Order Form.  Volume-based discount tiers may apply based on annual commitment levels, as specified in the applicable Order Form. Corti will calculate API Credit usage based on its system logs and metering infrastructure, which shall serve as the authoritative record for billing purposes.  Credit consumption rates and pricing are set forth in the applicable Order Form for Enterprise Orders or, for pay-as-you-go services, in Corti’s then-current pricing published on the Platform.  

1.6.

“API Rate Limits” means the maximum number of API requests, volume of data processed, or computational resources that Customer may consume within a specified time period, as defined in the applicable Order Form, the Documentation, or Corti’s then-current usage or service policies. API Rate Limits may vary by commitment tier or API and may be adjusted by Corti to maintain Platform stability, provided that any material reductions will be communicated in advance.

1.7.

"Authorized User” means employees or computerized system of Customer or its Affiliates (or other individuals or customers of the Customer solely to the extent explicitly permitted in an Order Form) selected by Customer to access and use the Corti Services and Platform.

1.8.

“Beta Service” means any feature of the Corti Platform that is clearly designated as “beta”, “experimental”, “preview” or similar, that is provided prior to general commercial release, and that Corti, at its sole discretion, offers to Customer, and Customer at its sole discretion elects to use.

1.9.

“Business Days” means Monday through Friday, excluding public holidays observed in the jurisdiction of the Corti contracting entity as identified in the Background section of this Agreement. For purposes of calculating time periods expressed in business days, only Business Days shall be counted.

1.10.

“Corti IP Rights” means copyrights, designs, patents, trademark rights, domain names, and any other proprietary intellectual property rights and know-how to the Platform, including the software, any Enhancements, and the Documentation.

1.11.

“Corti Products” means software applications developed, owned, and operated by Corti that are built on the Platform Infrastructure and offered to customers as distinct products with their own regulatory status and intended use, including without limitation Corti Assistant. Corti Products may be offered as standalone services or via API integration with Customer’s systems. Specific Corti Products shall be available through Order Form only, and may be subject to additional terms, obligations, and restrictions set forth in product-specific sections of this Agreement, which shall supplement and, where expressly stated, modify the general provisions of this Agreement.

1.12.

“Corti Services” means the (a) “Platform Services”, which include hosting and operating the Platform, providing API access, executing AI model inference and processing requests, generating Output, and related technical services necessary to deliver the Platform functionality; (b) “Support Services”, (c) "Activation Support"; and (d) "Corti Products" (as defined in Section 1.  11), to the extent ordered by Customer under an applicable Order Form. For clarity, “Platform Services” refers specifically to the hosted AI platform and API capabilities, while “Corti Services” is the collective term encompassing Platform Services, Support Services, Activation Support, and any Corti Products ordered by Customer.  References to “Platform Services” throughout this Agreement refer to the services described in subsection (a) above.

1.13.

“Customer” means the person or entity seeking to use the Platform pursuant to these Terms.

1.14.

“Customer Data” means any data, content, or information (including Personal Information) that (a) Customer or its Authorized Users submit to or transmit through the Platform in connection with use of the Corti Services (including API requests, audio files, text inputs, and configuration data); or (b) data generated by the Platform solely for Customer’s use and contains or is derived directly from Customer’s submitted content (such as intermediate processing results or enriched datasets created for Customer); for clarity, Customer Data includes all inputs and outputs associated with Customer's accounts except for Usage Data as defined herein.

1.15.

“Data Processing Agreement” or “DPA” means the applicable data processing, data protection, or privacy agreement governing Corti’s processing of Personal Information under applicable law, which may include: (a) for the European Economic Area, United Kingdom, or Switzerland :where the Customer is the data controller or the data processor: the Corti Data Processing Agreement available here; (b) for the United States States: (i) where the Customer is a HIPAA Covered Entity: the Business Associate Agreement (“BAA”) available here, under which Corti acts as a Business Associate; or (ii) where the Customer is a HIPAA Business Associate: the Subcontractor Business Associate Agreement (“Subcontractor BAA”) available here, under which Corti acts as a Subcontractor Business Associate; or (c) for other jurisdictions: equivalent data protection addenda as required by applicable law. In most PHI engagements, Corti’s default position is as a Subcontractor Business Associate, consistent with its role as a sub-processor under the DPA for GDPR purposes. If the parties have executed a separate PA, BAA,  or Subcontractor BAA, that executed version shall apply.  Otherwise, the Corti standard agreement for the applicable jurisdiction is incorporated into this Agreement by reference.  For purposes of this Agreement, references to “BAA” include the Subcontractor BAA where applicable, and references to “DPA” include the BAA or Subcontractor BAA where applicable.

1.16.

“Documentation” means any user guidelines, tutorials, manuals, or other documentation that may be provided by Corti from time to time regarding the Platform and which are available here.

1.17.

“Effective Date” is the date upon which Customer accepts these Terms.

1.18.

“Enhancements” means updates, upgrades, modifications, improvements, developments, new features, or other enhancements related to the Platform.

1.19.

“Excluded Claims” means claims arising from (a) personal injury or death caused by the gross negligence or wilful misconduct of a party, its employees or agents; (b) fraud or fraudulent misrepresentation; (c) any other liability that cannot be excluded or limited as a matter of applicable law; and (d) Losses attributable to the third party IP indemnity in section 7.1.1 (subject to at all times to section 7.1.2).

