Civic Customer Product Specific Terms
Last Modified: June 18, 2026
PLEASE READ THESE TERMS CAREFULLY.
The Civic Customer Product Specific Terms are intended to highlight some of the important things about using our different Services. The Customer Product Specific Terms form part of the Civic Customer Services Agreement and are hereby incorporated therein.
If you are using any of the Services described below, the terms corresponding to those product(s) apply to your use. We periodically update this page, so please check back here for current information.
1. CIVIC PLATFORM
1.1 Description
The Civic platform includes AI agent orchestration features that enable Customers to configure and manage access to third-party MCP Servers for use by AI agents. The Civic platform operates exclusively at the MCP protocol layer and allows for centralized management of API credentials, application permissions, and optional guardrails that restrict or condition AI agent API calls at the MCP protocol layer. The Civic platform does not control, monitor, or have visibility into AI agent software, AI agent local capabilities (including without limitation file system access, terminal or shell command execution, network scanning, or browser automation), or any AI agent activity that does not pass through the Civic MCP gateway.
1.2 Service Boundaries
CIVIC HAS NO VISIBILITY INTO OR CONTROL OVER: (I) AI AGENT SOFTWARE, CONFIGURATION, OR CAPABILITIES OUTSIDE THE MCP PROTOCOL; (II) ACTIONS TAKEN ON MACHINES WHERE AI AGENTS RUN; (III) WHICH SPECIFIC TOOLS WITHIN AN AUTHORIZED MCP SERVER ARE INVOKED; OR (IV) ANY AI AGENT CAPABILITIES THAT DO NOT USE THE CIVIC MCP GATEWAY.
1.3 Third-Party AI Agent Disclaimer
CIVIC DOES NOT PROVIDE, DEVELOP, CONTROL, OR WARRANT ANY THIRD-PARTY AI AGENT SOFTWARE THAT CUSTOMER MAY CONNECT TO THE CIVIC PLATFORM. CUSTOMER IS SOLELY RESPONSIBLE FOR (I) SELECTING, INSTALLING, CONFIGURING, AND SECURING ANY AI AGENT SOFTWARE; (II) EVALUATING THE SECURITY, CAPABILITIES, AND RISKS OF SUCH AI AGENT SOFTWARE; AND (III) ALL ACTS, OMISSIONS, OUTPUTS, AND CONSEQUENCES OF SUCH AI AGENT SOFTWARE, WHETHER OCCURRING VIA THE CIVIC PLATFORM OR OTHERWISE. CIVIC HAS NO CONTROL OVER AI AGENT CODE, UPDATES, CAPABILITIES, OR CONFIGURATION, AND DISCLAIMS ALL LIABILITY ARISING FROM OR RELATING TO THIRD-PARTY AI AGENT SOFTWARE.
1.4 Security Requirements and Shared Responsibility
Machine Separation Requirement for Certain AI Agents. CERTAIN AI AGENTS HAVE CAPABILITIES THAT MAY ALLOW THEM TO ACCESS CUSTOMER'S AUTHENTICATED CIVIC PLATFORM SESSIONS IF CUSTOMER IS LOGGED INTO THE CIVIC PLATFORM ON THE SAME MACHINE WHERE SUCH AI AGENTS RUN. SPECIFICALLY, AI AGENTS WITH BROWSER AUTOMATION, TERMINAL ACCESS, OR SIMILAR CAPABILITIES MAY BE ABLE TO NAVIGATE TO THE CIVIC PLATFORM, ACCESS CUSTOMER'S AUTHENTICATED SESSION, AND BYPASS CIVIC PLATFORM SECURITY CONTROLS. Customer must evaluate the capabilities of any AI agent software before connecting it to the Civic platform. For AI agents with browser automation, terminal/shell access, or other capabilities that could access authenticated web sessions, Customer MUST NOT access or log into the Civic platform from the same machine on which such AI agents are running. Customer should configure and authorize Civic platform toolkits on a separate machine and authorize AI agent requests from that separate machine or via links sent to another device. Examples of AI agents requiring machine separation include: (i) AI agents with headless browser automation capabilities; (ii) AI agents with unrestricted terminal or shell command execution; (iii) AI agents capable of making direct HTTP requests to web applications or services outside the MCP protocol; and (iv) AI agents that can automate desktop application interactions or access applications outside their sandboxed environment. AI agents that operate in sandboxed environments without browser automation, terminal access, or similar capabilities (such as Claude Desktop in its default configuration) generally do not present this authentication bypass risk; however, Customer remains responsible for evaluating each AI agent's capabilities and implementing appropriate security measures. CIVIC DISCLAIMS ALL LIABILITY FOR ANY SECURITY INCIDENT, UNAUTHORIZED ACCESS, OR DAMAGES ARISING FROM CUSTOMER'S FAILURE TO EVALUATE AI AGENT CAPABILITIES AND MAINTAIN APPROPRIATE MACHINE SEPARATION WHERE REQUIRED. CUSTOMER IS RESPONSIBLE FOR REVIEWING AI AGENT DOCUMENTATION, UNDERSTANDING AI AGENT CAPABILITIES, AND IMPLEMENTING SECURITY CONTROLS APPROPRIATE FOR THE SPECIFIC AI AGENTS BEING USED.
