Terms and Conditions

Master Services Agreement

GRL Works AB, trading as GRAIL, org.nr 559542-7195, Storgatan 48, 114 55 Stockholm, Sweden, provides strategic advisory and AI transformation services, including the design and delivery of custom AI agents. These terms take effect when you sign a Service Order and continue until all workstreams under it are complete and closed.

Definitions

§ 1  —  Scope and Change Control

Services are specified in a signed Service Order. Changes require written agreement from both parties. Email confirmation is sufficient. Until a change is agreed, GRAIL continues under the existing Service Order.

Unless a Service Order specifies otherwise, GRAIL's deliverables are management development and commercial capability work, not IT implementation. Technical integration, systems integration, data modelling, proprietary development, configuration of Client systems, and ROI guarantees are not included.

GRAIL delivers remotely by default. On-site delivery is available only if expressly agreed in the Service Order; travel and accommodation costs are borne by Client.

Deliverables are deemed accepted fifteen (15) business days after delivery unless Client provides a reasoned written objection specifying material non-conformity with the Service Order.

§ 2  —  GRAIL's Responsibilities

GRAIL will deliver the Services with the professional skill and care expected of senior advisory professionals.

GRAIL uses AI-assisted tools from reputable providers including OpenAI, Anthropic, and Google, under their commercial terms. AI-assisted outputs may contain errors and require human review. Client will not use such outputs as the sole basis for business-critical, legal, financial, medical, or regulatory decisions.

Client acknowledges that deliverables incorporating AI-assisted outputs may contain errors. Client is responsible for validating deliverables before operational use. GRAIL is not a software vendor or systems integrator unless a Service Order says so.

§ 3  —  Fees and Payment

Each Service Order specifies its fee, invoicing schedule, and payment terms. Where silent, payment is due thirty (30) days net from invoice date. All fees are exclusive of VAT.

If Client disputes an invoice in good faith, Client will notify GRAIL in writing within fifteen (15) days, pay the undisputed portion by the due date, and the parties will resolve the dispute. Properly disputed amounts do not count as late payment.

GRAIL may suspend performance if an undisputed invoice remains unpaid ten (10) days after written notice of non-payment. Late payment of undisputed amounts attracts interest at 2% per month, or the statutory rate if lower.

§ 4  —  Confidentiality

Each party will keep all non-public information received from the other party strictly confidential and use it only to perform the Services. This obligation survives termination for five (5) years and for as long as information remains a trade secret under the Swedish Trade Secrets Act (2018:558).

GRAIL processes Confidential Information only on managed encrypted devices, using providers whose commercial terms prohibit training on Client data. On completion or termination, GRAIL will return or securely destroy all Confidential Information.

If GRAIL becomes aware of any actual or suspected unauthorised access to Client's Confidential Information, GRAIL will notify Client in writing within seventy-two (72) hours and take reasonable steps to contain and remediate the incident.

§ 5  —  Intellectual Property

GRAIL IP. GRAIL retains all rights in its methodology, models, prompts, frameworks, and know-how, whether existing or developed during the engagement. This covers how GRAIL works, not what GRAIL builds for Client.

Client Materials. All data, documents, and information Client provides to GRAIL remain Client's property. GRAIL uses them only to perform the Services.

Client Agents. On payment of the fees due under the applicable Service Order, GRAIL assigns to Client all rights in the Client Agents built under that Service Order. Client may use, copy, modify, and further develop the Client Agents for Client's internal business. Where Client Agents depend on embedded GRAIL IP, Client receives a perpetual, royalty-free, worldwide, non-transferable licence to use that IP as part of the Client Agents.

Client may assign a Service Order to an affiliate within Client's group on written notice to GRAIL. Any other assignment requires GRAIL's prior written consent.

§ 6  —  Liability

Neither party is liable for indirect, consequential, incidental, special, or punitive damages, including loss of profit, revenue, goodwill, anticipated savings, or data, whether in contract, tort, or otherwise. This applies to any use of AI tools and third-party services.

Each party's aggregate liability is capped at the fees paid by Client under the Service Order(s) giving rise to the claim in the twelve (12) months before the claim. This cap does not apply to fraud, wilful misconduct, or gross negligence.

No claim may be brought more than two (2) years after the party became aware, or should reasonably have become aware, of the facts giving rise to it.

§ 7  —  Term and Termination

Either party may terminate a Service Order for convenience on thirty (30) days' written notice. Either party may terminate with immediate effect for material breach not remedied within fourteen (14) days of written notice.

On termination, Client pays for Services properly performed and deliverables already delivered, pro-rated against the Service Order fee. If GRAIL terminates for convenience before delivery, Client is entitled to a pro-rata refund of fees paid in excess of Services performed.

§ 8  —  Governing Law and Disputes

This agreement is governed by Swedish law, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods.

Any dispute will be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (SCC) under the Rules for Expedited Arbitrations. The seat is Stockholm. The language is English. A sole arbitrator decides.

Either party may seek interim or injunctive relief in any competent court to protect intellectual property rights or Confidential Information. The authoritative language of these terms is English.

GRAIL operates as an independent contractor. This agreement does not create employment, joint venture, agency, or partnership. Client grants GRAIL the right to use Client's name and logo in GRAIL's marketing without disclosing confidential information. Client may request in writing that GRAIL cease future use.

Data Processing Schedule

§ 9  —  Scope and Roles

This schedule applies to personal data that GRAIL processes on behalf of Client in performing the Services. GRAIL acts as processor. Client acts as controller under Regulation (EU) 2016/679 ("GDPR").

Where GRAIL holds only incidental access to Client personal data, for example contact details used for routine engagement logistics, each party acts as independent controller of its own processing and this schedule does not apply.

§ 10  —  Processor Obligations

GRAIL processes personal data only on Client's documented instructions. GRAIL ensures that persons authorised to process personal data are bound by confidentiality.

GRAIL assists Client to respond to data-subject requests and to comply with Articles 32–36 GDPR. At Client's choice, GRAIL will return or delete all personal data after the end of the Services.

GRAIL will notify Client of any intended addition or replacement of sub-processors with at least thirty (30) days' prior notice. Client may object on reasonable data-protection grounds within that period.

§ 11  —  International Transfers

All processing takes place within the European Union or in countries covered by a valid European Commission adequacy decision, except for the US-based sub-processors listed below.

Transfers to the United States are made under the 2021 EU Standard Contractual Clauses (Module 3, processor-to-processor) with supplementary measures. Client may request EU-only processing for any category of personal data on reasonable written notice.

§ 12  —  Security and Breach Notification

GRAIL applies technical and organisational measures appropriate to the nature of the personal data: full-disk encryption on all GRAIL working devices, multi-factor authentication on all cloud services, access limited to GRAIL personnel on a need-to-know basis under confidentiality undertakings, and no Client personal data stored on public platforms or personal accounts.

GRAIL will notify Client within forty-eight (48) hours of a confirmed personal data breach affecting Client personal data, preserving Client's ability to meet its GDPR Article 33 seventy-two-hour regulatory notification obligation.

Client may audit GRAIL's compliance with this schedule once per calendar year on not less than thirty (30) days' written notice. GRAIL may satisfy audit requests by providing certifications, written responses to security questionnaires, or third-party audit reports.

§ 13  —  Pre-approved Sub-processors

Client grants GRAIL general written authorisation to engage the sub-processors listed below. All are bound by enterprise-tier contractual terms that prohibit use of Client data for model training.