1.20.

“Monthly Subscription” means a recurring monthly subscription package for a fixed allotment of API Credits at a specified monthly fee, as offered through the Platform console or in an Order Form. Monthly Subscriptions are billed monthly in advance on a take-or-pay basis and are non-cancellable during the monthly term. Unused API Credits from a Monthly Subscription remain valid and carry forward to subsequent months within the twelve (12) month period from the date of purchase (the “Credit Validity Period”), as set forth in Section 3.7.

1.21.

"Order" means a request for Corti Services made through an executed Order Form, referencing this Agreement. Orders typically apply to annual commitments, volume usage, or custom arrangements and may include negotiated pricing, SLAs, or other customized terms. In the event of any conflict between this Agreement and an Order, the Order Form will prevail only with respect to the specific terms described therein.

1.22.

“Order Form” means the written or electronic document that serves as the vehicle for Orders and becomes binding when executed by both parties.  Each Order Form sets out the commercial details of the Order, including the description of Corti Services, fees, usage limits, term, any special conditions, and references to applicable Statements of Work.  For clarity, Monthly Subscriptions and PAYG Wallet purchases do not require Order Forms and are instead initiated through Transactions as defined in Section 1.36.

1.23.

"Order Form Customers” means customers who have entered into a contractual agreement with Corti by executing an Order Form for annual commitments or custom arrangements.

1.24.

"Output" means any results, responses, analyses, transcriptions, summaries, recommendations, or other content generated by the Platform in response to Customer Data or other inputs provided by or on behalf of Customer. Output is generated content derived from processing Customer Data or Customer input through the Platform, but does not include Usage Data

1.25.

“Pay-As-You-Go Wallet” or “PAYG Wallet” means a prepaid credit balance that Customer may load into their Platform account and draw down based on actual usage of Corti Services. PAYG Wallet credits are purchased in advance and consumed as Customer uses the Platform, with billing occurring when Customer replenishes the wallet balance.

1.26.

“PAYG Wallet Customers” are customers who purchase and use Corti Services through a prepaid wallet balance on the Platform, as distinct from Monthly Subscription Customers or Enterprise Customers.

1.27.

“Personal Information” means any information submitted by or on behalf of Customer to the Platform relating to an identified or an identifiable natural person.

1.28.

“Platform Infrastructure” means Corti’s general-purpose artificial intelligence infrastructure, including foundation models, APIs, SDKs, developer tools, and related technical services, that enables customers to build, deploy, and operate their own applications, products, or services. Platform Infrastructure is designed as upstream AI infrastructure and is not itself a medical device or regulated AI system for any specific use case. Products, applications, or services developed by Customer or third parties using Platform Infrastructure may be subject to separate regulatory requirements, compliance obligations, and liability frameworks for which such Customer or third parties, and not Corti, are solely responsible unless otherwise expressly agreed in writing.

1.29.

"Platform Services" means the hosted AI platform capabilities, API access, model inference, data processing, and related technical services provided by Corti to deliver the Platform functionality. All Platform Services, pricing, API specifications, and service descriptions are maintained at docs.corti.ai, with detailed technical documentation, integration guides, and current pricing information available through Corti's online documentation portal. Individual Order Forms will reference specific Platform Services selected by Customer.

1.30.

“Service Disruption” means any unplanned interruption, degradation, or unavailability of the Platform Services that materially impairs Customer’s ability to access or use the APIs, excluding disruptions caused by Customer’s infrastructure, internet connectivity, or third-party services not controlled by Corti.

1.31.

“SLA” means the Service Level Agreement that describes the service performance standards and support levels applicable to the Corti Services. If the parties have executed a separate Service Level Agreement, that executed version shall apply. Otherwise, the Corti standard Service Level Agreement available here is incorporated into this Agreement by reference.

1.32.

“SOW” means a Statement of Work, which is a document executed by both parties that describes specific professional services, deliverables, timelines, and any associated fees or responsibilities to be performed under this Agreement. Each SoW will reference this Agreement, form an integral part of each Order Form, as part of the Enterprise Order.

1.33.

“Support Services” means the software support operated and made available by Corti as further described in the SLA.

1.34.

“System” means any application, computing or storage device, or network.

1.35.

“Third-Party Sites” means any websites, platforms, applications, or other software or materials owned and operated by third parties.

1.36.

“Transaction” means any self-service purchase, subscription, activation, or usage event initiated by Customer through the Platform console, developer portal, or API interface, including PAYG Wallet credit purchases, Monthly Subscription, Activations Support or trial registrations.  Transactions are completed through electronic acceptance mechanisms within the Platform, including clickthrough acceptance, electronic signature, or confirmation buttons.  Receipt of a Transaction confirmation email or display of a confirmation screen within the Platform constitutes Customer’s acceptance of this Agreement and the applicable usage and billing terms published on the Platform at the time of the Transaction.  For clarity, Transactions do not include Enterprise Orders, which are separate bilateral agreements executed via Order Forms signed by or otherwise accepted on behalf of both parties, and Transactions do not include access to or use of Corti Products, which require an executed Order Form in accordance with Section 1.11.

