Other Policies

Last Updated: April 14, 2026

EPX AI Terms

Last Updated: April 14, 2026

These AI Terms supplement the EPX Terms of Use and apply to AI-enabled features, models, agents, workflows, and outputs made available through the Services.

1. Nature of AI Features

EPX may make available AI-enabled features such as prompts, summaries, analyses, recommendations, classifications, drafts, reasoning chains, workflow suggestions, automation triggers, and generated content. AI features may be powered by EPX, subprocessors, model providers, or customer-directed third-party services.

2. No Guarantee of Accuracy or Outcomes

AI outputs may be inaccurate, incomplete, biased, outdated, misleading, or inappropriate for your circumstances. EPX does not guarantee that AI features or outputs will achieve any specific business result, revenue result, compliance outcome, or operational improvement. Furthermore, EPX is not responsible in any regard for the availability or performance of third-party applications and services you connect to the EPX platform.

3. Human Review Required

You are solely responsible for reviewing, validating, approving, and deciding whether and how to use any AI output before sending, publishing, implementing, or relying on it.

4. Prohibited Reliance

Unless EPX expressly agrees otherwise in writing, you may not rely on EPX AI features as a substitute for legal, tax, accounting, employment, investment, medical, mental health, insurance, safety-critical, or other regulated professional advice. You may not use EPX AI features for fully automated decisions that have legal or similarly significant effects on individuals unless EPX expressly authorizes that use in writing and you implement lawful safeguards and human review.

5. Third-Party Models and Services

EPX may route requests among different AI models, providers, or external tools. The availability, quality, security, privacy practices, and performance of third-party AI providers are not under EPX's control.

6. Customer Responsibility for Inputs and Outputs

You represent and warrant that you have all rights and permissions necessary to submit prompts, data, files, and other inputs into the AI features and to use any outputs in the manner you choose.

7. Changes to AI Features

EPX may modify, limit, suspend, replace, or discontinue AI features, model providers, model versions, safety settings, token limits, and output formats at any time.

8. Conflict

If there is a conflict between these AI Terms and the EPX Terms of Use, the EPX Terms of Use will control unless these AI Terms expressly state otherwise.

EPX Data Processing Addendum

Last Updated: April 14, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between EPX, Inc. ("EPX") and the customer entity that enters into the EPX Terms of Use, master services agreement, order form, statement of work, or other written agreement governing the Services (the "Agreement"), to the extent EPX processes personal data on behalf of the customer.

1. Scope and Roles

To the extent EPX processes personal data contained in Customer Content on behalf of Customer, Customer is the controller or business and EPX is the processor or service provider, except where EPX acts as an independent controller for its own business operations as described in the Privacy Policy.

2. Processing Details

Subject matter: provision of the Services.

Duration: for the term of the Agreement and any limited post-termination period necessary to complete return, deletion, legal retention, backup, or security obligations.

Nature and purpose: hosting, storage, organization, transmission, retrieval, analysis, workflow execution, authentication, support, security, logging, troubleshooting, output generation, and other processing necessary to provide the Services.

Categories of data subjects may include Customer personnel, end users, prospects, clients, vendors, contractors, and other individuals whose personal data is included in Customer Content.

Categories of personal data may include identifiers, contact information, profile information, communications, content, prompts, files, usage data, metadata, business data, and any other personal data Customer chooses to submit or connect.

3. Customer Instructions

EPX will process personal data only on documented instructions from Customer, including as reflected in the Agreement, Customer configurations, authorized user actions, workspace settings, connected services, and support requests, unless required otherwise by applicable law. Customer is responsible for ensuring its instructions are lawful and that it has all rights and legal bases necessary for EPX to process the data.

4. Confidentiality

EPX will ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.

5. Security Measures

EPX will implement commercially reasonable technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

6. Subprocessors

Customer authorizes EPX to use subprocessors in connection with the Services. EPX will maintain a public subprocessors page and is not responsible for the commercial performance of its subprocessors except to the extent required by law.