Customer Security Obligations. Customer acknowledges that the Civic platform controls only the MCP protocol layer and that Customer is solely responsible for: (i) implementing security controls appropriate for autonomous agent deployment, including access restrictions, monitoring, and incident response capabilities; (ii) configuring Civic platform guardrails, parameter presets, and least-privilege OAuth scopes as appropriate for Customer's use case; (iii) securing AI agent runtime environments according to industry best practices and Customer's risk tolerance; (iv) monitoring both Civic platform audit logs (for MCP gateway activity) and AI agent local logs (for non-MCP activity); (v) managing token lifecycle, including renewal of Civic platform access tokens and response to authorization elevation requests; (vi) testing AI agent integrations with non-production data before deploying with sensitive, personal, or regulated data; (vii) implementing human oversight and approval processes appropriate for AI-generated actions in Customer's environment; (viii) complying with all applicable laws and third-party service provider terms; (ix) providing appropriate disclosures to end users regarding AI agent capabilities and data access; (x) disabling or restricting unsafe AI agent features; and (xi) promptly revoking Civic platform access if an AI agent is suspected of being compromised or misbehaving.
Incident Response Limitations. Customer acknowledges that Civic cannot detect compromised or malicious AI agents, detect anomalous AI agent behavior, emergency-stop an active AI agent session, prevent AI agents from obtaining credentials outside the Civic platform, or see or log AI agent local actions. Customer is solely responsible for incident detection, response, and remediation relating to AI agent activity. If Customer suspects an AI agent is compromised or acting inappropriately, Customer must immediately revoke access via Civic platform toolkit deletion or authorization revocation, and investigate AI agent local activity and host machine security.
1.5 Logging and Data Visibility
Civic logs API requests and responses passing through the Civic MCP gateway and retains such logs for approximately thirty (30) days. Civic does not process or have visibility into: (i) conversational content between Customer and AI agents; (ii) AI agent local activity or logs; (iii) which specific tools or APIs an AI agent invokes within an authorized service; or (iv) data that AI agents access outside of the Civic platform. Customer is solely responsible for ensuring that AI agent data handling complies with applicable privacy and data protection laws. For additional information about Civic's data processing practices, please refer to Civic's Data Processing Agreement.
1.6 Developer Responsibilities
If you are using the Civic platform as a developer, You are responsible for ensuring that your use of the Civic platform complies with applicable law and all third-party terms governing access to connected services. This includes: (i) obtaining end-user consent where applicable; (ii) providing required disclosures regarding AI agent behavior and connected services; (iii) implementing appropriate safeguards for any data processed via MCP servers or by AI agents outside of the Civic platform; (iv) ensuring AI agents are operated in compliance with any guardrails imposed; (v) ensuring that AI agents comply with all terms of service, acceptable use policies, and other requirements of third-party services accessed via the Civic platform; and (vi) monitoring AI agent behavior for violations of third-party terms.
1.7 Experimental Features
CERTAIN CIVIC PLATFORM FEATURES (INCLUDING CHATBOT AND DESKTOP BRIDGE) MAY BE OFFERED AS “CIVIC LABS” OR BETA FEATURES, WHICH ARE EXPERIMENTAL, PRE-COMMERCIAL, AND PROVIDED SOLELY FOR EVALUATION PURPOSES. THESE FEATURES MAY BE INCOMPLETE, MAY CHANGE SUBSTANTIALLY, OR MAY BE DISCONTINUED AT ANY TIME WITHOUT NOTICE, AND CIVIC MAKES NO COMMITMENT THAT THEY WILL BECOME GENERALLY AVAILABLE OR MEET ANY PARTICULAR SPECIFICATIONS. CIVIC LABS AND BETA FEATURES MAY NOT COMPLY WITH CIVIC’S USUAL SECURITY, PRIVACY, OR COMPLIANCE STANDARDS AND SHOULD NOT BE USED WITH PRODUCTION DATA, PERSONAL DATA, OR REGULATED DATA UNLESS CIVIC EXPRESSLY AUTHORIZES SUCH USE IN WRITING. THEY ARE PROVIDED “AS IS,” WITHOUT WARRANTIES OF ANY KIND, AND ARE EXCLUDED FROM CIVIC’S SERVICE LEVEL COMMITMENTS, UPTIME GUARANTEES, AND SUPPORT OBLIGATIONS. CUSTOMER ASSUMES ALL RISKS RELATED TO ITS ACCESS OR USE OF THESE FEATURES, INCLUDING POTENTIAL DATA LOSS, SERVICE INTERRUPTIONS, OR FUNCTIONAL LIMITATIONS, AND CIVIC DISCLAIMS ALL LIABILITY ARISING FROM SUCH USE. CIVIC MAY SOLICIT OR COLLECT FEEDBACK ON THESE FEATURES, WHICH CUSTOMER GRANTS CIVIC A PERPETUAL, ROYALTY-FREE RIGHT TO USE WITHOUT RESTRICTION.