1.37.

“Usage Data” means technical and operational data generated in connection with Customer’s use of the Platform that relates to the performance, operation, and utilization of the Corti Services. Usage Data may include API call metadata (such as timestamps, response times, error codes, and endpoint usage), technical logs, telemetry data, performance metrics, and aggregated statistical information about Platform usage patterns. Usage Data does not include Customer Data, the substantive content of inputs or outputs processed through the Platform, or any information that directly identifies Customer’s specific patients, personnel, or proprietary business information. If Usage Data initially contains or could be used to re-identify any Personal Information or Protected Health Information (PHI), Corti will either: (a) de-identify such data in accordance with applicable standards (including HIPAA de-identification standards at 45 CFR § 164.514 for PHI, or equivalent standards under other applicable laws); or (b) handle such data in accordance with the DPA or BAA, as applicable. Corti may use properly de-identified or aggregated Usage Data to operate, maintain, analyze, and improve the Platform and related technologies, and may incorporate such data into benchmarks, research, or derivative works, provided that such use does not re-identify any Customer, individual, or entity.

1.38.

“Wallet” means the Customer’s credit balance maintained by Corti, which records the amount of prepaid API Credits purchased by Customer and the deductions made based on Customer’s consumption of the Corti Services. The Wallet is an accounting mechanism only and does not create a separate account, escrow, or property interest in favour of Customer.

2.1.1.

Pay-As-You-Go (PAYG) Wallet. Customer loads prepaid API Credits into a wallet balance and credits are consumed based on actual usage. Payment occurs when Customer replenishes the wallet balance. For clarity, Corti Products are not available through the PAYG Wallet and require an executed Order Form in accordance with Section 1.11.

2.1.2.

Monthly Subscription. Customer subscribes to automatic monthly billing of a fixed fee for a predetermined allotment of API Credits. Monthly fees are automatically charged to Customer's payment method each month. For clarity, Corti Products are not available through Monthly Subscriptions and require an executed Order Form in accordance with Section 1.11.

2.1.3.

Commitments (Order Form only). Customer commits to a specified dollar amount of API Credits to be consumed within a fixed period (expressed as whole years) as specified in an Order Form. At the end of the commitment period, Corti will invoice Customer for the difference between the committed amount and actual consumption, and remaining Credits then lapse.

2.2.1.

Output is probabilistic and may be inaccurate. Output generated by the Platform (including transcripts, summaries, analyses, or recommendations) may be incomplete, inaccurate, or inappropriate for your specific use case. Customer must not rely on Output as a sole source of truth, factual information, or as a substitute for professional judgment, advice, or decision-making.

2.2.2.

Human validation is required. Customer is responsible for evaluating all Output for accuracy, completeness, and suitability before relying on it, sharing it, or incorporating it into any workflow. Where Output may influence clinical, operational, or other high-impact decisions, Customer must implement appropriate human oversight and review consistent with applicable laws, regulations, and professional standards.

2.2.3.

Restrictions on use involving individuals. Customer must not use any Output about an identified or identifiable person for any purpose that could have a legal, clinical, or material impact on that person, including making or influencing decisions about their health, medical care, insurance coverage, credit, education, housing, employment, or legal rights; provided, however, that this restriction does not apply to Customer’s use of a Corti Product that has been cleared, registered, or certified as a medical device under applicable law, where such use is (a) within the intended use described in the applicable Documentation, (b) in compliance with Sections 2.2.2, 6.5, and 6.7 (including all human oversight and validation requirements), and (c) subject to Section 6.8 or any other applicable product-specific terms. For Platform Infrastructure customers building their own clinical applications, this restriction may be modified via Order Form with appropriate risk allocation terms.

2.5.1.

General Requirements. The Customer is responsible for establishing and maintaining the technical environment required to connect to and use the API as described in the Documentation, including secure management of API Keys, network connectivity, and configuration.

2.5.2.

API Keys and Authentication The Customer is solely responsible for the security of its API Keys and authentication credentials. Customer will (a) keep such credentials confidential, (b) store API Keys securely using industry-standard secret management practices (such as encrypted vaults or key management services); (c) not embed API Keys directly in client-side code, public repositories, or unsecured configuration files; (d) implement appropriate access controls limiting which personnel and systems can access API Keys; (e) use separate API Keys for development, testing, and production environments where feasible; (f) rotate API Keys periodically in accordance with Customer’s security policies and upon termination of any personnel with access to such keys; and (g) immediately notify Corti at security@corti.ai if Customer suspects or detects any unauthorized access, disclosure, or use of API Keys. Upon notice of suspected compromise, Corti may immediately suspend the affected API Keys to prevent further unauthorized use. Corti will provide Customer with the ability to generate new API Keys through the Platform dashboard. Customer acknowledges that all API requests made using Customer’s valid API Keys will be deemed authorized by Customer and billed accordingly, regardless of whether such requests were made by Customer or by unauthorized third parties who obtained Customer’s keys. Customer will cooperate with any Corti investigation of suspected security incidents involving Customer’s API Keys.

2.5.3.

Data Responsibility. Customer is solely responsible for the accuracy, legality, and content of any data transmitted to or through the API. Customer must ensure that it has all necessary rights and authorizations to submit and process such data using the Platform. Customer will make and maintain its own backups of Customer Data.

