Legal and Commercial Terms Summary
Contracting posture for pilot and production review — implemented positions, not aspirational.
Commercial posture
- Mutual confidentiality expected — governed by written NDA or agreement
- Customer data ownership preserved by contract
- Customer data not used for generalized model training unless expressly agreed
- Breach notice handled by written agreement — not by public website terms
- Security and diligence cooperation available under NDA
- Termination assistance and deletion certification handled contractually
- Liability allocation subject to negotiated written agreement — not inferred from public copy
Important Framing
This page is a public summary of CreditAxis contracting posture for due diligence purposes. It is not a contract. Commercial pilot and production engagements are governed by separate written agreements that address confidentiality, security, data handling, service levels, liability allocation, and operational terms.
Pilot vs. Production
Pilot participation is for evaluation only. Production deployment, integration scope, service levels, and commercial terms are handled under a separate written agreement. Pilot participation creates no automatic production commitment.
Contract Paper Inventory
CreditAxis contracting may include:
- Master Services Agreement
- Statement of Work (pilot or production)
- Data Processing Addendum
- Confidentiality / NDA
- Order form or pricing schedule
Data Ownership
Customer data remains the property of the institution. CreditAxis processes Customer Data solely on the documented instructions of the institution and does not retain, use, or share it outside the contracted services.
Confidentiality
Mutual confidentiality obligations are established in the applicable written agreement. Neither party discloses the other's confidential information without written consent.
Customer Data and Model Training
Customer data is not used to train generalized AI models except as expressly permitted by written contract. Intelligence-layer inputs and outputs within a customer environment remain governed by the applicable agreement.
Subprocessors
CreditAxis engages three subprocessors: Supabase (database and authentication), Vercel (frontend hosting), and Hugging Face (AI/ML inference — conditional on Intelligence module activation). This list is consistent with the DPA, security pages, and model governance disclosure.
Full subprocessor details including data classes, geographic scope, and certifications are available in the Vendor Review Room and in the DPA.
Security Measures
CreditAxis maintains the following implemented security measures relevant to data processing:
- Encryption in transit: TLS 1.2 or higher
- Encryption at rest: AES-256 via Supabase infrastructure
- Access controls: RBAC and RLS
- Audit logging: Immutable append-only
- Incident notification: 72 hours for confirmed incidents affecting Customer Data
Breach Notification
For confirmed incidents affecting Customer Data: CreditAxis will notify affected customers within 72 hours. Notification timing and scope are also governed by the applicable written agreement.
Deletion and Offboarding
Data deletion is completed within 30 days of agreement termination. A deletion certificate confirming destruction of Customer Data is available upon request. Customer retains the right to export audit records prior to deletion.
Pilot offboarding steps are confirmed at pilot conclusion regardless of production decision.
Liability Framework
Liability allocation, caps, exclusions, and indemnities are subject to negotiated written agreement. Public website copy does not establish commercial liability terms for regulated financial institution engagements.
Audit and Diligence Cooperation
Reasonable diligence cooperation — including document review, questionnaire responses, and architecture review — is provided under NDA. Full diligence materials are available through the Request Diligence Package pathway.