1.8 No Access to End-User LLM Activity
Civic does not process or store content exchanged between Customer’s AI agents and MCP-connected tools, except as necessary to facilitate authorization and Guardrail enforcement.
1.9 AI Output Disclaimer
THE CIVIC PLATFORM ENABLES CUSTOMERS TO CONNECT AI AGENTS WITH THIRD-PARTY MCP SERVERS. YOU ACKNOWLEDGE AND AGREE THAT (I) CIVIC DOES NOT CONTROL OR GENERATE THE CONTENT, RECOMMENDATIONS, OR ACTIONS OF ANY AI MODEL OR AGENT; (II) AI AGENTS MAY OPERATE AUTONOMOUSLY AND EXECUTE ACTIONS WITHOUT HUMAN APPROVAL, INCLUDING ACTIONS THAT MAY BE IRREVERSIBLE OR CAUSE HARM; (III) SUCH MODELS MAY PRODUCE INACCURATE, INCOMPLETE, OFFENSIVE, OR MISLEADING RESULTS (“HALLUCINATIONS”), WHICH ARE OUTSIDE OF CIVIC’S CONTROL; AND (IV) YOU ARE SOLELY RESPONSIBLE FOR REVIEWING, VALIDATING, AND APPROVING ANY AI-GENERATED OUTPUT OR ACTION BEFORE RELYING ON IT OR PERMITTING IT TO AFFECT YOUR SYSTEMS, DATA, OR END USERS. CIVIC MAKES NO REPRESENTATION OR WARRANTY AS TO THE ACCURACY, RELIABILITY, SAFETY, OR SUITABILITY OF ANY AI OUTPUTS OR ACTIONS TAKEN THROUGH OR IN CONNECTION WITH THE CIVIC PLATFORM, AND DISCLAIMS ALL LIABILITY ARISING FROM OR RELATING TO YOUR RELIANCE ON SUCH OUTPUTS OR THE CONSEQUENCES OF AI AGENT ACTIONS. YOU MUST IMPLEMENT AND MAINTAIN APPROPRIATE HUMAN OVERSIGHT, REVIEW PROCESSES, AND APPROVAL WORKFLOWS TO MITIGATE RISKS FROM AI-GENERATED CONTENT OR AUTONOMOUS AI AGENT ACTIONS.
1.10 Sanctions Compliance
Customer must not deploy or use the Civic platform's AI orchestration features in connection with any transaction, workflow, or counterparty that would violate applicable U.S. sanctions laws or OFAC regulations. Where Customer's application makes the AI orchestration features available to end users, Customer must ensure those end users are not located in Embargoed Countries and are not identified on the OFAC SDN List. Customer is responsible for implementing appropriate screening of end users and workflows against applicable sanctions lists.
1.11 Indemnification
You agree to indemnify, defend, and hold harmless Civic, its affiliates, and their respective officers, directors, employees, agents, licensors, and service providers, from and against any and all losses, liabilities, damages, fines, penalties, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to (i) your access to or use of the Civic platform; (ii) your violation of applicable laws, regulations, or third-party rights, including without limitation any terms of service or acceptable use policies governing third-party MCP servers; (iii) any misuse, circumvention, or misconfiguration of guardrails, or any acts or omissions of your AI agents when interacting with MCP servers or otherwise; (iv) your failure to implement, enforce, or maintain appropriate security measures, access controls, machine separation, human oversight processes, or end-user disclosures relating to use of the Civic platform or AI agents; (v) any claim that your data, configurations, or use of the Civic platform infringe, misappropriate, or otherwise violate the intellectual property or other proprietary rights of a third party; (vi) any third-party claims arising from AI agent actions, including without limitation claims by providers of third-party services accessed via the Civic platform alleging violations of their terms of service; (vii) any security incident involving AI agents connected to the Civic platform, including incidents arising from compromised, misconfigured, or misbehaving AI agents; or (viii) your gross negligence, fraud, or willful misconduct. Civic reserves the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify Civic, and you agree to cooperate fully with Civic in the defense of such matters.
2. CIVIC AUTH
2.1 Embedded Wallet Disclosure and Third-Party Terms
Civic Auth is an authentication feature of the Civic platform, powered in part by MetaKeep. If the application you are accessing through Civic Auth has enabled embedded wallet functionality, a MetaKeep wallet may be automatically created on your behalf using your email address provided during the Civic Auth account creation process. Your use of any such MetaKeep wallet is governed solely by MetaKeep’s terms and policies, which are separate from and not controlled by Civic. You are responsible for reviewing MetaKeep’s applicable terms to understand your rights and obligations related to wallet usage. By using Civic Auth to access an embedded wallet, you acknowledge that MetaKeep governs the use of the wallet and that Civic does not control or maintain these terms.