2.5.4.

Reasonable Use instructions. Customer shall follow all reasonable use instructions and recommendations given by Corti in respect of the use of the Platform, including Corti’s published rules, policies, or guidelines, whether in the Documentation or otherwise. Customer shall cover any additional costs of Corti incurred by Customer not fulfilling its obligations as set form in the Documentation.

2.9.1.

Beta Services are not intended for use in any workflow where failure or inaccuracy could cause harm, regulatory non-compliance, or material impact. Corti makes no commitments regarding the continued availability of any Beta Service or the release of a corresponding commercial version.

2.9.2.

Customer acknowledges that Beta Services are provided “as-is” without warranties of any kind and that Corti will have no liability arising from or relating to their use. Feedback regarding Beta Services may be used by Corti for any purpose, and all resulting enhancements or derivatives will remain Corti’s exclusive property.

2.9.3.

To the extent a license to any Beta Services has been granted, such Beta Services may be discontinued at any time without notice and without any obligation to provide a commercial version.

2.9.4.

If a Beta Service transitions to general availability (“GA”), Corti will notify Customer at least thirty (30) days in advance via email and through Platform notifications. Following such transition, the service will become subject to the standard terms, warranties, SLA commitments, and pricing applicable to Platform Services. If GA pricing differs from any Beta pricing (including free Beta access), Customer may discontinue use of the service without penalty. Continued use of the service after the GA transition date constitutes acceptance of the GA terms and pricing.

2.10.1

hardware (e.g. Microphones), software, network connectivity, or infrastructure not provided or controlled by Corti;

2.10.2

third-party services, integrations, or data sources not operated by Corti;

2.10.3

Customer’s or its users’ failure to follow Corti’s Documentation, implementation guidance, or security instructions;

2.10.4

Customer’s modification or misuse of the API or SDKs;

2.10.5

Customer’s rejection of required updates or Enhancements; or

2.11.1.

Processing rights. Corti processes Customer Data solely to provide and improve the Corti Services, maintain operational security, and troubleshoot incidents in accordance with documented instructions under the DPA or BAA; Corti will not use Customer Data to train or improve models provided to other customers absent Customer’s prior, express opt‑in via the Model Training and Improvement Addendum, and, subject to and as governed by the DPA or BAA, will implement retention limits so that Customer Data stored by Corti as part of the Corti Services (excluding transient system logs and disaster‑recovery backups, which remain subject to the DPA or BAA) is deleted or irreversibly de‑identified within a commercially reasonable period after collection; for clarity, any thirty (30) day deletion timeline is an operational objective and not a service level commitment. .

2.11.2.

Backups. Corti does not serve as the system of record for Customer Data. Customer is responsible for maintaining its own persistent copies or backups of Customer Data and Output. In the event of any loss or corruption of data within Corti’s control, Corti will use commercially reasonable efforts to restore such data from its existing logs or backups, if maintained, in accordance with its standard operational procedures.

2.11.3.

Personal Information. Corti will process Personal Information strictly in accordance with Customer’s documented instructions as set out in the DPA or BAA. Any additional Customer-specific data-processing instructions may require written agreement and may result in additional charges.

3.7.1.

Credit Validity Period. All API Credits purchased (whether through PAYG Wallet, Monthly Subscription, or Enterprise Order) are valid for twelve (12) months from the date of purchase (“Credit Validity Period”), unless otherwise specified in an Order Form. Credits are consumed as Customer uses the Platform Services during the Credit Validity Period.

3.7.2.

Monthly Subscription. Monthly Subscriptions operate on a take-or-pay basis, with the payment obligation assessed at the end of each monthly billing cycle: Customer will be charged the full monthly subscription fee for each month regardless of actual usage or API Credit consumption during that monthly billing cycle. This monthly take-or-pay obligation means Customer must pay for each month’s subscription whether the allocated credits are consumed or not. Unused credits from Monthly Subscriptions remain valid and carry forward to subsequent months within the Credit Validity Period. For clarity, this monthly obligation differs from annual Enterprise Orders, where the take-or-pay obligation is assessed at the end of the 12-month term.

3.7.3.

Order Form Take-or-Pay. Order Forms with committed API Credits operate on an annual take-or-pay basis. Customer must pay for the full annual commitment whether API Credits are consumed or not, unless otherwise specified in an Order Form. Payment obligation is assessed at the end of the 12-month term, with any unused committed credits lapsing and Corti invoicing Customer for the difference between the committed amount and actual consumption.

3.7.4.

Credit Exhaustion and Service Continuity. If Customer exhausts its allocated API Credits or prepaid balance: (a) For Customers with an active Order Form: Corti will provide email notice to Customer's designated billing contact when Customer reaches 90% and 100% of allocated API Credits. Corti may continue to provide services for up to five (5) business days after API Credit exhaustion to allow Customer to purchase additional API Credits, with any such overages billed at standard rates.  For Order Forms structured with a Pricing Envelope, any additional credits purchased beyond the Pricing Envelope ceiling ("top-up credits") will be priced at the same per-credit rate as Customer's existing Pricing Envelope commitment, with no surcharges or penalties applied for such overages, and such top-up pricing shall be specified and fixed in the applicable Order Form.