7. Assistance

Taking into account the nature of the processing and information available to EPX, EPX will provide commercially reasonable assistance to Customer in responding to data subject requests, security incidents, and applicable assessments or consultations, to the extent required by law and appropriate for the Services.

8. Security Incidents

EPX will notify Customer without undue delay after becoming aware of a confirmed security incident affecting Customer personal data processed by EPX under this DPA, as required by law.

9. Return and Deletion

Upon termination of the applicable Services, EPX will delete or return personal data as described in the Agreement and Privacy Policy, unless continued retention is required by law, needed for security or backup purposes, or otherwise permitted by the Agreement.

10. Cross-Border Transfers

Where required by law, the parties will use an appropriate transfer mechanism for cross-border transfers of personal data.

11. CCPA / CPRA Terms

To the extent applicable, EPX will process personal information as a service provider or contractor and will not retain, use, or disclose such personal information except as permitted by the Agreement, this DPA, and applicable law.

12. Order of Precedence

If there is a conflict between this DPA and the Agreement regarding processing of personal data, this DPA will control to the extent of that conflict.

Questions regarding this DPA may be sent to support@epx.global.

EPX Subprocessors

Last Updated: April 14, 2026

EPX may use subprocessors and service providers to help deliver the Services. This page is intended to provide a public summary of the categories of subprocessors EPX may use in connection with hosting, security, communications, analytics, billing, support, AI services, and workflow functionality.

Because EPX's platform may route actions through third-party services chosen by customers, customer-enabled integrations, APIs, MCP connectors, webhooks, and connected applications may involve additional processors or subprocessors that are not controlled by EPX and may vary by customer configuration.

Core Subprocessor Categories

  1. Cloud hosting and infrastructure - Used to host application services, databases, storage, backups, and core infrastructure.
  2. AI and model providers - Used to process prompts, content, metadata, and outputs for AI-enabled features.
  3. Workflow, integration, and communications providers - Used to support APIs, message delivery, email, notifications, webhook processing, authentication, and integration functionality.
  4. Billing and payments providers - Used to process subscriptions, invoices, transactions, and payment-related metadata.
  5. Support, CRM, and operations tools - Used to manage support requests, customer communications, business operations, and account administration.
  6. Analytics, logging, and security tools - Used to monitor reliability, diagnose issues, detect abuse, and maintain security.

Customer-Directed Third Parties

If a customer connects or routes data to third-party systems, applications, model providers, MCP connectors, webhooks, or other services, those third parties may process Customer Content and personal data under the customer's instructions. EPX is not responsible for third parties selected, connected, or authorized by the customer except to the extent otherwise expressly agreed in writing.

Questions

Questions regarding subprocessors may be sent to support@epx.global.

EPX Security Overview

Last Updated: April 14, 2026

EPX is designed to support operational AI, workflows, integrations, and network collaboration with governance in mind. This page provides a high-level overview of EPX's current security posture and design principles.

Security Principles

  • role-based permissions and workspace controls;
  • approval-based workflows where appropriate;
  • logging and audit trails;
  • commercially reasonable encryption and access protections;
  • vendor and subprocessor management;
  • monitoring, abuse prevention, and incident response.

Shared Responsibility

Security for the Services is a shared responsibility. EPX is responsible for the security of the platform environment under its control. Customers are responsible for user access, customer data access and use, internal approvals, connector choices, permission scopes, connected accounts, endpoint security, and appropriate use of workflows and outputs.

Integrations and Off-Platform Processing

EPX may support integrations through APIs, MCP connectors, webhooks, and third-party platforms. When customers enable those features, data and actions may be processed outside the EPX environment. Customers should evaluate the security, privacy, and compliance posture of each connected service.

Credentials and Access

EPX may process API keys, tokens, webhook secrets, OAuth grants, and other credentials to support requested features. Customers should use least-privilege permissions, rotate secrets, revoke unused access, and monitor connected systems.

Incident Handling

EPX maintains processes intended to detect, investigate, contain, and respond to security events affecting the Services. If EPX confirms a security incident affecting customer personal data and applicable law requires notice, EPX will provide notice as required by law or contract.

Questions

Questions regarding security may be sent to support@epx.global.