2.2 Developer Responsibilities and Flowdown Obligations
If you are using Civic Auth as a developer, you agree to: (i) include in your end-user application terms of service (a) that such user’s use of the application must comply with applicable law, (b) restrictions and obligations and acknowledgement of risks applicable to end-users that are consistent with those restrictions and obligations and acknowledgement of risks contained in MetaKeep’s Terms of Service, including without limitation, responsibilities and risks related to authentication credentials, email recovery, key import and key export, (c) indemnify, defend, and hold harmless Civic and MetaKeep from and in connection with any and all responsibility or liability related to the risks set forth in MetaKeep’s Terms of Service, including without limitation, exported private keys and seed phrases or access credentials related to imported private keys stored outside MetaKeep’s services; (ii) require end-users to agree to such end-user application terms of service prior to being able to use the application; (iii) monitor the activity of end-users within the application for their compliance with such end-user application terms of service; (iv) use commercially reasonable efforts to enforce such end-user application terms of service after you become aware of such non-compliance by an end-user; (v) screen each end-user in accordance with your applicable compliance policies (including without limitation the minimum compliance policy requirements set forth in MetaKeep’s Terms of Service); (vi) include in your end-user terms an express prohibition on use by individuals or entities on the OFAC Specially Designated Nationals and Blocked Persons List ("SDN List") or located in any country or territory subject to a comprehensive U.S. government embargo, including Cuba, Iran, North Korea, Syria, or the Crimea/Sevastopol, Donetsk People's Republic, or Luhansk People's Republic regions of Ukraine ("Embargoed Countries"); (vii) implement, or engage a qualified third-party compliance provider to implement, screening of end users accessing your application through Civic Auth against applicable U.S. government sanctions lists, including the OFAC SDN List, and immediately suspend access for any end user for whom a match is identified; and (viii) not deploy Civic Auth in connection with any application whose primary user base is located in an Embargoed Country. Furthermore, you will engage in commercially reasonable efforts, in good faith, to ensure that the implementation and/or use of the application by each end-user is in accordance with all applicable laws, rules and regulations, MetaKeep’s Terms of Services, the foregoing requirements and the MetaKeep’s documentation.
2.3 Disclaimer
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, CIVIC PROVIDES CIVIC AUTH ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR ANY WARRANTIES ARISING FROM A COURSE OF PERFORMANCE, DEALING, OR USAGE OF TRADE. CIVIC MAKES NO REPRESENTATION OR WARRANTY THAT CIVIC AUTH WILL BE SECURE, UNINTERRUPTED, ERROR-FREE, OR FREE FROM HARMFUL COMPONENTS.
2.4 Indemnification
To the maximum extent permitted by law, you agree to indemnify, defend, and hold harmless Civic, its affiliates, and their respective officers, directors, employees, agents, licensors, and service providers, from and against any and all losses, liabilities, damages, fines, penalties, costs, and expenses (including reasonable attorneys’ fees and costs) arising out of or relating to (i) your access to or use of Civic Auth; (ii) your violation of applicable laws, regulations, or third-party rights, including without limitation any terms of service or acceptable use policies governing embedded wallets or third-party integrations (such as MetaKeep); (iii) any acts or omissions of your end users when accessing Civic Auth under your account; (iv) your failure to implement or enforce appropriate end-user terms, security measures, or disclosures; or (v) your gross negligence, fraud, or willful misconduct. Civic reserves the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify Civic, and you agree to cooperate fully with Civic in the defense of such matters.
3. CIVIC LABS
3.1 Experimental Services
From time to time, we may provide you with access to early-stage, pre-release, beta, or prototype features, tools, or services (“Labs Features”) that are still in development. These Labs Features are experimental, pre-commercial, and provided for limited evaluation purposes only. They may not be fully tested, and may change significantly or be discontinued entirely at any time without notice. Access to Labs Features does not imply any commitment by Civic to release such features publicly or continue offering them in the future.
3.2 No Production Use or Commitments
Labs Features are offered solely for evaluation and testing purposes. They are not intended or licensed for production use, public deployment, or mission-critical operations. They are not covered by our standard service levels, support policies, or availability guarantees. We may limit, suspend, or terminate access to any Labs Feature at our sole discretion, at any time. You acknowledge that we have no obligation to maintain, support, or further develop any Labs Feature, or to make it part of our generally available services.
3.3 Use at Your Own Risk
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, CIVIC PROVIDES ALL LABS FEATURES ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. THIS INCLUDES, BUT IS NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR ANY WARRANTIES ARISING FROM A COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. CIVIC MAKES NO REPRESENTATION OR WARRANTY THAT ANY LABS FEATURE WILL BE SECURE, UNINTERRUPTED, ERROR-FREE, OR FREE FROM DEFECTS OR HARMFUL COMPONENTS.
3.4 Feedback and Monitoring
We may ask you to provide feedback or suggestions about your experience with Labs Features. Any feedback you provide is completely voluntary, and by submitting it, you irrevocably assign to Civic all rights, title, and interest in such feedback, and grant Civic the unrestricted right to use, reproduce, and incorporate it into our products and services without compensation or attribution. We may also monitor your usage of Labs Features for testing, diagnostic, performance, or improvement purposes. Your use of any Labs Feature indicates your consent to such monitoring.