3.7.5.

Credit Expiration and Renewal.  Credits that remain unused at the expiration of the Credit Validity Period will expire and become non-recoverable, except as follows: (a)  iIf Customer renews or purchases additional credits within thirty (30) days of expiration, Customer may request that Corti either: (i) extend the validity of unused credits (up to 20% of the original purchase) for an additional 90 days; or (ii) allow Customer to purchase a reduced amount of credits for the renewal to account for the unused balance; or (b) for Customers with Order Forms structured with a Pricing Envelope: unused credits from the expiring term will lapse and may not be carried forward for consumption or used to reduce the renewal commitment amount; however, if Customer renews at an annual commitment equal to or greater than the prior term's commitment, the volume of unused credits from the prior term may be added to the renewal commitment volume solely for purposes of determining discount tier eligibility under the renewed Order Form (such unused credits remain non-spendable).  If Customer renews at a lower annual commitment than the prior term, unused credits will not be considered for tier qualification purposes.. Any credits not renewed or extended as described above will expire.

3.7.6.

Service Disruption Extensions. The Credit Validity Period may be extended in the event of Service Disruptions attributable to Corti that prevented Customer from using the Platform for a cumulative period exceeding five (5) business days during the term, with extension period equal to the duration of such Service Disruptions.

3.7.7.

Activation Support. Any Activation Support will be invoiced as set out in the relevant Statement of Work or service description in the Order Form, and may be payable in API Credits or invoiced separately as specified therein.

a)

is already known to Recipient without obligation of confidentiality prior to its disclosure by Discloser;

b)

is in or enters the public domain through no wrongful act of the Recipient;

c)

is or was lawfully received by Recipient from a third party without confidentiality obligations; or

d)

can be established by written documentation to have been independently developed by Recipient without access to the Confidential Information.

5.4.1.

Output Ownership. As between the parties, and to the extent permitted by applicable law, Customer retains all rights, title, and interest in its Customer Data and in all Output generated by the Platform based on that Customer Data. If and to the extent Corti has any rights in such Output, Corti hereby assigns those rights to Customer. Notwithstanding the foregoing, Corti retains all rights, title, and interest in and to the underlying Platform, APIs, models, algorithms, software, and other technologies used to generate the Output.

6.2.1.

has implemented and will maintain commercially reasonable technical and organizational measures to prevent unauthorized access to the Platform and misuse of any API credentials; and

6.2.2.

will use the Platform and Corti Services only in compliance with all applicable laws and regulations, including those relating to healthcare, data protection, and export control.

6.5.1.

The Platform uses artificial intelligence and machine learning technologies that are probabilistic in nature. AI agents, embedded applications, and API-generated Output may produce varied, unexpected, incomplete, or inaccurate results.

6.5.2.

Model-generated Output is not a substitute for professional judgment, human review, or subject-matter expertise. Customer is solely responsible for verifying the accuracy, completeness, and appropriateness of any Output before use, particularly in clinical, medical, or other regulated contexts.

6.5.3.

Customer must not rely on Output as a sole source of truth or use it for decisions that could materially affect individuals (including diagnosis, treatment, or patient care) without appropriate human oversight and independent verification as required by law or professional standards.

6.5.4.

Customer must not use Output for any purpose that could have a material impact on any individual (including but not limited to medical diagnosis, treatment decisions, or patient care) without appropriate human oversight and independent verification.

6.5.5.

If Output references any third-party products, services, or information, it does not mean such third party endorses or is affiliated with Corti, nor does Corti endorse or warrant such third-party content.

6.5.6.

The Platform may contain links or references to third-party sites or data. Customer acknowledges that Corti does not own or control such third-party content and has no liability for Customer's use of or reliance on such third-party content; any residual warranties to the extent not disclaimable under applicable law are limited to ninety (90) days from the date Corti first granted Customer access to the Platform.

6.7.1.

Medical Device Regulatory Status. (a) Platform Infrastructure. Platform Infrastructure is general-purpose AI infrastructure and is not itself a medical device. Products, applications, or services built by Customer or third parties using Platform Infrastructure may be medical devices under applicable law, and responsibility for classification, regulatory clearance, and ongoing compliance for such products rests solely with the Customer or third party that develops such product. (b) Corti Products. Certain Corti Products (such as Corti Assistant MD) are classified and registered as medical devices in specified jurisdictions. Corti will maintain applicable regulatory clearances, certifications, or registrations for such Corti Products as described in the Documentation for each product. Customer may request documentation of applicable regulatory status, intended use statements, certificates, and other regulatory information for any Corti Product. The regulatory classification and intended use of each Corti Product may vary by jurisdiction. (c) Documentation. Corti will provide Customer, upon reasonable request, with compliance documentation, intended use statements, certificates, and regulatory status information necessary for Customer’s own regulatory assessments and audits.

6.7.2.

