Terms and Conditions

1.1. These Terms and Conditions ("Terms") govern your access to and use of Spock's AI workspace, assistants, integrations, related websites, and APIs (the "Service").

1.2. By creating an account, accessing, or using the Service on behalf of yourself or an organisation, you agree to these Terms. If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have authority to bind that entity, and "you" or "Customer" refers to that entity.

1.3. If you do not agree to these Terms, you may not use the Service.

2.1. Privacy Policy. Our Privacy Policy explains how we collect and process personal information and forms part of these Terms.

2.2. Data Processing Agreement (DPA). Where we process personal information on your behalf (for example, where you or your users upload content that contains personal information), the Spock Data Processing Agreement forms part of these Terms and governs that processing.

2.3. Order of precedence. If there is any conflict:

• The DPA prevails for data-protection matters,
• Then the Privacy Policy,
• Then these Terms.

3.1. Description. Spock is an AI-powered workspace/productivity platform that lets users chat with AI models, upload content, run knowledge tasks, and integrate with third-party systems.

3.2. Architecture.

• Core application services and databases are hosted in the European Union (Germany) on third-party infrastructure providers (currently DigitalOcean and Hetzner).
• All AI inference (prompts, uploaded content that must be processed by a model, and model outputs) is routed to AI model providers hosted in the United States (currently OpenAI, Google/Gemini, Anthropic/Claude, and Groq).
• We use Resend to send transactional emails, Stripe to process payments and Crisp to provide an in-app support platform.

3.3. We may improve or modify the Service from time to time. Where a change materially affects data processing or sub-processors, we will handle it in line with the DPA (advance notice and right to object, where applicable).

4.1. You must provide accurate account information and keep it up to date.

4.2. You are responsible for all activities that occur under your account, including those of your authorised users.

4.3. You must keep your passwords and access tokens secure.

4.4. We may suspend access where we reasonably believe there is a security issue, misuse, or non-payment.

5.1. "Customer Content" means any data, text, files, documents, prompts, instructions, personal information, or other material that you or your users submit to, or generate through, the Service.

5.2. You as Controller. If your Customer Content contains personal information about your staff, customers, or other individuals, you are the "responsible party"/"controller" for that personal information under POPIA/GDPR, and we are your "operator"/"processor". The DPA governs that relationship.

5.3. We as Controller. We are the controller for account data, billing, security logs, product analytics, and communications (for example, emails we send you). Our Privacy Policy covers this.

5.4. You warrant that you have obtained all necessary permissions, consents, and authorisations to submit Customer Content to the Service and to instruct us to process it as described in these Terms and the DPA.

6.1. You acknowledge and instruct us to store Customer Content in the EU (Germany) and to transmit Customer Content to AI sub-processors in the United States for the purpose of providing AI inference and generating outputs.

6.2. We will only use sub-processors that offer data-protection terms consistent with GDPR and POPIA, including Standard Contractual Clauses or equivalent safeguards for transfers to the US. The current list of sub-processors and transfer safeguards is published in our DPA and TIA summary (https://spock.chat/trust).

6.3. Spock warrants that it will not, and shall contractually prohibit its Sub-processors from, using Customer Content (including prompts, files, and outputs) to train, fine-tune, or otherwise improve any artificial intelligence model for Spock's or the Sub-processor's own purposes. This warranty is a core, non-derogable obligation under these Terms.

7.1. You must ensure that your use of the Service complies with applicable laws, including POPIA (South Africa), GDPR (EEA/UK), and any industry-specific rules that apply to you.

7.2. You must not submit to the Service any special/sensitive personal information (as defined in POPIA/GDPR) unless you have a lawful basis and have obtained the necessary Prior Authorisation from the South African Information Regulator (POPIA s.57), and/or have notified the data subjects that the information will be transferred to the United States for AI processing.

7.3. You must not use the Service to infringe intellectual property rights, to generate unlawful content, or to probe or attack the Service's security.

7.4. You are responsible for configuring your own environment (including identity, SSO, and workspace permissions) to limit access to Customer Content.

8.1. We implement appropriate technical and organisational measures to protect Customer Content, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.

8.2. If we become aware of a personal data breach affecting Customer Content, we will notify you without undue delay and in any event within 72 hours, providing the information we have at that time, and we will cooperate with you to meet your notification duties under POPIA/GDPR.