3.5 Data Handling
Labs Features may not meet the same privacy, security, or compliance standards as our fully released Services. You must not submit, upload, or process any live production data, personal data, or regulated data through a Labs Feature unless we have given you prior written authorization. You are solely responsible for ensuring that your use of any Labs Feature complies with applicable data protection laws and your internal policies.
3.6 Indemnification
To the maximum extent permitted by law, you agree to indemnify, defend, and hold harmless Civic, its affiliates, and their respective officers, directors, employees, agents, licensors, and service providers, from and against any and all losses, liabilities, damages, fines, penalties, costs, and expenses (including reasonable attorneys’ fees and costs) arising out of or relating to (i) your access to or use of any Civic Labs or beta feature; (ii) your violation of applicable laws, regulations, or third-party rights in connection with such use; (iii) any acts or omissions of your end users or integrations using Civic Labs features under your account; (iv) your failure to implement or maintain appropriate safeguards, security measures, or disclaimers when using Civic Labs features; or (v) your gross negligence, fraud, or willful misconduct. Civic reserves the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify Civic, and you agree to cooperate fully with Civic in the defense of such matters.
4. BRYN
4.1 Description
Bryn is Civic’s signal-based go-to-market agent. Bryn combines first-party behavioral signals collected from Customer’s website or application with identity-resolution data sourced from Civic's identity-resolution data providers and, where separately authorized by Customer, other data enrichment providers, to identify anonymous website visitors (“Resolved Visitors”) and surface engagement recommendations to Customer’s growth and sales teams. Bryn is a standalone product and is not part of the Civic platform AI orchestration features described in Section 1. The term “Resolved Visitors” as used in this Section 4 refers to individuals whose identity has been inferred or resolved by Bryn through the combination of behavioral data collected by the Bryn Beacon and identity-resolution data supplied by Civic’s data providers.
4.2 Data Controller and Processor Roles
(a) Customer Deployment. Where Customer deploys Bryn on Customer’s own website or application: (i) Customer acts as the data controller with respect to Personal Data of Resolved Visitors processed by Bryn; (ii) Civic acts as a data processor processing such Personal Data on Customer’s behalf pursuant to the Civic Customer Services Agreement, including the Data Processing Agreement; and (iii) Resolved Visitors are data subjects in Customer’s controller relationship and are not “End Users” as defined in the Civic Customer Services Agreement. Customer is solely responsible for establishing and maintaining a valid lawful basis, providing adequate notice, and complying with all applicable Data Protection Laws with respect to Resolved Visitor data.
(b) Civic Demonstrations. Where Civic deploys Bryn on Civic’s own websites or properties to demonstrate the Service to prospective customers, Civic acts as the data controller with respect to Resolved Visitor data collected through such deployments. Civic will maintain its own privacy notice, lawful basis (including a legitimate interest assessment where applicable), and opt-out mechanism for such processing. The Customer flow-down obligations in Section 4.3 do not apply to Civic’s own demonstration deployments.
(c) Identity Resolution Provider Layer. Customer acknowledges that Bryn relies on identity-resolution data supplied by Civic's identity-resolution data providers. With respect to resolved identity output data ("Output Data") transferred from Civic's identity-resolution data providers to Civic, each such provider and Civic each act as independent controllers (for GDPR and UK GDPR purposes) and independent Businesses (for CCPA purposes) with respect to that data. Each such provider acts as a service provider (processor) only with respect to input data submitted by Civic for matching purposes. The transfer of Output Data from Civic's identity-resolution data providers to Civic constitutes a CCPA “sale” of personal information. This arrangement is subject to controller-to-controller terms as further described in Section 4.6 and the Data Processing Agreement.
4.3 Customer Flow-Down Obligations
If you are deploying Bryn on your website or application, you agree to the following before enabling Bryn and at all times during your use of the Service:
(i) Privacy Notice. Publish and maintain a publicly accessible privacy notice (or update your existing privacy notice) that discloses: (a) that your website uses visitor identification and enrichment technology to identify anonymous visitors and associate behavioral signals with individual identity records; (b) the categories of Personal Data collected and resolved, which may include IP address, device identifiers, company identifiers, email address, and behavioral event data; (c) your lawful basis for such processing; (d) that Civic Technologies, Inc. is engaged as a service provider for visitor identification and enrichment, and that Civic uses one or more third-party identity-resolution data providers for this purpose, as identified in Civic's published sub-processor and vendor list; and (e) how Resolved Visitors may exercise applicable data subject rights, including deletion and opt-out.