Customer’s Regulatory Responsibilities. (a) Platform Infrastructure Customers. Where Customer uses Platform Infrastructure to build its own products, applications, or services, Customer is solely responsible for: (i) determining the regulatory classification of Customer’s products under applicable law, including medical device regulations, the EU AI Act, and any other applicable requirements; (ii) obtaining all necessary regulatory clearances, certifications, or registrations for Customer’s products; (iii) implementing clinical validation, human oversight, quality management systems, and technical documentation as required by applicable laws and regulations; (iv) reporting adverse events, safety concerns, or product issues to applicable regulatory authorities; and (v) maintaining required records and audit trails related to Customer’s products and their use. (b) Corti Product Customers. Where Customer uses a Corti Product (such as Corti Assistant), Customer’s regulatory responsibilities are limited to those of a deployer or user of the product, including: (i) ensuring that Customer’s specific use case and clinical validation requirements are appropriate for the intended use described in the Documentation; (ii) implementing required human oversight and professional review processes as described in Section 6.5 and the product Documentation; (iii) reporting adverse events, safety concerns, or product issues to Corti in accordance with Section 6.7.4; and (iv) maintaining records as required by applicable law for Customer’s use of the Corti Product. Corti is responsible for the regulatory classification, clearance, and ongoing compliance of the Corti Product itself. (c) General. In all cases, Customer remains responsible for compliance with applicable professional standards of care and institutional policies governing Customer’s operations.

6.7.3.

AI Regulation Compliance. AI Regulation Compliance. (a) EU AI Act – Platform Infrastructure. To the extent Platform Infrastructure qualifies as a general-purpose AI (GPAI) model under the EU AI Act, Corti will comply with applicable GPAI provider obligations, including model documentation, training data transparency, and copyright compliance obligations. Customers using Platform Infrastructure to build their own AI systems are independently responsible for their own AI Act provider or deployer obligations (as applicable), including conformity assessment, registration, technical documentation, and ongoing compliance for such systems. Corti will provide model documentation and technical information to support Customer’s compliance with applicable AI Act requirements. (b) EU AI Act – Corti Products. For Corti Products that are AI systems subject to the EU AI Act (including where such products are also medical devices), the parties acknowledge that: (i) Corti, as the provider of the AI system, will be responsible for compliance with provider obligations under the AI Act, including conformity assessments, technical documentation, quality management, registration, and post-market monitoring; (ii) Customer, as the deployer, will be responsible for deployer obligations under the EU AI Act, including human oversight, monitoring system operation, incident reporting, and ensuring use in accordance with instructions; and (iii) the parties will cooperate in good faith to fulfil their respective obligations, including Corti providing necessary technical documentation and Customer providing feedback on system performance and incidents. (c) Other AI Regulation. To the extent other laws or regulations governing AI systems apply to the Corti Services, the allocation of obligations shall follow the same framework: Corti will comply with applicable provider or developer obligations for Corti Products, and Customer is solely responsible for all regulatory compliance for products Customer builds using Platform Infrastructure. (d) Updates. Corti reserves the right to update the Documentation, Platform Infrastructure, or Corti Products to comply with the EU AI Act requirements or other applicable AI regulations as they become effective, and may pass through reasonable, documented costs of compliance to Customer in accordance with Section 3.12.

6.7.4.

Post-Market Surveillance and Vigilance. If the Platform is subject to post-market surveillance or vigilance requirements under applicable law (including MDR or similar regulations), Customer agrees to: (a) promptly notify Corti of any serious incidents, malfunctions, or safety concerns related to the Platform; (b) cooperate with any Corti investigation, field safety corrective action, or recall; (c) provide Corti with reasonable access to relevant records and personnel to support regulatory reporting or investigations; and (d) not publicly disclose any safety issue without prior coordination with Corti, except as required by law or ethical obligations. Corti will handle any such reports in accordance with applicable vigilance reporting timelines and requirements.

6.8.1.

Application and Priority of Terms. This Section 6.8 applies where Customer uses Corti Assistant MD, Corti products registered as medical devices or any other Corti Product expressly designated as subject to this Section in an Order Form or the Documentation. To the extent any provision in this Section 6.8 conflicts with a general provision elsewhere in this Agreement, this Section 6.8 shall prevail for customers using Corti Assistant MD, Corti products registered as medical devices, or any other Corti product expressly designated as subject to this Section in an Order Form or the Documentation. This Section supplements (and does not replace) the general provisions of this Agreement unless expressly stated otherwise.

6.8.2.

Medical Device Status. Corti Assistant MD is a Corti Product that has been classified and registered as a medical device in specified jurisdictions. Corti maintains and will make available to Customer, upon reasonable request, documentation of the current regulatory status of Corti Assistant MD in each applicable jurisdiction. Customer acknowledges that the regulatory classification and status of Corti Assistant MD may vary by jurisdiction and may change over time. Corti will use commercially reasonable efforts to notify Customer of material changes to the regulatory status of Corti Assistant MD, provided that any delay or failure to provide such notice shall not give rise to any liability on the part of Corti.

6.8.3.

Carve-Out from Section 2.2.3 (Use of Output for Clinical Purposes). Notwithstanding Section 2.2.3 (Restrictions on use involving individuals), Customer may use Output generated by Corti Assistant MD about identified or identifiable persons for clinical purposes, including to support, inform, or document decisions about such persons’ health or medical care, provided that Customer: (a) uses Corti Assistant MD within the intended use described in the Documentation; (b) complies with all human oversight, validation, and professional review requirements set forth in Sections 2.2.2, 6.5, and 6.7; (c) ensures that a qualified healthcare professional reviews and validates all Output before it is relied upon for clinical decisions or incorporated into medical records; and (d) complies with all applicable laws, professional standards, and institutional policies governing clinical documentation and patient care. For clarity, this carve-out applies only to Corti Assistant MD and does not modify the restrictions in Section 2.2.3 for Platform Infrastructure or other Corti Services.

