This Addendum applies to any DuoCircle Cloud Service that includes AI Features. It governs how those features are operated, what we will and will not do with the data flowing through them, and the limits on Customer’s permitted use. It is incorporated into the Cloud Terms automatically for any Customer using a Cloud Service in scope.
In-scope AI Features
The following Cloud Services include AI Features as of the Effective Date above. The list is updated as features are added or removed.
| Product | AI Feature | What it does |
|---|---|---|
| Phishing Protection | Threat classification model | Scores inbound mail for phishing, malware, and BEC indicators using a layered ML stack trained on aggregated threat intelligence. |
| Spam Filtering | Spam-likelihood model | Scores inbound mail for spam likelihood using ML trained on aggregated reputation and content signals. |
| Verisend (Visual Mail Verification) | Visual brand recognition | Compares inbound message visual elements against a library of trusted brand references to detect impersonation. |
| NuReply | AI-assisted reply drafting | Drafts and refines outbound email replies inside Customer’s connected mailbox, on Customer instruction. |
| DMARC Report | Anomaly detection | Surfaces unusual sending patterns in Customer’s DMARC aggregate reports for review. |
Cloud Services not listed above do not include AI Features within the meaning of this Addendum. We update this list as the portfolio evolves.
Training and Customer Data
DuoCircle does not use Customer Data, Customer email content, Customer credentials, Customer inputs to AI Features, or Customer-specific outputs from AI Features to train, fine-tune, or improve any AI model offered to other Customers or to the public.
This is a hard commitment. It is not subject to a separate opt-out flag, a “by default opted in” pattern, or a hidden setting. There is nothing to opt out of because we never opt you in.
We may use Customer Data internally, in aggregated and anonymized form, for the purpose of operating, securing, and tuning the Cloud Service for the Customer in question. Examples include false-positive feedback loops, threat-intelligence sharing among customers in the form of unattributable hashes and reputation signals, and operational telemetry. None of this constitutes training a generally-available model.
Third-party model providers
Some AI Features rely on models operated by third parties under DuoCircle’s account with the model provider. The current list is published in the DuoCircle Subprocessor List under the AI processing category. Each model provider in our supply chain has been reviewed and configured for zero-retention or short-retention processing where the provider supports it, and contractually bound under DuoCircle’s commercial agreement with the provider not to use customer inputs or outputs to train models offered to other parties.
If Customer requires that no AI Feature in scope route through a specified third-party model provider, contact legal@duocircle.com before purchase. We will confirm fit before contract.
Output ownership and accountability
Subject to Customer’s compliance with the Cloud Terms and this Addendum, Customer owns the outputs of AI Features generated for Customer’s account. Provider does not assert any ownership in outputs. Provider does not warrant that outputs are unique to Customer; the same prompt or input can produce a similar output for another Customer of the same model.
AI Feature outputs are generated by statistical models. They can be incorrect, incomplete, biased, or inappropriate to the context. Customer is responsible for reviewing AI Feature outputs before relying on them in any business decision. DuoCircle does not warrant that outputs are accurate, complete, current, free from infringement, or fit for any particular purpose, except as expressly set out in the Cloud Terms or in a written Order. The disclaimers, limitations, and indemnities in the Cloud Terms apply.
Prohibited high-risk uses
Customer must not use AI Features as the sole or primary basis for any of the following decisions or determinations, in each case where a meaningful adverse impact on a natural person is reasonably foreseeable:
- Eligibility for or denial of credit, insurance, housing, or social assistance
- Hiring, promotion, demotion, discipline, or termination decisions
- Educational assessments, school admissions, or scholarships
- Medical diagnosis, treatment recommendation, or clinical triage
- Criminal-justice risk assessment, parole, sentencing, or law-enforcement targeting
- Government benefits eligibility or immigration determinations
- Determinations under the EU Artificial Intelligence Act Article 6 high-risk categories or equivalent regimes in other jurisdictions
Customer is responsible for any human review and oversight required by applicable law for any decision touched by AI Features. Customer must not use AI Features to generate child sexual abuse material, deepfakes designed to deceive in non-satirical contexts, biometric identification of natural persons in publicly accessible spaces, or any output that infringes third-party intellectual property rights.
Customer responsibilities
Customer represents and warrants that:
- Lawful inputs. Customer’s inputs to AI Features are lawful in the jurisdiction of the sender and any expected recipient. Inputs do not include personal data Customer is not authorized to process.
- Notice. Where applicable law requires notice to a natural person that AI Features are involved (for example, certain consumer protection regimes or employment contexts), Customer provides that notice. DuoCircle does not provide it on Customer’s behalf.
- Output use. Customer reviews AI Feature outputs before relying on them in any external communication, public statement, or business decision with material consequence.
- Logging and retention. Customer is responsible for any logging or retention of AI Feature inputs and outputs that Customer’s regulatory regime requires. DuoCircle’s retention is set out in the Cloud Terms and the DPA.
Confidentiality of inputs
Inputs to AI Features are Customer Data under the DPA. They are processed only to provide the Cloud Service. They are not shared with third parties beyond the model providers listed in the Subprocessor List, and only on the zero-retention or short-retention terms set out above. They are not used to train any model offered to other Customers.
Provider obligations
Beyond the Bonterms AI Addendum v2.0 standard, DuoCircle commits to:
- Disclosure. Maintain the in-scope AI Features list above and the model-provider list at /legal/subprocessors/ as living documents. Notify the technical contact on the account of material changes thirty days in advance, consistent with the DPA subprocessor change process.
- Documentation. Publish a plain-language description of each AI Feature, the inputs it consumes, the outputs it produces, and known limitations, in product documentation.
- Human override. Provide a way for Customer to disable, override, or bypass each AI Feature, except where doing so is technically incompatible with the Cloud Service (in which case Provider documents the constraint).
- Incident handling. Treat material harms or systemic errors traced to an AI Feature as Security Incidents under the DPA. Notify Customer per the timelines in the Cloud Terms.
Modifications to the standard form
The Bonterms AI Addendum v2.0 governs except as expressly modified by the Provider-Specific Terms above and the in-scope feature list, which replaces any default model-features schedule in the standard. There are no other modifications.
Questions about this document?
DuoCircle LLC, 5965 Village Way, Suite 105-234, San Diego, CA 92130. Email legal@duocircle.com for legal inquiries, or support@duocircle.com for everything else.