(ii) Lawful Basis. Establish and document in writing a valid lawful basis under applicable Data Protection Laws prior to deploying Bryn and processing Resolved Visitor data. For deployments subject to the GDPR, UK GDPR, or Swiss DPA, you must either: (a) complete a legitimate interest assessment (“LIA”) concluding that your interests in identifying and engaging potential customers are not overridden by Resolved Visitors’ fundamental rights and freedoms, with the LIA retained and made available to us on request; or (b) obtain freely given, specific, informed, and unambiguous consent from Resolved Visitors prior to processing. You will not deploy Bryn in any jurisdiction where you have not established and documented a valid lawful basis.
(iii) Consent and Cookie Mechanism. Where applicable law requires consent for the placement or activation of tracking technologies, you will implement and maintain a consent management platform or equivalent mechanism that covers the Bryn Beacon (Civic’s visitor identification script deployed on your website) and any associated cookies, pixels, or similar technologies, such that: (a) the Bryn Beacon and all associated tracking is not activated until affirmative consent is obtained from the visitor; (b) visitors may withdraw consent at any time with prospective effect; and (c) you maintain auditable consent records. The consent obligation under this Section 4.3(iii) is triggered by the collection of visitor data, not by the tier of identity resolution subsequently performed. Accordingly, where your deployment is subject to a prior-consent requirement (for example, under the ePrivacy Directive as implemented in certain EU member states), the Bryn Beacon must be treated as a non-essential script and consent-gated regardless of whether Bryn subsequently performs company-level or person-level resolution. You will not activate the Bryn Beacon prior to obtaining required consent.
(iv) Data Subject Rights. Implement and maintain a process by which Resolved Visitors may: (a) request access to, correction of, or deletion of their Personal Data; (b) opt out of visitor identification and enrichment processing at any time; and (c) exercise any other applicable rights under Data Protection Laws. You will respond to such requests within the timeframes required by applicable law. Where Civic receives a data subject request relating to Resolved Visitor data processed on your behalf, Civic will notify you promptly and you will be solely responsible for responding substantively.
(v) No Deployment Without Compliance. You will not deploy Bryn or permit Bryn to process Resolved Visitor Personal Data until: (a) your privacy notice has been updated to disclose Bryn’s data practices as required by this Section; (b) you have established and documented a valid lawful basis; and (c) any required consent mechanism is live and operational. Deployment prior to satisfying each of these conditions constitutes a material breach of the Civic Customer Services Agreement.
(vi) Downstream Outreach Compliance. Where you use Resolved Visitor data to engage potential customers through outbound communications, you will comply with all applicable laws governing such communications, including the CAN-SPAM Act, CASL, the TCPA, and any applicable email marketing or telemarketing regulations in the jurisdiction of the recipient. You will ensure that all outbound communications to Resolved Visitors include required identification, unsubscribe, and opt-out disclosures.
(vii) Records of Processing. You will maintain records of your processing activities with respect to Resolved Visitor data as required by applicable Data Protection Laws, including documentation of your lawful basis and, where applicable, your completed LIA.
(viii) Automated Decision-Making Notice. To the extent your deployment of Bryn’s visitor scoring and automated outreach features constitutes the use of automated decision-making technology (“ADMT”) under applicable law, including any regulations promulgated under the California Consumer Privacy Act (CCPA/CPRA) or other applicable law, you will: (a) provide any required pre-use or point-of-collection notices to affected individuals; (b) implement any required opt-out mechanisms for automated profiling or decision-making; and (c) maintain documentation of your ADMT compliance posture and make it available to Civic on request.
4.4 Customer Representations and Warranties
You represent and warrant that: (i) you have full legal authority to deploy Bryn in the manner contemplated by the Civic Customer Services Agreement; (ii) your deployment and use of Bryn complies with all applicable laws and regulations, including Data Protection Laws, marketing laws, and anti-spam laws; (iii) prior to deploying Bryn in any jurisdiction subject to the GDPR, UK GDPR, or Swiss DPA, you will have either completed a valid LIA or obtained required consent as applicable; (iv) your privacy notice accurately and completely discloses your use of Bryn and your processing of Resolved Visitor data; (v) you have implemented and will maintain throughout the term all consent mechanisms required under applicable law for the geographies in which you deploy Bryn; (vi) you will not deploy the Bryn Beacon on any website or application that is subject to HIPAA, GLBA, COPPA, or equivalent sector-specific data protection regimes, including the Family Educational Rights and Privacy Act (FERPA) and comparable non-U.S. children’s data protection laws, without Civic’s prior written consent; (vii) at the time of each new website or application deployment on which the Bryn Beacon is activated, the site is not subject to any of the sector-specific regimes listed in clause (vi); and (viii) if, after activation of the Bryn Beacon on any website or application, that website or application subsequently becomes subject to any of the sector-specific regimes listed in clause (vi), you will (a) notify Civic in writing at privacy@civic.com promptly and in any event within five (5) business days of becoming aware of such change, and (b) promptly disable the Bryn Beacon on that website or application pending Civic's prior written consent under clause (vi).