6.8.4.

Regulatory Allocation. For Corti Products that are classified as medical devices or AI systems under applicable law: (a) Corti is responsible for applicable provider or manufacturer obligations under such law; (b) Customer is responsible for applicable deployer or user obligations under such law, including implementing human oversight, monitoring system operation, and promptly reporting serious incidents to Corti; and (c) Corti will provide Documentation to support Customer’s compliance with applicable deployer or user obligations.

6.8.5.

Post-Market Obligations. Customer agrees to promptly notify Corti of any serious incident, malfunction, or safety concern related to Corti Assistant MD that comes to Customer’s attention and to cooperate with any Corti investigation, field safety corrective action, or product recall. Corti will handle incident reports in accordance with applicable regulatory requirements and will keep Customer reasonably informed of material developments in any investigation, subject to Corti’s confidentiality obligations to regulatory authorities and other parties.

6.8.6.

Limitation of Product-Specific Terms. This Section 6.8 applies solely to Corti Assistant MD and any other Corti Products expressly designated as subject to this Section in an Order Form or the Documentation. The general provisions of this Agreement continue to apply to all other Corti Services, including Platform Infrastructure. Corti may add additional product-specific sections to this Agreement for other Corti Products as they become available.

7.1.1.

Third Party IP Claim. Corti will indemnify, defend, and hold Customer harmless from and against any losses, liabilities, damages, fees, costs, and expenses (including reasonable attorneys’ fees) (collectively, “Losses”) it may incur in connection with a third-party claim to the extent arising out of any infringement of third party’s patent, copyright, trademark or trade secret by Corti or the Platform. If a third-party claim of infringement is threatened or occurs, Corti may seek to mitigate damages by modifying the Platform to be non-infringing, obtaining a license for Customer to use the Platform, or (if neither of the foregoing are commercially feasible) terminating this Agreement with immediate effect and refunding to Customer any unused, prepaid fees.

8.2.1.

TO THE FULLEST EXTENT PERMITTED BY LAW NEITHER PARTY WILL HAVE ANY LIABILITY FOR: (i) LOST PROFITS OR REVENUE; (ii) LOSS OF GOODWILL OR BUSINESS REPUTATION; (iii) LOSS OR CORRUPTION OF DATA; (iv) INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES; or (v) LOSS ARISING FROM INACCURATE OR UNEXPECTED RESULTS ARISING FROM THE USE OF THE CORTI SERVICES, IN EACH CASE REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES ARISING; FOR CLARITY, THIS SECTION 8.2.1 DOES NOT EXCLUDE AMOUNTS PAYABLE TO THIRD PARTIES UNDER A PARTY’S INDEMNIFICATION OBLIGATIONS, SUBJECT TO THE APPLICABLE CAP.

8.2.2.

GENERAL LIABILITY CAP. SUBJECT TO SUB-SECTIONS 8.2.3 - 8.2.5 BELOW, IN NO EVENT WILL THE AGGREGATE LIABILITY OF EACH PARTY TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THE AGREEMENT EXCEED THE TOTAL AMOUNT PAID OR PAYABLE BY CUSTOMER AND ITS AFFILIATES (INCLUDING UNDER THE APPLICABLE ORDER FORM(S), IF RELEVANT) FOR THE CORTI SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE (12) MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE, WHETHER ARISING OUT OF CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY (THE “GENERAL CAP”); PROVIDED THAT AMOUNTS RECOVERABLE UNDER THE ENHANCED CAP SHALL NOT ALSO COUNT AGAINST THE GENERAL CAP FOR THE SAME CLAIM.

8.2.3.