8.3. You acknowledge that no system is perfectly secure and that the Service depends on third-party infrastructure.

9.1. Fees, billing cycles, and plan limits are described on our website or in an order form.

9.2. You authorise us (and our payment processor, Stripe) to charge all applicable fees to your chosen payment method.

9.3. Fees are non-refundable unless we state otherwise in writing or required by law.

10.1. We own all rights, title, and interest in and to the Service, our software, models, UI, and documentation.

10.2. You own your Customer Content.

10.3. Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable licence to access and use the Service during your subscription.

11.1. The Service generates AI-based outputs. These outputs may be probabilistic and may not be accurate, complete, or suitable for your specific use case. You must not use the Service to take decisions producing legal or similarly significant effects on data subjects without human involvement.

11.2. You are responsible for reviewing and verifying outputs before relying on them.

11.3. You must not use outputs in ways that violate applicable law.

11.4. No Professional Advice & Human Review. The AI Outputs do not constitute professional advice (e.g., medical, legal, financial). You are solely responsible for ensuring the Outputs are not used to make decisions that produce legal or similarly significant effects on a data subject without human review and intervention (GDPR Art. 22 / POPIA s.71).

11.5. Prohibited Use Cases. You must not use the AI Outputs or the Service to generate content that infringes IP, violates law, or is intended for prohibited high-risk uses such as medical diagnosis or high-stakes financial trading without professional oversight.

12.1. Each party must keep the other party's non-public information confidential and use it only to perform under these Terms.

12.2. Confidentiality obligations do not apply to information that is public, already known, independently developed, or disclosed under legal obligation.

13.1. For South African customers and data subjects, we process personal information in accordance with the Protection of Personal Information Act, 4 of 2013 ("POPIA").

13.2. You and we will each comply with POPIA conditions for lawful processing, including openness, purpose specification, and security safeguards.

13.3. South African data subjects may lodge a complaint with the Information Regulator (South Africa) if they believe their personal information has been unlawfully processed. We will include the Regulator's contact details in our Privacy Policy.

13.4. Cross-border transfers from South Africa to the United States are conducted under s72 POPIA using binding agreements and/or comparable protections, as explained in the DPA.

14.1. We provide the Service "as is" and "as available".

14.2. We do not warrant that the Service will be uninterrupted or error-free or that AI outputs will meet your expectations.

14.3. To the extent permitted by law, we disclaim all implied warranties.

15.1. To the extent permitted by law, neither party is liable for indirect, consequential, or special damages, or loss of profit or business.

15.2. Our total liability arising out of or relating to the Service is limited to the fees you paid to us in the 12 months preceding the event giving rise to the claim, except as explicitly stated for data protection liabilities in Section 15.4.

15.3. Nothing in these Terms excludes liability that cannot be excluded under applicable law.

15.4. Notwithstanding 15.2, for all claims arising from a breach of our data protection obligations under the DPA, our total aggregate liability is limited to the greater of (i) the fees you paid to us in the 12 months preceding the event giving rise to the claim, or (ii) $500,000 (Five Hundred Thousand US Dollars). Liability for fraud and willful misconduct remains uncapped.

You will indemnify and hold us harmless from claims arising from (a) your unlawful use of the Service, (b) your failure to obtain necessary consents, or (c) your violation of these Terms.

17.1. These Terms apply for as long as you use the Service.

17.2. We may suspend or terminate your access if you breach these Terms, if required by law, or if non-payment occurs.

17.3. On termination, we will retain or delete Customer Content according to the retention rules in the Privacy Policy and DPA, and will provide you an opportunity to export data where technically feasible.

18.1. These Terms are governed by the laws of the State of Delaware, USA, without regard to conflict-of-laws principles. For matters of data protection, the governing law is as set out in the Data Processing Agreement (DPA).

18.2. The exclusive jurisdiction for disputes will be the state and federal courts located in Delaware, USA.

18.3. South African relief. Nothing in this clause prevents either party from seeking urgent or interim relief in a court of competent jurisdiction in the Republic of South Africa, especially in relation to data-protection or confidentiality breaches.

We may update these Terms from time to time. If we make material changes, we will notify you via the Service or by email. Your continued use after changes take effect constitutes acceptance.

Questions about these Terms, data protection, or legal notices should be sent to the contact details in our Privacy Policy, addressed to either the POPIA Information Officer or the GDPR EU Representative.