4.5 Indemnification
TO THE MAXIMUM EXTENT PERMITTED BY LAW, YOU AGREE TO INDEMNIFY, DEFEND, AND HOLD HARMLESS CIVIC, ITS AFFILIATES, AND THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, LICENSORS, AND SERVICE PROVIDERS, FROM AND AGAINST ANY AND ALL LOSSES, LIABILITIES, DAMAGES, FINES, PENALTIES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS’ FEES) ARISING OUT OF OR RELATING TO: (I) YOUR DEPLOYMENT OR USE OF BRYN ON YOUR WEBSITE OR APPLICATION; (II) YOUR FAILURE TO ESTABLISH A VALID LAWFUL BASIS FOR PROCESSING RESOLVED VISITOR DATA, INCLUDING ANY FAILURE TO COMPLETE A REQUIRED LIA OR OBTAIN REQUIRED CONSENT; (III) YOUR FAILURE TO PUBLISH OR MAINTAIN AN ADEQUATE PRIVACY NOTICE DISCLOSING BRYN’S DATA PRACTICES; (IV) YOUR FAILURE TO IMPLEMENT OR MAINTAIN REQUIRED CONSENT OR OPT-OUT MECHANISMS; (V) YOUR FAILURE TO RESPOND TO RESOLVED VISITOR DATA SUBJECT REQUESTS WITHIN REQUIRED TIMEFRAMES; (VI) YOUR VIOLATION OF APPLICABLE DATA PROTECTION LAWS, MARKETING LAWS, OR ANTI-SPAM LAWS IN CONNECTION WITH YOUR USE OF RESOLVED VISITOR DATA; (VII) ANY CLAIM, FINE, OR REGULATORY ACTION BY A RESOLVED VISITOR, DATA PROTECTION AUTHORITY, OTHER GOVERNMENTAL AUTHORITY, OR ANY THIRD PARTY WHO RECEIVED OUTBOUND COMMUNICATIONS INITIATED BY BRYN-TRIGGERED PLAYS, ARISING FROM YOUR DEPLOYMENT OR USE OF BRYN OR YOUR USE OF RESOLVED VISITOR DATA IN OUTBOUND COMMUNICATIONS; (VIII) YOUR DEPLOYMENT OF THE BRYN BEACON ON A WEBSITE OR APPLICATION SUBJECT TO HIPAA, GLBA, COPPA, OR EQUIVALENT SECTOR-SPECIFIC REGIMES WITHOUT CIVIC’S PRIOR WRITTEN CONSENT; (IX) YOUR GROSS NEGLIGENCE, FRAUD, OR WILLFUL MISCONDUCT IN CONNECTION WITH YOUR USE OF BRYN; OR (X) YOUR BREACH OF THE PER-DEPLOYMENT REPRESENTATION AND WARRANTY IN SECTION 4.4(VII) OR YOUR FAILURE TO SATISFY THE CONTINUING OBLIGATION IN SECTION 4.4(VIII), INCLUDING ANY DEPLOYMENT OF THE BRYN BEACON ON A WEBSITE OR APPLICATION THAT IS SUBJECT TO A SECTOR-SPECIFIC REGIME LISTED IN SECTION 4.4(VI) WHERE YOU FAILED TO IDENTIFY SUCH COVERAGE PRIOR TO ACTIVATION OR FAILED TO NOTIFY CIVIC AND DISABLE THE BRYN BEACON UPON SUBSEQUENTLY BECOMING AWARE OF SUCH COVERAGE. CIVIC RESERVES THE RIGHT, AT YOUR EXPENSE, TO ASSUME THE EXCLUSIVE DEFENSE AND CONTROL OF ANY MATTER FOR WHICH YOU ARE REQUIRED TO INDEMNIFY CIVIC, AND YOU AGREE TO COOPERATE FULLY WITH CIVIC IN THE DEFENSE OF SUCH MATTERS.
4.6 Identity Resolution Data Providers
(a) Architecture and Access. Customer acknowledges that Bryn’s visitor identification functionality relies on identity-resolution data supplied by Civic's identity-resolution data providers under commercial arrangements between Civic and each such provider. Civic's current data providers are identified on its published sub-processor and vendor list. Civic operates the Bryn Beacon on Customer’s website to collect visitor behavioral data, which Civic transmits from Civic’s own environment to its data providers' APIs using Civic’s own credentials. Civic's data providers do not interact directly with Customer’s website or code, and Customer does not have access to any data provider's platform, credentials, or services. Civic is the sole party in a direct contractual relationship with each data provider.
(b) Controller Characterization. With respect to resolved identity Output Data, Civic's identity-resolution data providers and Civic each act as independent controllers (GDPR/UK GDPR) and independent Businesses (CCPA) with respect to that data. No data provider is a sub-processor of Civic with respect to Output Data. Each data provider acts as a service provider (processor) only with respect to input data submitted by Civic for matching purposes.