ENHANCED CAP FOR DATA BREACHES. NOTWITHSTANDING SECTION 8.2.2, CORTI’S AGGREGATE LIABILITY FOR CLAIMS (INCLUDING THIRD-PARTY CLAIMS AND REGULATORY INVESTIGATIONS OR ENFORCEMENT ACTIONS, TO THE EXTENT RECOVERABLE UNDER APPLICABLE LAW) ARISING FROM (A) ANY UNAUTHORIZED DISCLOSURE OR BREACH OF CUSTOMER DATA (INCLUDING ANY “PERSONAL DATA BREACH” OR “SECURITY INCIDENT” AS DEFINED IN THE DPA OR BAA, AS APPLICABLE) RESULTING FROM CORTI’S BREACH OF (i) ITS CONFIDENTIALITY OBLIGATIONS SET FORTH IN SECTION 4 (CONFIDENTIALITY), OR (ii) ITS DATA PROTECTION AND SECURITY OBLIGATIONS SET FORTH IN THIS AGREEMENT, THE DPA, OR THE BAA (AS APPLICABLE), OR (B) CORTI’S MATERIAL FAILURE TO IMPLEMENT AND MAINTAIN THE SECURITY MEASURES REQUIRED OF IT UNDER ARTICLE 32 GDPR THAT DIRECTLY CAUSES, CONTRIBUTES TO, OR AGGRAVATES THE EVENT DESCRIBED IN CLAUSE (A), IN EACH CASE SHALL BE LIMITED TO THE GREATER OF (X) TWO (2.0) TIMES THE GENERAL CAP AMOUNT AND (Y) ONE MILLION UNITED STATES DOLLARS (USD $1,000,000), PROVIDED THAT IN ALL CASES SUCH LIABILITY SHALL NOT EXCEED FIVE MILLION UNITED STATES DOLLARS (USD $5,000,000) (THE “ENHANCED CAP”). THIS ENHANCED CAP DOES NOT APPLY TO BREACHES CAUSED BY CORTI’S GROSS NEGLIGENCE OR WILFUL MISCONDUCT, WHICH REMAIN SUBJECT TO THE EXCLUDED CLAIMS IN SECTION 8.1. NOTWITHSTANDING SECTION 11.9, FOR CORTI PRODUCTS THAT ARE CLASSIFIED AS MEDICAL DEVICES, THE ENHANCED CAP AMOUNT MAY BE INCREASED (BUT NOT DECREASED) BY MUTUAL WRITTEN AGREEMENT IN AN ORDER FORM TO REFLECT THE SPECIFIC RISK PROFILE OF THE CORTI PRODUCT AND CUSTOMER’S USE CASE.

8.2.4.

SINGLE RECOVERY. FOR ANY SINGLE INCIDENT OR SERIES OF RELATED INCIDENTS, CUSTOMER MAY RECOVER UNDER ONLY ONE CAP SET FORTH IN THIS SECTION 8.2 (WHETHER THE GENERAL CAP, IP INDEMNIFICATION PURSUANT TO SECTION 7.1.1 OR THE ENHANCED CAP FOR DATA BREACHES). THE MAXIMUM AGGREGATE LIABILITY ACROSS ALL CLAIMS, REGARDLESS OF THEORY, SHALL NOT EXCEED THE HIGHEST APPLICABLE CAP AMOUNT FOR THE TYPE OF CLAIM ASSERTED.

8.2.5.

MULTI-PARTY CLAIM PROTECTION. WHERE MULTIPLE PARTIES (INCLUDING RESELLERS, PARTNERS, DISTRIBUTORS, OR OTHER INTERMEDIARIES) ASSERT CLAIMS AGAINST CORTI ARISING FROM THE SAME INCIDENT OR SERIES OF RELATED INCIDENTS AFFECTING AN END CUSTOMER, CORTI’S AGGREGATE LIABILITY TO ALL SUCH PARTIES COLLECTIVELY SHALL NOT EXCEED THE HIGHEST APPLICABLE LIABILITY CAP UNDER SECTION 8.2 THAT WOULD APPLY IF THE AFFECTED END CUSTOMER HAD BROUGHT THE CLAIM DIRECTLYCORTI SOLE DISCRETION TO DETERMINE THE ALLOCATION OF PAYMENTS AMONG CLAIMANTS WITHIN THE APPLICABLE CAP, AND PAYMENT TO ANY ONE CLAIMANT SHALL REDUCE THE REMAINING CAP AVAILABLE TO ALL OTHER CLAIMANTS FOR THE SAME INCIDENT.

9.1.1.

Subject to Section 9.1.2 below, Corti may suspend Customer’s access to the Platform (a) upon seventy-two (72) hours’ prior written notice if Corti reasonably believes that Customer (or one of its Authorized Users) has materially violated Sections 2.5 (Customer Obligations) or 2.6 (Platform Restrictions), provided that Corti will describe the suspected violation in reasonable detail and provide Customer an opportunity to cure or dispute the allegation prior to suspension taking effect; or (b) immediately without prior notice only if Corti determines, in its reasonable discretion, that (i) continued Customer access poses an imminent security threat to Corti’s systems, other customers’ data, or the integrity of the Platform, (ii) Customer’s use violates applicable law in a manner that exposes Corti to criminal or regulatory liability, or (iii) Customer has failed to pay undisputed amounts that are more than thirty (30) days past due. For clarity, “imminent security threat” means active malicious activity, suspected unauthorized access, or ongoing violation of security protocols, not mere suspicion of past or potential future violations; and any Suspension Notice and cure opportunity will be provided in accordance with Section 9.1.2. Corti will not suspend access for disputed payment amounts that are the subject of a good-faith billing dispute raised in writing within thirty (30) days of the applicable invoice.

9.1.2.

Subject to Section 9.1.1(b), and save for genuine security emergencies where suspension may be immediate and without notice, Corti will provide no less than seventy‑two (72) hours’ prior written notice of a proposed suspension (a “Suspension Notice”), describing in reasonable detail the alleged violation and offering a reasonable opportunity to cure consistent with Section 9.1.1(a).

Subject to Section 9.1.1(b), and save for genuine security emergencies where suspension may be immediate and without notice, Corti will provide no less than seventy‑two (72) hours’ prior written notice of a proposed suspension (a “Suspension Notice”), describing in reasonable detail the alleged violation and offering a reasonable opportunity to cure consistent with Section 9.1.1(a).

9.1.3.

Any suspension shall not affect Customer’s payment obligations.