(c) CCPA Sale of Personal Information. Customer acknowledges that under the CCPA, the transfer of resolved identity Output Data from Civic's identity-resolution data providers to Civic constitutes a "sale" of personal information, as Civic pays monetary consideration (in the form of API access credits) to access the identity-resolution services through which Output Data is delivered. Civic discloses this characterization in its own privacy notice and has implemented the required consumer opt-out mechanism. Customers deploying Bryn must evaluate whether their subsequent use or sharing of Resolved Visitor data (including disclosure to downstream CRM, email sequencer, enrichment, or advertising tools) constitutes a "sale" or "share" under the CCPA as applied to their own operations, and must provide any required disclosures or opt-out mechanisms.
(d) Customer Notice Obligations at Collection. The Bryn Beacon collects visitor behavioral data on Customer’s website. Because applicable privacy law attaches to the point of collection, Customer bears the primary obligation to provide notice at the collection point, including in Customer’s privacy notice and in any required cookie or consent banner. Customer must disclose: (i) that Civic operates a collection script on Customer’s site for visitor identification purposes; (ii) that Civic uses one or more third-party identity-resolution data providers for this purpose, as identified in Civic's published sub-processor and vendor list; and (iii) how visitors may exercise applicable opt-out or deletion rights. Civic maintains opt-out handling in accordance with each applicable identity-resolution data provider's published consumer opt-out process; Customer must route Resolved Visitor opt-out and deletion requests to Civic at privacy@civic.com for propagation.
(e) Prohibited Uses. Customer will not use Resolved Visitor data (including data received from one or more identity-resolution data providers enabled within Bryn) to: (i) create derivative data products or competitive products that incorporate or are substantially derived from such data; (ii) resell, re-license, or redistribute such data in any form as a standalone data product or feed; or (iii) expose a “list of users” endpoint or one-to-many data query interface that returns such data in bulk. A breach by Customer of this Section 4.6(e) constitutes a breach of Customer’s obligations to Civic.
(f) Geographic Scope. Bryn’s visitor identification operates on two resolution tiers with different geographic scope:
(i) Company-level resolution (worldwide). Bryn resolves visitor IP addresses to company domains for visitors worldwide, including visitors located in the EU, UK, and Switzerland, using Civic's company-level IP-to-company resolution capability. This layer identifies the company associated with a visit and does not resolve individual identities. Customer acknowledges that company-level resolution involves transmission of visitor IP addresses, which may constitute personal data under EU, UK, and Swiss law, to Civic's data providers (US entities); the applicable cross-border transfer mechanism for such transmission is documented in the Data Processing Agreement. For Customers with EU, UK, or Swiss visitor traffic, the consent management obligation in Section 4.3(iii) applies to the Bryn Beacon regardless of whether person-level resolution is attempted.
(ii) Person-level resolution (US-only). Bryn’s person-level resolution (resolving a visitor IP address to an individual’s identity, including name, email address, and job title) is limited to US-based visitors in the current release. Person-level resolution for EU, UK, or Swiss residents is not available in the current release and requires additional legal safeguards before it can be offered. Civic will notify Customer in writing when person-level resolution for EU, UK, or Swiss residents becomes available, including confirmation that the applicable legal safeguards are in place. Customer will not configure Bryn to attempt person-level resolution of EU, UK, or Swiss residents until receipt of such written notice from Civic.
(g) Civic Disclaimer. CIVIC DISCLAIMS ALL LIABILITY FOR ANY IDENTITY RESOLUTION PROVIDER'S INDEPENDENT PROCESSING OF PERSONAL DATA AS A CONTROLLER, INCLUDING ANY PROCESSING BY ANY SUCH PROVIDER OUTSIDE THE SCOPE OF CIVIC’S INSTRUCTIONS OR THE CIVIC CUSTOMER SERVICES AGREEMENT. CIVIC’S OBLIGATIONS UNDER THE CIVIC CUSTOMER SERVICES AGREEMENT WITH RESPECT TO IDENTITY-RESOLUTION DATA ARE LIMITED TO CIVIC’S OWN PROCESSING AS A PROCESSOR ON CUSTOMER’S BEHALF AND AS A CONTROLLER IN CIVIC’S OWN CONTROLLER CAPACITY.
4.7 Disclaimer
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, CIVIC PROVIDES BRYN ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR ANY WARRANTIES ARISING FROM A COURSE OF PERFORMANCE, DEALING, OR USAGE OF TRADE. CIVIC MAKES NO REPRESENTATION OR WARRANTY THAT BRYN WILL BE SECURE, UNINTERRUPTED, ERROR-FREE, OR FREE FROM HARMFUL COMPONENTS. BECAUSE BRYN’S VISITOR IDENTIFICATION FUNCTIONALITY DEPENDS ON IDENTITY-RESOLUTION DATA SUPPLIED BY CIVIC'S IDENTITY-RESOLUTION DATA PROVIDERS, CIVIC MAKES NO REPRESENTATION OR WARRANTY AS TO THE ACCURACY, COMPLETENESS, CURRENCY, OR AVAILABILITY OF SUCH DATA, AND DISCLAIMS ALL LIABILITY FOR ANY ERRORS, OMISSIONS, OR INTERRUPTIONS IN IDENTITY-RESOLUTION RESULTS.